Similar literature
 20 similar documents found; search took 21 ms
1.
The Common Criteria for Information Technology Security Evaluation standard (CC) promises to replace scattered and often conflicting regional and national security standards. An emerging international standard, it is intended to support developers, evaluators and consumers of security products. The CC provides a framework to rate products by evaluation assurance level (EAL). Each EAL embodies a recommended set of assurance requirements: the higher the EAL, the more secure the product. You can use EALs to pick and choose which assurance requirements you want to satisfy. Think of the EALs as you would think of bandwidth or processor speed. Not everyone in your organization needs a dedicated T3 line or a 450 MHz desktop. Likewise, not every security product you use needs an EAL7 rating. The article shows how you, as a security products consumer, can use the CC to help determine if a given product meets your security needs. By rating different products according to their EALs, the CC can help you comparison shop and select an appropriately secure product. Further, the standard's international scope can help you integrate your system's security components with those in other countries, whether those components belong to customers, vendors, or other divisions of your own enterprise.

2.
《EDPACS》2013,47(9):18-19
Abstract

Whether you are responsible for ensuring the availability of your enterprise network or you are a chief technology officer or information security manager, you will likely ask yourself these questions: How much should I spend on security? Am I more secure today than I was yesterday? What metrics can I use to measure whether my security is improving or not? When can I stop patching so I can get back to doing real work?

3.
When you're in business, it's good to have customers, but do you have customer service in mind when you're developing technology for an e-business Web site? If not, you should, because the place where your work and the customers' experience come together is where you can make it easy or hard for customers to do business at a site. If you can understand customer intentions at an e-business site, you can factor them into technology choices and mechanisms that support them. Is it easy for a single-minded customer to find and buy a product, or for a holistic-minded user to do a combination of browsing, learning and shopping? While the marketing people decide what goes on a site and the content developers create the look-and-feel, the front-row seat for data mining is with the technical staff who know what information is available in log files, what profiling can be dynamically processed in the background and indexed into the dynamic generation of HTML, and what performance can be expected from the servers and network to support customer service and make e-business interaction productive.

4.
Abstract

Imagine you are an information security manager and your boss is asking: “How secure are our information systems? Is the security getting better or worse? How do you know that?” One thing is sure: if you do not have a good answer, your own job may not be secure. You could answer that you are monitoring intrusion attempts and investigating alarms, that you are updating the anti-virus software on a regular basis and applying software patches on a timely basis, but that was not the question. Your boss wants to know not only what you have done to lower the risk, but how effective you have been. It is all about process, measurements, and trend monitoring.

5.
Donner  I.H. 《Computer》1996,29(10):114-115
Software licenses are of vital concern to vendors and users. Software vendors use contracts, called licenses, to make sure that their products are used in a way that will benefit them. Users want to know the conditions that licenses impose on software so they can buy software that meets their needs. Beyond this, however, licenses and their enforceability are not always a straightforward matter. Are you bound by the conditions of a license even if the license is inside a container of shrinkwrap software, and you can't see its terms until after you buy the product? What if you can't see the license until you load your software into your computer and its terms appear on the monitor? This is particularly an issue with software sold by phone or mail, or over the Internet. In some of these cases, buyers purchase only a serial number or security code that activates publicly accessible software. In many cases, buyers don't even receive a solid product. They receive only a stream of electrons that contains data, an application program, instructions, and license conditions. The thorny legal issues that these situations raise recently confronted the US Court of Appeals for the Seventh Circuit, which hears appeals of cases from US District Courts in Illinois, Indiana, and Wisconsin. The changing nature of the software business has raised questions about the enforceability of shrinkwrap licenses.

6.
Many enterprises have been devoting a significant portion of their budget to product development in order to distinguish their products from those of their competitors and to make them better fit the needs and wants of customers. Hence, businesses should develop product designs that satisfy customers’ requirements, since this will increase the enterprise’s competitiveness and is an essential criterion for earning higher loyalty and profits. This paper investigates the following research issues in the development of new digital camera products: (1) What exactly are the customers’ “needs” and “wants” for digital camera products? (2) Which features are more important than others? (3) Can product design and planning for product lines/product collections be integrated with the knowledge of customers? (4) How can the rules help us form a strategy while we design a new digital camera? To investigate these research issues, the Apriori and C5.0 algorithms, data mining methodologies for association rules and decision trees, are implemented to mine customers’ needs. Knowledge extracted from the data mining results is illustrated as knowledge patterns and rules on a product map in order to propose possible suggestions and solutions for product design and marketing.

7.
Liu  S. Silverman  M. 《IT Professional》2001,3(1):27-32
As organizations search for more secure authentication methods for user access, e-commerce, and other security applications, biometrics is gaining increasing attention. But should your company use biometrics? And, if so, which ones should you use and how do you choose them? There is no one best biometric technology. Different applications require different biometrics. To select the right biometric for your situation, you will need to navigate through some complex vendor products and keep an eye on future developments in technology and standards. Your options have never been more diverse. After years of research and development, vendors now have several products to offer. Some are relatively immature, having only recently become commercially available, but even these can substantially improve your company's information security posture. We briefly describe some emerging biometric technologies to help guide your decision making.

8.
Gray  W.D. 《Software, IEEE》1997,14(4):26-28
The issue here is not whether discount techniques should be used; they are inevitable. The issue is, in trying to do the best job you can with the ridiculously limited resources provided you, what should you do? How confident should you be in the techniques you are using? A bad design may come back and bite you. When you choose a technique to use in a hurry, you are placing your professional reputation and perhaps your job on the line. You deserve to know four things about any technique that you apply. The hit rate: How many real problems will this technique uncover? The false-alarm rate: How many (and what sorts) of things will it falsely identify as problems (that may not exist, but are costly and time consuming to “fix”)? What does it miss? What types of problems (and how many) does this technique not discover? The correct rejections: How confident are you in your discount technique's ability to flag problems? Discount techniques are not a substitute for the potent combination of analytic and empirical methodologies that usability professionals can bring to bear in designing and evaluating an interface.

9.
《EDPACS》2013,47(8):20-24
Abstract

Security technology vendors relish throwing out numbers: We have “X” more pattern files or “Y” more algorithms than any other vendor. We have more [fill in this blank with your most-often-heard sales pitch] to make you more secure.

10.
Putnam  L.H. Myers  W. 《Software, IEEE》1999,16(1):90-96
How much is the year 2000 problem going to cost you? How long is it going to take you to get ready? Can you make it in time? The authors offer some practical advice. They consider how a good project planning and project monitoring tool set will be extremely valuable. Cost estimating tools and models will be very important in answering trade-off questions and keeping a handle on the actual impact of the Y2K remediation effort.

11.
Jon David 《Network Security》1996,1996(11):9-12
The opinion of many truly knowledgeable in the areas of security in general, and Internet security in particular, is that the only true security will come from full encryption. If the messages you send are encrypted, what does it matter if they are intercepted and viewed by unauthorized individuals? If an intruder breaks into your system or network and finds that all files are encrypted, what secrets will leak, what vital information can be altered without user knowledge? If your encryption algorithm is solid, and your encryption keys are both good (i.e. not readily guessed) and secure (i.e. not readily stolen — not written on a post-it note on your VDT, not written on the last page of your desk diary, not kept in a clear text file on your disk or sent in clear text on a LAN, etc.), and if you maintain complete, current and correct backups of all critical files (which you should certainly do, independent of any Internet connectivity), then at worst you may suffer inconveniences as a result of security breaches.

12.
Internet computing, harnessing global communication to increase computational power, is now possible. But will it ever truly be secure? Researchers have proposed various schemes to transform the Internet into the “Interputer”. Several companies are creating applications, tools, and protocols to harvest cycles from idling CPUs around the world, while compensating their obviously industrious users with offline and online gifts. Although the potential benefits of a universally accessible Interputer are undoubtedly extensive, a fundamental problem lurks backstage: How can you guarantee the accuracy of the results you receive from a remote computing node, which has just purportedly run the program you sent it? The article examines this question and suggests an answer involving cryptography.

13.
Enterprise Resource Planning (ERP) is the technology that provides a unified business function to the organization by integrating its core processes. ERP is now experiencing a transformation that will make it highly integrated, more intelligent, more collaborative, web-enabled, and even wireless. The ERP system is becoming a system with high vulnerability and high confidentiality, in which security is critical for it to operate. Many ERP vendors have already integrated their own security solutions, which may work well internally; in an open environment, however, we need new technical approaches to secure an ERP system. This paper introduces ERP technology from its evolution through architecture to its products. The security solutions in ERP as well as directions for secure ERP systems are presented.

14.
Bruce Schneier examines prospect theory and how it applies to computer security. The solution is not to sell security directly, but to include it as part of a more general product or service. Vendors need to build security into the products and services that customers actually want. Security is inherently about avoiding a negative, so you can never ignore the cognitive bias embedded so deeply in the human brain. But if you understand it, you have a better chance of overcoming it.

15.
Over the last 18 months or so, a great deal has been written about Public Key Infrastructure (PKI) technology in security magazines. Most vendors (and some consultants) will have you believe that these days almost every kind of enterprise will need a PKI for something. While PKI is undoubtedly a valuable new technology with many benefits, there are also several issues and pitfalls associated with it. These, unfortunately, are often understated. The aim of this article is to provide you with an overview of things that need to be resolved before PKI technology will become truly ubiquitous and transparent. It will also go into some of the fundamental questions you must ask yourself before embarking on a (costly) PKI project, as well as discuss different ways in which the technology can be deployed.

16.
SPEC CPU2000: measuring CPU performance in the New Millennium   Cited by: 1 (self-citations: 0, citations by others: 1)
Henning  J.L. 《Computer》2000,33(7):28-35
As computers and software have become more powerful, it seems almost human nature to want the biggest and fastest toy you can afford. But how do you know if your toy is tops? Even if your application never does any I/O, it's not just the speed of the CPU that dictates performance. Cache, main memory, and compilers also play a role. Software applications also have differing performance requirements. So whom do you trust to provide this information? The Standard Performance Evaluation Corporation (SPEC) is a nonprofit consortium whose members include hardware vendors, software vendors, universities, customers, and consultants. SPEC's mission is to develop technically credible and objective component- and system-level benchmarks for multiple operating systems and environments, including high-performance numeric computing, Web servers, and graphical subsystems. On 30 June 2000, SPEC retired the CPU95 benchmark suite. Its replacement is CPU2000, a new CPU benchmark suite with 19 applications that have never before been in a SPEC CPU suite. The article discusses how SPEC developed this benchmark suite and what the benchmarks do.

17.
Commercial software product vendors such as Microsoft, IBM, and Oracle develop and manage a large portfolio of software products, which might include operating systems, middleware, firmware, and applications. Many institutions (such as banks, universities, and hospitals) also create and manage their own custom applications. Managers at these companies face an important problem: How can you manage investment, revenue, quality, and customer expectations across such a large portfolio? A heuristics-based product maturity framework can help companies effectively manage the development and maintenance of a portfolio of software products.

18.
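A Secure and Efficient Mobile Micropayment Protocol   Cited by: 3 (self-citations: 0, citations by others: 3)
Wang Yangqin (汪杨琴) 《计算机工程》 (Computer Engineering) 2008,34(1):158-160
This paper proposes a mobile micropayment protocol based on Payword; the new protocol improves on the shortcomings of the Payword protocol. To make the protocol better suited to mobile commerce, it uses a symmetric encryption algorithm and applies multi-valued hash chains to transactions with different merchants, which reduces the storage and computation overhead on the user side. The protocol lowers the transaction cost of micropayments while preserving security.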

19.
《Micro, IEEE》2006,26(6):72-71
The author explained the various office actions that you are likely to see a patent examiner make (under legal sections 101-103 and 112) and briefly noted some other parts of the legal code that you are unlikely to encounter (legal sections 104, 105, and 113-122). In addition, the author mentioned the possibility of the examiner filing a restriction on your patent application. The two remaining sections, 102 and 103, address novelty and obviousness, respectively. Under section 102, the examiner cites a single reference to prior art that he claims is the same as your invention. That is, he makes the claim that your invention is not novel (new). This is usually cut and dried: he is either right, or he has misunderstood at least one of the inventions. Section 103 leaves you more wiggle room to argue, since it pertains to the murky area of obviousness. In a 103, the examiner cites not just one, but two or more references and claims two things: that combining the inventions in those multiple references will produce your invention; and that conceiving such a combination is obvious. In this column, the author explains five distinct dimensions in which you can argue to overcome a section 103 rejection. You may choose to argue in multiple dimensions, but if you do, make it clear at all times which dimension you are arguing, or your argument will be confusing.

20.
《Computer》2001,34(11):32-38
Most organizations recognize the importance of cyber security and are implementing various forms of protection. However, many are failing to find and fix known security problems in the software packages they use as the building blocks of their networks and systems, a vulnerability that a hacker can exploit to bypass all other efforts to secure the enterprise. The Common Vulnerabilities and Exposures (CVE) initiative seeks to avoid such disasters and transform this area from a liability to a key asset in the fight to build and maintain secure systems. Coordinating international, community-based efforts from industry, government and academia, CVE strives to find and fix software product vulnerabilities more rapidly, predictably, and efficiently. The initiative seeks the adoption of a common naming practice for describing software vulnerabilities. Once adopted, these names will be included within security tools and services and on the fix sites of commercial and open source software package providers. As vendors respond to more user requests for CVE-compatible fix sites, securing the enterprise will gradually include the complete cycle of finding, analyzing, and fixing vulnerabilities.
