As a follow up on the last article about SSLVPN software and appliances, I was lucky enough to stumble upon a gold mine of a find called SSL-Explorer. This virtual appliance which can be installed on Windows or Linux and has everything that small/medium sized businesses would be looking for in a SSLVPN solution at an affordable price.

SSL-Explorer offer’s many authentication methods such as Active Directory, LDAP, Radius and multi-factor authentication which would accommodate the most secure of environments. This feature rich software provides many configuration options which include web forwards which allow for Intranet access from anywhere in the world. The Network places extension which provides the administrator the option to allow access to internal FTP and Windows CIFS/SAMBA systems. The application extension includes the Microsoft RDP client, Putty, VNC and WINSCP for easy access to internal resources without giving up the keys to the kingdom. Although if additional access is required a Network extension is provided that will actually give IP access to your internal network and allow tele-workers to function outside the office at a very reasonable cost.

In addition to the application features a granular access control panel is provided to the administrators of the system. The lockdown options of SSL-Explorer include individual logins, group membership, policies associated with individual groups, granular access rights to the system and IP restrictions to prevent unauthorized connections.

If all the above is not enough to sell you on trying SSL-Explorer the company offers a freeware package which provide many of the above mentioned features except for a few which require a license key to activate. I have been using this software for about a year and would highly recommend it to anyone looking for a remote access gateway.

See:  http://sourceforge.net/projects/sslexplorer/

SECNAP Chief Technology Officer to Speak at Hacker Halted Conference

Michael Scheidell Will Deliver Opening Keynote Address

Boca Raton, Fla. - May 6, 2008 - Michael Scheidell, chief technology officer for SECNAP® Network Security Corporation, has been selected to deliver the opening keynote address at the Hacker Halted Conference on Sunday, June 1, 2008 at the Marriott Resort at Grande Dunes in Myrtle Beach, S.C.

Hosted by EC-Council, Hacker Halted will debut in the United States May 28 to June 4 in conjunction with the Techno Security Conference. Hacker Halted will feature some of the top speakers in the world, and is in its tenth year raising international awareness toward increased education and ethics in Information Technology security.

Michael Scheidell is a recognized expert in network and data security with a rich history of innovation. Since 2001 he has aggressively pursued the development of advanced security technology with impressive results, including a patent-pending intrusion detection and prevention system and a revolutionary spam solution.

Scheidell's presentation proposes that three additional, undocumented layers of the Open Systems Interconnection (OSI) model exert a powerful influence on information security decisions, and is intended to help delegates manage these influences to become more effective in their organizations and more successful in their careers.

Delegates will include chief security officers (CSO), chief information security officers (CISO), and other C-level executives as well as information technology management, security architects and engineers, auditors and practitioners of information technology across a variety of industries.

The Hacker Halted Conference also affords attendees the opportunity to complete training for certification by EC-Council as a Certified Ethical Hacker, Computer Hacking Forensic Investigator, and Licensed Penetration Tester. For additional information visit www.hackerhalted.com and www.eccouncil.org.

About SECNAP
Founded in 2001 in Boca Raton, Fla., SECNAP Network Security is a leading provider of network security solutions for organizations ranging from small businesses to global enterprises. The company's innovative products include SpammerTrap® and Hosted SpammerTrap®, which block malicious spam, viruses, and phishing emails; HackerTrap(TM), a patent-pending managed network security system that protects company assets; and expert Testing and Auditing services including Information Technology and regulatory compliance audits. SpammerTrap was named a Hot Product at the 2008 XChange Solution Provider Conference. SECNAP is a Technosium Hot Company of 2008. For more information, visit www.secnap.com.

http://www.secnap.com

http://www.hackerhalted.com

# # #

Contact:
Gail Blount
561-999-5000
gblount@secnap.com

Kind regards,
Gary

Gary Hinson
Passionate about security awareness
www.NoticeBored.com Creative awareness materials
http://www.iso27001security.com/ ISO/IEC 27000 standards

Canadian Data breach notification guidelines – jointly created by the Information and Privacy Commissioners for British Columbia and Ontario – have made their way to the land down under.

Last week, Australian Privacy Commissioner Karen Curtis released the Voluntary Information Security Breach Notification Guide, which aims to assist organizations in effectively responding to information security breaches. The draft guide credits voluntary guidelines by both the Privacy Commissioners of Canada and New Zealand.

“We had worked with the New Zealand privacy commissioner and showed her our breach notification assessment tool,” Ann Cavoukian, Information and Privacy Commissioner of Ontario, said. “She took it and developed one in New Zealand similar to ours. It’s great to see Australia follow suit.” The jointly created Canadian breach notification guide was created in December 2006 and outlines steps on when and how to notify affected individuals.

“When you’re notifying somebody of a breach relating to their data, you’ve got to be perfectly clear and concise,” Cavoukian said. “In regards to the preferred method of notification, we think direct contact either by phone, letter or in person are the most effective methods.”

As for what to include in the notification, the assessment tool advises organizations provide a general description of what happened without a lot of legal jargon, outline the steps taken thus far (and will be taken in the future) to control or reduce the harm, and the steps the individual can take to further protect themselves.

“You’ve got to be practical and do things as quickly as possible,” Cavoukian said. “You need to contain the damages, get the notices out, fix the problem and prevent it from reoccurring. You’ve also have to be practical about it and notify people in a way that’s not full of legal legalese and provides clear notice as to what you’re doing.”

Currently, Australia’s privacy legislation does not specifically require an agency or organization to notify individuals, or even the privacy commissioner, of a data breach. However, an amendment to the Australian Privacy Act to require mandatory data breach notification is under way.

The same story is playing out in Canada. Last year, the federal government recommended that data protection laws – specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) – be amended to include requirements for companies to notify individuals when their personal information was subject to a security breach.

Cavoukian hopes the breach notification assessment tool, along with the influence it is having on the other side of globe, will inspire the federal government to implement an effective and common sense approach on breach notification.

“They’re certainly aware of our guidelines, so I’m sure it’s food for fodder for them,” she said. “We’ve had very good feedback on our guidelines and I’m sure it’ll be one of the things that they take into consideration.”

But some organizations such as the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC) want the government to go even further. Responding to an Industry Canada request for public consultation on data security laws earlier this year, CIPPIC recommended that mandatory reporting of data breaches to a publicly-accessible electronic registry is the most effective way to persuade corporations to shore up their potential security risks.

“We’ve been pushing for notification requirements for years, because it’s obvious to me and my colleagues that, by and large, corporations are not doing as much as they should be to secure the personal information in their possession,” Pippa Lawson, executive director at CIPPIC, told ComputerWorld Canada earlier this year. “Our conclusion from years of research is that the market does not provide efficient incentives for effective security precautions, because in most cases, companies can hide the breaches and they are never publicly known about.”

Lawson said that while the government’s interest in drafting better data breach notification laws is positive, Ottawa needs to take it a step further and require mandatory public reporting as well.

“There’s two ways that you can create incentives for companies to take strong security measures: one is to make them pay financially through penalties and fines, and two is to give them bad publicity that can be even more costly,” Lawson said. “If there is a real risk of negative publicity for these companies, the CEOs will make sure that they put more resources into security.”

David Senf, director of security and software research at Toronto-based IDC Canada Ltd., said Canada would benefit greatly from similar privacy legislation passed in California, which mandates organizations to reveal to customers that personal data has been compromised.

“Organizations in this country don't fear the repercussions of PIPEDA,” Senf said earlier this year. “Stronger legislation will go a long way in convincing organizations to tighten up security for better privacy protection.”

Cavoukian, however, disagreed on taking such a punitive approach. As a regulator, she said, her concern is to ensure when something happens that it’s addressed immediately and as quickly as possible to benefit the affected individuals.

“You can almost take as a given that over time, virtually every company is going to make an oversight or a mistake and have some kind of data breach,” Cavoukian said. “My experience in working with organizations is that as soon as they know there’s a breach, they’re really motivated to cure the harm and prevent it. If you create a database of who did what and how many times they did it, I just don’t know how effective it would be.”

Copyright © 2007
ITworldcanada.com

Click HERE to see original article on IT World Canada web site

Dear Mr. Clement Dupuis,

Welcome to the April 2008 issue of COBIT Focus, a newsletter designed specifically for users of Control Objectives for Information and related Technology (COBIT). This newsletter provides updates on COBIT developments and is meant to provide a vehicle for sharing COBIT experiences.

You have received this e-mail message because you have participated or expressed interest in ISACA/ITGI products and services. The e-mail address was provided by you through the ISACA/ITGI web sites or other direct means. We did not purchase your e-mail address, nor do we provide your e-mail address to any third party.

We invite you, a member of the growing user community, to submit articles for publication in future issues. For more information on this opportunity, please e-mail the editors at publication@isaca.org. Additionally, please let us know what you think of the issue. Your responses will help us evaluate the value of the newsletter to COBIT users and identify any necessary changes. Please help support this initiative by submitting comments and articles to publication@isaca.org.

Volume 2 2008 of COBIT Focus is now posted online and may be accessed at www.isaca.org/cobitnewsletter.

The following articles are found in the April issue:
- COBIT and IT Governance: Focusing on IT Governance, Value Delivery and IT Investment Evaluation, by John W. Beveridge
- CGEIT Credential Meets Business Demands for IT Governance, by John Lainhart
- Adoption of COBIT by Multiplan, by Romulo Gouvêa and Tiago Quadra
- COBIT: An IT Governance Tool for the CIO and CEO, by Romulo Lomparte
- ISACA COBIT Education

www.isaca.org/cobitnewsletter

======================================================================
ISACA Member Benefit of the Month

The Information Systems Control Journal is an authoritative, peer-reviewed publication that has reported on topics such as Internet security, IT governance, computer crime, information integrity, computer confidentiality issues and IT risk management. ISACA members receive a subscription to the print version of the Journal which is published six times a year. Members also have exclusive access for one year to the online version, JOnline, which features additional articles not featured in the print version. Visit www.isaca.org/currentissue to view the latest Journal today!

What is Geekonomics about?

Geekonomics is about the astonishing lack of consumer protection in the software market and how this impacts economic and national security. Software buyers are literally crash test dummies for an industry that is remarkably insulated against liability, accountability, and responsibility for any harm, damages or loss that should occur because of manufacturing defects or weaknesses that allow cyber attackers to break into and hijack our computer systems. As a matter of good public policy, this is unacceptable and must change.

Geekonomics is also about us and why we behave the way we do when it comes to protecting ourselves in cyber space. As such, Geekonomics is about incentives. Specifically, Geekonomics is about incentives that affect three groups of people: consumers, software manufacturers, and hackers. Each group has incentives for making, buying, and breaking into computer systems that are rife with defects, errors, and weaknesses. This book explains these incentives and how new and different incentives are necessary to address the problem of “bad” software.

Finally, Geekonomics is a book for everyone, not just for geeks or technophiles, because frankly, in modern civilization, how and when software touches us is less our choice every day.

Why is there a bridge on the cover of Geekonomics?

A bridge is infrastructure you can see. Software is infrastructure you cannot see. But the quality of software construction affects you as surely as the quality and attention to detail given to bridge construction. Perhaps more so. Software is the stuff of modern infrastructure and this infrastructure is pervasive and global.

Geekonomics strives to help you compare software with things like bridges and cement (among many others) that you are familiar with in the physical world. By relating what you are familiar with, with what you perhaps are not so familiar with, my hope is that the full scope and impact of software on your daily life will become more apparent.

Why is Geekonomics a necessary and novel approach to the dangers confronting national infrastructure?

The discussion about software security and how it impacts national infrastructure has largely been dominated over the decades by very smart, but very technically-oriented individuals. As such, their response to the “software problem” has been almost unanimously technical. It has also alienated the very people that software impacts: us. The problem of bad software has been a discussion lead by experts for experts. This was necessary, but far from complete. Software is so pervasive in modern civilization that the discussion should not be limited only to experts.

As Geekonomics argues, insecure software is as much an economic issue as it is a technology issue. This is a critical matter of public policy. Without proper incentives, technology alone will not address the problem of “bad” software. In short, incentives matter. To change the story of “bad” software, the incentives must change.

What do you want people to take away from reading Geekonomics?

We are all in this together. We are all, as economists like to say, trying to “maximize our utility.” That is, we, each in our own way, are trying to make our lives as absolutely pleasant as possible. But society is a morass of competing, mis-aligned, and contradictory incentives. This means individual actions, though beneficial to ourselves, may detrimentally affect others.

Though my tone is often times urgent and forceful in Geekonomics, I am not blaming software manufacturers in their entirety for the sorry state of cyber space. Software manufacturers are not consciously trying to harm you, hoodwink you, or otherwise cheat you; however, as Geekonomics argues, software manufacturers do not currently have sufficient incentives to look out for your well-being in a meaningful manner either.

A similar scenario existed in 1950s and 1960s America relating to auto manufacturers. Auto manufacturers were not trying to kill people when building cars that were more aesthetically pleasing than safe. But the result was tragic nonetheless. Market incentives simply promoted cars that were festooned with chrome and tailfins, but deadly in their operation.

Without meaningful incentives that held auto manufacturers to account, the modern car would not nearly be as safe as it is today. Geekonomics makes a similar argument regarding software. Wonderful graphical interfaces and “feature-rich” software are the modern equivalent of chrome and tailfins. Compelling indeed, but far from safe or secure, unless meaningful incentives exist to make it so.

Consumers are not without culpability however. Consumers are participants in the software market just as much as software manufacturers. Consumers too have an impact in what they demand, or do not demand, from software manufacturers.

Arguing which is more culpable for the sorry state of cyber space, consumers or software manufacturers, simply benefits the third group: hackers. The incentives of the software market must change for both consumers and manufacturers. The cyber attackers exploiting our computer systems are hungry, relentless, and cunning. Software needs to be suitable to the task and position we have given it within our national infrastructures. The incentives for attackers are simply too compelling to do otherwise.

The Real Cost of Insecure Software

• In 1996, software defects in a Boeing 757 caused a crash that killed 70 people…

• In 2003, a software vulnerability helped cause the largest U.S. power outage in decades…

• In 2004, known software weaknesses let a hacker invade T-Mobile, capturing everything from passwords to Paris Hilton’s photos…

• In 2005, 23,900 Toyota Priuses were recalled for software errors that could cause the cars to shut down at highway speeds…

• In 2006 dubbed “The Year of Cybercrime,” 7,000 software vulnerabilities were discovered that hackers could use to access private information…

• In 2007, operatives in two nations brazenly exploited software vulnerabilities to cripple the infrastructure and steal trade secrets from other sovereign nations…

Software has become crucial to the very survival of civilization. But badly written, insecure software is hurting people–and costing businesses and individuals billions of dollars every year.

This must change. In Geekonomics, David Rice shows how we can change it.

• Hardcover: 384 pages
• Publisher: Addison-Wesley Professional; 1 edition (December 9, 2007)
• Language: English
• ISBN-10: 0321477898
• ISBN-13: 978-0321477897

Geekonomics: The Real Cost of Insecure Software

Reputation is what others say about you.

Character is what you really are as evidenced by your actions when no one is observing.

IMPORTANT DISCLAIMER: Readers are advised that this essay be considered as common sense advice, not legal advice. For that you need to go to a lawyer.

IT security is a multibillion dollar industry which has necessitated new and constantly revised laws in almost every state on earth. These laws address the criminal aspects of aggressive and deliberate business or personal privacy invasion and information disruption or destruction via various technology mediums; commonly referred to as “hacking”, or more accurately “cracking”.

So what is the “low” technology threat that goes largely unnoticed by the community, ignored by criminal prosecutors and yet the cause of billions of dollars in irreparable damage to business goodwill, personal reputation, and very significantly to the emotional well being of the human victims? The threat is called “LIBEL”; a form of the ancient legal theory of “SLANDER” with origins in Roman jurisprudence.

This issue is close to my heart because I have had a very frustrating and bitter experience therein. I have purposed to collaborate with experts from various fields including psychology, technology, legal and public relations to produce resources to assist victims in their efforts to remedy the wrongs and for potential victims to mitigate the risks. These resources will be made available for free as they become available through the Mile2 website. Victims of online libel are invited to contact me if they would like access to templates, resources and specific advice.

"Defamation" is the term used internationally to generally describe an injury to reputation. “Slander” and “Libel” are false or malicious claims that may harm someone's reputation. Slander and libel both require publication with the fundamental distinction between the two lying solely in the form in which the defamatory material is published. If published in some fleeting form, such as spoken words or sounds, sign language, gestures and the like, then this would be slander. If it is published in more durable form, such as in written words, film, data disc (CD or DVD), blogging, web sites and the like, then it is considered libel. The key to these definitions is that the statements must be false. If someone published the truth about a person, it IS NOT slander or libel. Slander and libel are not protected forms of free speech under the US First amendment.

In law, defamation is the communication of a statement that makes a false or deceptive claim, expressively stated or implied to be factual, that may harm the reputation of an individual, business, product, group, government or nation. Most jurisdictions allow legal actions, civil and/or criminal, to deter various kinds of defamation and retaliate against groundless criticism. Related to defamation is public disclosure of private facts where one person reveals information which is not of public concern and the release of which would offend a reasonable person. Unlike libel or slander, truth is not a defense for invasion of privacy.

See the full essay here: Michael Roberts of Mile2 IT Security Discusses Libel & Google Reputation

April 2008 Contest

This month we're stepping it up a bit and giving away a Check Point Safe@Office Wireless firewall appliance to one lucky registered user.

There's a catch though. You must submit a 500 word article discussing any topic that is information security related.

Submissions are posted below where the community will have the opportunity to vote on the best article.

All submissions should be sent to peter@theacademy.ca.

Please post your votes in the forum using the Monthly Contests -> April 2008 thread at:

http://www.theacademy.ca/index.php?option=com_fireboard&Itemid=138&func=showcat&catid=44

The article with the most votes will win.

Deadline for article submission is April 27. All votes must be in by April 30.

Someone listed the total number of CISSP's worldwide as of 4/22/2008.

There are total 57602 members overall.
(56791 CISSPs and 810 SSCPs)

As it was indicated this number seems to increase by a few hundreds every month.

This is a long way from the few thousands we had about 10 years ago.

Best regards to all

NOTE FROM CLEMENT:
===============

Dan is someone who has been a long time supporter of the cccure.org website. I strongly encourage you to join his mailing list. It is always packed with treasures and great resources. Dan spends a lot of time researching resources and evaluating them. It is really worth subscribing to his mailing list.

Here is a note from Dan:

Good afternoon,