PraxIS March 2003                    ISSN 1649-2374

Contents:  Information security, Honeynets, Pair Programming, Euro news, error zen

This issue online at http://www.sysmod.com/praxis/prax0303.htm

IN THIS ISSUE

Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success

Internet Security

ISSA talks by Winn Schwartau and Lance Spitzner

Software Quality

A report on XP Pair Programming productivity improvements

Euro news

Malta says yes

On the lighter side 

Is this an error?

15 Web links in this newsletter
About this newsletter and Archives
Disclaimer
Subscribe and Unsubscribe information

_______________________________________________________
 

WELCOME

The main focus of this issue is Internet Security,

I'm always ready for your comments!

Thanks for your interest,

Patrick O'Beirne

_______________________________________________________

_______________________________________________________

 

Risk Management

Internet Security

I attended the launch of the Information Systems Security Association in Dublin last month.

http://www.issaireland.org 

A good number (more than 100) turned up to hear Winn Schwartau, President & CEO Interpact Inc., talk and catch the books he threw at people who answered questions. In parallel with that, the TCD Network Society heard Lance Spitzner, a Senior Security Architect for Sun Microsystems Inc, talk about Honeynets.

Changing audience from the suits to the sweatshirts, I heard Lance Spitzner give a fascinating rapid-fire description of how the honeynets attract hackers all over the world. He teased his audience with geek questions, clicking his fingers to imitate the ticking of a clock as he waited for answers, but didn't throw any books at the respondents.

He is founder of the Honeynet Project, moderator of the honeypot maillist, and author of "Honeypots: Tracking Hackers", co-author of "Know Your Enemy". You can read Lance's articles at  www.spitzner.net

For a review of those books and others on security, I recommend Robert M. Slade's reviews at http://victoria.tc.ca/int-grps/books/techrev/review.htm (that is a *long* page, a 300K file!). You can also join the techbooks review list at yahoogroups.com.

TechCentral.ie has an article on the Irish Honeynet experiment. http://www.honeynet.ie/ "The blackhats and the hackers unwittingly show us step-by-step how they operate in the real world, thus enabling us to better secure our organisations against attack."

http://www.techcentral.ie/techcentral/corporate_it/security/honeynet_hack_attacks_come_daily_by_the_dozen.xml 

Winn Schwartau outlined the pitfalls in many common assumptions and described his own "Time Based Security" (TBS) approach.

The content of his talk can be obtained from his articles on line at:
http://www.shockwavewriters.com/Articles/art,WS.htm 

Itís About Time: Can We Actually Measure Information Security?
http://www.shockwavewriters.com/Articles/WS/itsabouttime.htm

"Some people unfortunately think that buying the strongest firewall or other security device is the answer to their problems. Wrong. Using TBS, my colleagues and I find that the first steps are to measure existing detection and reaction systems and then determine if they are acceptable. Getting several [time] values to approach 0 is core to TBS."

He's not afraid to be politically incorrect. While such fears are too easily easily stimulated in the present sense of tension in the USA, the job of security officers is to ask the unpopular questions.

What Keeps Me Up At Night!

"When we look at the politically incorrect, I get really scared. From what countries did we import tons of high-tech talent in the 1990s? Hundreds of thousands of people whose allegiance may not be to your company, to our country, to our style of life and culture."

http://www.shockwavewriters.com/Articles/WS/whatkeepsmeup.htm 

 

Are Your Systems Too Available?

http://www.shockwavewriters.com/Articles/WS/tooavaliable.htm 

"What two groups of people have virtually unlimited access to your entire facility?

The CEO? The Chief Information Officer? Accounting? Think again. Most companies give unfettered access to their cleaning staffs and private security forces.

Question two: Who are the two lowest paid groups at your company? You might think yourself, but the right answer is the cleaning staff and physical security guards again. "

 

Two Is Worse Than One

http://www.shockwavewriters.com/Articles/WS/twoisworse.htm 

"In some cities, companies buy redundant communications cables in the event of a disaster. However, if we trace the Ďredundantí wires a few blocks, what do we find? They end up in the same room of the same building, sharing the same wiring rack and sometime being combined onto an even higher bandwidth cable. So what are you paying thousands of dollars per month for? "

Personal Computer Security for Home and on the Road

http://www.shockwavewriters.com/Articles/WS/personalsec.htm 

"Itís really not that hard to get secure at the desktop or laptop, if you pay a bit of attention. Keep a few things in mind:

Use your passwords.
Make them strong.
Change them once in a while.
Enable secure screen savers
Use good A/V software
Update the A/V software often
Unbind your protocols
Add a personal firewall
Test your security periodically
Configure your applications
Compute responsibly, with care. "

 

A List of Security Mailing lists

http://lists.insecure.org 

 

_______________________________________________________ _______________________________________________________
 

Software Quality

XP: A Pair Programming Experience

I saw an interesting report on XP (eXtreme Programming) in the March 2003 Crosstalk magazine from the Software Technology Support Centre of the US Department of Defence. I.T. managers are usually reluctant to implement the XP practice of programmers working in pairs, because of a fear of a loss of productivity.   STSC tried pair programming and reported:

"The 127 percent gain achieved was phenomenal and a cause for celebration.

The error analysis showed the project had achieved an error rate that was three orders of magnitude less than normal for the organization. "

http://www.stsc.hill.af.mil/crosstalk/2003/03/jensen.html 

 

_______________________________________________________

_______________________________________________________

 

EURO:

http://www.rte.ie/news/2003/0309/malta.html

Malta 'votes yes to EU'

March 9, 2003

(19:20) The electorate in Malta's referendum yesterday voted by a narrow margin in favour of the country joining the EU.

Preliminary results showed the 'yes' campaign had obtained 53.5% of the vote in Saturday's poll. There was a huge turnout - electoral officials said 91% of the nearly 300,000-strong electorate had voted.

The result of the referendum is non-binding and will have to be validated by a general election, which is expected to be called soon. The most likely date is April 12, four days before the ten EU candidate countries are due to sign the EU accession treaty in Athens.

_______________________________________________________ _______________________________________________________

 

FEEDBACK

Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

 

On the lighter side

Zen-like error messages

"The Register" online news site had an amusing (well, funny to some of us, anyway) piece on error messages such as:

    "Nothing beyond".

    "The expected error did not occur".

    'There is no then'

http://www.theregister.co.uk/content/35/29487.html 

 

_______________________________________________________

_______________________________________________________
_______________________________________________________


Copyright 2003 Systems Modelling Limited, http://www.sysmod.com . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to 
EuroIS-subscribe (at) yahoogroups (dot) com
- it's free!

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the sysmod.com web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
_______________________________________________________
ABOUT THIS NEWSLETTER

"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".


_______________________________________________________
ARCHIVES

To read previous issues of this newsletter please visit our web site at http://www.sysmod.com/praxis.htm

DISCLAIMER

This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.

Copyright (c) SML 2003

_______________________________________________________
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!

PRIVACY POLICY:

We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website http://groups.yahoo.com/group/EuroIS/ 

_______________________________________________________