G Saunders' Home Page

Security & Professional Standards in IT

Any discussion of software these days needs to start with three admonitions: security should be _designed_ into systems; it is not always feasible to _add_ security to a system that was built without it; and a system's first security breach may be the event that ends its owners' enterprise or organization. IT professionals have developed a legacy of standards and recommendations for securing and operating information systems. Ignorance of them is no defense against blame or liability claims when a system is robbed of 'sensitive' data or is otherwise lost or corrupted.

Most security breaches are the fault of application software, not operating systems. For example, WordPress, the heart of more than 300,000 of the blogosphere's engines, has had a recent spate of vulnerabilities in the add-on applications available for it, which disclosed personal information inappropriately or allowed the destruction or defacement of blogs' content.

Windoze and the *ixes (Linux & proprietary Unix) all provide more than adequate capabilities for securing an application environment's OS, DBMS, email and web servers. But much of a typical application environment's security is provided by the application software itself, not by the platform beneath it.

Most of the 'vulnerability' in today's systems comes from poorly designed or poorly detailed application software that fails to provide 'access control', 'authentication & authorization', 'non-repudiation', 'version control', or other key components of system security.
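The following is an added example, not code from the original page, showing the most common of those application-level failures: a handler that trusts a record id from the request without checking who is asking, beside a hardened version that authenticates, then authorizes, then looks up the record and writes an audit entry. The records, user names and roles are constructed for illustration.

```python
"""Added example, not from the original page: an application-level access
control defect (an insecure direct object reference) beside a hardened
handler that authenticates, then authorizes, then looks up the record.
The records, users and roles below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed data store: each record belongs to one user.
RECORDS = {
    101: {"owner": "alice", "body": "alice's lab results"},
    102: {"owner": "bob",   "body": "bob's lab results"},
}
# Constructed role table: 'staff' may read any record, 'patient' only their own.
ROLES = {"alice": "patient", "bob": "patient", "carol": "staff"}

# Audit trail (accountability): every decision, allowed or not, is recorded
# so that an access cannot later be disputed.
AUDIT_LOG = []


@dataclass
class Session:
    user: Optional[str]          # None means the caller never authenticated


class AccessDenied(Exception):
    pass


def get_record_vulnerable(session: Session, record_id: int) -> str:
    """The defect: the id taken from the request is trusted as-is.  Anyone who
    can guess or increment an id reads that record, authenticated or not."""
    return RECORDS[record_id]["body"]


def get_record_hardened(session: Session, record_id: int) -> str:
    """Authentication first, then authorization, then the lookup."""
    if session.user is None:
        _audit(None, record_id, False)
        raise AccessDenied("authentication required")
    record = RECORDS.get(record_id)
    role = ROLES.get(session.user)
    allowed = record is not None and (role == "staff" or record["owner"] == session.user)
    _audit(session.user, record_id, allowed)
    if not allowed:
        # One message for 'missing' and 'forbidden', so valid ids cannot be
        # enumerated by telling the two responses apart.
        raise AccessDenied("no such record or not permitted")
    return record["body"]


def _audit(user, record_id, allowed):
    AUDIT_LOG.append({"user": user, "record": record_id, "allowed": allowed})


def is_denied(session: Session, record_id: int) -> bool:
    """Helper for checking outcomes: True when the hardened handler refuses."""
    try:
        get_record_hardened(session, record_id)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    print(get_record_vulnerable(Session(None), 102))   # leaks bob's data to an anonymous caller
    print(get_record_hardened(Session("bob"), 102))    # bob reads his own record
    print(is_denied(Session("alice"), 102))            # True: alice may not read bob's
```

The vulnerable handler is a single line and looks harmless, which is why this class of bug survives code review. The hardened one makes every decision explicit and, through the audit log, leaves a record that can be checked afterwards; in a real application the log would be written to durable storage rather than a list.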

Recent & Current Issues in IT Security

This section, originally posted a few years back, introduces issues that continue to be hot today. We're waiting on word from the Supreme Court about the legality of tracking cell-phone movements using records from cell towers...

Prism and Upstream are two continuing NSA projects to collect every shred of data stored or transmitted on-line, plus phone calls overseas and whatever is 'tapped' onshore. This Massive Data Center in Utah is coming up in phases to keep it all indefinitely. The NSA also provides an excellent pdf, Defense In Depth, a practical guide to IT security.

The NSA's not the only outfit snooping your Web traffic. Here's What an Eavesdropper Sees when you use unsecured WiFi. Anybody with access to the Internet's routers or application servers can see and soak up your packets as they fly by. I set up my elderly sister's email on earthlink, using an entirely new and unique address, and within a week she had so much spam in her inbox that it was hard to see the few emails from me and my nephews and nieces, and somebody hijacked her account. Insecure POP3 was the culprit here; it is easy for crackers to filter out the packets carrying userids and passwords.
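To make the POP3 point concrete, here is an added example (not from the original page, and not the eavesdropper's own tooling) that reconstructs what a passive listener reads from an unencrypted POP3 login and applies a simple detection rule to a captured session. The three session transcripts are constructed; the `C:`/`S:` prefixes mark client-to-server and server-to-client lines the way a network monitor might reassemble them. The port numbers and the STLS and AUTH PLAIN commands are the standard ones (RFC 2595 and RFC 5034).

```python
"""Added example, not from the original page: what a passive eavesdropper on
an unencrypted POP3 session can read, and a detection rule that flags logins
that crossed the wire in the clear.  All transcripts are constructed."""
import base64

# Constructed session on plain POP3 (port 110): USER/PASS in the clear.
CLEARTEXT_SESSION = """\
S: +OK POP3 server ready
C: USER jane.doe@example.net
S: +OK
C: PASS s3cret-hunter2
S: +OK Logged in.
C: QUIT
"""

# Constructed session using SASL PLAIN.  base64 is an encoding, not
# encryption: the blob decodes to NUL user NUL password.
_PLAIN_BLOB = base64.b64encode(b"\0jane.doe@example.net\0s3cret-hunter2").decode()
AUTH_PLAIN_SESSION = f"""\
S: +OK POP3 server ready
C: AUTH PLAIN
S: +
C: {_PLAIN_BLOB}
S: +OK Logged in.
C: QUIT
"""

# Constructed session that upgrades to TLS with STLS before logging in; from
# the upgrade onward the monitor sees only ciphertext.
STLS_SESSION = """\
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
[TLS handshake and encrypted application data]
"""


def _decode_plain(blob):
    """Decode a SASL PLAIN message (authzid NUL authcid NUL password)."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def harvest_credentials(transcript):
    """Return the (user, password) pairs readable from plaintext client commands:
    USER/PASS, and AUTH PLAIN in both its one-line and two-step forms."""
    creds, user, expect_blob = [], None, False
    for line in transcript.splitlines():
        if not line.startswith("C: "):
            continue
        payload = line[3:]
        if expect_blob:               # second step of AUTH PLAIN
            expect_blob = False
            decoded = _decode_plain(payload)
            if decoded:
                creds.append(decoded)
            continue
        cmd, _, arg = payload.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
        elif cmd == "PASS" and user is not None:
            creds.append((user, arg))
            user = None
        elif cmd == "AUTH" and arg.upper().startswith("PLAIN"):
            _, _, blob = arg.partition(" ")
            if blob:
                decoded = _decode_plain(blob)
                if decoded:
                    creds.append(decoded)
            else:
                expect_blob = True
    return creds


def cleartext_login_detected(transcript, implicit_tls=False):
    """Detection rule: PASS, AUTH PLAIN or AUTH LOGIN sent before a successful
    STLS on a plain-POP3 connection is a leaked credential.  Sessions on the
    implicit-TLS port (995) are encrypted from the first byte and never flag."""
    if implicit_tls:
        return False
    encrypted = pending_stls = False
    for line in transcript.splitlines():
        if line.startswith("S: "):
            if pending_stls:          # the server's answer to STLS decides it
                encrypted = line[3:].startswith("+OK")
                pending_stls = False
            continue
        if not line.startswith("C: "):
            continue
        cmd, _, arg = line[3:].partition(" ")
        cmd = cmd.upper()
        if cmd == "STLS":
            pending_stls = True
        elif cmd == "PASS" or (cmd == "AUTH" and arg.upper().startswith(("PLAIN", "LOGIN"))):
            if not encrypted:
                return True
    return False
```

Run `harvest_credentials` over the first two transcripts and the user and password come straight out; run it over the STLS one and nothing is recoverable, which is the whole reason to insist that mail clients use STLS or the implicit-TLS port. The detection rule is the kind of check a monitoring sensor can apply to every session on port 110 to find clients that are still logging in the old way.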

Long before email, texting, and Web 2's social networking, Microwave Spying was soaking up trans-oceanic traffic, sometimes from satellites and other times by sticking an antenna into the signal between the transceivers on the roof or in the window of a building that happens to sit in the beam. It's more difficult to tap fiber-optic cables mid-ocean than copper-wired ones, but it's possible. Spying on digital circuits may be legal under a court order, but contractors and employees of long-line and local communications carriers can do it without any such order...

Here are some links about security issues in application code: the Top 25 Most Dangerous Software Errors; SANS also provides the 20 Critical Security Controls.

CyberCiti suggests 20 Linux Server Hardening Tips.

Study guides for Security+, Certified Ethical Hacker, and other IT security certifications provide more detail and are heartily recommended for any student wanting a career in IT, along with setting up your own web and mail server, securing it, and studying its logs...

Lecture Topics:

G Saunders,
Dept of Information Systems
VCU School of Business


Content © 1999 - Today
By G Saunders
Images are Available on the Web