Computer security: Readings from security management magazine


Vol. 9, No. 9, Page 13

or Fischer International Systems Corp, 4073 Merchantile Avenue, in Florida, Naples, FL 33942, USA; tel: toll-free 800-237-4510; call collect 813-643-1500.

SECURE DISK ERASURE UTILITY

Sophos, the Oxford-based data security specialists, have announced a software utility for secure erasure of entire floppy or Winchester disks. The PURGE program completely erases all information held on a disk, with no danger that any of it could be recovered, Sophos claims. Disks with sensitive information left on unused sectors present the single most common computer security risk. PURGE can either perform 'quick' erasure, or for top security applications it can erase a disk to full Government specification. It is simple to operate and can be used by ordinary mortals as well as by computer experts. PURGE has safety features which prevent inadvertent erasure of the wrong disk. PURGE is available for most computers running MS-DOS or PC-DOS, including the entire IBM and compatible range. It costs £29.50+VAT. For further information, contact: Dr. Peter Lammer, Sophos Partners, 20 Hawthorn Way, Kidlington, Oxford OX5 1EZ, UK; tel: 0865-853668.

BOOK REVIEW FILE

Computer Security: Readings from Security Management Magazine, edited by Shari Mendelson Gallery, published by Butterworths, £31.00 (softbound), 1987 292pp+index.

Security Management is the monthly magazine of the American Society for Industrial Security, a worldwide body devoted to the protection of corporate and institutional assets. This book is a compilation of articles on computer security, arranged by topics, written between 1979 and 1986. A few articles from other sources have also been included.

Compilations can be a cheap substitute for good writing where an author can develop a topic and cover the ground as he sees fit in the text. The problem with today's computer systems is that the range and depth of knowledge is frequently beyond that of a single author. Collections of articles (when well selected) are far better since each author concentrates on his areas of expertise. This book contains a particularly good selection of authors and it is clear that the editor has done her task of selection very well.

Part I, "Computers - a source of security concern", outlines the principles behind dealing with the problem, and indeed the nature of the problem itself. For instance, one article stresses that as people are the weakest link in any security system, the success of any security efforts should depend on the integrity of the smallest number of people possible. Elsewhere we read that DP people and security people have different work attitudes, needs, and experience - there is a real need for each group to understand the other.

© 1987 Elsevier Science Publishers B.V., Amsterdam./87/$0.00 + 2.20

No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)

Vol. 9, No. 9, Page 14

Part II, "Evaluating the risks", deals with the quantification of various species of risk, e.g. financial, physical, and legal risks. Various methods are presented. The reader is cautioned that US law may have moved on since these articles were written. However, as might be expected in a compilation from a US magazine, there is no mention of the UK and European legal positions.

The following section, "Focusing Protection Effects", deals with the application of security procedures to specific fields. For example, a General Electric executive describes how the company set up a task force to research and manage its particular needs. Further on, a fierce little article tells you how to debrief - which means scare the pants off - a departing employee. What it does not cover, however, is the problem of computer staff working out their notice.

In Part IV, "Identifying the Threat", the first article discusses who the computer criminals are. This may be too anecdotal to be of general application but it could help in developing risk management rules for evaluating personnel in an Expert System. The second article is about a project carried on between 1975 and 1979, researching into computer crime in the US. One doubts whether much of this will be of help today because the technology and the systems in use now have different vulnerabilities.

Part V is entitled "Managing EDP and Information Security", and contains both theoretical and specific material, ranging over a broad area. For instance, two articles deal with disaster recovery. Another deals with the struggle of security staff to keep up with technical change. Further on there is an introduction to the uses of cryptography in computing.

Part VI deals with physical security issues, such as fire precautions, protection of underfloor wiring, and the destruction of sensitive waste. It is interesting to note that one author praises the safety of Halon as a fire suppressant, while another author points out that under certain conditions it can decompose into toxic compounds.

Part VII deals with software controls and how to select and implement them. The final part of the book contains a short piece on the rapidly changing area of proof of facts in litigation: the role of the document expert in proving the origin of contested documents in computer abuse investigation.

To sum up, this work packs into a short volume a great deal of expert advice. It could be very useful to auditors and trainee auditors who are getting to grips with the technology.

Feliks Kwiatkowski and Alistair Kelman.