Fully Updated: Australia, Canada, Estonia, India, Japan, Mauritius, Peru, Philippines, Turkey, US
Partially Updated: Brazil, Chile, China, Czech Republic, Denmark, Malaysia, Poland, Spain, UK
Figure 1: The status of the cybercrime laws in countries as found by the study. Source: McConnell International.

even half of the kinds of cybercrimes which must be addressed. It found that 33 of the 52 countries surveyed (see Figure 1) had made no changes to laws in deference to electronic crime. It calls for the development of an international model code because, “Few have the legal and technical resources necessary to address the complexities of adapting terrestrial criminal statutes to cyberspace.” And, “The weak penalties in most updated criminal statutes provide limited deterrence for crimes that have large scale economic and social effects.”

Harris Miller of World Information Technology and Services Alliance (WITSA) — also involved in the research project — said: “This report underscores the importance of ongoing public and private sector efforts to improve the security of cyberspace. By working closely with industry, governments can create legal regimes that deter cybercrimes while assuring continued technological growth and innovation.”

McConnell International is at www.McConnellInternational.com and the report, “Cyber Crime... And Punishment? Archaic Laws Threaten Global Information”, is freely available for download, as are copies of the relevant laws. Find Gartner Group at www.Gartner.com.
Management News
Acceptable Usage Policy guidelines free on Internet

Content filtering firm SurfControl has published a guide for companies who do not have the in-house expertise to write an effective security policy document. Martino Corbelli, marketing manager at SurfControl, had a hand in the writing of the Acceptable Use Policy (AUP) guide. He feels that the company has responded to a need expressed by businesses: they accept that firms need to have a policy, but do not know how to write or implement one. Even though SurfControl's business is selling filtering software, Corbelli admits that policy adherence can be achieved “through software or otherwise”. He said, “It shouldn't be just the one department... It's not about technology, it's about policy.”
Corbelli told CF&S that the distribution of a usage policy is just as important as its content. “It should be global or else you risk being accused of victimization. If a company monitors information without having a policy, they are infringing human rights.”

And the legal complications don't stop there. Corbelli cited the example of contradictory laws in the UK: the Regulation of Investigatory Powers Act and the Human Rights Act, both passed in October 2000. He described the situation as, “A polarisation of legislation, each is looking at it from an opposing view.” And, “Nobody quite knows which way it is going to go and many legal people are still waiting for test cases to clarify the situation.” He also called for guidelines from the data commissioner to clarify the law and furnish businesses in the UK with best practice guidelines. According to Corbelli, the guidelines have been postponed until after the upcoming elections in the UK, which are expected to take place in June.

Allied to the legal complexities are the cultural differences which dictate the nature of the relationship between personal privacy and employee monitoring. For example, “Some countries don't mind you looking at pornography on the Internet in the workplace,” Corbelli cited Scandinavia as an example. Although this first AUP is focused on the UK, the company is currently working on rolling out versions for other countries such as the US, parts of central Europe and Australia.

Corbelli concluded that companies need to, “Write a policy and communicate it to all the staff and then continue to update it.” If only it were that simple. The AUP is available for download as a PDF from www.surfcontrol.com/resources.
Firewalls under fire from analyst

Analyst Graham Titterington from research group Ovum has warned that companies who depend solely on a firewall to protect their networks are leaving themselves open to attack. Titterington commented, “In any security set-up, a firewall is needed but cannot be relied upon on its own.” And, “People are aware that they need to use a firewall, but are not so aware of its limitations.” He explained, “They succeed in keeping out brute force attacks and go some way towards preventing DoS (denial-of-service) attacks, but they are not going to defend against someone impersonating a valid user. A firewall works well as a filter but doesn't give a secure environment by itself.”

As long as businesses are ill-informed about the concept of multi-level protection, the firewall will continue to be something of a liability. They are also often misused. Iain Frankin of security firm Entercept explained, “Firewalls impose a heavy management load and require specialist staff to maintain the logs and security levels.” Because of the shortage of suitably skilled people to do this, many company firewalls are misconfigured.