- Email: [email protected]
Security job descriptions in disarray
printlayout.qxd
8/13/02
10:26 AM
Page 2
news According to MrHappy “roaming wireless networks is a grey area when it comes to intrusion. The airwaves belong to the people and not to the corporations and companies that use them. This is very different from a physically-wired network in which it all does in fact belong to someone”. The WISE project has reportedly not encountered anything blatently malevolent so far. If other projects are strategically positioned in major cities, it may help to get a clear picture of the threats. Of course it may not attract the number of hackers that a conventional honeypot manages to capture because of the fact that a hacker must be physically accessible to the access point involved. Hackers can’t sit comfortably in a safe environment and breach networks; they must make a physical effort to gain physical closeness to the network. There are different types of Honeypots; hardware-based, software emulation honeypots, and honeynets, which are a network of honeypots. Lance Spitzner an engineer at Sun Microsystems Inc. was involved in the creation of the Honeynet Project. According to Spitzner Honeypots are “beter than intrusion detection
systems because they IDS give s you a lot of false positives” he as reported in IT Managment. “You get 8000-10 000 alerts a day with IDS. You don’t know what to pay attention to. You get overwhelmed and you start ignoring it all. When a honeypot generates an alert, it’s a real attack. No one should be connecting to it because it’s not an actual production network.” Some experts are recommending that honeypots should be an integral part of a companies defence line.
industry news
Security job descriptions in disarray There is no European or US consistency for security job descriptions in online advertisements as indicated by recent research conducted for Network Security. The results revealed absolutely no correlation across a variety of countries for a mixture of corporations. Remarkable inconsistencies were apparent relating to job titles, job descriptions and desired qualifications. The only two job titles, which appeared over three
ISSN: 1353-4858/02/$22.00 © 2002 Elsevier Science Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Science Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use. Permissions may be sought directly from Elsevier Science Rights & Permissions Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, E-mail: [email protected]. You may also contact Rights & Permissions directly through Elsevier’s home page (http://www.elsevier.nl), selecting first ‘Customer Support’, then ‘General Information’, then ‘Permissions Query Form’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (978) 7508400, fax: (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) 171 436 5931; fax: (+44) 171 436 3986. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal
2
times were the titles of Security Administrator and Security Analyst. The Security Administrator job title was used in 15 out of 100 online postings. Many of the job descriptions listed were vague with little detail. This could lead to an increase in the applications of unqualified candidates. But on the other hand Charles Cresson Wood, a security author comments that “companies do not want to externally publish information security details in advertisements because this could lead to a compromise”. Also the widespread inconsistencies could be due to the “vast differences in job profiles within many diverse organizations in different market sectors” according to Cresson Wood.
piracy news
Hollywood crack down on piracy Copyright holders may now be legally authorized to hack user computers with downloaded pirate software. US Rep. Howard L. Berman (D-Calif.) proposed legislation to allow
copyright holders to impose new technological measures to stop peer-to-peer network piracy. After the collapse of Napster, music piracy has begun to exploit peer-to-peer networks, which don’t have a central server like Napster to target. Copyright holders have to deal with piracy on a computer-by-computer basis. Berman told Congress that there is no “silver bullet” to halt piracy using peer-to-peer networks but he intends that this bill will, “enable responsible usage of technological self-help measures to stop copyright infringements on P-to-P networks”. The advantages of broadband and more sophisticated software have led to the acceleration of piracy. Although the actual details of what technologies could be used by copyright holders were not unveiled to Congress, Berman commented that the methods employed should not damage user’s computers or files or cause financial loss of over $50 per impairment. In the past Berman has suggested that spoofing and file blocking could be employed. The law requires that copyright holders must check with the US Department of Justice before embarking on
circulation within their institutions. Permission of the publisher is required for resale or distribution outside the institution. Permission of the publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Contact the publisher at the address indicated. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the publisher. Address permissions requests to: Elsevier Science Rights & Permissions Department, at the mail, fax and e-mail addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. 02158 Printed by Mayfield Press (Oxford) Ltd
8/13/02
10:26 AM
Page 2
news According to MrHappy “roaming wireless networks is a grey area when it comes to intrusion. The airwaves belong to the people and not to the corporations and companies that use them. This is very different from a physically-wired network in which it all does in fact belong to someone”. The WISE project has reportedly not encountered anything blatently malevolent so far. If other projects are strategically positioned in major cities, it may help to get a clear picture of the threats. Of course it may not attract the number of hackers that a conventional honeypot manages to capture because of the fact that a hacker must be physically accessible to the access point involved. Hackers can’t sit comfortably in a safe environment and breach networks; they must make a physical effort to gain physical closeness to the network. There are different types of Honeypots; hardware-based, software emulation honeypots, and honeynets, which are a network of honeypots. Lance Spitzner an engineer at Sun Microsystems Inc. was involved in the creation of the Honeynet Project. According to Spitzner Honeypots are “beter than intrusion detection
systems because they IDS give s you a lot of false positives” he as reported in IT Managment. “You get 8000-10 000 alerts a day with IDS. You don’t know what to pay attention to. You get overwhelmed and you start ignoring it all. When a honeypot generates an alert, it’s a real attack. No one should be connecting to it because it’s not an actual production network.” Some experts are recommending that honeypots should be an integral part of a companies defence line.
industry news
Security job descriptions in disarray There is no European or US consistency for security job descriptions in online advertisements as indicated by recent research conducted for Network Security. The results revealed absolutely no correlation across a variety of countries for a mixture of corporations. Remarkable inconsistencies were apparent relating to job titles, job descriptions and desired qualifications. The only two job titles, which appeared over three
ISSN: 1353-4858/02/$22.00 © 2002 Elsevier Science Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Science Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use. Permissions may be sought directly from Elsevier Science Rights & Permissions Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, E-mail: [email protected]. You may also contact Rights & Permissions directly through Elsevier’s home page (http://www.elsevier.nl), selecting first ‘Customer Support’, then ‘General Information’, then ‘Permissions Query Form’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (978) 7508400, fax: (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) 171 436 5931; fax: (+44) 171 436 3986. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal
2
times were the titles of Security Administrator and Security Analyst. The Security Administrator job title was used in 15 out of 100 online postings. Many of the job descriptions listed were vague with little detail. This could lead to an increase in the applications of unqualified candidates. But on the other hand Charles Cresson Wood, a security author comments that “companies do not want to externally publish information security details in advertisements because this could lead to a compromise”. Also the widespread inconsistencies could be due to the “vast differences in job profiles within many diverse organizations in different market sectors” according to Cresson Wood.
piracy news
Hollywood crack down on piracy Copyright holders may now be legally authorized to hack user computers with downloaded pirate software. US Rep. Howard L. Berman (D-Calif.) proposed legislation to allow
copyright holders to impose new technological measures to stop peer-to-peer network piracy. After the collapse of Napster, music piracy has begun to exploit peer-to-peer networks, which don’t have a central server like Napster to target. Copyright holders have to deal with piracy on a computer-by-computer basis. Berman told Congress that there is no “silver bullet” to halt piracy using peer-to-peer networks but he intends that this bill will, “enable responsible usage of technological self-help measures to stop copyright infringements on P-to-P networks”. The advantages of broadband and more sophisticated software have led to the acceleration of piracy. Although the actual details of what technologies could be used by copyright holders were not unveiled to Congress, Berman commented that the methods employed should not damage user’s computers or files or cause financial loss of over $50 per impairment. In the past Berman has suggested that spoofing and file blocking could be employed. The law requires that copyright holders must check with the US Department of Justice before embarking on
circulation within their institutions. Permission of the publisher is required for resale or distribution outside the institution. Permission of the publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Contact the publisher at the address indicated. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the publisher. Address permissions requests to: Elsevier Science Rights & Permissions Department, at the mail, fax and e-mail addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. 02158 Printed by Mayfield Press (Oxford) Ltd