THE MAGAZINE

June 2004
COVER STORY

From Small Clues to Big Picture

By Teresa Anderson

One lesson from 9-11 is the need to better connect the dots of intelligence data to see the picture of any looming threat. The Transportation Security Coordination Center is attempting to do just that.

FEATURES

Passenger Screening In No-Fly Zone

By Michael A. Gips

Government efforts to work the kinks out of the latest passenger screening proposal seem mired in the battle between privacy and security.

Terror on the High Seas

By Ali M. Koknar

Piracy and terrorism are joining forces and creating troubled waters for the maritime industry.

Crime Fighters Cast Wide Net

By Peter Piazza

The Cybercop Web portal allows authorized crimefighters around the world to access a database of sensitive information.

PRINT EDITION ONLY

A Case of Rogue Gatherings (and other CPTED Tales)

By Kathy Macdonald and Glen Kitteringham, CPP

Find out how Canada's Police Service in Calgary has spread the word on CPTED and translated it into action.

Reckoning IT Risks

By Lewis E. Wagner III, CPP

The first step toward information protection is defining the risks.
 

The Evolution of a Security Solution

By Andre Yee

Current intrusion detection and prevention products are evolving into a new generation of smarter and more effective tools.

Surveillance that Delivers Results

By Michael A. Gips

Deutsche Post makes collaboration with staff a part of its CCTV policy.

Industry Focus

ASIS guidelines update; Don W. Walker, CPP, testifies on background checks on officers; and a profile of Michael F. Mullarkey, CPP, PSP.

Growing Group Leadership Skills

By Joseph A. Raelin

Some of the best leadership occurs when it is distributed among a group rather than being vested in a single person.

Legal Reporter

By Teresa Anderson

Courts rule on premises liability and negligent hiring; aviation security hearings take place on Capitol Hill; and Congress considers legislation on maritime security and weapons of mass destruction.

EU Expansion Poses Security Problems

By Michael A. Gips

Security technologies' prospects rated, EU fears expansion of crime with expansion of borders, advice on reducing false alarms, and more.

So You Want to Sell to the Government?

By Michael A. Gips

Security technologies' prospects rated, EU fears expansion of crime with expansion of borders, advice on reducing false alarms, and more.

 


EDITOR'S NOTE

What Is Homeland Security?

By Sherry L. Harowitz

How smart is the homeland security effort to gather intelligence?

TECHNOFILE

IT Technology Primer

By Peter Piazza

A buyer's guide for managers who need to understand security technologies is now available from the General Accounting Office (GAO). The guide focuses on five technology areas: access controls, system integrity, cryptography, audit and monitoring, and configuration management and assurance.

IT Gains Clout in Making Security Decisions

By Peter Piazza

The convergence of physical and IT security might worry physical security experts who dread the idea of having to learn the intricacies of bits and bytes. But there may be little choice: As CCTV systems increasingly rely on data networks, vendors are beginning to pay more attention to the IT department.

Quick Bytes: Viruses, recovery costs increase

By Peter Piazza

Virus disasters--where 25 or more computers within an organization are infected at the same time--increased 15 percent in 2003 from the previous year, and the costs of recovering from those disasters increased 23 percent over the same time period, from about $81,000 to almost $100,000. Those are some highlights of a survey of 300 companies and government agencies in the 9th Annual ICSA Labs Virus Prevalence Survey. @ More on the survey is available through SM Online.

Bigger Budgets, More Technology

By Peter Piazza

More than half of the businesses responding to a recent survey by the Yankee Group indicate that they expect IT security budgets to increase over the next three years, compared to only 8 percent who foresaw a decrease and 37 percent who expected the budget to remain the same. The survey was based on interviews with 404 decision makers in medium-size to large companies across a wide range of industries.

Worm's-eye View of Attack Trends

By Peter Piazza

An analysis of tens of thousands of computer security attacks over the second half of last year, conducted as part of Symantec's fifth Internet Security Threat Report, has revealed some disturbing trends hidden within the not-surprising news that worms remained the most common vector of attacks.

Task Force Pushes for Early Warning System

By Peter Piazza

The Cyber Security Early Warning task force, which includes representatives from businesses, trade groups, and academia, has issued its first set of recommendations. First is a call for the creation of an Early Warning Alert Network (EWAN) that would work with existing public-private information-sharing organizations to establish "trust communities" across industry sectors that would receive critical alerts on vulnerabilities, attacks, and exploits.

Quick Bytes: Criminal case files go online

By Peter Piazza

The Judicial Conference of the United States has released a guide for allowing remote electronic access to criminal case files. This guidance states that if a document would be available to a member of the public at the courthouse, it should be available through the court's electronic access system. It also calls for the redaction of Social Security numbers and other sensitive data, and explains the types of documents--such as arrest warrants and juvenile records--that will not be available electronically. A separate document provides a model rule for compliance. @ Both documents are at SM Online.

Passwords Hidden in Plain Sight

By Peter Piazza

While users may forget their passwords easily, computers, like elephants, never forget. The persistence of that memory could pose a security problem if staff with limited access privileges were to figure out how to access the plain text passwords in the computer's database, says Abhishek Kumar, who authored a paper about this vulnerability. No incidents of this exposure being exploited are yet known to have occurred, he says, "but it could happen very soon if we do not plug this vulnerability."

Cybersecurity Vendors Form Alliance

By Peter Piazza

A dozen security IT vendors have established the Cyber Security Industry Alliance with the aim of improving cybersecurity "through public policy initiatives, public sector partnerships, corporate outreach, academic programs, alignment behind emerging industry technology standards, and public education."

IT Security Requirements of Sarbanes-Oxley

By Peter Piazza

Section 404 of the Sarbanes-Oxley Act requires companies to include in their annual reports a report of management on the company's internal control over financial reporting. How IT risks and controls are affected is explained in a Q&A format in a new publication from risk-consulting company Protiviti. The 32-page guide describes an overall approach to IT risk and control considerations, from identifying and prioritizing IT tasks to understanding how outsourcing any part of the IT function might affect reporting. It divides the subject into nine sections, including documentation, testing, IT control considerations in relation to business processes, and addressing deficiencies.

@ Link to the Protiviti paper, Guide to the Sarbanes-Oxley Act: IT Risks and Controls, through SM Online.

Quick Bytes: IT security problems at DHS

By Peter Piazza

The Department of Homeland Security's IT efforts are plagued with inefficiencies and problems, from an "organizationally weak" CIO office and the reliance on outdated technical systems to the need to outsource some benefits and payroll functions to other agencies. Those charges are leveled by Democrats on the House of Representatives' Homeland Security Committee in a recent report, America at Risk: Closing the Security Gap. @ The report is available at SM Online.

LEGAL REPORT

Corporate aviation

The House Transportation and Infrastructure Committee's Subcommittee on Aviation held a hearing to discuss whether general aviation, which includes corporate and private aircraft, will be allowed to operate out of Ronald Reagan Washington National Airport. Most of the witnesses represented industry groups and were in favor of returning general aviation to the airport immediately.

CASE STUDY

Kilroy Has Left the Building

By Marta Roberts

CCTV has driven away graffiti and bogus slip-and-fall claims at one Manhattan building.

BOOK REVIEWS

Cybersecurity Operations Handbook.

By Ben Rothke, CISSP

The first 19 chapters (and 700 pages) discuss technologies such as firewalls and VPNs. While these are well-written, there is nothing here that hasn't been published before; all of the information is easily accessible via the Internet for free.

Computer Security Sourcebook and Communications Security Sourcebook

By Lee Imrey, CPP, CISSP

Until just before publication, Computer Security Sourcebook and Communications Security Sourcebook constituted a single work, but they were broken into two books due to the sheer volume of material included. Both books are compilations of previously published material, much if not all of it available free online or in periodical archives at a university library.

HackNotes Network Security Portable Reference

By Crawford Robinson

The great strength of this work is the balance of its rigorous content and accessible presentation. Dividing the book into three parts allows readers to choose their level of detail. The first section provides easily understandable network principles and methodologies. A more detailed section, on hacking techniques and defenses, follows. At the most detailed level, readers can probe specialist areas such as wireless networks and Web application security.

Security Planning and Design: A Guide for Architects and Building Design Professionals.

By Jie Jay Chen, CPP, CISSP

Well-outlined and comprehensive, the book harnesses the expertise of knowledgeable security veterans. Various authors share their wisdom and experience on environmental and threat considerations, design concepts, protection technologies, and security practices.

PDR Guide to Biological and Chemical Warfare Response

By W. Todd Best, CPP

Largely viewed as a remote risk as recently as a few years ago, chemical and biological attacks have now taken center stage in terrorism prevention and response planning. As with all threats that first enter the public consciousness, there's a lot of misunderstanding about these kinds of attacks. This guide will help. Fifty-one toxic agents are discussed, including signs and symptoms as well as possible treatments.

Privacy Handbook: Guidelines, Exposures, Policy Implementation and International Issues

By Joseph J. Jaksa, CPP

The authors present a clear explanation of privacy--what it is, to what it may apply, and why it is important. The listing of resources and laws on specific privacy issues is helpful as well, including advocacy groups and organizations that can explain such laws as the USA Patriot Act.

Stolen Access: Keeping Information Secure.

By David J. Hambridge, CPP

Need a brief but powerful tool for teaching employees the importance of information security? This high-quality, well-acted 17-minute video offers a glimpse into the world of information security.

Effective Physical Security, Third Edition

By Cathal Walsh

Asset protection and management pose unique and ever-shifting challenges, but the foundation principles on which these fields are based remain the same. For those basic components of physical security controls, one need look no further than the third edition of this Lawrence Fennelly work. It's a compilation of informative essays written by security professionals expert in various topics.

Strategies for Coordinating Disaster Responses

By Mayer Nudell, CSC

Security professionals involved in disaster planning or response should recognize the name Thomas Drabek. For decades, he has been among the preeminent scholars in disaster management. With Drabek's upcoming retirement from the University of Denver, this may be the professor's last major publication, and it updates his thinking on how emergency managers operate.

 

Beyond Print

See all the latest links and resources that supplement the current issue of Security Management magazine.