THE MAGAZINE

The Federal Trade Commission (FTC) is working with dozens of organizations around the world to put pressure on Internet service providers (ISPs) to take voluntary steps, such as quarantining infected computers to try to reduce the onslaught of spam sent through so-called “spam zombies,” computers that have been hijacked to send spam.

Every time you install a new program onto your computer, there is some risk that the program will not play nicely with the rest of the applications you’re running. So imagine the risks of installing a new operating system to see how it works.

The Department of Homeland Security (DHS) has “a lot of work ahead” before it fully addresses its cybersecurity-related responsibilities, according to a recent report to Congress by the Government Accountability Office (GAO).

Thirty-five percent of the world’s top 100 global financial institutions were victimized by attacks from within their organizations (versus 26 percent from external sources), up from 14 percent the previous year, according to the 2005 Global Security Survey conducted by Deloitte Touche Tohmatsu.

Working from home, you can set up your computer so that it is protected by a layer of defenses. For example, I have a firewall on my wireless router as well as a firewall running on the computer itself. But when the average user travels, there are typically fewer layers available to protect the portable computer from the inherent hazards of the Internet.

The late gonzo journalist Hunter S. Thompson once wrote, “Kill the head and the body will die.” For IT professionals, the phrase might be reconfigured “Kill the security products and the network will die,” as was the case with last year’s Witty worm that targeted security software and infected systems worldwide in 75 minutes. Such attacks on security software are increasing, according to the Yankee Group’s

Keeping up with the newest electronic gadgets is one of the best parts of a technophile’s day. Happily, there are plenty of Web sites and blogs dedicated to breaking the news of whatever’s newest and hottest on the market.

Protecting networks against worms and viruses is a trying task. Protecting against a threat targeted specifically at your network is even tougher. That’s a lesson that several Israeli companies learned earlier this year when they discovered that customized Trojan horse programs had been installed on their system, allowing industrial spies access to their networks.

ASIS joins identity-protection coalition, and Jeff Lee, CPP, is profiled.

A major corporation finds that a travel-intelligence service is a smart investment.

Throughout the book, Smith plays the 9-11 card too much. If only the United States had had a massive database of financial transactions, surveillance images, and other personal data, Smith writes, the terrorists might have been stopped. He does admit, however, that technology such as databases and DNA can be used only to mitigate, not eliminate, threats to society.

For the basics, one of the best chapters categorizes fraud into three primary types. One is duplicate-payment fraud, defined as the issuance of two or more identical checks to pay the same debt for a service. Second is multiple-payee fraud, which is similar, but the checks are not identical. The third type is shell fraud, the payment of alleged debts for fictitious projects or services. For each type, detailed analysis and case studies are provided.

The book has six parts, with writings ranging from the historical to the latest in current thought. A discussion of civil liberties during wartime leads off the book. Selections from the U.S. Constitution and a federal habeas corpus statute round out the first chapter and provide a legal context for the subject.

When outsourcing security services, what key characteristics should you look for in a contractor? How can you figure out whether the rates a vendor charges are reasonable? What should you include in a request for proposal (RFP) for security services? In Value-Based Security Procurement, a book newly published by ASIS International, author David R. Serafine, CPP, answers these questions and more.

Author Ed Skoudis provides amazing insight into the types of tools attackers use to bring down computers and networks or to steal and manipulate information stored on those systems. As would be expected, worms and viruses receive considerable attention, but Skoudis also is adept at explaining backdoors, Trojan horses, malicious mobile code, rootkits, and numerous other tools and scenarios.

Jim Kennedy’s chapter, “Business Continuity and Disaster Recovery,” deserves special mention because it is an excellent overview of the changes to traditional disaster planning brought about by the World Trade Center attacks. Less successful is a chapter entitled “Blending Corporate Governance with Corporate Security,” which discusses Sarbanes-Oxley. The author asserts that Section 404 of the act deals with “systems of control,” which he says are by their very nature computer information systems. Yet Section 404 does not specifically mention computer systems, and any security requirements beyond those necessary to ensure accurate financial accounting and reporting are beyond the scope of Sarbanes-Oxley. To flatly state that increased information security measures are required under this law is misleading.