Bright Stove

Reflecting information risk journey

Archive for October 2008

Protecting yourself in Cyberspace


A while back, I blogged about some findings on users’ experiences of security breaches. This morning I came across a new site, Security Garden, which provides a "Tip of the Day" to help users protect themselves when using the Internet, in particular when using applications such as Facebook, MySpace, Twitter, Windows Live Spaces, etc. The site is RSS-enabled, so you can subscribe to it from your home page and get the latest tip each day.
On another note, ZDNet reported yesterday that "A team of Swiss researchers say there are several ways to recover keystrokes from wired keyboards by simply measuring the electromagnetic radiations emitted when keys are pressed" (the work of Martin Vuagnoux and Sylvain Pasini at EPFL). Not sure what they are trying to prove. Commercialization of TEMPEST technology? Note that the emanations come from the keyboard's controller and cable rather than from the key switches, so a keyboard with mechanical switches radiates just the same; only a device with no electronics at all escapes. Perhaps, together with the Green movement, this could signal the reincarnation of the typewriter, just as we have "unplugged" music nowadays.

Written by mengchow

October 21, 2008 at 3:57 am

Posted in Awareness

Leaving Limassol


Another week has gone by, closing out the 5th ISO/IEC JTC 1/SC 27/WG 4 meeting at Limassol, Cyprus. There was some fun during the week, but more importantly, work-wise, significant progress has been made on a number of projects, thanks to the project editors, rapporteurs, and experts.

One of the projects is ISO/IEC 27032 on "Guidelines for Cybersecurity". The members have agreed upon a working definition, and the scope of the document has also been refined. By the next working draft (WD), we should see more focus on the contents, i.e., the guidance required to improve the security and safety of the Cyberspace environment. Yes, the term Cyberspace has been agreed upon, and it is the target environment to which the guidelines apply. It is now agreed that Cyberspace is the complex environment that has no physical form but results from the interaction of software and people connected through a variety of technology devices/systems. Cybersecurity is about the security of this complex environment, which needs organizations, including service providers, to play a role in ensuring the security and safety of the environment. This definition matches the scope that I helped draft earlier, along the line of thought previously discussed.

Of the three Study Periods that progressed from the previous meeting (in April 2008), two have resulted in new work item proposals (NP), for the development of a "Guidelines on Security of Outsourcing" and a "Guidelines on Identification, Collection and/or Acquisition, and Preservation of Digital Evidence", respectively. The former should help organizations implement the security controls required for ICT and other outsourcing activities, and I envisage this to be important not simply for the outsourcing work that has been ongoing in the industry, but also for the move towards Cloud Computing, in which the use of external services is likely to proliferate in the near term. The latter NP was motivated firstly by the need to implement controls supporting the relevant sections of ISO/IEC 27002 on digital evidence collection and preservation, and more importantly, by the need to establish a baseline of controls that could potentially be relied upon to support cross-border investigations. The Study Period that did not emerge as a new project was the work on "Categorization and Classification of Information Security Incidents". This work item was recognized as relevant and important in helping organizations prepare for incident handling and management. However, a number of experts felt that it should be developed as an integral part of the ISO/IEC 27035 standard on "Information Security Incident Management", a revision of the previous ISO/IEC TR 18044:2004 of the same title. Through a vote, the decision was taken to integrate the work as such.

The other three projects, ISO/IEC 27031 on "ICT Readiness for Business Continuity", ISO/IEC 27033 on "Network Security", and ISO/IEC 27034 on "Application Security", focused their efforts mainly on refining the various drafts, editing, and making the contents more readable and usable by their respective intended audiences. While the actual completion of these standards is not in the very near term, I can certainly say that they are making positive progress, and if things continue at the current pace, in about 12 to 18 months we should start to see new publications coming out of these projects, probably one after another, with the Network Security Part 1 document (ISO/IEC 27033-1) likely to reach the finish line first.

On the fun side, I was invited during the gala dinner on Wednesday to take part in an acrobatic dance in which the dancers placed drinks on my head. The dancer himself did the stunt with 10 glasses of drinks on his head. I was led to believe that they were adding glasses each round, but in reality there were only two. Although I felt that the weight on my head had not changed, which was strange, I didn’t protest but danced on. This made everybody happy. Anyway, it was all for the fun of it, and everyone had a great evening. Perception always prevails, and makes one gain confidence in the process. This time, it was for fun. In real life, it could be something else.


During the week, I was introduced to a well-paved jogging path that runs from the Grand Resort along the edge of the beach westward for more than 5 km. I had a few satisfying runs along that path during the week, clocking another 30+ km.


On Saturday morning, with four hours before my flight out of Larnaca (Cyprus International Airport), I joined two colleagues for a short tour of Limassol, visiting the nearby archaeological site, medieval museum and ancient stadium. It is indeed a beautiful island.

Written by mengchow

October 12, 2008 at 6:56 am

Posted in Security Standards



Yet another security standards meeting this week. This may sound like a boring thing, and I guess that’s why our host in Cyprus (like many other hosts of SC 27 meetings in the past) has chosen a beach resort for the meeting. I took some pictures of the scenery here yesterday evening and earlier today and put them together in a set of Photosynth collections, with some shots below as well (in case Photosynth doesn’t work). The location is the Grand Resort, Limassol, Cyprus, more than 10,000 km from Beijing. The total travelling time to get here was approximately 17.5 hours. It could have been longer if not for the taxi driver who drove at 140 km/h to cover the 77 km from the airport to the hotel in about 30 minutes, across a desert-like highway.

While the beach and hotel look great, and the weather is quite comfortable (around 22 degrees Celsius), the place seems to have nothing else in particular to look forward to. Besides hotels and some low-rise apartments nearby, it is actually quite deserted, as I found when I jogged out yesterday for about 5.5 km eastward. Can’t really find a good route either, as the road just runs parallel to the beach and gets narrower and more deserted after a while.

In any case, the trip here is for the 5th WG 4 Meeting, and perhaps I should say a few words about the WG’s plan and my expectations for this week. At this point, there are six projects in the development stage, ISO/IEC 27031 to 27035 and ISO/IEC 29149 (Time Stamping Services), and three Study Periods. Study Periods are new ideas for exploration, to gauge interest from members. ISO/IEC 27035 (Incident Management) is an upgrading project to convert the previous TR 18044 on the same topic to an IS, a Guideline to be more specific. ISO/IEC 27033 itself has multiple parts, as a revision of the previous IS 18028 standard on Network Security, and right now four of the eight parts are in development. These projects should progress through the meeting, but it is unlikely that any of them will escalate to the FCD stage at this meeting, except perhaps 27033-1, if it can get through the many comments on its first Committee Draft (CD). I’m also delighted to see that many comments and contributions have been received for these projects, which means that many national bodies are paying attention and have an interest in wanting the eventual standards to be useful. The many comments and contributions are necessary to improve the rigor of this work and the final quality.

As for the three Study Periods, a number of contributions have also been received, and it looks like we should be able to move them to the next stage of development upon completion of this meeting, i.e., to propose new projects in the three areas: (1) Security of Outsourcing; (2) Evidence Acquisition and Digital Forensics; and (3) Information Security Incident Classification and Categorization. With the industry’s current focus on Cloud Computing, the Security of Outsourcing project may well end up with a much broader scope than was originally planned.

Written by mengchow

October 5, 2008 at 2:27 pm

Posted in Security Standards
