IS Assurance

Blog of the University of Waterloo Centre For Information System Assurance (UWCISA)

Monday, April 12, 2010

This blog has moved


Gartner Security & Risk Management Summit 2010
21 – 23 June 2010 | National Harbor, MD (Washington, DC area)

This year's event will focus on the importance, as IT security and risk disciplines converge, of developing a comprehensive strategy across roles. "To address this priority, the newly expanded Gartner Security & Risk Management Summit brings the entire IT security and risk management team together for a comprehensive strategic update focused on and aligned with business goals. Four complete programs within the conference drill down on Security, Risk Management, Business Continuity Management, and CISO roles to deliver the detailed, role-specific content and networking that is essential to success. Each program offers a full agenda of analyst sessions, keynotes, roundtable discussions, case studies, workshops, and more."

There is more on the Gartner website about this important event.

Tuesday, April 6, 2010

How to Buy an SSL Certificate

SSL certificates are the standard means by which a browser verifies that the server it is talking to actually controls the site name in the URL. Most browsers will warn on a site without a valid certificate. But how good is this precaution? Two researchers recently uncovered a way of purchasing an SSL certificate for any site chosen at random, whether or not the buyer owns it. Their method is open to anyone with a credit card. Needless to say, this undermines the assurance an SSL certificate is supposed to provide: the browser's checks are only as good as the vetting the issuing CA performed before signing. Read more here.
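To make the point concrete, here is an added example (not code from the original post or from the researchers' work) that reduces the checks a browser makes on a server certificate to their logic: the issuer must be in the trust store, the current time must fall in the validity period, and the hostname must match a name in the certificate's subjectAltName, using the RFC 6125 wildcard rules. The certificate, trust store and clock are constructed inline and the names are hypothetical. Every check passes for a certificate that a trusted CA issued to someone who does not control the site, which is exactly why misissuance of the kind described above is invisible to the browser.

```python
"""Added example: the logic of browser-side certificate validation.
Certificate, trust store and clock are constructed inline; no network access.
All checks pass for a misissued certificate: validation cannot detect that
the CA signed a name the buyer did not control."""
import datetime


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one DNS name from the certificate against a hostname.
    A wildcard must be the whole leftmost label, must leave at least two labels
    after it (so '*.com' never matches), and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if any(not lab or "*" in lab for lab in hlabels):
        return False  # empty labels or wildcards in the hostname are never valid
    if len(plabels) != len(hlabels):
        return False
    if "*" not in pattern:
        return plabels == hlabels
    # partial-label wildcards such as 'w*.example.com' are rejected outright
    if plabels[0] != "*" or any("*" in lab for lab in plabels[1:]) or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def validate_certificate(cert: dict, hostname: str, trusted_cas: set, now: datetime.datetime) -> list:
    """Return the list of failed checks; an empty list means the browser would accept the certificate."""
    problems = []
    if cert["issuer"] not in trusted_cas:
        problems.append("issuer not in trust store")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("outside validity period")
    if not any(hostname_matches(name, hostname) for name in cert["san_dns_names"]):
        problems.append("hostname not covered by subjectAltName")
    return problems


UTC = datetime.timezone.utc
TRUSTED_CAS = {"Example Root CA"}                      # constructed trust store
NOW = datetime.datetime(2010, 4, 6, tzinfo=UTC)         # constructed clock
AFTER_EXPIRY = datetime.datetime(2012, 1, 1, tzinfo=UTC)

# Constructed certificate: what a CA with weak domain validation might have
# signed for a buyer who does not control victim.example (hypothetical name).
MISISSUED_CERT = {
    "issuer": "Example Root CA",
    "san_dns_names": ["victim.example", "*.victim.example"],
    "not_before": datetime.datetime(2010, 4, 1, tzinfo=UTC),
    "not_after": datetime.datetime(2011, 4, 1, tzinfo=UTC),
}

if __name__ == "__main__":
    # Accepted without complaint: nothing here tells the browser the buyer was not the site owner.
    print(validate_certificate(MISISSUED_CERT, "www.victim.example", TRUSTED_CAS, NOW))
```

The only defences against a misissued certificate live outside this routine: what the CA actually verifies before signing, and, on the client side, knowing in advance which certificate or issuer to expect for a given site.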

Wednesday, March 31, 2010

Data Protection Strategies

A recent survey by the Ponemon Institute of 115 C-level executives in the UK indicates that the need for a data-level security strategy is gaining traction with that group. All of them said that their organization had been targeted with attacks on its data during the past year. All understand the damage such attacks can do to the organization and recognize the effect they can have on the bottom line. For a summary of the survey, check out this link.

Wednesday, March 24, 2010

It's Time to Scrap the Password System

Passwords are out of hand. They rest on an approach that dates from an earlier era and is no longer manageable or effective. The model behind most password systems is the same as when one person sat at a terminal on a desk and used it to reach a few specific applications: the user remembers the password and never writes it down.

But times have changed. Users now use a variety of devices to access a variety of applications, many of them on the web, and so have numerous passwords to "remember". This writer, for example, has 81 passwords for the applications he uses. Nobody can remember 81 passwords, so they have to be recorded somewhere, which in itself creates a security risk. This is not uncommon. People often turn to password management software, but the security of that software is often weak or virtually non-existent.

Also, the same password is reused across many sessions, so once it is stolen it can be replayed by the thief. This is at the core of much of the hacking that goes on.

The answer to this dilemma lies in a new password paradigm under which each password is used only once, so that a stolen one is worthless. Since users could not remember such passwords either, there needs to be a system that recognizes a user, issues a password when needed, and expires it after the user logs out. Such systems are possible and some are in use, but making them available across the board requires the involvement of the internet service providers, who would supply the infrastructure to make the system work globally. The time for making this change is long past due. For an interesting take on this issue, see this article.
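One established way to realize the "use once" idea is a one-time password derived from a shared secret and a counter (HOTP, RFC 4226) or from the current time (TOTP, RFC 6238). The following is an added example, not code from the post or the article it links to: a standard-library implementation of both, plus a server-side verifier that records the last accepted counter so a captured code cannot be replayed. The secret is the RFC 4226 test key, so the codes it produces can be checked against the RFC's own test vectors; the look-ahead window size is an assumption.

```python
"""Added example: HOTP (RFC 4226), TOTP (RFC 6238) and a replay-resistant verifier.
Standard library only. RFC4226_SECRET is the RFC's published test key."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter replaced by floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


class HotpVerifier:
    """Server side of HOTP. Remembers the next unused counter so that a code is
    worthless once accepted, and tolerates a client that generated a few codes
    without submitting them (look_ahead window; 5 is an assumed value)."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # this and every earlier counter are now burned
                return True
        return False


RFC4226_SECRET = b"12345678901234567890"  # test key from RFC 4226 Appendix D

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))          # 755224, 287082, 359152
    print(totp(RFC4226_SECRET, 59, digits=8))      # 94287082 (RFC 6238 test vector)
    v = HotpVerifier(RFC4226_SECRET)
    print(v.verify("755224"), v.verify("755224"))  # True False: the second submission is a replay
```

The verifier only ever moves its counter forward, so a code captured in transit and submitted later is rejected even though it was genuine when generated; for TOTP the same effect comes from refusing any code for a time step that has already been accepted.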

Thursday, March 18, 2010

APT Attacks Can't be Stopped

One would think that, with all the money and effort going into securing corporate systems, it would be getting harder and harder to break into them. That is not how it is playing out. Advances in technology, plus the ready availability of attack tools on the Web, are making it much more difficult to stay (or get?) ahead of the crooks. They can quickly test a system for vulnerabilities and, if they find even one, leverage it to gain a foothold and then stay there. Attacks of this kind are known as Advanced Persistent Threats (APT). The technology keeps escalating, but the attacks can't be stopped. Read about it here.

Tuesday, March 16, 2010


The Institute of Internal Auditors has a useful introductory article on e-discovery on its website. E-discovery is the process of retrieving and preparing electronically stored data and documents for use in legal proceedings. It is a relatively new procedure, because until the past few years only paper documents were used in court. That has changed drastically, and the change presents new challenges with regard to data storage and retrieval as well as compliance with established data handling policies. The article is at this website.