Data Security For the Business Owner

Published by Eric Vought
This is a partial draft of a manual on data security for a non-computer-nerd small to mid-sized business owner. It explains security concepts, contains a glossary, an annotated bibliography, and identifies ways to manage the risk represented by information technology. I worked on this a couple of years ago and gave up at least temporarily because the technology and threats were changing faster than I could write. I have put up the partial draft because it might be useful to some people and I occasionally refer folks to sections I wrote when they ask related questions. If the draft does appear to be useful and there is sufficient interest, I may continue working on it.


Published by: Eric Vought on Jun 24, 2010
Copyright:Attribution Non-commercial

[AliPabrai-2005] Uday O. Ali Pabrai. “The CobiT Security Baseline”. Certification Magazine (http://www.certmag.com), MediaTec Publishing, Inc. July 2005. http://www.certmag.com/articles/templates/cmag_department_sec.asp?articleid=1239&zoneid=43#

[Bbc-2007a] BBC News (http://news.bbc.co.uk/), BBC. “Malicious code rise driven by web”. The number of new pieces of malicious software has doubled in the last year with the web being used increasingly to distribute the code, a report says. March 19, 2007. http://news.bbc.co.uk/2/hi/technology/6465833.stm

[Bbc-2007b] BBC News (http://news.bbc.co.uk/), BBC. “'Surge' in hijacked PC networks”. April 25, 2007. http://news.bbc.co.uk/2/hi/technology/6591183.stm

[BrownleeGuttman-1998] N. Brownlee and E. Guttman. “Expectations for Computer Security Incident Response”. Internet Engineering Task Force, RFC 2350. June 1998. http://www.ietf.org/rfc/rfc2350.txt

[CaSenate-2003] California State Senate. “California Information Practice Act of 2003”. SB 1386. September 26, 2002. This bill became law in 2003. The text of the law is available online: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Business Data Security


[Dhhs-2003] “Health Insurance Reform: Security Standards; Final Rule”. 45 CFR Parts 160, 162, and 164. The Federal Register, vol. 68, no. 34. National Archives and Records Administration. February 20, 2003. http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf

[Evett-2007] Don Evett. “Spam Statistics 2006”. Top Ten Reviews, TopTenReviews, Inc. January 18, 2007. http://spam-filter-review.toptenreviews.com/spam-statistics.html

[FbiIc3-2006] FBI Internet Crime Complaint Center and National White Collar Crime Center. “Internet Crime Complaint Center 2006 Internet Fraud Crime Report: January 1, 2006 - December 31, 2006”. Federal Bureau of Investigation, Washington D.C. 2007. http://www.ic3.gov/media/annualreport/2006_IC3Report.pdf

[FeynmanEtAl-1985] Richard P. Feynman, Ralph Leighton, and Edward Hutchings (ed.). Surely You're Joking, Mr. Feynman!: Adventures of a Curious Character, as told to Ralph Leighton. W.W. Norton, New York. 1985. ISBN 0393019217.

[GarfinkleMalan-2006] Simson L. Garfinkel and David J. Malan. “One Big File Is Not Enough: A Critical Evaluation of the Dominant Free-Space Sanitization Technique”. 2006. A copy of this paper is available from the authors or on the web: http://www.simson.net/clips/academic/2006.PET.bigfile.pdf

[GordonEtAl-2006] Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Robert Richardson. “2006 CSI/FBI Computer Crime and Security Survey”. Computer Security Institute and Federal Bureau of Investigation. 2005. Copyright © 2006 Computer Security Institute. The report can be obtained online by following links from http://www.gocsi.com/press/20060712.jhtml and registering.

[Harbert-2006] Tom Harbert; Mick Wiggins. “Combining Security and Regulatory Compliance”. Using best practices for network security sets a course to time savings, asset protection, and sales to big customers. IQ Magazine (http://www.cisco.com/web/about/ac123/iqmagazine/index.html), Cisco Systems, Inc. 3rd Quarter 2006. http://www.cisco.com/web/about/ac123/iqmagazine/archives/q3_2006/COMP_sailingcompliance.html

[Higgins-2007] Kelly Jackson Higgins. “How to Cheat Hardware Memory Access”. Dark Reading (http://www.darkreading.com/default.asp), Light Reading, Inc., New York, NY. February 27, 2007. http://www.darkreading.com/document.asp?doc_id=118291

[Isf-2005a] Information Security Forum. The Standard of Good Practice for Information Security, version 4.1. January 2005. Copyright © 2005 Information Security Forum. The standard can be obtained online from http://www.isfsecuritystandard.com/index_ie.htm. Registration is required. As of the time of this writing, their site will not function if JavaScript is not enabled.

[Isf-2005b] Information Security Forum. ISF Digest: The Disappearance of the Network Boundary. April 2005. Copyright © 2005 Information Security Forum. The report can be obtained online from http://www.securityforum.org/html/view_pub01.asp. Registration is required. As of the time of this writing, their site will not function if JavaScript is not enabled.

[IsoIec-2005] ISO/IEC 17799:2005. Information Technology - Security Techniques - Code of practice for information security management. ISO, Geneva, Switzerland. 2005. Copies can be obtained from the ISO Online Store: http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3=

[Itgi-2004] IT Governance Institute. COBIT® Security Baseline: An Information Security Survival Kit. IT Governance Institute, Rolling Meadows, Illinois. 2004. ISBN 1-893209-79-2. A PDF is available online with site registration: http://www.isaca.org/TemplateRedirect.cfm?template=/ContentManagement/ContentDisplay.cfm&ContentID=20290. The downloaded PDF has several pages of ads and membership material at the front; it is the correct document.


[Itgi-2005] IT Governance Institute. COBIT® 4.0: Control Objectives, Management Guidelines, Maturity Models. IT Governance Institute, Rolling Meadows, Illinois. 2005. ISBN 1-933284-37-4. A PDF is available online with site registration: http://www.isaca.org/cobit.htm

[Itgi-2006] IT Governance Institute. “Harley-Davidson: Using COBIT to Simplify Compliance”. Cobit® Focus (http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=31703&TEMPLATE=/ContentManagement/ContentDisplay.cfm), no. 2, pp. 8-9. IT Governance Institute, Rolling Meadows, Illinois. December 2006. Copyright © 2006 IT Governance Institute. This issue is available in PDF form online: http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=28423. Note that the table of contents is wrong; the article begins on page 8.

[Kantor-2005] Andrew Kantor. “Sony: The rootkit of all evil?”. USA Today (http://www.usatoday.com). November 17, 2005, 5:00 PM. Copyright © 2005 USA Today. http://www.usatoday.com/tech/columnist/andrewkantor/2005-11-17-sony-rootkit_x.htm

[Keizer-2007] George Keizer. “Massive spam shot of 'Storm Trojan' reaches record proportions”. It's the biggest spam blast in the last year. ComputerWorld (http://www.computerworld.com), ComputerWorld, Inc. April 12, 2007. Copyright © 2007 ComputerWorld, Inc. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9016420

[Krazit-2006] Tom Krazit. “FAQ: The HP 'pretexting' scandal”. ZDNet News (http://news.zdnet.com/), CNet Networks, Inc. September 6, 2006, 4:42 PM PT. Copyright © 2006 CNet Networks, Inc. http://news.zdnet.com/2100-9595_22-6113011.html

[Krebs-2007] Brian Krebs. “Fortune 500s Unwittingly Become Spammers”. Security Fix (http://blog.washingtonpost.com/securityfix/), The Washington Post Company. March 29, 2007, 11:11 AM ET. Copyright © 2007 The Washington Post Company. http://blog.washingtonpost.com/securityfix/2007/03/fortune_500s_unwittingly_becom.html

[Lazarus-2006] David Lazarus. “Data theft may hurt workers”. The San Francisco Chronicle (http://www.sfgate.com/), Hearst Communications, Inc. August 16, 2006. Copyright © 2006 Hearst Communications, Inc. This article appeared on page C-1 of the San Francisco Chronicle. http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/08/16/BUG1EKJ14T1.DTL

[Lemos-2007a] Robert Lemos. “Consumers dump breached retailers, says study”. SecurityFocus™ (http://www.securityfocus.com). April 11, 2007. Copyright © 2007 SecurityFocus. http://www.securityfocus.com/brief/481

[Lemos-2007b] Robert Lemos. “Report: TJX thieves exploited wireless insecurities”. SecurityFocus™ (http://www.securityfocus.com). May 4, 2007. Copyright © 2007 SecurityFocus. http://www.securityfocus.com/brief/496

[LioyEtAl-1997] Antonio Lioy, Fabio Maino, and Marco Mezzalama. “Secure Document Management and Distribution in an Open Network Environment”. Politecnico di Torino, Dip. di Automatica e Informatica, Torino, Italy. 1997.

[MatsumotoEtAl-2002] T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino. “Impact of Artificial Gummy Fingers on Fingerprint Systems”. Proceedings of SPIE Vol. 4677, Optical Security and Counterfeit Deterrence Techniques IV. Copies of this paper can be obtained from the author by email (tsutomu@mlab.jks.ynu.ac.jp) or online from Cryptome.org: http://cryptome.org/gummy.htm. There is also a summary of the findings in the May 15th, 2002 Crypto-Gram Newsletter from Counterpane Internet Security, Inc.: http://www.schneier.com/crypto-gram-0205.html#5

[Maxcer-2007] Chris Maxcer. “Fail-Safe System Fails in Alaska's Data Debacle”. TechNewsWorld™ (http://www.technewsworld.com), ECT News Network™. March 21, 2007, 2:30 AM PT. Copyright © 2007 ECT News Network, Inc. http://www.technewsworld.com/story/56414.html

[MythBusters-2006] MythBusters. “Crimes and Myth-Demeanors 2”. Beyond International. August 23, 2006. Season 4, episode 59. An online summary of this episode is available on Wikipedia: http://en.wikipedia.org/w/index.php?title=MythBusters_%28season_4%29&oldid=127130877

[Osi-2006] Open Source Initiative (http://opensource.org). Open Source Definition. July 7, 2006, 3:49. Copyright © 2006 Open Source Initiative. http://opensource.org/docs/osd. There is also an annotated version with some additional rationale: http://opensource.org/docs/definition.php

[PciSsc-2006] PCI Security Standards Council, LLC. Payment Card Industry Data Security Standard, version 1.1. PCI Security Standards Council, LLC, Wakefield, MA. September 2006. https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

[PciSsc-2007] PCI Security Standards Council™ (https://www.pcisecuritystandards.org). The PCI Security Standards Council Frequently Asked Questions - General Information. PCI Security Standards Council, LLC, Wakefield, Massachusetts. April 17, 2007. Copyright © 2007 PCI Security Standards Council, LLC. https://www.pcisecuritystandards.org/about/faqs.htm

[Rasch-2007] Mark Rasch. “The Politics of E-Mail”. SecurityFocus™ (http://www.securityfocus.com). April 17, 2007. Copyright © 2007 SecurityFocus. http://www.securityfocus.com/columnists/440/1

[Schneier-2005] Bruce Schneier. “Real Story of the Rogue Rootkit”. Wired (http://www.wired.com), CondéNet, Inc. November 17, 2005, 2:00 AM. Copyright © 2005 CondéNet, Inc. http://www.wired.com/politics/security/commentary/securitymatters/2005/11/69601

[Schneier-2007] Bruce Schneier. “How Security Companies Sucker Us With Lemons”. Wired (http://www.wired.com), CondéNet, Inc. April 19, 2007, 2:00 AM. Copyright © 2007 CondéNet, Inc. http://www.wired.com/politics/security/commentary/securitymatters/2007/04/securitymatters_0419

[SeiCm-2001] CERT® Coordination Center (http://www.cert.org). CERT® Coordination Center Incident Reporting Guidelines. Carnegie Mellon Software Engineering Institute, Pittsburgh, PA 15213-3890. July 30, 2001. Copyright © 2001 Carnegie Mellon University. http://www.cert.org/tech_tips/incident_reporting.html

[SeiCm-2007] Software Engineering Institute - Carnegie Mellon (http://www.sei.cmu.edu/opensystems/welcome.html). Open Systems Glossary. Carnegie Mellon Software Engineering Institute, Pittsburgh, PA 15213-3890. March 20, 2007, 8:38:06. Copyright © 2007 Carnegie Mellon University. http://www.sei.cmu.edu/opensystems/glossary.html#o


[SoleckiRosenberg-2004] Albert J. Solecki, Jr. and Melissa G. Rosenberg. “Workplace E-mail: Employers Beware!”. Law Journal Newsletters - Employment Law Strategist, vol. 12, no. 7. ALM Properties, Inc. November 2004. Copyright © 2004 ALM Properties, Inc. http://www.goodwinprocter.com/getfile.aspx?filepath=/Files/publications/solecki_rosenberg_11_04.pdf

[Sullivan-2006] Bob Sullivan. “'I just bought your hard drive'”. The Red Tape Chronicles (http://redtape.msnbc.com), MSNBC. June 5, 2006, 3:00 am CT. Copyright © 2006 MSNBC.com. http://redtape.msnbc.com/2006/06/one_year_ago_ha.html

[TewsEtAl-2007] Erik Tews, Ralph-Philipp Weinmann, and Andrei Pyshkin. “Breaking 104 bit WEP in less than 60 seconds”. Technische Universität Darmstadt, Fachbereich Informatik, Hochschulstrasse 10, D-64289 Darmstadt. April 3, 2007. http://eprint.iacr.org/2007/120

[Tweakers-2007] Tweakers.net (http://www.tweakers.net). “Secustick gives false sense of security”. April 12, 2007, 08:59. Copyright © 2007 Tweakers.net. This article is translated from the Dutch. http://tweakers.net/reviews/683

[Usc-1996] Health Insurance Portability and Accountability Act of 1996. Public Law 104-191. 1996. The text of the law is available online: http://aspe.hhs.gov/admnsimp/pl104191.htm

[Vijayan-2007a] Jaikumar Vijayan. “TJX data breach: At 45.6M card numbers, it's the biggest ever”. It eclipses the compromise in June 2005 at CardSystems Solutions. ComputerWorld (http://www.computerworld.com), ComputerWorld, Inc. March 29, 2007. Copyright © 2007 ComputerWorld, Inc. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014782

[Vijayan-2007b] Jaikumar Vijayan. “Hackers offer subscription, support for their malware”. Organised hacking gangs set up malware subscription sites. ComputerWorld (Australia) (http://www.computerworld.com.au), IDG Communications, Inc. April 5, 2007, 08:17:16. Copyright © 2007 IDG Communications, Inc. http://www.computerworld.com.au/index.php/id;838771320;fp;16;fpid;0

[Weber-2007] Tim Weber. “Criminals 'may overwhelm the web'”. BBC News (http://news.bbc.co.uk/), BBC. 25 January 2007. http://news.bbc.co.uk/2/hi/business/6298641.stm

[West-BrownEtAl-2003] Moira J. West-Brown, Don Stikvoort, Klaus-Peter Kossakowski, Georgia Kilcrece, Robin Ruefle, and Mark Zajicek. Handbook for Computer Security Incident Response Teams (CSIRTs), 2nd edition. Carnegie Mellon Software Engineering Institute, Pittsburgh, PA 15213-3890. April 2003. Copyright © 2003 Carnegie Mellon University. http://www.cert.org/archive/pdf/csirt-handbook.pdf

Thanks to Bruno Vernay for the CSS template I started from for the HTML version. Many thanks to the folks at OASIS and everyone else who makes DocBook a wonderful tool.
