Showing posts from June, 2005

Softside of security

Yesterday, PISA invited security experts to a discussion forum to share the challenges of managing IT security. The three keynote speakers came from banking, telecom and a public organization respectively. Below are the key points of the two-hour discussion:

Both banking and telecom are highly regulated industries. IT security planning and management are driven by regulators, and both security managers in these industries believe more regulation will come!! Be prepared. But WHY does the regulator want more regulations? (An interesting question, although knowing the answer will not stop them.)

IT security managers sometimes need to educate business managers about risk and sometimes need to control them. It is a delicate relationship. In other words, IT security managers need to control our customers. The following were shared: one organization has a security steering committee, and it is a collective decision whether to implement a control. The security manager's role is to advise and advocate

Blackhole for network security

There are a few papers on the net discussing how to divert and mitigate the damage caused by network attacks, in particular DDoS. Both papers describe a means to create a "black hole" on the network: one at the network layer and one at the web server layer.

Cisco Black Hole Filtering: Cisco's paper explains how a specifically built infrastructure can help an ISP route malicious packets to a null interface (blackhole filtering).

Microsoft Beat Hackers At Their Own Game With A Hackerbasher Site: utilizing the principle that all visitors must know my name, this method diverts incoming traffic that uses the IP address rather than the hostname.

These papers give a good illustration that security can be achieved by thoughtful design. All the tools and technology are available to everyone, or what they call built-in. By good design, we increase the effectiveness of our security investment.

Risk on Radio

This morning I joined a talk show on RTHK and discussed the risk of using credit cards. Media attention is high after the recent security breach at CardSystems. The story was uncovered on 17 June 2005, but after 6 days it is still lingering on. WHY?

First, I believe this incident is huge in terms of the people affected: 40 million card numbers were lost. Secondly, it was uncovered on a Saturday. I am not joking. One of my lecturers in a Crisis Management class told his students that when reporters are hungry for news, even the loss of a penny can be headline news. On a Saturday, when reporters are unable to find a new story, an incident like this one will be reported by every newspaper.

Back to the talk show: a few people called in. One mentioned that when he visited an Indian online shop he was diverted to an HSBC credit card website. This website asked him to enter personal information like his birthday and passport number. He worried this may be a fraudulent website and asked for advice. As