ISSUE 22 | JANUARY 2012 | www.pliroforiki.org
Publication of the Cyprus Computer Society
ISSN 1450-152X

GOVERNANCE OF INFORMATION SECURITY & OTHER INITIATIVES, p.14
THE FUTURE OF INFORMATION SECURITY: NEW PRIORITIES, NEW SKILLS AND NEW TECHNOLOGIES, p.24
SAFE COMPUTING IN AN INCREASINGLY HOSTILE WORLD: SECURITY 2.0, p.19
Owner
Cyprus Computer Society
New address:
Florinis 11, City Forum, 3rd floor,
Office 303, 1065 Nicosia
P.O. Box 27038
1641 Nicosia
Cyprus
Tel.: 22 460680
Fax: 22 767349
info@ccs.org.cy
www.ccs.org.cy

Editorial Board
Yiannos Aletraris
Kyriakos E. Georgiou
Constantinos Zervides
Constantinos Fanouriou
Minos Georgakis
Panikos Masouras
Philippos Peleties

Article submissions
www.pliroforiki.org

Editing - Advertising
Christina Papamiltiadou
Tel.: 22 460680
c_papamiltiadou@ccs.org.cy

Editing - Layout - Cover
GRA.DES
gra.des@cytanet.com.cy
www.gra-des.com
CONTENTS
ISSUE 22 - JANUARY 2012

02  MESSAGE FROM THE EDITORIAL BOARD
06  OUR NEWS
09  Dr EUGENE SCHULTZ (1946 – 2011)
    Yiannos Aletraris
11  ISACA CYPRUS CHAPTER
    CYPRUS INSTITUTE OF INFORMATION SYSTEMS AUDIT
    Paschalis Pissarides
14  GOVERNANCE OF INFORMATION SECURITY & OTHER INITIATIVES
    Vernon Poole
19  SAFE COMPUTING IN AN INCREASINGLY HOSTILE WORLD: SECURITY 2.0
    Dr Andrew Jones
24  THE FUTURE OF INFORMATION SECURITY: NEW PRIORITIES, NEW SKILLS AND NEW TECHNOLOGIES
    David Lacey
28  TO WHAT EXTENT IS THE TURING TEST STILL IMPORTANT?
    Christos Papademetriou
33  THE ROLE OF EFFECTIVE PROJECT MANAGEMENT IN PROJECT SUCCESS: IDENTIFYING SUCCESS CRITERIA & THE CRITICAL SUCCESS FACTORS
    Andreas Solomou, Kyriakos E. Georgiou
44  DO YOU KNOW THIS MAN?
    Dr Philippos Peleties
MESSAGE FROM THE EDITORIAL BOARD

To the world of Cyprus, Memory and Love...
Cyprus, where he ordained me...
"Lord, help us to remember
how this killing came about -
the rapacity, the deceit, the self-interest,
the withering of love -
Lord, help us to root them out..." (i)

Giorgos Seferis
Salamis in Cyprus, Logbook III
∞Á·ËÙÔ› Ê›ÏÔÈ Î·È Ê›Ï˜,
∂π™∞°ø°∏
To ·ÚfiÓ Ì‹Ó˘Ì· ¿Ú¯ÈÛ ӷ ÁÚ¿ÊÂÙ·È Û¯Â‰fiÓ ·Ú¿ÏÏËÏ· Ì ÙÔ
ÚÔËÁÔ‡ÌÂÓÔ ª‹Ó˘Ì· Ù˘ ™˘ÓÙ·ÎÙÈ΋˜ ∂ÈÙÚÔ‹˜ Ù˘ ¤Î‰ÔÛ˘
ÙÔ˘ πÔ˘Ó›Ô˘ 2011 ÁÈ·Ù› ÔÈ Û˘Ó¤ÂȘ Ù˘ ΔÚ·Áˆ‰›·˜ Ù˘ 11˘
πÔ˘Ï›Ô˘ 2011 ÂÈ‚¿Ú˘Ó·Ó ¤Ó· ‰‡ÛÎÔÏÔ ‰ÈÂıÓ¤˜ ÂÚÈ‚¿ÏÏÔÓ Î·È
Â¤ÊÂÚ·Ó ‰Ú·Ì·ÙÈΤ˜ Î·È ÚÈ˙ÈΤ˜ ·ÏÏ·Á¤˜ Û fiϘ ÙȘ
ÂÎÊ¿ÓÛÂȘ ÙÔ˘ ‰ËÌfiÛÈÔ˘ Î·È È‰ÈˆÙÈÎÔ‡ ‚›Ô˘. √ ÏfiÁÔ˜ ÙÔ˘ ÔÈËÙ‹
fiˆ˜ ¿ÓÙ· ÚÔÊËÙÈÎfi˜ Î·È Â› Ù˘ Ô˘Û›·˜. Δ· ·ÚÓËÙÈο
Û˘Ó·ÈÛı‹Ì·Ù· Ù˘ ·fiÁÓˆÛ˘, Ù˘ ÓÙÚÔ‹˜, Ù˘ χ˘, Ù˘
·‰˘Ó·Ì›·˜, ÙÔ˘ ı˘ÌÔ‡ Î·È Ù˘ ·Á·Ó¿ÎÙËÛ˘ Ô˘ ‚ÈÒÛ·ÌÂ, ÙfiÙÂ,
¤¯Ô˘Ó ÂÓ Ì¤ÚÂÈ ·ÓÙÈηٷÛÙ·ı› ·fi ÌÈ· ¢ڇÙÂÚË ·ÁˆÓ›· ÁÈ· ÙÔ
̤ÏÏÔÓ, ÙË Ê˘ÛÈ΋ ÂÈ‚›ˆÛË Î·È ÙË ‰È·Ù‹ÚËÛË ÙÔ˘ ÂÈ¤‰Ô˘ ˙ˆ‹˜
Ô˘ ¤¯Ô˘ÌÂ Û˘ÓËı›ÛÂÈ. °È· ÙËÓ ¤ÁÓÔÈ· Ì‹ˆ˜ Ë ÂÚ›Ô‰Ô˜ Ù˘
Â˘Ì¿ÚÂÈ·˜ Î·È Ù˘ ·ÛÊ¿ÏÂÈ·˜ ¤¯ÂÈ ·Ú¤ÏıÂÈ ÔÚÈÛÙÈο Î·È Ë
ÂfiÌÂÓË ÂÚ›Ô‰Ô˜ ı· Â›Ó·È ÈÔ ‰‡ÛÎÔÏË Î·È ·‚¤‚·ÈË.
The forecast of a prolonged period of crisis and instability at every level has, unfortunately, been confirmed. Realistically speaking, Cyprus's public finances are not at a level that justifies the current classification by the international rating agencies and, by extension, the state's inability to turn to the international markets for borrowing. The decisions and draconian economic measures of the political leadership have been set in motion both by the Euro crisis afflicting Europe and by the markets' loss of confidence in Cyprus's ability to put its own house in order in a difficult economic climate. These developments have dispelled whatever faint hopes there were of economic recovery in 2012 and are pushing the economy back into recession, if not into a deep and prolonged depression.
The largely necessary, draconian measures to cut the payroll of the wider public sector over the next two years will help reduce the budget deficit. The truth is that the wider public sector payroll had been growing in previous years at 10% a year. That growth is a multiple of the improvement in productivity and therefore unsustainable. By contrast, it is not certain that the VAT increase from March 2012 will raise state revenue. There is a good chance that the combination of these two measures, together with the State absorbing whatever local liquidity is available in the form of borrowing, will reduce available liquidity and demand in the market, as has happened in Greece, with very negative consequences for state revenue and for growth in 2012 and the years that follow. On the other hand, the State has done very little for the growth of the economy and of employment.

i. The verses are a free rendering of a prayer that Commander Lord Hugh Beresoft composed for his ship; he fell in the Battle of Crete in April 1941. The prayer was published in a South African newspaper in September 1941.
HARRY S. TRUMAN (1884 – 1972)
THE BUCK STOPS HERE

Harry S. Truman served as the 33rd President of the United States (1945–1953), succeeding Franklin D. Roosevelt when the latter died only three months into his historic fourth term. Truman came from Missouri, was of humble origins and had no university degree, and when he left the Presidency in 1953 his only income was his Captain's pension from his army service in the First World War. He refused offers of help or employment so as not to compromise the institution of the Presidency. Later, when his poverty became known and it emerged that he had been forced to take out a loan to live on, the State passed a law providing pensions for former Presidents.

During his Presidency he had to take hard decisions: the dropping of the two atomic bombs on Japan, the dismissal of the popular General MacArthur, the Korean War, the recognition of the State of Israel, the decision to support Western Europe financially and the Marshall Plan. As a result, his popularity on leaving the White House was lower even than that of Richard Nixon (1968-1974), who was forced to resign over the Watergate scandal. Later, with the passage of time and a growing appreciation of his contribution, the assessment of his work was reversed, to the point that experts and citizens alike regard him as a very good president and rank him among the ten best.

His office, the Oval Office, was adorned with a wooden sign which read "The buck stops here" on the front and "I am from Missouri" on the back. The sign remained in the Oval Office at least until the Presidency of Jimmy Carter (1976–1980). The expression "The buck stops here" in this context refers to the reality of the office. The President must take decisions and, naturally, bear final responsibility for them. There is no room to pass the buck for a decision to others, nor to disclaim his responsibilities. The final responsibility is his.
THE CLOUD AND THE CYPRUS OF 2011: INCOMPATIBLE CONCEPTS?

The Cloud is a concept and an application of technology that is set to revolutionise the way we understand and use technology, information and knowledge. The question remains, however, whether the cloud really is a paradigm shift or simply a set of technologies that has been given an inflated dose of hype driven by the need to increase sales. After all, the big companies in the industry pay more attention to sales than to production or to meeting the needs of customers and users. Perhaps the truth lies somewhere between the two extremes.

In a traditional computer system the hardware, the software and the information were in the same physical place. That place could be a building or even a single room, and the traditional system could not easily be moved from it. Gradually systems became smaller, more powerful in computing capacity and storage, and in effect portable and self-contained. To this evolution has been added the great revolution of the Internet, which leads to a situation where the physical location of the components that process information (hardware, operating system, software, network, application, data) no longer matters to the operation and processing of the information or to getting the work done. This of course transforms the way organisations operate and the form and manner of work, and creates new opportunities and challenges.

For example, it frees the user from constraints of place and time and from the need for an expensive, large personal system, and lets him work wherever he is, provided there is adequate and secure access to the Internet. The personal system can take many forms: a fixed workstation, a laptop, a tablet such as an iPod, iPad or even a Kindle, or a smartphone such as an iPhone, BlackBerry, Nokia and so on. This development frees the user from the spatial and temporal constraints of work and gives him greater flexibility and freedom in carrying it out. Of course, abuse of this freedom leads to a new form of self-imposed constraint in which the boundaries between work and private life are no longer clear and the employee tends to work at all hours of the day and night, and everywhere.
Above all, operating such a system presupposes a robust and secure infrastructure (uninterrupted electricity supply and fast Internet) that guarantees continuous, fast access to the Internet and to the user's hardware, software and data, so that he can carry out his work without hindrance. After July 2011, and for roughly two months, these basics were anything but certain in Cyprus, since the electricity being generated was not enough to meet the country's needs. Many working hours were lost during that period, and many users were driven to the brink of despair as the loss of power led to the loss of the work and the data being processed. At the time the companies in the sector were on constant alert to serve desperate customers and to supply businesses with generators and uninterruptible power supply (UPS) systems. The outlook for the coming summer and the growing demand for electricity is rather negative, because supply remains precarious.

Of course the dilemma as to what is preferable, a self-sufficient corporate or personal system with limited need for Internet access, or a system with continuous Internet access and unimpeded use of software and data, is in essence a false dilemma, because the right answer depends on what serves corporate and personal needs best, most securely and most economically. The trend, certainly, is towards small portable systems with reduced computing power and storage but greater autonomy, with no need for a mains power supply but with access to the Internet.
CYPRUS INFOSEC WEEK 2011

Last October the Society, in cooperation with the University of Nicosia, organised the Cyprus Infosec 2011 week, which included professional seminars and the established one-day conference. The week offered a rich programme with many different topics, including the "hot" topic of security in the "cloud". Despite the difficult economic climate the week went smoothly and was a success. For the first time the conference included a presentation by video conference, in which the "guru" Mr. Winn Schwartau spoke from the USA about the burning issues in security that keep him "awake at night". The sad side of Cyprus Infosec 2011 was the unexpected loss of the long-standing contributor to the Cyprus Infosec institution and to the Society's magazine, Dr Eugene Schultz. The week was therefore dedicated to his memory. Yiannos Aletraris, on behalf of the Board of Directors, bids farewell to Gene with a short tribute in this issue.
IN THIS ISSUE

A new member has joined the magazine's Editorial Board, Dr Constantinos Zervides, who was recently appointed to the Radiation Protection Section of the Department of Labour Inspection of the Ministry of Labour and Social Insurance. We welcome him to our team. The contents of this issue comprise a series of interesting and varied articles covering a wide range of topics, focused however on information security, as a result of the Infosec 2011 week, and include the following pieces:
First, Yiannos Aletraris presents the obituary of the Society's long-standing friend and regular Cyprus Infosec contributor, Dr Eugene Schultz.

Paschalis Pissarides, President of the Cyprus Institute of Information Systems Audit (ISACA Cyprus Chapter), writes about the founding and operation of the Institute and its important mission in addressing growing risks, security certification audits and the proper governance of Information Systems, and information protection more generally.

Vernon Poole, a regular contributor to Infosec and to the magazine, advises the management and boards of organisations on how to handle their roles in relation to information security management in his article "Governance of Information Security & Other Initiatives".

Dr Andrew Jones, in his article "Safe Computing in an Increasingly Hostile World: Security 2.0", writes about the growing need to address information security through the design of networks and applications in which security is among the design criteria.
David Lacey, in his article "The Future of Information Security: New Priorities, New Skills and New Technologies", writes about the emerging world in which the boundaries between the professional and the personal environment are disappearing, in which everyone and everything is on the Internet, and about the professional challenges this development creates.
Doctoral candidate Christos Papademetriou presents an interesting article on artificial intelligence, "To What Extent is the Turing Test Still Important?", in which he presents and analyses a thought experiment of Alan Turing, a pioneer in the field.

Andreas Solomou and Kyriakos Georgiou, members of the editorial board, in their article "The Role of Effective Project Management in Project Success: Identifying Success Criteria and Critical Success Factors", describe the challenges of managing IT projects and the critical factors that determine a project's success.

The issue is completed by Dr Philippos Peleties's regular column "Do you know this Man", with an excellent obituary dedicated to Steven Jobs, Founder and Chief Executive of Apple.
EPILOGUE

Every day in Cyprus and in Greece we witness unprecedented social conditions and scenes of poverty and destitution that we did not experience even in the period of the Turkish invasion in the summer of 1974. We are also living through a surge in crime, mainly in the form of theft, robbery and burglary, by people who lack the basic necessities and try by illegal means to meet the needs of their families. The capacity of the state and of society in general to deal with these phenomena appears limited and unable to meet adequately the basic needs of our fellow citizens. Much needs to be done, mainly by those of us citizens who have the means; we must stand by our fellow human beings around us, in our neighbourhood, in our community, in the house next door. We must make charity a priority.

And when you feel an intense sense of despair and hopelessness at the misery and poverty that surrounds us, bring to mind the verses of the great poet Kostis Palamas (Patras, 13 January 1859 - Athens, 27 February 1943) in The Twelve Lays of the Gypsy:

And if we have fallen a fall unheard of
and tumbled down a precipice
deeper than any race has seen till now,
it is because, in the fullness of time,
an ascent just as deep awaits us
towards sky-borne heights!
ADVERTISE IN PLIROFORIKI!

By advertising in Pliroforiki you are promoting your services and products to more than 1000 readers, professionals, specialists and friends of the Computers, Information Technology and Communications industry in Cyprus!

For information regarding prices and reservations you can contact the Cyprus Computer Society Public Relations Officer Christina Papamiltiadou at tel. 22460680, email: c_papamiltiadou@ccs.org.cy.
OUR NEWS

CCS EVENTS

CALL OF THE WHITE
This year too the Society has supported people and deeds that show daring, pioneering spirit, fortitude and courage. So, for the second time, it honoured the first Cypriot woman to reach the South Pole and her remarkable achievement by organising an event on the Commonwealth Antarctic Expedition (Kaspersky Lab Commonwealth Antarctic Expedition), in which she took part with 7 other women from the Commonwealth. At this event, held on 13 October 2011, the CCS in cooperation with the University of Nicosia presented the world premiere of the documentary about the expedition, "CALL OF THE WHITE". The expedition leader Felicity Aston, who has written the book of the same name, and the participant from Singapore, Sophia Pang, came to Cyprus especially for the event. After the screening, Felicity, Sophia and the Cypriot member Stephanie spoke about their experiences and answered questions from the audience. The more than 150 people present were impressed by the enormous effort of the 8 women who covered 900 kilometres in adverse conditions to reach the southernmost point of the planet.
AGM
On 24 November the Society's Annual General Meeting for 2011 was held at the Cleopatra Hotel. The President of the Board, Mr Costas Agrotis, reported on the year's activities and the Treasurer on the financial position for the previous year, 2010, while all the members of the Board discussed current issues and activities with the 50 members present.
ECDL/CCS PARTICIPATIONS

Careers Fair
Once again the Cyprus Computer Society took part in the Careers Fair organised by the Cyprus Association of Counselling and Career Education Teachers (OELMEK) and the Bank of Cyprus group on 19 and 20 November. Young people interested in a career in IT were offered advice as well as printed material explaining the IT professions.
INFOSEC
The 8th International Conference on Information Security, INFOSEC 2011, organised by the Cyprus Computer Society in November 2011 at the University of Nicosia, was a complete success. At the conference, this year entitled "Information Security: The Cloud And Beyond", distinguished scientists and speakers from around the world gave presentations and workshops on the latest international developments in Information Security. More than 100 participants, IT professionals and business executives, had the opportunity to learn about the critical parameters of security and about best practices for protection. The Cyprus Computer Society thanks all those who contributed to the successful running of the event (CEPIS, University of Nicosia, ECDL, SETIL, Cyta, IBM, Microsoft & Powersoft) and promises that the INFOSEC institution will continue in the future.
Treasure Hunt
For the tenth consecutive year the Treasure Hunt Rally was held, maintaining its reputation as one of the "coolest" events of the Radiomarathon. ECDL and the CCS again supported the event, which took place on 4 December and had a record number of entries (75 participating cars, with about 4 people in each) as well as record takings, which went to support people with special needs.
Conference on the Digital Agenda for Europe
The CCS took part in the conference entitled "Going Local II – A digital Agenda for Europe and Cyprus", organised on 25 November by the Department of Electronic Communications of the Ministry of Communications and Works in cooperation with the European Commission's Directorate-General for Information Society and Media. Speaking on behalf of the Society, Mr Dinos Konis covered the subject of eSkills, presenting the situation in Cyprus regarding the level of e-skills in businesses, as well as the European Commission's actions to help all Europeans take part in the digital society.
Conference on New Technologies in Education
The Foundation for the Management of European Lifelong Learning Programmes organised a conference entitled "Use of New Technologies in Education and Training – e-Learning". An exhibition of participants in Lifelong Learning Programmes was held as part of the event, in which the CCS and ECDL took part, presenting the Society's participation in the Leonardo Da Vinci mobility action, with the aim of raising awareness of the e-guardian programme developed by our Lithuanian partners within the framework of ECDL.
CCS Vasilopitta Cutting Event
The CCS's New Year celebration was a great success! At the traditional dinner for members of the Society with the cutting of the vasilopitta, this year the Board prepared a pleasant surprise for everyone: with the support of the event company Amaaze.com, casino games (Poker, Black Jack, Roulette) and Bingo (tombola) were organised, offering entertainment for those present and rich prizes for the winners of the evening! The games delighted the more than 115 people who attended the event on 13 January at the Mondo venue. The Cyprus Computer Society would like to thank the sponsors who provided the prizes, as well as the members whose presence and participation in the games contributed to the enormous success of the event.
Dr EUGENE SCHULTZ
(1946 – 2011)
Yiannos Aletraris
Dr Eugene Schultz, a valued associate and dear friend, passed
away on Sunday, 2nd October 2011. I came to know Gene, as
he preferred to be called, back in 2004 when he accepted our
invitation to be a presenter at the Cyprus Infosec conference. We
had heard so much about him, and were pleasantly surprised that
such a renowned and respected information security guru would
show so much interest in travelling all the way from the United
States to visit our small island and enlighten us with his
knowledge and wisdom. Getting to know him in person was an
even greater surprise, with his humble character, his wit and
delightful humour. The feedback we received from the conference
audience as well as the participants at his workshop completely
confirmed his high reputation, and fellow members started asking
for more follow-on workshops from him.
Gene’s wife, Cathy, had escorted him on that 2004 trip, and I
remember her commenting that she came all the way from the
United States to a small island in the Mediterranean only to find
out she would stay 40 kilometres away from the beach! That
innocent comment led to Cyprus Infosec 2005 being organised
in Limassol, but unfortunately Gene could not make it due to other
commitments. He did however manage to be with us in 2007 and
in 2009, and Cyprus Infosec was always pencilled-in in his yearly
plans.
2009 was to become the last time Gene participated in Cyprus
Infosec. He contacted us in early 2010 to agree on the 2011
dates, and he even suggested other information security
presenters that he admired. He had come to consider himself as
part of the team, and cherished the time he spent in Cyprus with
us. This year he planned to talk about Cloud Security and present
a newly developed 2-day workshop on the subject. However, in
September, his close associate Paul Underwood sent us a
worrying email telling us that Gene would not be able to participate
due to a serious illness. A blog was set up to inform his friends
and colleagues on his health status, and through that, his wife
Cathy finally informed us of his passing away.
As a tribute to Gene, the Cyprus Infosec 2011 conference was
held on November 2nd 2011 in his memory.
Yiannos Aletraris
Member of the Cyprus Infosec Organising Committee
DR EUGENE SCHULTZ IN BRIEF
Gene was born September 10, 1946, in Chicago to E. Eugene Sr.
and Elizabeth Schultz. He graduated from UCLA, and earned his
MS and PhD (in Cognitive Science, 1977) at Purdue University in
Indiana.
While at Purdue University, Gene met and married Cathy Brown.
They were married for 36 years, and raised three daughters: Sarah,
Rachel and Leah.
Gene was an active member of Cornerstone Fellowship, and
belonged to a men’s Bible study. His many interests included family,
going to his mountain home in Twain Harte, model trains, music,
travelling, the outdoors, history, reading and sports.
Gene was one of the more notable and accomplished figures in computing security over the last few decades. During the course of his career, Gene was professor of computer science at several universities, including the University of California at Davis and Purdue University, and retired from the University of California at Berkeley. He consulted for a wide range of clients, including U.S. and foreign governments and the banking, petroleum, and pharmaceutical industries. He also managed several information security practices and served as chief technology officer for two companies.
Gene formed and managed the Computer Incident Advisory
Capability (CIAC) — an incident response team for the U.S.
Department of Energy — from 1986–1992. This was the first
formal incident response team, predating the CERT/CC by several
years. He also was instrumental in the founding of FIRST — the
Forum of Incident Response & Security Teams.
During his 30 years of work in security, Gene authored or co-
authored over 120 papers, and five books. He was manager of the
I4 program at SRI from 1994–1998. From 2002–2007, he was the
Editor-in-Chief of Computers and Security — the oldest journal in
computing security — and continued to serve on its editorial board.
Gene was also an associate editor of Network Security. He was a
member of the accreditation board of the Institute of Information
Security Professionals (IISP).
Gene testified as an expert several times before both Senate and
House Congressional Committees. He also served as an expert
advisor to a number of companies and agencies. Gene was a
certified SANS instructor, instructor for ISACA, senior SANS analyst,
member of the SANS NewsBites editorial board, and co-author of
the 2005 and 2006 Certified Information Security Manager
preparation materials.
Dr Schultz was honored numerous times for his research, service,
and teaching. Among his many notable awards, Gene received the
NASA Technical Excellence Award, Department of Energy
Excellence Award, the Vanguard Conference Top Gun Award (for
best presenter) twice, the Vanguard Chairman's Award, the ISACA
John Kuyers Best Speaker/Best Conference Contributor Award and
the National Information Systems Security Conference Best Paper
Award. One of only a few Distinguished Fellows of the Information
Systems Security Association (ISSA), he was also named to the
ISSA Hall of Fame and received ISSA's Professional Achievement
and Honor Roll Awards.
At the time of his death, Dr Schultz was the CTO of Emagined
Security, an information security consultancy based in San Carlos,
California. He held certifications as a CISM, CISSP, and GSLC.
E. Eugene Schultz, Jr., 10/9/46–2/10/11. Rest in Peace.
™Â Ì›· ÂÔ¯‹ fiÔ˘ Ù· ı¤Ì·Ù· Ù˘ ÚÔÛÙ·Û›·˜, Ù˘
·ÓÙÈÌÂÙÒÈÛ˘ ÙˆÓ ·˘Í·ÓfiÌÂÓˆÓ ÎÈÓ‰‡ÓˆÓ, ÙˆÓ ÂϤÁ¯ˆÓ
ÈÛÙÔÔ›ËÛ˘ Ù˘ ·ÛÊ¿ÏÂÈ·˜ Î·È Ù˘ ÔÚı‹˜ ‰È·Î˘‚¤ÚÓËÛ˘ ÙˆÓ
™˘ÛÙËÌ¿ÙˆÓ ¶ÏËÚÔÊÔÚÈ΋˜, Î·È ÁÂÓÈÎfiÙÂÚ· Ù˘ ÚÔÛÙ·Û›·˜ Ù˘
ÏËÚÔÊÔÚ›·˜ Â›Ó·È Î·ıËÌÂÚÈÓ¿ ÛÙËÓ ÂÈηÈÚfiÙËÙ· ηÈ
·Ó·‰ÂÈÎÓ‡ÔÓÙ·È ˆ˜ ÛËÌ·ÓÙÈÎfiÙ·ÙÔÈ ˘ÏÒÓ˜ ÁÈ· ÙËÓ ÔÈÎÔÓÔÌÈ΋
Â˘ÚˆÛÙ›· Î·È ÙËÓ Â›Ù¢ÍË ÙˆÓ ÛÙÚ·ÙËÁÈÎÒÓ Î·È ÂȯÂÈÚËÌ·ÙÈÎÒÓ
ÛÙfi¯ˆÓ οı ÔÚÁ·ÓÈÛÌÔ‡, ÎÚ›ÓÂÙ·È ˆ˜ ·Ó·ÁηÈfiÙËÙ· Ë ÂÓ›Û¯˘ÛË
Î·È ıÂÛÌÔı¤ÙËÛË Ù˘ ÚÔÛÙ·Û›·˜ Î·È ÙÔ˘ ÂϤÁ¯Ô˘ ÙˆÓ
™˘ÛÙËÌ¿ÙˆÓ ¶ÏËÚÔÊÔÚÈ΋˜.
The founding and operation of the "Cyprus Institute of Information Systems Audit" in Cyprus could not have come at a more appropriate time, and it fills a gap that existed in the business world: the institutionalisation of the audit and proper governance of information systems.
√È ÚÔÛ¿ıÂȘ Ù˘ √ÚÁ·ÓˆÙÈ΋˜ ∂ÈÙÚÔ‹˜ ÛÙ¤ÊıËÎ·Ó ÌÂ
ÂÈÙ˘¯›· ÛÙȘ 16 πÔ˘Ó›Ô˘ 2010 fiÙ·Ó ÙÔ ¢ÈÔÈÎËÙÈÎfi ™˘Ì‚Ô‡ÏÈÔ ÙÔ˘
‰ÈÂıÓÔ‡˜ πÓÛÙÈÙÔ‡ÙÔ˘ «ISACA» (Information Systems Audit &
Control Association), Ô˘ ‰Ú‡ÂÈ ÛÙÔ ™ÈοÁÔ ÙˆÓ ∏.¶.∞. ¤‰ˆÛÂ
ÙËÓ Â›ÛËÌË ¤ÁÎÚÈÛË ÙÔ˘ ÁÈ· ÙËÓ ·Ô‰Ô¯‹ ÙÔ˘ ISACA Cyprus
Chapter Û·Ó Ï‹Ú˜ Î·È ·Ó·ÁÓˆÚÈṲ̂ÓÔ Ì¤ÏÔ˜ ÙÔ˘ Ì ¤‰Ú· ÙË
§Â˘ÎˆÛ›·. ™ÙȘ 20 √ÎÙˆ‚Ú›Ô˘ ÙÔ˘ 2011, ÙÔ ISACA Cyprus
Chapter ‹ÚÂ Î·È ÈÛÙÔÔÈËÙÈÎfi ÂÁÁÚ·Ê‹˜ Î·È ÏÂÈÙÔ˘ÚÁ›·˜ Û·Ó
™ˆÌ·ÙÂ›Ô Û‡Ìʈӷ Ì ÙÔÓ ÂÚ› ™ˆÌ·Ù›ˆÓ Î·È π‰Ú˘Ì¿ÙˆÓ ¡fiÌÔ
Ì ÙËÓ ÂˆÓ˘Ì›· «∫˘ÚÈ·Îfi πÓÛÙÈÙÔ‡ÙÔ ∂ϤÁ¯Ô˘ ™˘ÛÙËÌ¿ÙˆÓ
¶ÏËÚÔÊÔÚÈ΋˜».
The international Institute "ISACA" was created in the USA in 1969 and operates as a central body for information and guidance on Information Systems audit. Since then "ISACA" has developed into an international and highly regarded organisation with a presence in more than 160 countries and more than 86,000 members who work professionally in the protection, audit and governance of Information Systems. Today "ISACA" enjoys worldwide recognition as the pre-eminent organisation specialising in risk management, protection, audit and proper governance of Information Systems, promoting, among other things, knowledge and education through internationally recognised standards, international conferences, seminars, informational publications and professional supplements.
ΔÔ ∫˘ÚÈ·Îfi πÓÛÙÈÙÔ‡ÙÔ ∂ϤÁ¯Ô˘ ™˘ÛÙËÌ¿ÙˆÓ ¶ÏËÚÔÊÔÚÈ΋˜ ·fi
ÙË ÚÒÙË ÛÙÈÁÌ‹ Ù˘ ‰ËÌÈÔ˘ÚÁ›·˜ ÙÔ˘ ¤¯ÂÈ Âȉ›ÍÂÈ Ì›· ÌÔÓ·‰È΋
‰˘Ó·ÌÈ΋, ÁÂÁÔÓfi˜ Ô˘ ·Ô‰ÂÈÎÓ‡ÂÙ·È ·fi ÙËÓ ¤Ó‰ÂÈÍË ÌÂÁ¿ÏÔ˘
ÂӉȷʤÚÔÓÙÔ˜ ÁÈ· Û˘ÌÌÂÙÔ¯‹ ÛÙÔ πÓÛÙÈÙÔ‡ÙÔ ÙÔ ÔÔ›Ô Ì¤Û· ÛÂ
Ï›ÁÔ˘˜ Ì‹Ó˜ ·fi Ù˘ ȉڇÛˆ˜ ÙÔ˘ ¤ÊÙ·Û ӷ ·ÚÈıÌ› 68 ̤ÏË.
∏ ·‰‹ÚÈÙË ·Ó¿ÁÎË ÁÈ· ÙË ‰ËÌÈÔ˘ÚÁ›· ÙÔ˘ πÓÛÙÈÙÔ‡ÙÔ˘ ‰ڷÈÒÓÂÙ·È
Î·È ·fi ÙÔ ÁÂÁÔÓfi˜ fiÙÈ Ô ÚfiÏÔ˜ ÙˆÓ ÂȉÈÎÒÓ ÛÙÔÓ ÎÏ¿‰Ô ÙÔ˘
ÂϤÁ¯Ô˘ Î·È Ù˘ ÚÔÛÙ·Û›·˜ ÙˆÓ ™˘ÛÙËÌ¿ÙˆÓ ¶ÏËÚÔÊÔÚÈ΋˜
·ÔÎÙ¿ ÔÏÔ¤Ó· Î·È ÌÂÁ·Ï‡ÙÂÚË ‚·Ú‡ÙËÙ· ÛÙȘ ÏÂÈÙÔ˘ÚÁ›Â˜ ÙfiÛÔ
ÙÔ˘ ‰ËÌfiÛÈÔ˘ fiÛÔ Î·È ÙÔ˘ ȉȈÙÈÎÔ‡ ÙÔ̤·.
On 5 November 2009 the 1st Pancyprian Founding General Meeting of the Institute was held, during which the nine-member Board of Directors was elected. Through the Institute's activities the Board pursues the following objectives:
• education and the dissemination of knowledge in the fields of inspection, protection and audit of Information Systems,
• the adoption, elaboration and publication of general principles and the promotion of techniques relating to good practice in the fields of the profession,
• the promotion and strengthening of research, study and knowledge in the fields of the profession, as well as supporting the Institute's members with the necessary know-how and, more generally, the wider training of professionals in the field,
• informing, supporting and providing every possible assistance to the Institute's members in obtaining the professional certifications offered by ISACA:
  * CISA (Certified Information Systems Auditor), with more than 70,000 certified members since the certification began in 1978
  * CISM (Certified Information Security Manager), with more than 10,000 certified members since the certification began in 2002
  * CGEIT (Certified in the Governance of Enterprise IT), with more than 3,000 certified members since the certification began in 2008, and
  * CRISC (Certified in Risk and Information Systems Control), with more than 1,000 certified members since the certification began in early 2010
The rapid growth of transactions over the Internet, together with the fact that we now live in the "Information Society", creates new conditions and new opportunities for growth that rest directly on the rapid evolution of information and communication technologies. These technologies are an essential tool for more open and effective governance and for improving the competitiveness of businesses, and they give particular weight to the needs of businesses to protect and effectively audit information and communication technologies and to manage risk effectively.
With the objectives it has set for strengthening and promoting research, organising scientific workshops and conferences, and promoting international standards and procedures for the protection and audit of information systems, the Cyprus Institute of Information Systems Audit will contribute both to the continuous education, upgrading and empowerment of the people employed in risk management and to the application of appropriate control and protection mechanisms for information systems, which will strengthen the competitiveness and reliability of businesses.
During 2011 the Institute successfully organised lectures and training seminars with experienced speakers on targeted topics of interest, for the better information and training of its members, such as:
• Continuous Auditing & Continuous Monitoring: Using Technology to Drive Value by Managing Risk & Monitoring Performance
• Introduction to Computer Forensics
• Identity & Access Management – Key Concepts and Implementation Methodology
• Identity & Access Management – A Practical Implementation
• A Risk Based Approach to Data Protection
• GSM Threats & Vulnerabilities
In cooperation with the Cyprus Computer Society, the Institute held a seminar on "Computer Forensics" within the Infosec 2011 Conference, which took place at the University of Nicosia in early November.
A training seminar was also organised in cooperation with the Cyprus Certification Company to prepare candidates for the December international examination for the CISA (Certified Information Systems Auditor) professional certification.
We hope that through our cooperation with the Cyprus Computer Society, the Cyprus Certification Company and, in future, other related professional bodies such as the Cyprus Institute of Internal Auditors and the Institute of Certified Public Accountants of Cyprus, it will be possible to exchange experience and knowledge through jointly organised events and other activities.
At a time, then, when organisations make the rational management of risk and the secure management and governance of their Information Systems an absolute priority, the Cyprus Institute of Information Systems Audit and its members have a most important task: to spread systematic knowledge and good practice throughout the Cypriot Information Society and its businesses.
AUTHOR
Paschalis Pissarides has worked in the Information Security Department of Marfin Laiki Bank since 1997. Before that he worked for 8 years as Senior Internal Information Systems Auditor at a large financial institution in the United States of America.
Paschalis has twenty years of professional specialisation and experience in Information Systems Security, Governance and Audit.
He holds degrees in Accounting and in Information Systems Management, an MBA specialising in finance, and a master's degree in Political Science from Bowling Green University in Ohio, USA.
He holds the professional certifications CRISC (Certified in Risk and Information Systems Control), CISM (Certified Information Security Manager), CISA (Certified Information Systems Auditor), CPA (Certified Public Accountant) and CFE (Certified Fraud Examiner).
He has been an active member of the international organisation ISACA since 1991. He was President of the Central Indiana ISACA Chapter in the USA and is President of the ISACA Chapter in Cyprus.
He is a member of the Cyprus Computer Society's Organising Committee for the INFOSEC International Conference.
GOVERNANCE OF
INFORMATION SECURITY &
OTHER INITIATIVES
Vernon Poole
As information security incidents increase, especially cyber security incidents, organisations need to respond to these challenges as a governance issue and define specific tasks that staff at all levels can undertake as part of a management framework. This article will enable executive management and the Board to undertake their roles in Information Security Governance.
As the global economy depends on the secure flow of information within and across
organisations, information security is an issue of vital importance. A secure and
trusted environment for information greatly enhances consumer benefits, business
performance and productivity, and national security.
Conversely, an insecure environment creates the potential for serious damage to
governments and organisations that could significantly undermine customers and
citizens. For those engaged in the Critical National Infrastructure, the stakes are
particularly high. Where do we stand in the effort to bolster information security?
If the stakes are so high, why haven’t we made more progress?
CURRENT POSITION
1. Increasing laws and regulations call for more attention to Information Security, but only a few organisations are actively addressing their information security needs.
Information security is important. Companies and individuals want more security; vendors are responding with more secure products; industry and consumers recognise the need for information security. But security has a cost, and demonstrating a return on security investment is sometimes difficult. The good news is that the security profession and national governments are actively engaged in addressing the information security challenge. For example, in the UK the Government has developed a Security Policy Framework, and in the USA California's Database Security Breach Notification Act (July 2003) requires companies to notify customers if they believe a systems breach has led to the release of their personal information (this may become an EU regulation within 18 months).
2. Information security is often treated as a technology issue, when it should be treated as a governance issue. The Board and executive management must be actively engaged.
Businesses today face increased scrutiny when it comes to corporate governance, accountability and ethics. The Sarbanes-Oxley Act of 2002 (SoX) created an obligation at CEO and board level to pay attention to information security. Implementing an effective IT security program is ultimately a matter of enlightened organisational self-interest. Companies are taking action to protect their own information and the information entrusted to them by customers, suppliers and other partners. They are establishing responsibility for information security and adopting programs to evaluate and address vulnerabilities and internal and external threats. However, within many organisations two important barriers to effective computer security exist:
• responsibility is left solely with the Chief Information Security Officer (CISO)
• there is no framework for action: how to set priorities, assign tasks and monitor implementation.
3. There are existing frameworks that outline the actions necessary to remedy the problem. ISO 27001 and COBIT are two examples, with the emerging BMIS (Business Model for Information Security) and COBIT 5 next year offering the best way to address these governance issues.
ISO 27001 and ISO 27002 (Code of Practice for Information Security Management) are the global de facto standards, which enable any organisation to set up an effective Information Security Management System (ISMS).
The Business Model for Information Security (BMIS) from the Information Systems Audit and Control Association (ISACA) allows an organisation to understand the organisational requirements that drive Governance. It takes account of the elements People, Process and Technology (alongside the Organisation itself) and also of the dynamic interconnections between them: Culture, Governing, Architecture, Emergence, Enabling and Support, and Human Factors. COBIT 5 from ISACA, to be published in 2012, will be an integrated knowledge base from which each stakeholder, whether CISO, Certified Information Systems Auditor (CISA) or a management role, can establish what they need to do as a Governance contributor.
4. The lack of progress stems from the failure to adopt such frameworks, which can guide an organisation in implementing practical solutions.
Governance entails the systematic oversight and execution of
information security functions. By themselves, recommended
practices – no matter how strong the consensus is for them –
are not enough; they must be married with an information security
governance framework that assures effective implementation. A
governance framework is important because it provides a
roadmap for the implementation, evaluation and improvement of
information security practices. An organization that builds such a
framework can use it to articulate goals and drive ownership of
them, evaluate information security over time, and determine the
need for additional measures.
RECOMMENDATIONS
1. Government and industry should recognise that a significant regulatory regime already exists for information security.
Some laws address information security directly; others address it indirectly through issues such as financial governance, privacy or reporting requirements. Organisations should begin developing programs to comply with them, for example SoX, Basel II and Payment Card Industry (PCI) compliance.
2. We should develop an information security governance framework that organisations can readily adopt.
One of the most important features of a governance framework is that it defines the roles of the different members of an organisation. By specifying who does what, it allows organisations to assign specific tasks and responsibilities. A common element in almost all security best practices is the need for the support of senior management. Management functions fall into four categories: CEO/Board, Executive Management, Steering Committee and CISO.
CEO/Board has responsibility for
• Oversight and coordination of policies
• Oversight of business unit compliance
• Compliance reporting
• Actions to enforce accountability
Executive Management has responsibility for
• Providing information security protection commensurate with the risk and business impact
• Providing security training
• Developing the controls environment and activities
• Reporting on the effectiveness of policies, procedures and practices
Steering Committee has responsibility for
• Providing security guidance for information and systems
• Periodically assessing assets and their associated risks
• Assessing appropriate levels of security for the information in their systems
• Ensuring that policies and procedures cost-effectively reduce risk to acceptable levels
• Ensuring that security and controls are tested periodically
CISO has responsibility for
• Developing, maintaining and ensuring compliance with the security program
• Designating a security officer with primary duties and training in IT security
• Developing the policies required to support the security program and business user needs
• Developing the information use and categorisation plan
• Assisting senior managers with their security responsibilities
• Conducting the security awareness program
Components of the Framework
Information Security Governance includes the elements required to give management assurance that its direction and intent are reflected in the Information Security regime, by using a structured approach to implementing an IS program. Six basic outcomes are recommended:
1. Strategic alignment
2. Risk management
3. Value delivery (optimising IS investments in support of business objectives)
4. Resource management
5. Performance measurement
6. Assurance integration
Table: responsibilities at each management level across the six outcomes (strategic alignment, risk management, value delivery, performance measurement, resource management, process assurance).
Board of Directors
• Strategic alignment: Require demonstrable alignment
• Risk management: Policy of risk management in all activities; ensure regulatory compliance
• Value delivery: Require reporting of security activity costs
• Performance measurement: Require reporting of security effectiveness
• Resource management: Policy of knowledge management and resource utilization
• Process assurance: Policy of assurance process integration
Executive Management
• Strategic alignment: Institute processes to integrate security with business objectives
• Risk management: Ensure roles and responsibilities include risk management in all activities; monitor regulatory compliance
• Value delivery: Require business case studies of security initiatives
• Performance measurement: Require monitoring and metrics for security activities
• Resource management: Ensure processes for knowledge capture and efficiency metrics
• Process assurance: Provide oversight of all assurance functions and plans for integration
Steering Committee
• Strategic alignment: Review security strategy and integration efforts; ensure business owners support integration
• Risk management: Identify emerging risks; promote business unit security practices; identify compliance issues
• Value delivery: Review adequacy of security initiatives to serve business functions
• Performance measurement: Review and advise on whether security initiatives meet business objectives
• Resource management: Review processes for knowledge capture and dissemination
• Process assurance: Identify critical business processes and assurance providers; direct assurance integration efforts
Chief Information Security Officer
• Strategic alignment: Develop security strategy; oversee security program and initiatives; liaise with business process owners for ongoing alignment
• Risk management: Ensure risk and business impact assessments; develop risk mitigation strategies; enforce policy and regulatory compliance
• Value delivery: Monitor utilization and effectiveness of security resources
• Performance measurement: Develop and implement monitoring and metrics approaches; direct and monitor security activities
• Resource management: Develop methods for knowledge capture and dissemination; develop metrics for effectiveness and efficiency
• Process assurance: Liaise with other assurance providers; ensure that gaps and overlaps are identified and addressed
Interpreting the Framework
The framework poses three sets of questions:
1. What am I required to do?
2. How do I accomplish my objectives?
3. How effectively do I achieve my objectives?
Because the framework describes proactive actions, it not only clarifies roles and responsibilities but also helps management select a security practice reference (such as ISO 27001 or the emerging ISO 27014, still being finalised) that is appropriate for their organisation.
Consistent with Key Security Practices
Any Governance Framework must include the following key security requirements:
1. The need for risk assessments. Risks must be understood and acknowledged, and the security measures taken must be commensurate with these risks.
2. The need for a security organisational structure.
3. The need to create, communicate, implement, endorse, monitor and enforce security policies.
4. The need to make every member of the organisation aware of the importance of security and to train them in good security practices.
5. The need for access controls to make certain that only identified and authorised users with a legitimate need can access information and system resources.
6. The need to consider security throughout the system life cycle.
7. The need to monitor, audit and review system activity as a routine, regular function.
8. The need for business continuity plans that are tested regularly.
AUTHOR
Vernon is Head of Business Consultancy, responsible for Sapphire's team of consultants who deal with Information Assurance/Governance and all best practice standards on Information Security Management and associated areas (ISO 27000 series; ITIL; COBIT 5; Risk IT).
He is recognised as one of the thought leaders on Information Security Governance. He now sits on ISACA's new COBIT 5 Taskforce, developing ISACA's new in-depth approach to Information Security Governance. He holds both the CISM and CGEIT certifications.
Vernon can be reached at Vernon.poole@sapphire.net
SAFE COMPUTING IN AN
INCREASINGLY HOSTILE
WORLD: SECURITY 2.0
Dr Andrew Jones
The world in which data lives is always changing, but in the last few years it has changed dramatically, and this means that the challenge of protecting networks and data has become even more difficult. Because of the proliferation of national laboratories whose goal is to compromise other networks, attacks have become increasingly sophisticated. The old security solutions will no longer suffice, and system architects must design networks with security as a design goal. Security 2.0 means that networks must adhere to a range of fundamental security rules or accept that they will be violated.
SOVEREIGN HACKING
It has long been accepted that some nations maintain organizations whose purpose is to "monitor" or "spy" on the electronic activities of other countries. In the United States it is widely assumed that the National Security Agency monitors as much electronic communication as possible, both inside the U.S. and around the world. This is a natural evolution of efforts to monitor enemy communications during various wars. There are many famous tales and books about spy activities and about efforts to decode messages or to prevent the enemy from breaking your codes. Bletchley Park, outside London, was a secret organization whose purpose was to break German wartime ciphers, most famously the messages encrypted by the Enigma machine. Although Bletchley Park was disbanded after that war, it was only natural that as communications moved to computers, spying in that realm would follow.
We call this activity sovereign hacking. Sovereign hacking refers
to activities whose purpose is to violate networks in the interest
of a sovereign government. It is usually conducted by laboratories
with highly trained experts and extensive research, infrastructure
and monetary support. Many nations around the world now
support such laboratories.
Sovereign hacking requires deep knowledge of network architectures, operating systems and vulnerability vectors. Developing this knowledge, and the resulting techniques used to breach well-defended networks, requires extensive research. This makes all networks vulnerable and, unavoidably, this knowledge and these techniques migrate out of the secret labs and into the wider world.
Hacking has gone far beyond merely gaining access to networks in order to read secret messages or learn the specifications of new defense systems. Those are passive activities; hacking has also become active. It is now possible to assume control of a network remotely and have it carry out your bidding. Does this mean hacking has become a weapon? Yes, and that surely makes many other weapons systems obsolete.
RECENT HACKS
Let's look at some recent hacks and see what they can tell us
about the current hacking environment.
The RSA hack was particularly spectacular since the RSA SecurID token is so widely used and often considered the "gold standard" of authentication. The attackers extracted information about the SecurID system, widely reported to include the per-token seed records from which each token's one-time passwords are generated. Anyone holding a token's seed can compute the same codes as the token and so effectively bypass that authentication factor. As a result RSA had to offer replacement tokens to its customers, literally millions of them. A huge hidden cost was the loss of customer confidence that RSA suffered in this event.
This hack required subtle social engineering (a targeted phishing e-mail) and the exploitation of a vulnerability in Adobe Flash to gain remote administration capabilities on a machine inside RSA. That foothold allowed the hackers to carry out a series of attacks to gain further access to the networks and accomplish the multistage penetration.
The important lesson to draw from this attack is that hackers are
no longer lone dissidents looking for a quick victory. This hack
was probably the work of several groups, each of which had
expertise in different areas.
SONY PLAYSTATION NETWORK
This was another high-profile attack that affected millions of
people around the world. Like the RSA hack this penetration
required extensive knowledge in several areas. The blogosphere
suggests that the coalition that accomplished this hack might be
from Russia (due to the database knowledge required) and that
they were simply after account information that could be sold for
ready cash. Perhaps they succeeded beyond their expectations.
Before all the doors had been closed, the hackers gained access
to the data in over 77 million on-line accounts. It is not clear that
they were able to "steal" all that data. Downloading and storing
data from 77 million accounts requires a lot of bandwidth and
significant storage. But they probably did get a lot of credit card
data and surely profited from it.
The lesson here is that Sony spent a significant amount of time and money implementing a database that could handle millions of customer accounts but did not use a trusted operating system (or did not configure its features) to isolate data and access. This error is easy to understand given the size and sophistication of the PlayStation Network.
Sony had to shut down the online gaming service for a period of time to fix the holes and is still fighting demands for various forms of compensation from former customers.
BARRACUDA NETWORKS
This hack was more amusing than instructional. (It is amusing to
us; certainly not to Barracuda Networks.) Still there are a few
lessons that can be taken from this.
Barracuda Networks is a developer of firewalls, web and spam
filters and is generally considered to provide "pretty good" security
for its customers. Not surprisingly, Barracuda Networks used its
own products to protect its internal networks. Using a well-known
"SQL injection" technique, hackers successfully accessed the
Barracuda Networks Sales and Marketing Department database
which stored sales leads, marketing data and other sensitive
information.
So the hackers breached the Barracuda Networks firewall? No, that was not necessary: the firewall was off-line for an upgrade when the network was compromised. So were the hackers really lucky, striking at exactly the opportune moment? Or did they have inside knowledge? Either is possible. But more likely the hackers were probing the network all the time, continuously. Once the firewall went off-line, the door was open and they were able to get in easily.
This simple hack illustrates two important issues: first, with
external, perimeter-based security, it is best not to leave the gate
unlocked. This might be called single point security and that
allows for the possibility of single point failure. Second, hacking
is not a "sometime" activity; it is continuous. Many studies have
concluded that once a device is placed on-line, hacking probes
begin almost immediately and they continue.
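To make the Barracuda lesson concrete, here is an added example, written for this edited version and not code from the original article or from Barracuda Networks, showing the flaw and its fix side by side in Python with SQLite: a lookup that splices user input into the SQL text, a UNION payload that reads a different table through it, and the parameterised query that renders the same input harmless. The table names, rows and password hashes are constructed for the example and are not Barracuda's schema.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data standing in for a sales-and-marketing database.
# Table and column names are assumptions for this example.
LEADS = [
    ("Acme Corp", "alice@acme.example", "firewall renewal"),
    ("Globex", "bob@globex.example", "spam filter trial"),
]
STAFF = [
    ("sales.admin", "5f4dcc3b5aa765d61d8327deb882cf99"),    # constructed hash
    ("marketing.ops", "e99a18c428cb38d5f260853678922e03"),  # constructed hash
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE leads (company TEXT, email TEXT, note TEXT)")
    conn.execute("CREATE TABLE staff_accounts (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO leads VALUES (?, ?, ?)", LEADS)
    conn.executemany("INSERT INTO staff_accounts VALUES (?, ?)", STAFF)
    return conn


def find_leads_vulnerable(conn: sqlite3.Connection, company: str) -> List[Tuple]:
    """The flaw: user input is spliced into the SQL text, so the database
    parses whatever the client sent as part of the statement."""
    sql = f"SELECT company, email, note FROM leads WHERE company = '{company}'"
    return conn.execute(sql).fetchall()


def find_leads_safe(conn: sqlite3.Connection, company: str) -> List[Tuple]:
    """The fix: a parameterised query. The input is bound as a value and can
    never change the structure of the statement."""
    sql = "SELECT company, email, note FROM leads WHERE company = ?"
    return conn.execute(sql, (company,)).fetchall()


# A classic UNION-based payload: close the string literal, append a SELECT
# against an unrelated table with the same column count, and comment out
# the trailing quote the application appends.
PAYLOAD = "x' UNION SELECT username, password_hash, 'n/a' FROM staff_accounts --"


def stolen_usernames(conn: sqlite3.Connection) -> set:
    """What the attacker gets back from the vulnerable endpoint."""
    return {row[0] for row in find_leads_vulnerable(conn, PAYLOAD)}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable endpoint returned:", find_leads_vulnerable(db, PAYLOAD))
    print("parameterised endpoint returned:", find_leads_safe(db, PAYLOAD))
```

The vulnerable query hands back the contents of staff_accounts even though the endpoint was only ever meant to search leads; the parameterised version returns nothing for the same payload because the whole string is compared as a company name. Parameterisation, not input filtering, is the control that removes the class of bug, and it works regardless of whether a perimeter firewall happens to be online.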
CITIGROUP
Citigroup is one of the largest global banks in the world. As such
they are surely a prime target for a wide variety of hackers - after
all, that is where the money is. This hack, while extremely
successful, was simple and straight-forward.
The hack was successful in that the hackers accessed and probably downloaded the information from at least 200,000 accounts. This account data included names, account numbers and contact and transaction information, all valuable if you are looking to sell it either above ground (to "legitimate" marketing research organizations) or below ground (for identity theft). The hacking team exploited a simple flaw in the bank's web application: once logged in to a single account, they could jump from one account to another simply by changing the account identifier in the page's URL, what is now called an insecure direct object reference. It was a brute force method, but it was effective. Again, with no internal controls, once the flaw was discovered all the doors were open.
Citigroup has thus far avoided releasing details of the hack.
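The Citigroup description above amounts to a missing authorisation check on a client-supplied identifier. The following added example, which is not from the original article and is not Citi's code, shows the vulnerable handler, the hardened one, the attacker's enumeration loop, and a simple log-based detection for the pattern. The account data is constructed, and the threshold in detect_enumeration is an assumption to be tuned per application.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    number: int
    owner: str
    balance: float


# Constructed sample data; account numbers are deliberately sequential,
# which is what makes the enumeration cheap.
ACCOUNTS: Dict[int, Account] = {
    100001: Account(100001, "alice", 1250.00),
    100002: Account(100002, "bob", 310.55),
    100003: Account(100003, "carol", 9800.00),
    100004: Account(100004, "dave", 42.00),
}

Handler = Callable[[str, int], Optional[Account]]
AUDIT_LOG: List[Tuple[str, int]] = []   # (session user, account number requested)


def view_account_vulnerable(session_user: str, account_number: int) -> Optional[Account]:
    """The flaw: the account number comes from the client (a URL parameter)
    and is used directly, with no check that the logged-in user owns it."""
    AUDIT_LOG.append((session_user, account_number))
    return ACCOUNTS.get(account_number)


def view_account_hardened(session_user: str, account_number: int) -> Optional[Account]:
    """The fix: authorise every object reference against the session. A
    foreign account and a non-existent one get the same answer, so the
    response does not even confirm that the number exists."""
    AUDIT_LOG.append((session_user, account_number))
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.owner != session_user:
        return None
    return acct


def enumerate_accounts(handler: Handler, session_user: str, start: int, count: int) -> List[Account]:
    """Attacker loop: logged in as one customer, walk through neighbouring
    account numbers and keep whatever comes back that is not our own."""
    stolen = []
    for number in range(start, start + count):
        acct = handler(session_user, number)
        if acct is not None and acct.owner != session_user:
            stolen.append(acct)
    return stolen


def detect_enumeration(log: List[Tuple[str, int]], threshold: int) -> List[str]:
    """Detection: a session that references more distinct account numbers
    than any real customer plausibly owns is enumerating. Returns the
    offending users, sorted for stable output."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for user, number in log:
        seen[user].add(number)
    return sorted(user for user, numbers in seen.items() if len(numbers) > threshold)


if __name__ == "__main__":
    print("stolen via vulnerable handler:",
          [a.owner for a in enumerate_accounts(view_account_vulnerable, "bob", 100000, 10)])
    print("stolen via hardened handler:",
          enumerate_accounts(view_account_hardened, "bob", 100000, 10))
    print("sessions flagged:", detect_enumeration(AUDIT_LOG, threshold=3))
```

The hardened handler is the internal control the article says was missing: the server decides what the session may see, rather than trusting the identifier the browser sent. The detector is the compensating check for the case where such a flaw slips through anyway; one session touching many distinct account numbers is the signature of the "brute force method" described above.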
THE F-35 JOINT STRIKE FIGHTER
This is the hack that illustrates the current state of data hacking. The F-35 is a military aircraft developed by a coalition of countries. It employs highly advanced technology and sophisticated computer controls and data gathering; in fact it has been called a "mainframe with a jet engine". It reportedly flies with 7.5 million lines of code aboard. That is one reason this weapons system is the most expensive development ever undertaken by the U.S. military.
Again, this hack required multiple hacking techniques, extensive
expertise in several different areas, and the will to devote large
amounts of resources to obtain this information. Clearly, this was
the work of sovereign hackers rather than rogue programmers
looking to sell credit card information.
Lockheed Martin is the prime contractor, although several other contractors and countries are integral to the development. Lockheed Martin employed numerous industry-standard security technologies. Still, the data system was hacked and the thieves (spies, in this case) obtained very specific data on actual real-time performance, performance specifications, maintenance data and weapons capabilities.
Of course, when the plane is airborne it is not connected to any networks (for the most part; there is communication between the plane and ground stations in several modes). This was not generalized data that was obtained; the data was specific to each aircraft and flight and came from data downloaded after each flight. The hackers apparently had access to this data for at least two years before the breach was discovered.
Apparently this hack was accomplished by compromising one of the contractors' networks, which had access to the primary data network. Lockheed Martin shut down all access to its network, but clearly the damage had already been done.
Could the hackers have gained physical control of the aircraft and caused it to attack the wrong target? Could they cause it simply to crash? Neither possibility seems that remote. Simply installing rogue code that executed at the proper time, say once engine RPM exceeds a set value, could easily cause some subsystem aboard the plane to malfunction. Clearly, this appears to be an early skirmish in cyber warfare.
If you are comfortable with your efforts to secure your network, if you are able to sleep soundly, confident that all the doors are locked, wake up. If someone can hack a weapons system development such as the F-35, which has access to all the most sophisticated security technology, almost anything can be hacked. All it takes are the resources and the will.
BASIC SECURITY
It is possible to thwart most threats to your system by employing
the basic foundations of security. Of course, it would be nice to
have a "silver bullet" - a single device or technique that guaranteed
your network could not be hacked (at least by ordinary hackers).
Since that silver bullet is not yet available we have to return to the
basics: authentication, encryption, and a trusted operating system.
Authentication means that you know who is at the end of the wire,
who is requesting access, who you can trust. Most authentication
systems use very simple - and very untrustworthy - techniques
for identifying users for convenience. A simple password is easy
to hack and Windows will even remember it for you. That often
means that physical access to a machine is equivalent to access
to the network.
A true three-factor authentication system is required. Three factors mean that you are identified by something you have (the RSA token, for example), something you are (a fingerprint or iris scan) and something you know (a PIN or password; the one-time password the token displays is evidence of possession, so it belongs to the first factor, not this one). We have seen that with two-factor authentication, once the token is compromised, access is easy. So each factor must be very difficult to compromise. For example, most fingerprint readers rely on a central database to store the fingerprint templates. If that database is hacked, a fingerprint reader is useless.
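The point about compromised tokens, and the RSA section earlier, can be shown with the public HOTP algorithm of RFC 4226, on which event-based hardware tokens are built. This added example is not from the original article and does not describe RSA's proprietary SecurID algorithm; it uses the RFC's published test seed. It shows that whoever holds a token's seed record computes exactly the codes the legitimate token does, why the validator must advance its counter so an accepted code can never be replayed, and why a memorised PIN has to be checked as a separate factor. The class names and the PIN salt are assumptions for the example.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation, then the low-order decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpValidator:
    """Server side: holds the token's seed record and the next expected counter.
    Whoever copies the seed record (the RSA scenario) can run hotp() too."""

    def __init__(self, seed: bytes, window: int = 5):
        self.seed = seed
        self.counter = 0          # next counter value we expect from the token
        self.window = window      # tolerate a few unused presses of the button

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1   # this code, and earlier ones, are now dead
                return True
        return False


class PinPlusTokenValidator(HotpValidator):
    """Two independent factors: a memorised PIN (something you know) and the
    token code (something you have). The PIN is stored as a salted hash."""

    def __init__(self, seed: bytes, pin: str, salt: bytes = b"constructed-salt"):
        super().__init__(seed)
        self.salt = salt
        self.pin_hash = hashlib.sha256(salt + pin.encode()).digest()

    def verify_two_factor(self, pin: str, code: str) -> bool:
        candidate = hashlib.sha256(self.salt + pin.encode()).digest()
        pin_ok = hmac.compare_digest(candidate, self.pin_hash)
        # The token counter is only consumed when the PIN is right, so a
        # seed thief without the PIN cannot burn through valid codes.
        return pin_ok and self.verify(code)


if __name__ == "__main__":
    SEED = b"12345678901234567890"          # RFC 4226 test seed, not a real token
    print([hotp(SEED, c) for c in range(3)])  # matches the RFC's test vectors
```

Run against the RFC seed, hotp() yields 755224, 287082, 359152 for counters 0, 1, 2, which is exactly what an attacker holding the seed record would compute as well. That is why the seed is the secret that matters, why a validator must never accept an already-used counter, and why the PIN in the second class is checked independently rather than being folded into the token code.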
Encryption is often touted as the ultimate solution to all data
security. In mathematics vernacular we would say that encryption
is necessary but not sufficient. Data should be encrypted both
while in storage and during transmission. But the data must be
decrypted to be useful and encryption does not help prevent
hacking.
A trusted operating system (a TOS) is the only way to ensure that
the damage done by a hacker is controlled or limited. Notice that
I did not say that a TOS could not be hacked; any system can be
hacked. But a TOS gives you control over a number of things that
allow you to limit access to very specific data and prevent data
from "migrating" from one sensitivity level to another. It is a
powerful tool in the ongoing hacking arms race.
The concepts that are embodied in a TOS were developed over
30 years ago and have remained constant and useful since that
time. Therefore we will not belabor the features of a TOS here;
they are probably already familiar to most system administrators.
In summary the advantages of a TOS are due to features that
allow fine-grained control of access to resources, and provide
compartmentalization, privilege assignment, and role assignment.
Implementing and configuring a TOS is a complex and difficult task. It also imposes additional overhead, sometimes significant overhead, on normal administrative tasks. Hence many administrators avoid dealing with a TOS, apparently hoping that combinations of other security technologies will be sufficient. The evidence weighs heavily against that position.
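The access-control core of a trusted operating system can be illustrated with a small reference monitor that enforces the two mandatory access-control rules the author alludes to: no read up and no write down across sensitivity levels, with non-hierarchical compartments on top. This is an added example, not PitBull or Trusted AIX code, and the labels, object names and scenario are constructed. It shows how a compromised web process cannot read higher-labelled data and how a higher-labelled process cannot copy that data into a world-readable object, which is the "migration" from one sensitivity level to another that the author warns about.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Linear sensitivity levels plus non-hierarchical compartments (need-to-know).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """A label dominates another when its level is at least as high and
        its compartment set is a superset. This is a partial order: two
        labels with disjoint compartments are incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. A subject may only write into objects that
    dominate its own label, so data can never flow to a lower label."""
    return obj.dominates(subject)


@dataclass
class ReferenceMonitor:
    """Every access goes through here, and the decision depends only on the
    labels, not on the identity or intentions of a (possibly compromised)
    subject. Root privilege does not appear in the decision at all."""
    objects: Dict[str, Tuple[Label, str]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def create(self, name: str, label: Label, data: str = "") -> None:
        self.objects[name] = (label, data)

    def read(self, subject: str, slabel: Label, name: str) -> str:
        olabel, data = self.objects[name]
        if not may_read(slabel, olabel):
            self.audit.append(f"DENY read {subject} -> {name}")
            raise PermissionError(f"{subject} may not read {name}")
        self.audit.append(f"ALLOW read {subject} -> {name}")
        return data

    def write(self, subject: str, slabel: Label, name: str, data: str) -> None:
        olabel, _ = self.objects[name]
        if not may_write(slabel, olabel):
            self.audit.append(f"DENY write {subject} -> {name}")
            raise PermissionError(f"{subject} may not write {name}")
        self.objects[name] = (olabel, data)
        self.audit.append(f"ALLOW write {subject} -> {name}")


def compromised_web_process_demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: a web front end compromised at CONFIDENTIAL/{WEB}
    tries to read customer records held at SECRET/{FINANCE}; a FINANCE batch
    job tries to copy them into a world-readable log; the same batch job
    reads the records legitimately. Returns (read_ok, leak_ok, legit_ok)."""
    rm = ReferenceMonitor()
    rm.create("customer_db", Label("SECRET", frozenset({"FINANCE"})), "account rows")
    rm.create("public_log", Label("UNCLASSIFIED"), "")
    web = Label("CONFIDENTIAL", frozenset({"WEB"}))
    finance = Label("SECRET", frozenset({"FINANCE"}))

    def attempt(fn, *args) -> bool:
        try:
            fn(*args)
            return True
        except PermissionError:
            return False

    read_ok = attempt(rm.read, "httpd", web, "customer_db")
    leak_ok = attempt(rm.write, "batch", finance, "public_log", "account rows")
    legit_ok = attempt(rm.read, "batch", finance, "customer_db")
    return read_ok, leak_ok, legit_ok


if __name__ == "__main__":
    print(compromised_web_process_demo())   # expected (False, False, True)
```

The two denials are the whole point of labels: the attacker who owns the web process gains nothing from it, and even a legitimate high-side process cannot declassify data by writing it somewhere low. The audit list is the other property the author wants from a TOS, a record of every denied access that a monitoring function can review.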
CONCLUSIONS
Given the above analysis and observations, it is impossible to avoid the conclusion that cyber warfare is under way between many sovereign hacking groups. Unfortunately, the techniques and sophistication used by these sovereign hacking groups have migrated out into the old world of hacking for fun and profit, now mostly hacking for profit. This means that everyone is subject to significantly increased risk of their network being violated. It is time to upgrade to Security 2.0.
Security 2.0 means that security must be designed into the basic
system architecture. It cannot be added on. You must use a
trusted operating system that has the capability to isolate
compartments and control root privileges. Finally, it means that
you are absolutely sure who is accessing your system by using
true three factor authentication.
In the past it was acceptable to address threats as uncommon
events that had atypical signatures or unusual patterns. This
allowed security devices to "watch" for these odd occurrences
and interdict them or at least protect against them.
Security 2.0 must be "holistic" and address the fact that threats
are no longer characterized by simple errant signatures; the entire
system must be part of the protection mechanism. Security 2.0
must also be agile - it must protect against new attack vectors
that were not anticipated when the system was designed. It must
also allow for quickly and efficiently adding and removing access
or access levels as needs change. Finally, it must be pervasive in
that it must address threats from "end to end" of the system. This
means that data stored in the network operating center is
protected and the data collection and access systems at the "end
of the wire" can also be trusted.
Viewing your network architecture and security in the Security 2.0
model and implementing these principles has another benefit: it
will allow you to once again sleep soundly at night.
AUTHOR
Dr Jones is the recent Chief Executive Officer
and President of Argus Systems Group. Argus
Systems Group is the developer of PitBull
trusted operating system currently sold by IBM
as Trusted AIX.
Dr Jones was a founding member of Open
Prairie Ventures where he evaluated business plans and potential
investments. He was also the lead investor when Open Prairie
acquired the assets of Argus.
Dr Jones has been the founder and operator of several new
technology businesses and taught technology commercialization
and other subjects at the University of Illinois.
Dr Jones received his PhD from the University of Alabama in
Physics (1975), an MBA from the University of Illinois (1978),
and a BS and MS in Physics and Math from the University of
Alabama (1965, 1972).
THE FUTURE OF
INFORMATION SECURITY:
NEW PRIORITIES, NEW
SKILLS AND NEW
TECHNOLOGIES
David Lacey
The business environment of the future will be very different from
today's. Boundaries between organisations and between personal and
business computing will dissolve. Everyone and everything will be
linked to the Internet. In order to survive these radical changes,
organisations must embrace the uncertainty and the new risks this
environment creates.
This paper explores the impact of future trends and sets out a new
agenda for the priorities, skills and technologies of information security
managers.
CHANGES IN THE BUSINESS AND TECHNOLOGY
LANDSCAPES
Digital networks are transforming organisations. This is a long
term trend, as enterprises slowly evolve from a relatively static,
mechanistic form demanded by the Industrial Age, to a more
dynamic, adaptable style encouraged by the Information Age.
Amongst other changes, there will be major differences in the
nature of corporate governance and the location of business.
Horizontal, peer-to-peer information flows will displace traditional,
vertical, command-and-control flows, opening up new
possibilities for external partnerships and virtual supply chains,
but at the same time undermining the influence and authority of
corporate policy and standards. The nature of wealth will also
evolve as intellectual assets, such as ideas, know-how,
relationships and reputation become more valuable, requiring
security to extend its traditional scope from safeguarding physical
assets and data to protecting concepts, ability and transactions.
Dynamic information flows will become more significant than
static stocks of data as a generator of wealth, challenging the
traditional role of security as a barrier to physical and electronic
flows. At the same time, corporate boundaries will shift or
dissolve, both between organisations and between personal and
business computing.
The increasing business use of mobile devices coupled with the
introduction of cloud computing is already creating an environment
in which the users have already left the building and the
applications are following. In response, the focus of security
management needs to change from securing private infrastructure
towards influencing behaviour and managing external relationships.
Virtualization is also transforming both the problem and solution
spaces, changing the nature of the target and its attack vectors,
and introducing new possibilities for security features. Examples
of such technologies include servers that continuously refresh
operating system software and client devices that enable the ring-
fenced use of multiple user personae.
Cyberspace itself presents a different environment from a security
perspective, as it creates a world that blends fact and fantasy, in
which people feel anonymous and concealed, encouraging them
to relax and feel less inhibition to explore dark, unacceptable
subjects (such as pornography), or to be unusually hostile, rude
and angry. Users can commit acts or reveal information that go
beyond anything that might be contemplated in the physical world.
And there are no disapproving glances in cyberspace to
discourage inappropriate behaviour.
TRENDS IN SECURITY THREATS
The increasing value of information combined with the greater
availability of knowledge and networking tools means that security
threats will become increasingly strategic, professional and
collaborative. Internal security threats will also increase with the
inevitable growth in the reach and power of user access
capabilities to corporate databases.
Advanced persistent threats, such as those originating from
aggressive intelligence services, are long-term, sophisticated and
well funded. The targets of these threats are likely to become
broader and deeper, and they will inevitably progress beyond mere
theft of intellectual property towards sabotage of competing
commercial or national interests.
Modern industrial supervisory control and data acquisition
(SCADA) systems used to control industrial plants are powerful
enough to destroy a plant, yet many have been built and operated
with insufficient attention to security vulnerabilities. Many have
external connections to enable remote maintenance. Offensive
techniques are many and varied, including resonance, wear and
surge attacks. Unfortunately, there are no quick or cheap fixes for
vulnerable systems. This exposure will therefore be a growing
concern for many years.
External sourcing of services, fuelled by lower costs in developing
countries, will introduce additional security risks from crime,
espionage and corruption. In countries where the rule of law is
not fully developed, greater attention to due diligence and
relationship management will be necessary to mitigate the risk of
deliberate breaches of contract. With less direct control of the
supply chain, a greater degree of monitoring will be needed to
maintain visibility of events and controls.
Information security has three major components: confidentiality,
integrity and availability. But they are not equally addressed. In
particular the integrity component is not sufficiently recognised,
creating a growing exposure in a threat landscape that will
increasingly seek to manipulate rather than steal corporate secrets.
Networks provide opportunities for both accidental and deliberate
attempts to distort data, whether through 'Chinese whispers' or
deliberate manipulation. Indeed, the true nature of cyber warfare is
more the art of illusion than the science of sabotage.
A further challenge for security is the forthcoming “information
Tsunami” created by the massive growth in data (up to 60% per
year) which enables growing numbers of people to have greater
access to even more data. Cloud computing enables much larger
volumes of data to be stored and processed, resulting in
increasing citizen concern about stored data and an inevitable
breakdown in manual security practices.
In the short and medium term there will also be an enhanced
threat of system and infrastructure outages during the next few
years as solar activity is forecast to peak massively between 2012
and 2015, potentially threatening electricity supplies and taking
out GPS and mobile communications.
SHORTCOMINGS WITH EXISTING SECURITY
MANAGEMENT METHODS
To be fit for the future, information security management needs
to begin by recognising and correcting its existing
shortcomings. Security thinking and countermeasures have
changed little in three decades despite a continuously evolving
problem space. The current approach is rooted in industrial age
‘process’ thinking, rather than a real-time, improvisational
response.
Regulatory compliance discourages innovation, as it promotes
established standards and discourages innovative emerging
solutions. Security management has become more of a ‘tick-
box’ compliance activity than a thoughtful, creative process.
Few security managers today have sufficient time or incentive
to address emerging risks when they are bogged down in paper
trails of evidence to demonstrate compliance against hundreds
of mandatory control objectives.
Excessive copying of ‘best practices’ is also building a
dangerous ‘monoculture’ that favours the attacker. Potential
forms of attack can be quickly tested against a small range of
standard security products which are likely to compromise the
defensive perimeter for most organisations.
CHANGES NEEDED TO MEET FUTURE
CHALLENGES
The future focus of security will be on assets that are external,
mobile, global, intellectual, abstract, volatile, accelerating, diverse
and complex. These are characteristics that information security
management, in its existing form, will struggle to address. Against
a stifling background of increasing legal and compliance
demands, security practitioners must aim to adopt new priorities,
new skills and new technologies to meet the challenges presented
by this paradigm shift.
Priorities need to change by placing less focus on safeguarding
internal infrastructure and more on external supply chains, by
focusing less on outstanding audit actions and more on real time
events, and by spending less time on specifying security controls
and more on persuading other people to address security.
New or better skills are needed in supply chain leadership, through
smarter due diligence, better contract development and more
effective relationship management. Further skills are needed in
influencing user or customer behaviour, through an appreciation
of psychology and marketing techniques, and an ability to
influence people across social networks.
Better strategic response skills are also required to manage
incidents of increasing business impact on abstract intellectual
assets such as reputation and legal standing. Practitioners will
need to develop strategic crisis management skills, as well as an
enhanced intelligence and investigation capability, supported by
broader and deeper digital forensic skills.
Greater use of technology will be required to support these new
priorities and skills. Virtualisation is a powerful technology that
transforms both the problem and solution spaces. Whether used
at the client or server level it changes the nature of the attack
surface and the potential attack vectors, as well as enabling
multiple users, personae and operating systems to co-exist on a
common platform.
Cloud based security services also offer great potential by
leveraging a much broader knowledge base of events and threats.
Dashboard technology provides a catalyst for centralising
previously disparate information feeds of security information,
enabling greater intelligence and investigation capabilities to be
developed through increased use of data mining, fusion and
visualisation technologies.
To be resistant to the more sophisticated attacks of the future,
platforms and systems also need to be hardened to a much higher
level of security. In practice this can be achieved by exploiting
established but under-utilised security measures such as
Microsoft’s Security Development Lifecycle (SDL) and the trusted
computing standards and products developed by the Trusted
Computing Group (TCG).
Behind the scenes the TCG has been encouraging the roll out of
Trusted Platform Modules (TPMs) in more than 500 million
professional laptops and servers. This technology can be used
for strong device authentication, encryption key management,
trusted execution, multi-level security and secure health checking.
It also enables control of the client device to be fully or partially
transferred from the user to the organisation.
Few of the above skills and technologies have been adopted or
fully exploited by security practitioners. Partly this is because of
ignorance, partly it is due to the absence of incentives to innovate,
and partly it is because of a lack of creativity across the global
security community. But the consequences of the new security
threat landscape are challenging and inescapable. Unless we have
the ambition to change the mindset, knowledge and skills of
security practitioners the outlook for security will be bleak.
AUTHOR
Mr. David Lacey is a leading expert on information
security and risk with more than 25 years'
experience of directing corporate policy and
programmes for the UK Foreign & Commonwealth
Office, Royal Dutch/Shell and the Royal Mail.
David is a keen innovator and is responsible for developing many
contemporary ideas and techniques.
He was the creator of the body of text that is now ISO 27002,
and the founder of the Jericho Forum. David is now an
independent researcher, writer and consultant, and the author of
the books “Managing the Human Factor for Information Security”
and “Managing Security in Outsourced and Offshored
Environments”. He is a member of the Infosecurity Europe “Hall
of Fame”.
TO WHAT EXTENT IS
THE TURING TEST STILL
IMPORTANT?
Christos Papademetriou
The Turing Test, originally proposed as a simple operational definition of
intelligence, has now been around for more than half a century. This paper
chronicles some comments on Turing's classic article from its publication to the
present. Within this context, the alternative versions of the Turing Test that
were proposed in order to assess machine intelligence are discussed.
Finally, the question of whether the Turing Test is still important is
considered. The conclusion reached is that the Turing Test has been, and will
probably continue to be, a very influential, if controversial, mathematical
model.
INTRODUCTION
The short and extraordinary life of the British mathematician Alan
Turing identifies with the “beginning” of Artificial Intelligence (AI).
In 1950 Alan Turing published his famous paper “Computing
Machinery and Intelligence”. Since then, it has been a widely
discussed topic. In that paper he described a method for humans
to test AI programs. This project will examine to what extent the
Turing Test (TT) is still important.
In the first section of the project, the TT and some comments on
that test will be analysed and the alternative versions of the TT will
be discussed. Then, the question of whether the TT is still important
is considered. In the final section, a conclusion is reached. The
purpose of this paper is to analyse and show why the TT is
historically significant and to what extent it is still important today.
THE TURING TEST
The TT was suggested by Alan Turing in 1950 (Mauldin, 1994).
Alan Turing proposed an interactive test to replace the question
"Can machines think?" This test has become known as the Turing
Test and its validity for determining intelligence or thinking is still in
question (Bradford and Wollowski, 1994). Turing's aim was to
provide a method to assess whether a machine can think or not.
He states at the beginning of his paper that the question “Can
machines think?” is a highly ambiguous one. He attempts to
transform this into a more concrete form by proposing what is
called the Imitation Game (IG) (Turing, 1950, p.5).
The game is played with a man (A), a woman (B) and an
interrogator (C) whose gender is not important. The interrogator
stays in the room apart from A and B. The main purpose of the
interrogator is to determine which of the other two is the woman
while the objective of both the man and the woman is to convince
the interrogator that he/she is the woman and the other is not
(Hodges, 1997).
According to Turing (1950) the new agenda to be discussed,
instead of the equivocal "Can machines think?", was "What will
happen when a machine takes the part of A in this game? Will the
interrogator decide wrongly as often when the game is played like
this as he does when the game is played between a man and a
woman?" (Turing, 1950, pp. 4-5).
As is now generally understood, what the TT really tries to assess
is the machine’s ability to imitate a human being, rather than its
ability to simulate a woman. Most subsequent remarks on the TT
ignore the gender issue and assume that the game is played
between a machine (A), a human (B) and an interrogator (C). “In
this version, C's aim is to determine which one of the two entities
he/she is conversing with is the human” (Saygin, et al., 2000, p.3).
If the interrogator is consistently unable to distinguish the person
from the machine, the machine will be said to have passed the Test
and will be said to be intelligent.
SOME COMMENTS ON THE TURING TEST
Gunderson (1964) clearly believed that passing the TT would not
necessarily be a proof of real machine intelligence, because the
test is based on a behaviouristic construal of thinking. He
proposed that thinking is a very broad concept and that a machine
passing the Imitation Game is merely exhibiting a single skill (an
artificial, human-made intelligence) rather than the all-purpose
abilities that define thinking.
Gunderson points out some important issues pertaining to
Turing’s replacement question “Can machines think?”. He asks
the question “Can rocks imitate?” and continues to describe the
“toe-stepping-game” (Gunderson, 1964, p.62) in a way that is
identical to the way Turing described his IG (Turing, 1950). Once
again, the game is played between a man (A), a woman (B) and
an interrogator (C). The interrogator’s aim is to distinguish
between the man and the woman by the way his/her toe is
stepped on. C stays in a room apart from the other two and
cannot see or hear the toe-stepping counterparts. There is a small
opening in the wall through which C can place his/her foot. The
interrogator has to determine which one of the other two is the
woman by the way his/her toe is stepped on. "Will the interrogator
decide wrongly as often as when the game is played between a
man and a woman?" (Gunderson, 1964, pp. 62-64). Further,
Gunderson (Gunderson, 1964) claimed that playing the Imitation
Game successfully could well be achieved in ways other than by
thinking, without saying precisely what these other ways might
be.
According to French’s (2000) article, Stevenson (1976) writing a
decade later when the difficulties with AI research had become
clearer, criticized Gunderson’s single-skill objection, insisting that
to play the game would require “a very large range of other
properties” (French, 2000, p.5). Whitby (1997) states that the TT
has become a distraction and he sees the main source as a
mistaken reading of “Computing Machinery and Intelligence”
(Turing, 1950). He is of the opinion that "Turing's paper [has
been] interpreted as closer to an operational test than he himself
intended" (Whitby, 1997, p.54) and that "the last thing needed
by AI qua science is an operational definition of intelligence
involving some sort of comparison with human beings” (Whitby,
1997, p.62).
Taking a historical view, Whitby (1997, p.53) describes four
phases in evolving interest in the TT:
“1950 - 1966: A source of inspiration to all
concerned with AI.
1966 - 1973: A distraction from some more
promising avenues of AI research.
1973 - 1990: By now a source of distraction
mainly to philosophers, rather than AI workers.
1990 onwards: Consigned to history”.
ALTERNATIVE VERSIONS OF TURING TEST
In this section, it is important to summarize some alternatives to
the TT that were proposed in order to assess machine intelligence.
HARNAD AND THE TTT
Stevan Harnad's main contribution to the TT debate has been the
proposal of the Total Turing Test (TTT), an indistinguishability test
that requires the machine to respond to all of our inputs rather
than just verbal ones. Clearly the candidate machine for the TTT is a
robot with sensorimotor capabilities (Harnad, 1989; Harnad,
1991).
Besides the TTT, Harnad also mentions a Total Total Turing
Test (TTTT) which requires neuromolecular indistinguishability.
But this more stringent version of the TT will not be necessary,
according to Harnad. If we know how to make a robot that can
pass the TTT, he says, we will have solved all the problems
pertaining to mind-modelling. However, neural data might be used
as clues about how to pass the TTT (Harnad, 1991). Harnad
regards the TTTT as the most a scientist can ask for, since the
empirical story ends there (Harnad, 2000), but he does not think
that we have to "go that far".
THE INVERTED TURING TEST
Recently, Stuart Watt has proposed the Inverted Turing Test (ITT)
(Watt, 1996). Watt believes that the TT is inseparable from "naive
psychology" [1] because in order to pass the TT, a machine must
convince the interrogator of that which is in its mind. He calls
naive psychology "the psychological solution to the philosophical
problem" (Watt, 1996). Watt's ITT requires that a machine be able
to prove its human-ness by exercising naive psychology. In
particular, it should exhibit a power of discrimination that is
indistinguishable from that of the human judge in the TT. The TT
is literally inverted: a system passes the ITT if it is itself unable
to differentiate between two people, or between a human and a
machine that can pass the standard TT, but can distinguish between
a human and a machine that can be told apart by a normal TT with
a human observer (Watt, 1996).
French (1996) uses the technique of a "Human Subcognitive
Profile" that can show that a mindless program using the Profile