| ITIL : 2.7.1 Security Plans |
|---|
| Wireless: | | Wireless security is not adequate and wireless communications shall NOT be used for any part of our professional infrastructure. | | Mobil phone security is not adequate and mobile communications shall NOT be used for any critical business communications. |
| Portable Devices: | | USB memory stick, CD disk and DVD disk security is not adequate and such portable media shall NOT be used for any part of our professional infrastructure. | | Laptop, netbook and PDA security is not adequate and portable computer shall NOT be used for any critical business task. | | Business emails, documents, tasks and data shall NOT be stored on any laptop of portable device. Business information must never be put in a position where it could be stolen. |
| Language: | | HTLM is a declarative programming language, but it clear text encoded so no virus could be hidden in any amount of HTML. | | HTML is the language of the Internet and every web page must be delivered to a client browser using HTML. | | CSS is a method used within HTML for cascade style sheets - the colour, fonts and style of every web page. | | CSS must be delivered from the same host server as the HTML so cross-site CSS is no longer possible with modern browsers. |
| Fourth Generation Language: | | Application services use a declarative fourth generation programming language that is clear text encoded and defined using fill-in-the-blanks web pages. | | It will be very hard for any hacker to install a virus when forms have fields with very limited values. | | Every change that is made, is recorded in the audit trail and so a hacker would be limited to defacing a web page, rather than adding malware. |
| Benefits: | | We implemented ISMS as a prerequisite: | | * To deliver business continuity - non-stop operations without backup-restart. | | * To minimise information damage and avoid data losses. | | * To deliver a competitive advantage - safety and privacy. | | * To improve profitability and cash-flow. | | * To create a respected organizations image. | | * to ensure legal compliance. |
| Architecture: | | As a policy, source code is not used - source code may be hacked, will be attacked and could be changed. | | Standard manufacturer system software that is employed by millions of customers must be used to provide the core services. | | If IBM DB2 database management system has a defect, then IBM have the resources and the motivation of millions of critical customer applications to create a fix. | | By employing IBM, Microsoft and other significant vendors to do all critical maintenance, then we can be certain that we will always have the resources needed to resolve any system software defect in the most effective way. | | And that leaves our bespoke applications that must NOT be written in any programming language that could be hacked or suffer form SQL injection, buffer overflow and other zero-day vulnerbilities. |
| Self Inflicted Malware: | | As a policy, web sites are obliged to assume that client computers will contain malware such as browser add-in toolbars that are designed to monitor everything that a user does and report it back to the vendor. For some unknown reason, people can imagine that vendors create free add-in tools without any commercial justification, ignoring the fact that such tools can collect your private data with browing history and send it back to the vendor. | | This means that each time a user signs in, a toolbar may be monitoring the actions taken and report those keystrokes back to the toolbar vendor. Application Services must be able to authenticate the real user and block the hacker who carries out exactly the same procedure. | | It is too late to tell people not to download extra software onto their computer because they may be downloading malware, the fact is that most client computers are compromised by self-inflicted downloaded software and Application Services must try to cope with every user keystroke being copied and sold to hackers. |
| Distributed Denial of Service (DDOS): | | Every corporation must be concerned about a distributed Denial of Service attack where thousands of computers continually send requests to a web service so it becomes so busy that normal business cannot continue or the web service crumbles under too much work to do. | | We provide a number of internal security measures to prevent such problems, begining with our own distributed data centers that our competitors do not own. | | We only accept Internet traffic from a small number of known business ISP name and a finite number of IP addresses in known contries. | | While our competitors can be bombarded with Internet requests from botnets in all parts of the world, we deliveratly reject 90% of the worlds Internet traffic before it gets to one of our data centers. | | Our sign in web page is restricted information that will only be seen by computers that we recognize. | | Public web pages can be bombarded with DDOS requests - the time to respond to any page request will simply increase as traffic increases and it could be said that the DDOS was successful, but no operational user is remotely interested in any public web page that has a long delay. | | Our ability to work with multiple domain names and different data centers means we have the ability to protect our operational users from being closed down by a DDOS attack. | | If one domain is attacked, we can internally switch to an alternative domain without any impact on our operational users. | | If one data center is attacked, we can internally switch to an alternative data center without any impact on our operational users. | | It is suggested that very few application service providers have the ability to match these security provisions. | | One extra layer of protection, we only provide business-to-business application services. We choose not to provide business-to-customer web services that are more suseptable to DDOS attacks. |
| Investigory Powers Act: | | Various acts are made law in one country that are implemented in all countries. The UK Investigory Powers Act may simply make legal certain actions that have taken place for many decades. The key factor is that they apply world-wide not just in the UK. The same is true of every other country in the world who are passing similar laws that apply world-wide. | | Internet behaviour that is legal in one country may not be legal in another country. Internet behaviour that is valid this year may not be legal in ten years time. It is safe to say that everything that is done on the Internet will be recorded by many hundreds of countries. It has to be expected that simple encryption systems in use today will be cracked in the comming years. | | Proposal: leave a very small Internet footprint, make sure everything is encrypted in clever, devious and obfuscated ways. Expect every message to be recorded hundreds of times in lots of countries, eventually that copy will be stolen and sold to the highest bidder. Design data to have very little value to a criminal - fragment and encode like a new language that keeps on evolving. | | Surveilance has been undertaken by many countries for many decades, new laws may simply recognise what is already happening. Countries compete with one another to have even more extensive surveilance sysems - like an arms race. People may be guilty by who they communicate with or what they read in the Internet. Minimise what agencies know about your Internet footprint, because one day it may be illegal in some country. |
|
|