Computers & Security, Vol. 15, No. 4

Constructing difficult-to-guess passwords, Charles Cresson Wood. Passwords have a convenience which other access controls do not. However, they must be made more effective through difficult-to-guess, easy-to-re- member techniques, supported by policies and rules for their construction and expiration. The author provides some guidelines for choosing passwords. Information Management G Security, I/01. 4, No. 1, 1996,~~. 43-44.

Commercial security on the Internet, Carrie Liddy. There is a growing trend to delivering more efficient and more effective products and services with fewer and fewer resources. This trend is reflected in both the commercial and government sectors. The Internet is being viewed as the vehicle that could resolve many of these business delivery challenges. With the advent of public key security and certification, the transition from current business delivery to future Internet-based sys- tems is now possible. This article deals with how public key cryptography may be used for business applications in the future and also considers the theoretical applica- tions of public key technology and certification processes. Information Management G Security, I/01. 4, No. 1, 1996,~~. 47-49.

How safe is your LAN? Al Berg. Many of the well- publicized hacking incidents involve an intruder gaining entrance to a network via a security hole in Unix, such as the Unix sendmail program. William Cheswick ex- plains that packet filters can protect your network quite adequately if they are properly designed. The hard part is getting the rules right and testing the filter to see if it is truly secure. Cheswick also suggests running insecure services such as ftp and E-mail on ‘outside’ machines and networks because these services are the easiest for attackers to access. “It is very difficult to share files over the Internet safely. File-sharing systems, such as Unix’s Network File System have historically had security holes,“said Cheswick. LAN managers should also real- ize that many attacks, such as packet sniffing, are platform-independent and can be used against many types of network systems. LAN TimesJune 17,1996,pp. 31-34.

Hazards of hooking up, AI Berg. This article gives a list of threats the Internet poses to corporate LANs. This list includes: legitimate users sending out proprietary information,legitimate users bringing in harmful infor- mation, packet sniffing, human error, lack of strong user identification, users running servers of which they are

unaware, blind faith in firewall packages and bugs in commercial software. LAN Times, June 17, 1996,~. 35.

Protecting your link to the Net, Thorn Stark.Any network connected to the Internet is at risk ofintrusion. The most common methods of deliberate intrusion identified by CERT are IP spoofing and packet sniffing. Part ofthe reason the Internet is so riddled with security holes is the lack of any effective native security in the current version ofIP which binds together the Internet’s heterogenous systems. Other contributors are the lax security practices prevalent in many corporate network environments and LAN administrator’s overall lack of knowledge about Internet and intranet security. Re- gardless of the type of intrusion, administrators are battling to find the best way to securely connect their enterprise networks to the Internet.The most appropri- ate solutions usually depend on three factors: the method by which the connection will be made, the degree of security required, and the Internet services the connection will support. The overall security issue breaks down into two pieces: securing Internet-based commerce and securing an Internet-based WAN, such as a virtual private network. LAN TimesJirne 17,1996, pp. 36-37.

A business approach to effective information technology risk analysis and management, Sharon Halliday, Karin Badenhorst and Rossouw von Solms. The authors suggest that a number of difficulties are experi- enced by organizations using conventional risk analysis and management. ‘Conventional’ refers to those meth- odologies which are based on the traditional asset/threat/vulnerability model. This article identifies a need for an approach that is more suitable for smaller organizations requiring a quicker, more simplified and less resource-intensive approach. In light of this require- ment, the authors propose an alternative approach to effective information technology risk analysis and man- agement. This approach has a business-orientated focus from an IT perspective. Znfoormafion Management G Secu- rity, Vol. 4, No. 1, 1996,~~. 19-31.

Information security in business environments, Ethan Sanderson and Karen Forcht. This article presents a young person’s view of the threats and security measures to deal with sensitive information in today’s constantly changing technological environment. It promotes the implementation of proactive security and warns of the problems caused by converging business markets and

321