Main topic: Malware intrusion prevention and personal data protection
PUBLISHED: 24.09.2013
These articles were subject to peer review
Interview with Rob Evered
[page 6]
In his interview for DSM, Rob Evered, security architect at Intel, talks about the key success factors for implementing IT consumerization (BYOD) in his company. He stresses in particular the need for open communication with users. “Only once an environment is created in which users can freely tell us that they do what they shouldn’t, can we make smart decisions,” he states. Mr. Evered also expresses his belief that employees must be assured that the company does not gather any personally sensitive data, such as location or communication history.
Identifying the communication channels of malware
[page 12]
Vít Bukač
This article explains the monitoring and analysis of the communication channels of malware as a detection method that enables an organization to determine which computers have been compromised. This method can be applied even if antivirus signatures for a particular malware have not been created yet. The analysis includes monitoring of the protocols used, the communicating parties and the data transferred. In its second part, the article focuses on specific issues of the HTTP protocol and on the analysis of DNS records, as well as on the obfuscation of communication between malware and its control servers. Free internet services useful for analyzing the outbound connections of malware are listed at the end.
Book review: Alan Turing: The Enigma
[page 17]
Václav Matyáš
Andrew Hodges, the Dean of Wadham College, Oxford, wrote a biography of Alan Mathison Turing, the founder of modern cryptanalysis and perhaps even of cybernetics. The book describes both the results of Turing’s research, including his involvement in the war, and his personal life. It is divided into four chapters, from childhood and family background to the last month before his death. The most extensive chapter, chapter four, is dedicated to Turing’s work at Bletchley Park, where the ciphers and codes of several Axis countries were broken.
The current state and the future of European personal data protection
[page 20]
Radim Polčák
The new European directive, which is now under preparation, introduces, among others, two new principles: the portability of personal data and the right to be forgotten. This article analyzes some of the difficulties at the very heart of the concept of privacy protection and discusses some potential impacts of the new rights, particularly the impact on the business of companies that consider customer data their key asset, and the huge differences among European countries in their understanding of the relationship between freedom of expression and privacy protection.
Regarding the possibilities for punishing DoS/DDoS attacks under Czech law
[page 24]
Vladimír Smejkal, Tomáš Sokol
Is it possible to punish DoS/DDoS attackers under Czech criminal law? In the first part of the article, the authors analyze DoS/DDoS attacks and compare them to events in the physical world, such as blocking access to property. In the second part of the article, several provisions of criminal law are discussed in terms of their applicability to DoS/DDoS attacks. The authors come to the conclusion that the possibility of punishing an attacker is limited as long as there is no intrusion and no damage to data. They recommend either waiting for the first judicial decisions or amending the current law.
The true meaning of Internal IT Audit and the role of auditor, with penetration testing as an example
[page 32]
Luboš Klečka
This article corrects some common misunderstandings resulting from the inadequate Czech translation of some English expressions widely used in standards. A good example is the word “control”, which is often mistakenly translated as “kontrolovat” (supervise, oversee). Such mistakes result in an internal audit being understood as a tool for identifying misconduct and punishing people. The article shows that the true task of an audit is to provide feedback and help people do their jobs well. This is demonstrated on the lifecycle of penetration testing.
Penetration testing from the security architect’s point of view
[page 36]
Jiří Vábek
This contribution sums up practical experience with penetration testing across its entire lifecycle: the definition of security requirements, creation of specifications, provider selection, internal organization of testing, running tests, results evaluation, findings management and post-implementation review. It is underlined that a clear and exact definition of expectations is absolutely critical for successful penetration testing. It is recommended that testing employees’ reactions be avoided; penetration testing is not a substitute for training and motivation.
Business continuity implementation at ALD Automotive
[page 40]
Aleš Kruczek
A case study from a financial institution with 80 employees describes a business continuity project along its lifecycle: the business impact analysis, design of a technology solution, its implementation, testing and regular updating. Part of the article focuses on the most frequent obstacles to the successful implementation of business continuity planning projects (limited budget, lack of human resources and the need to replace some legacy systems) and on ways of overcoming them.
The articles on pp. 12-17 and 20-44 were subject to peer review by the Editorial Board of DSM.