Main topic: Efficiency metrics of cybersecurity
PUBLISHED: 24.09.2014
These articles were peer-reviewed.
Interview with Zdeněk Adamec
[Page 6]
Petr Hampl
The Deputy Minister of Agriculture of the Czech Republic talks about the ministry's further IT development strategy, including the possibility of sharing resources and data with other ministries, e.g. the Ministry of the Environment. The second part of the interview is devoted to information security: guidelines for building a security policy, cooperation between the information security and physical security divisions, investment approval, and practical experience from his previous positions at PPF Group and Volksbank.
Interview with Kyrre Sletsjøe
[Page 10]
Petr Hampl
The significance of eavesdropping is often underestimated, especially in small and medium-sized companies. "Prices of rather advanced devices have dropped enough to make them accessible to small criminal groups," claims a Norwegian expert with long-term experience in counter-terrorism. For this reason, he recommends strictly distinguishing which kinds of information may be passed on by phone, even at the cost of lower communication efficiency. He gives hints on how to reduce the risk that are financially and organizationally feasible even for very small companies.
Efficiency metrics in cybersecurity strategies and the role of the CIO
[Page 13]
Václav Žid
The first part of the article defines the key players responsible for ensuring a reasonable level of cybersecurity: governments, which define the framework, and Chief Information Officers, who are responsible for the behavior of companies and users. The article also analyses investment in information security within an organization and the possibility of assessing the benefits of such investments. It compares the U.S. and European approaches to cybersecurity and discusses whether an information security programme should be built on metrics, and why. Finally, the article reviews the relevant documents and recommends which of them can be used to define metrics.
The most common problems of using SSL certificates
[Page 20]
Jindřich Zechmeister
The article discusses mistakes often made by administrators when using SSL certificates. The following areas are discussed in detail: the certificate request and its generation, the IIS environment, hosting several domains on one server, mixed content on web sites, domains missing from the certificate, insufficient protection against the Heartbleed attack, and others. Finally, it discusses the pros and cons of switching to SHA-2.
SQL injection attacks – Part III.
[Page 25]
Lukáš Antal, Maroš Barabas, Petr Hanáček
The final part of the series addresses the risk of server compromise at the operating system level. It describes two particular compromise methods: MSSQL with the xp_cmdshell function, and MySQL with User Defined Functions. It then explains several ways of protecting against such attacks and mitigating their impact: applying the principle of least privilege, validating access, and deploying a Web Application Firewall (WAF).
A systematic approach to securing a critical information system
[Page 30]
Marek Solařík
A case study from a large nationwide operator of critical infrastructure describes how an important system that was already in the final phase of installation was secured. The text describes in detail the initial conditions, the implementation of a systematic approach, the analysis of network use, the proposed security guidelines, the technical device settings, and the audit and testing, all within the framework of a PDCA (Plan-Do-Check-Act) cycle.
Implementation of single handed digital signature in O2 – Part I.
[Page 36]
Aleš Bernášek
The case study describes a project implementing biometric signatures across the entire O2 sales network. This first part focuses on defining the goals, analysing the impact, gathering support within the organization, creating the functional requirements and organizing the tender for the technology supplier. It then describes the development of the solution, its technical principles, and the legal reasoning on which the digital signature rests.
Required information security – utopia or reality?
[Page 40]
Richard Michálek
The initial part of the article discusses the aims of information security managers within an organization and the specific requirements that arise from them. It then discusses several ways to obtain support from the organization's management and a favourable allocation of funds, and offers practical hints on communicating with managers who are not familiar with information security. It goes on to discuss taking responsibility for risks and the manager's options for enforcing compliance with security guidelines. The final part of the article stresses the importance of the information security manager's positive attitude and the ability to stay focused on a given target over the long term.