Security & Privacy, IEEE

Issue 3 • Date May-June 2007

  • [Front cover]

    Page(s): c1
    PDF (802 KB)
    Freely Available from IEEE
  • Black Hat: Briefings & Training USA 2007

    Page(s): c2
    PDF (314 KB)
    Freely Available from IEEE
  • Table of contents

    Page(s): 1 - 2
    PDF (318 KB)
    Freely Available from IEEE
  • Food for Thought: Improving the Market for Assurance

    Page(s): 3 - 4
    PDF (93 KB)
    Freely Available from IEEE
  • [Masthead]

    Page(s): 5
    PDF (38 KB)
    Freely Available from IEEE
  • Silver Bullet Talks with Becky Bace

    Page(s): 6 - 9
    PDF (809 KB)
    Freely Available from IEEE
  • News Briefs

    Page(s): 10 - 12
    PDF (448 KB)
    Freely Available from IEEE
  • Guest Editors' Introduction: Managing Organizational Security

    Page(s): 13 - 15
    PDF (460 KB)
    Freely Available from IEEE
  • Embedding Information Security into the Organization

    Page(s): 16 - 24
    PDF (279 KB)

    Risk and business have always been inseparable, but new information security risks pose unknown challenges. How should firms organize and manage to improve enterprise security? Here, the authors describe how chief information security officers (CISOs) are working to build secure organizations.
  • I'll Buy That! Cybersecurity in the Internet Marketplace

    Page(s): 25 - 31
    PDF (220 KB)

    Interviews with chief security officers in the Internet supply chain (those companies that provide Internet services or encourage people to use the Internet) reveal dramatically different attitudes about corporate cybersecurity. The authors' preliminary investigation suggests that a company's market discipline explains these differences.
  • A Coherent Strategy for Data Security through Data Governance

    Page(s): 32 - 39
    PDF (237 KB)

    The role of boards of directors now extends to ensuring that a company's data is actively managed in an increasingly technology-intense environment. In this article, the authors show how this requires greater attention to legislative requirements, greater due diligence in transactions and business alliances, and coherent information management strategies.
  • What Anyone Can Know: The Privacy Risks of Social Networking Sites

    Page(s): 40 - 49
    PDF (245 KB)

    For the Net generation, social networking sites have become the preferred forum for social interactions, from posturing and role playing to simply sounding off. However, because such forums are relatively easy to access, posted content can be reviewed by anyone with an interest in the users' personal information.
  • Cyberinsurance in IT Security Management

    Page(s): 50 - 56
    PDF (242 KB)

    Cyberinsurance to cover losses and liabilities from network or information security breaches can provide incentives for security investments that reduce risk. Although cyberinsurance has evolved, industry has been slow to adopt it as a risk management tool.
  • 2007 USENIX Annual Technical Conference Information

    Page(s): 57
    PDF (659 KB)
    Freely Available from IEEE
  • Educating Students to Create Trustworthy Systems

    Page(s): 58 - 61
    PDF (121 KB)

    Computer science's long-standing tradition of computer security education has focused primarily on designing secure and reliable systems that can ensure information confidentiality, integrity, and availability. This tradition is geared toward preparing students for typical paradigms, such as writing secure code, providing authentication and access control, and developing policies to limit exposure to vulnerabilities and protect users' rights. Faculty and industry must find novel, cross-disciplinary approaches to educating security professionals to fully address this array of issues. In this article, we analyze barriers to effective security education and offer suggestions for improving cooperation among computer science, business management, information systems, and other technology departments.
  • Hiding Virtualization from Attackers and Malware

    Page(s): 62 - 65
    PDF (90 KB)

    Virtual machine environments (VMEs) let a user or administrator run one or more guest operating systems on top of a host operating system. With security researchers relying on VMEs in their analysis work, attackers and their malicious code have a significant stake in detecting the presence of a virtual machine. This article focuses on detection techniques and mitigation options for the most widely deployed VME product today, VMware.
  • The Cost of Free Web Tools

    Page(s): 66 - 68
    PDF (67 KB)

    Most users assume that their use of Internet services is implicitly private and anonymous, so it can be quite eye-opening to find out how much about ourselves and our companies we reveal by seemingly innocuous words we use to search, the maps we view, and the other "free" services we use on the Internet. The Internet has become one of the most central aspects of our world, and we react to both the mundane and important events in our personal and professional lives by turning to it. Unfortunately, these events, great or small, continue to exist for an indeterminately long time period on the service providers' servers. Providers of free Web-based applications aren't simply offering their tools as a public service. However altruistic they might be in some regards, these companies have legal obligations to their shareholders to make profits. Although various business models exist for advertising in connection with "free" services, the consistent bottom line is that Web-based companies depend on being able to convince advertisers that it's worth their money to have their ads presented on Web pages and emails. Free Web-based services aren't really free: users pay for them with micropayments of information that add up to a significant sum.
  • Authentication without Identification

    Page(s): 69 - 71
    PDF (454 KB)

    Many authentication transactions performed today require us to disclose more information than is strictly needed, just for verification purposes. Fortunately, modern cryptography provides us with a way to solve the verification problem without leaking unnecessary personal information. These techniques are fast, secure, and preserve privacy.
  • Building Privacy into Software Products and Services

    Page(s): 72 - 74
    PDF (354 KB)

    In the marketplace, customer trust is paramount. As consumers increasingly rely on the Internet for shopping, banking, and other daily activities, privacy is both a major public concern and a barrier to e-commerce growth: fear of data breaches and identity theft threaten to erode trust in the Internet. Once the core privacy team (CPT) is built, it can begin to define the program, deploy its processes, and enforce the rules.
  • The Contemporary Software Security Landscape

    Page(s): 75 - 77
    PDF (620 KB)

    Microsoft's release of Windows Vista marks the arrival of a new era for software security. Fundamental changes have gradually occurred, bringing us to a point now where the threat landscape no longer resembles what it was just a few years ago. Vista's release is ideal to consider as a culmination point; it's from here that software attack strategies will move into new directions. In this article, the author examines some of these new directions, as well as some of the changes related to Vista that most encapsulate the current threat landscape for software security. Eight characteristics most strongly define the new software security threat landscape. Let's take a look at them: actualization of Web vulnerability threats; advances in code analysis; more advanced techniques; client-side vulnerabilities; remote exploitation; targeted attacks; sale of vulnerability information; and anti-exploitation technology.
  • Red-Eye Blink, Bendy Shuffle, and the Yuck Factor: A User Experience of Biometric Airport Systems

    Page(s): 78 - 81
    PDF (550 KB)

    When people find security systems difficult or unacceptable, it can result in bottlenecks, excessive operation costs, and shortcuts or workarounds that undermine security. Since 2001, airports worldwide have deployed an increasing number of security systems with biometric recognition. Some operate behind the scenes, for airport staff or cabin crew use. Airports have been deploying biometrics for travelers, too. Some systems are voluntary, whereas others are required, and store travelers' biometric characteristics for inspection or record. Biometric systems should have user-friendly, intuitive interfaces that guide users in presenting necessary traits. Thus, we must ask whether current biometric systems in airports are usable.
  • Software Protection through Anti-Debugging

    Page(s): 82 - 84
    PDF (74 KB)

    This article focuses on describing state-of-the-art attacks on debuggers to prevent reverse engineering. You can use the information we present as part of your strategy to protect your software or to assist you in overcoming the anti-debugging tricks present in malicious software. Currently, there are enough anti-debugging techniques available to software engineers to sufficiently protect software against most threats; likewise, most state-of-the-art malware can be sufficiently reverse-engineered with patience and skill to enable security researchers to continue to defend their networks. However, advances in software protection techniques and reverse engineering might alter the balance.
  • Cost-Effective Security

    Page(s): 85 - 87
    PDF (629 KB)

    To be successful, application software needs compelling functionality, availability within the right timeframe, and a reasonable price. But equally critical, teams must get nonfunctional characteristics right: performance, scalability, manageability, maintainability, usability, and, of course, security. The authors introduced misuse or abuse cases as counterparts to use cases and explained that although use cases capture functional requirements, abuse cases describe how users can misuse a system with malicious intent, thereby identifying additional security requirements. Another prior installment discussed how to fit misuse and abuse cases into the development process by defining who should write them, when to do so, and how to proceed. In this article, we discuss what abuse cases bring to software development in terms of planning. We don't assume a fixed budget is assigned to security measures but that budgetary constraints apply to the project as a whole. We believe it's reasonable, and often necessary, to trade functionality against security, so the question isn't how to prioritize security requirements but how to prioritize the development effort across both functional and security requirements.
  • Nonsecurity Considerations in Security Decisions

    Page(s): 88
    PDF (97 KB)
    Freely Available from IEEE
  • LinuxWorld 2007 Information

    Page(s): c3
    PDF (481 KB)
    Freely Available from IEEE

Aims & Scope

The primary objective of IEEE Security & Privacy is to stimulate and track advances in information assurance and security and present these advances in a form that can be useful to a broad cross-section of the professional community, ranging from academic researchers to industry practitioners. It is intended to serve a broad readership.

Meet Our Editors

Editor-in-Chief
Shari Lawrence Pfleeger
shari.l.pfleeger@dartmouth.edu