
Developing legal risks in multimedia


COMPSEC ‘95 Paper Abstracts

information. In the face of increasing insider trading and industrial espionage, this paper describes how business can exploit, in open systems products, technology previously available only to spooks.

Title: Client Server - Promises, Problems and Solutions

Author: P.J. Corum, The Corum Group

STREAM 2: Comms Security

Title: Dial Thru’ Fraud the Ramifications for a Business

Author: Tom Mulhall, BT

This type of fraud is of particular interest in today’s communication-led world. Particularly, as the ‘Hacker’ of old appears to have migrated in the direction of PBX/Switch manipulation. The object being to obtain free voice/data services. Unfortunately, there is no such thing as a free telephone call! This session will cover:

• Explanation of Dial Thru’ Fraud.

• How fraudsters obtain the relevant information.

• The effects such a fraud can have on a business.

• Security measures a business should consider.

Title: X.400 Security: Current and Future Usage

Author: John Hughes, Bull Information Systems

The ITU/CCITT X.400 standard defines a very rich set of security functions. What the standard does not define is what should be implemented for a given environment and how it should be implemented. Functional Profiles are being developed that go some way to resolving this problem. This paper gives an overview of the security features of X.400 and describes the difference between the ‘end to end’ and ‘peer to peer’ strategies for implementing security. It will also describe the US defined Message Security Protocol (MSP) technique of encapsulating the original X.400 contents into a new enciphered contents. The MSP approach is gaining favour in a number of countries.

Title: Wireless Network Security

Author: Charles Cresson Wood, Information Integrity Investments

Before your organization implements wireless such as wireless LANs, paging systems, cellular mobile data, personal digital assistants with wireless capabilities, specialized mobile radio, wireless packet networks and satellite networks, it should consider the special security problems these new technologies present. These include ease of intercepting transmitted information (including passwords), the ability to readily spoof a remote device, and the denial of service due to electro-magnetic interference. This presentation will discuss the special risks of these new technologies, how you can prevent and mitigate these risks, the most important wireless network control measures, and the functional characteristics of current market offerings. No background in the technical aspects of wireless networking is assumed.

Title: The Impact of ATM on Security in the Data Network

Author: Lesley Hanson, Cabletron Systems

This paper reviews the more recent developments in the ATM Forum relative to designing data networks for security. The impact of Policy Management, and its relationship to distributed management and control of the proposed ATM based Virtual Networks, as debated in the emerging MPOA standard are discussed and practical implementation and design considerations considered.

Title: Physical Layer Network Security: What your LAN can do for you

Author: David Banes, 3-COM

STREAM 3 (a.m.): Multimedia

Title: CD-ROM Security Issues

Author: Peter Newman, C-Dilla

Title: Developing Legal Risks in Multimedia

Author: Alistair Kelman

The development of multimedia products is always slowed and often stopped by the need to get copyright clearance from each of the contributors to the work. Differences in national laws on copyright and authors’ rights seriously hinder the development of the new multimedia industries. This presentation will focus upon the problems and the emerging solutions that are being proposed within Europe.

Computers & Security, Vol. 14, No. 5

STREAM 3 (p.m.): Directors’ Briefing

Title: Facing the Challenge of IT Security

Author: Martin Smith, Kroll Associates

Information is a vital business resource. Protection of that information, most apparent in the need for IT security, is a business issue, not a technical one. The solutions are, in the main, business solutions, not technical ones. Responsibility for IT security rests with senior management. It must not be ignored, nor must it be left in the hands of those who may not have the knowledge, authority, resource or motivation to address it satisfactorily.

Title: IT Security - An Implementation Strategy

Author: Rod Parkin, Midland Bank

Title: Business Continuity Planning

Author: John Sherwood, Sherwood Associates

Title: An International Perspective on IT Security

Author: Judith Vince, The Rothschild Group

The paper examines the legal aspects of information security and copyright laws, as well as security infrastructure, IT security policies, security catalysts, new challenges, trends in security threats and responses to today’s requirements and tomorrow’s world.

STREAM 4 (a.m.): Disaster Recovery

Title: The Changing Risks Associated with Computer Systems as Reflected by Disaster Recovery Experience

Author: Frank Taylor, Systems Technology Consultants

Distributed computing in association with International/European and de facto standardization has radically changed the risks associated with computing systems. Based on more than eighty case histories investigated over 1 J years this presentation will show that risks associated with hardware, system software and data losses are reducing rapidly, whilst losses associated with human behaviour, viruses and other forms of misuse are coming into increasing focus.

Title: Why Waste Money on Disaster Recovery

Author: Andrew Hiles, Kingswell Partnership

“A disaster will never happen to me - so why spend money on preventing it? In any case, I have insurance......” Yes, it is easy to waste money on disaster recovery. This session will demonstrate how to avoid throwing money at a problem that may never happen; how to justify spend in terms of day-to-day business benefit; how to get the best possible leverage from your investment in disaster recovery; how to turn disaster recovery into a corporate asset that can give real competitive edge.

STREAM 4 (p.m.): IT Audit

Title: Marketing Information Systems Audit

Author: Alan Krull, Business and Professional Education

Marketing starts with discovering what customers want. It is not huckstering; it is not ‘selling’ what you have. Marketing allows clients to ‘buy into’ audit, so that prudent business practices and positive control become part of the job and an aid to the client.

Threats and the use of power get compliance, but they don’t get understanding of and commitment to good practice. You don’t need cajoling, surveillance or threats to get you to lock your house or car. Can this kind of commitment be transferred to the business environment?

Topics and sub-topics: How to get the educated opinion and judgement of senior management, when they are ignorant (not stupid) on the subject. Customer service: how people (and audit departments) are incented to give bad service; why you cannot measure aspects of good service; why the measuring process itself may negatively impact the perception of service; telephone calls from hell. User-friendly audits (not an oxymoron) and dumb rules. Pseudo-requirements - whatever happened to the Dutch East India Company?

Title: Automated Audit - Tools & Techniques
