A Futuristic Look at Cloud Computing Security
E. Eugene Schultz, Ph.D., CISSP, CISM
The term "cloud computing" means different things to different people, and cloud computing is by no means new. Despite the confusion and misconceptions surrounding it, this type of computing is currently immensely popular and is being used to substantially reduce the financial cost and complexity of computing, among other reasons. Cloud service providers (CSPs) offer three basic types of service: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). Although cloud services offer many benefits, they are also beset with security risks, the most serious of which currently are inadequate security for data stored in the cloud, a restricted ability to conduct adequate audits in cloud environments, and unavailability of cloud services.
Download A Futuristic Look at Cloud Computing Security (PDF)
Myths about Password Settings and Other Nonsense: How Information Security Tortures Users in the Name of Security
E. Eugene Schultz, Ph.D., CISSP, CISM
Typical organizations have information security standards that require a certain password length, password expiration every 30 to 90 days, password complexity, and more. Information security staff members who routinely prescribe these settings might believe that their organization is meeting "best practice" standards. Research on password settings over the past several years, however, suggests that many widely accepted and used settings do not help security appreciably. Instead, many of these settings not only inconvenience users but in many cases make them less able to remember their passwords. The problem is not limited to passwords, either. Third-party authentication and other technology designed to improve security too often are not at all user friendly. This paper discusses how information security tortures users in the name of security and suggests solutions.
Download Myths about Password Settings and Other Nonsense (PDF)
The Rootkit Epidemic
E. Eugene Schultz, Ph.D., CISSP, CISM
Malicious code (also called malware) has become increasingly sophisticated since the first virus surfaced in the wild around 1980. Malware such as viruses and worms is troublesome, yet it is generally easy to detect and eradicate once it infects a system. Viruses and worms also largely (but not exclusively) target Windows systems, leaving other types of systems mostly alone. Other types of malware started to pose a proportionately greater security threat several years ago, when the allure and utility of writing and releasing viruses and worms began to fade: malware writers, increasingly motivated by financial gain, started to deploy more surreptitious malware (SCHU06). Rootkits, in contrast to viruses and worms, are designed to help attackers escape notice; they have therefore proven much more troublesome than other types of malicious code. Rootkits are becoming so prevalent that referring to the rootkit problem as an "epidemic" is becoming increasingly appropriate. This paper defines rootkits, explains how they work, explicates why they are likely to become even more prevalent, and wrestles with the question of whether the war against rootkits will ever be won and, if so, how.
Download The Rootkit Epidemic (PDF)
Research on Usability in Information Security
E. Eugene Schultz, Ph.D., CISSP, CISM
Usability engineering, often also called human factors engineering, focuses on optimizing the interaction between humans and the tasks they perform. Given the long-recognized importance of usability engineering in areas such as human-computer interaction, it is easy to assume that a plethora of research on the relationship between usability and information security exists. Strangely, the opposite is the case. Although numerous authors have argued for the need to pay more attention to usability considerations in information security, relatively few papers presenting research results on the relationship between usability and information security have been published. This paper covers several key research papers on this topic.
Download Research on Usability in Information Security (PDF)
