Information Security Papers
This section covers an in-depth guide to information security and data security. Topics include PKI (public key infrastructure), passwords, secure email and S/MIME, spoofing, Internet fraud and web security, SSL and biometrics.
PUBLIC KEY INFRASTRUCTURE (PKI)
- An Introduction to PKI
Basic introduction to key terms and concepts used in a PKI including encryption, digital signatures, certificates, keys and Authorities, features and services used by the PKI and the techniques involved in public key cryptography.
- Passwords vs PKI
Simple chart that compares passwords and PKI for encryption of information.
- PKI Security FAQs
Everything you wanted to know about PKI. Certificates, digital signatures, public and private keys, Certificate Authorities (CAs), cross-certification.
- Ten things I wished they warned me about PKI
PKI has been reviewed as a technical infrastructure by a number of security experts. In this paper we look at a number of practical organizational issues that pure PKI suppliers often fail to mention.
- Solving problems in PKI
The big players in PKI make you believe, by advertising, that there are no problems implementing PKI. This paper exposes some of the real problems and some practical solutions.
- PKI Certificates - a source of confusion?
There is a lot of misleading information on the Internet about certificates, public & private keys, digital signatures, etc. - when and how you use them. This paper sets the record straight using terminology for the non-technical person.
- PKI - Managing Liability
One of the frequently quoted concepts of PKI is that of being able to do business with people you don't know, with certainty. Who is held liable for these transactions?
- PKI - A Technology or a hype too far?
PKI has been getting a lot of bad press of late, but is it justified? Has the technology failed or is it a problem of implementation?
- What Root Certification Authority can you trust?
Covering public key infrastructure frameworks, hierarchical structures, legal frameworks and commercial responses.
- Making PKI simple
There are much simpler things that can be done with PKI if you don't set out to conquer the world.
- S/MIME - the reality of interoperability
People assume that when they buy an S/MIME compliant email application they can send digitally signed and encrypted emails to any other S/MIME compatible client. The reality, however, is somewhat different...
- The problems with Secure Email
Find out why "Silver Bullet" email security is problematic. Learn to fully protect your data simply and securely while avoiding complex interactions between proprietary systems.
- Who's Reading your Email?
This article by IT Director Simon Bennett of Tarlo Lyons law firm discusses how simple it is for others to read confidential email, since email is no more secure than sending information on a postcard. It covers what can be done to ensure your emails are kept confidential.
- Email Encryption Guide
32-page, step-by-step tutorial that will have you up and running with industrial strength encryption in a single read-through (available for purchase).
INFORMATION SECURITY & DATA SECURITY
- A Manager's Guide to Information Security
This guide was written by The Open Group. It covers why security matters to your business, information security from a business perspective - what security you need, what to expect from information security solutions, internal implementation and outsourcing (PDF format).
- An Introduction to Encryption
Make any enquiry about computer security, and you will almost immediately fall over the terms cryptography and encryption (and also decryption), but what exactly is meant by this?
- Plug-ins - a source of insecurity
Written by LockLizard Limited, this paper examines and questions the claims often made by plug-in suppliers that they are secure, giving published examples of where they are not.
- Self-extracting exe files - the hidden dangers
Self-extracting (decrypting) EXE files were developed so you didn't have to install proprietary software in order to share protected files. But they also pose a significant, hidden risk to your organization, making them more flawed than the cryptographic algorithm DES already abandoned by industry.
- Security can be Simple and Secure
There has always been an attitude of 'no pain, no gain' in the security industry. If one was to believe some of the comments made then you could be forgiven for thinking that security has to be complex in order to be secure...
- Open Standards - why they are essential
Before choosing an information security solution it is wise to consider what you are actually buying into. This paper explains the cost of proprietary solutions and the benefits of Open Standards.
- Security of the Internet
Published by CERT and covering topics such as basic security concepts, security policies, network security incidents, Internet vulnerabilities, improving information security, security technology and tools, and the future of Internet security.
- Managing Internet Security - Good Practice Guide
This guide published by The Victoria Auditor-General's Office serves as a practical resource for chief information officers, business managers, information technology staff and audit committees, to help assess and improve their agency's Internet security practices. It sets out the main issues that need to be considered when assessing the effectiveness of information security over an Internet system, providing a starting point for a planned and structured approach.
SSL (SECURE SOCKETS LAYER)
- Web Spoofing - an Internet con game
This paper written by Princeton University describes an Internet security attack that could endanger the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today's systems, endangering users of the most common Web browsers, including Netscape Navigator and Microsoft Internet Explorer.
- Spoofing - Arts of attack and defense
How to spot and avoid potential spoof attacks. Covers DNS spoofing, IP address spoofing, email address spoofing, link alteration, name similarity and content theft.
- How do you deal with Internet fraud?
Covers fraud that uses Internet technology as an integral part of the fraud and fraud that is already taking place by other means where the Internet is merely another method of delivery.
- The changing face of web security
Are we winning or losing the battle of web security? Read this white paper backed by industry figures to ensure you are aware of the facts.
- Authentication - whose site is it really?
Whilst a lot of work seems to have been done on personal authentication, little or no work has been done on authenticating web sites to their users. Users should be just as entitled to authenticate web sites as web sites are to authenticate them.
- How do you know where information came from?
In the ordinary world of the Internet you don't really know where information comes from - the web site that you first linked to, or a completely different site. Hackers can also alter information without you being aware of any change. How can the person receiving the information be aware that anything is wrong?
- A matter of trust - or is it?
How do you know who you are really dealing with when disclosing your personal / credit card details over the Internet? This paper explains the current methods available for proving the identity of a web site and explains why they fail. It offers an alternative solution to the problem of web site authenticity.
- Why web site logos are phony security
Probably the worst possible kind of Internet security we have today is the 'secure site logo'. Read why.
- It can't be fraud - or is it?
Bad commercial behavior and practice may be no different from fraud as far as the customer is concerned.