SECTION 6 ©
National Institutes and IT Security Organizations
  • SANS (System Administration, Networking, and Security) Institute
  • ECRC - Electronic Commerce Resource Center 
National Government Security Agencies
  • Federal Bureau of Investigation
    • Carnivore
  • National Infrastructure Protection Center (NIPC)
  • National Security Agency
    • Echelon
  • Royal Canadian Mounted Police
  • Canadian Security Intelligence Service
National Government Scams
  • Nigeria
Leading Companies in IT Security
  • KPMG Investigation and Security Inc.

As taught by Prof. Tim Richardson School of Marketing & e-Business, Faculty of Business, Seneca College, Canada

last updated 2002 Dec 28
 
http://www.sans.org
  • In SAN's web page, which includes the listing "How To Eliminate The Ten Most Critical Internet Security Threats" their introduction serves to provide some important points we should consider in beginning this section of the IEC 719 course, namely:

  •  
    • The majority of successful attacks on computer systems via the Internet can be traced to exploitation of one of a small number of security flaws. 
    • Recent compromises of Windows NT-based web servers are typically traced to entry via a well-known vulnerability. 
    • A few software vulnerabilities account for the majority of successful attacks because attackers are  opportunistic taking the easiest and most convenient  route. They exploit the best-known flaws with the  most effective and widely available attack tools. They  count on organizations not fixing the problems, and  they often attack indiscriminately, by scanning the  Internet for vulnerable systems.
    • System administrators report that they have not corrected these flaws because they simply do not know which of over 500 potential problems are the ones that are most dangerous, and they are too busy to correct them all
    .
     
    http://www.sans.org The SANS Institute http://www.sans.org
    Bethesda, Maryland, USA

    in their own words "The SANS (System Administration, Networking, and Security) Institute is a cooperative research and education organization through which more than 96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions for challenges they face. SANS was founded in 1989."
     

    What products does SANS offer people interested in the most contemporary and reliable internet security information?
    SANS offers three different free electronic subscriptions: 
    • Security Alert Consensus (SAC) - weekly
      • One definitive weekly summary of new alerts and countermeasures week with announcements from: SANS, CERT, the Global Incident Analysis Center, the National Infrastructure Protection Center, the U.S.  Department of Defense, Security Portal, Sun, and several other vendors.
    • SANS NewsBites - weekly 
      • NewsBites keep up with everything going on in the computer security world. A dozen or two articles, each just one, two, or three sentences in length, elaborate a URL that points to the source of the  detailed information
    • SANS Windows Security Newsletter - monthly 
      • provides updates to NT Security: Step-by-Step and guidance on new Hotfixes and Service Packs that should and should not be implemented. It also summarizes new threats and bugs found in Windows and its services.
    .

    The ECRC Program is sponsored by the U.S. Department of Defense Joint Electronic Commerce Program Office (JECPO). The Bremerton ECRC is operated by Concurrent Technologies Corporation, EDC of Kitsap County and Olympic College for JECPO
    Electronic Commerce Resource Center 'ECRC'
    Bremerton, WA  USA 

    The ECRC describes itself as a "clearinghouse and jumpstation for electronic commerce information and resources"

    "The Security Resources page includes resources on a variety of security issues, including document transfers, financial transactions, firewalls, and virus information. The ECRC also offers a free Internet Security Issues seminar"   http://www.becrc.org/security.htm

     

    . .
    .


    Chpt 5
    Regulatory
    Environment 
    Regulatory Environment
    2nd ed. page 157
    Carnivore

    "Carnivore, as the general public has learned, is a software program that can monitor and track packets of data passing through an ISP's network. Government officials claim that the software will only be used in those instances in which a court order has been obtained to monitor a specific, alleged criminal act. Privacy advocates do not trust the intent or use of the software, and worry that widespread monitoring of e-mail contents will occur."

    "Carnivore attaches a combination of hardware and software  applications to the network of an Internet Service Provider (ISP) and scans all of the e-mail and other transmissions to
     locate a "target" piece of e-mail or communication from a specific person or suspect. Carnivore can analyze millions of messages per second while it searches for the specific messages that it wants. 

     The FBI is developing Carnivore to help the agency police cyberspace. Law enforcement officials have expressed increasing concern over how the Internet is used illegally for those who would anonymously distribute child pornography, steal confidential proprietary information or wreak havoc on e-commerce giants by hacking into their systems". 
    by Dan Gebler  E-Commerce Times  August 3, 2000 

    full online article at
     www.ecommercetimes.com/news/articles2000/000803-2.shtml

    The FBI's own statement on their web site about using "Carnivore" at
     http://www.fbi.gov/hq/lab/carnivore/carnivore.htm 

    "In recent years, the FBI has encountered an increasing number of criminal investigations in  which the criminal subjects use the Internet to communicate with each other or to communicate with their victims. Because many Internet Service Providers (ISP) lacked the ability to discriminate communications to identify a particular subject's messages to the exclusion of all others, the FBI designed and developed a diagnostic tool, called Carnivore.  The Carnivore device provides the FBI with a "surgical" ability to intercept and collect the  communications which are the subject of the lawful order while ignoring those  communications which they are not authorized to intercept. This type of tool is necessary to meet the stringent requirements of the federal wiretapping statutes.

    The Carnivore device works much like commercial "sniffers" and other network diagnostic  tools used by ISPs every day, except that it provides the FBI with a unique ability to  distinguish between communications which may be lawfully intercepted and those which  may not. For example, if a court order provides for the lawful interception of one type of  communication (e.g., e-mail), but excludes all other communications (e.g., online shopping)   the Carnivore tool can be configured to intercept only those e-mails being transmitted either  to or from the named subject."
     www.fbi.gov/hq/lab/carnivore/carnivore2.htm 

    . .

    National
    Government
    Involvement
    in
    internet
    security
    http://public.srce.hr/~mprofaca/echelon01.html Echelon

    "Designed and coordinated by NSA, [America's National Security Agency] the ECHELON system is used to intercept ordinary e-mail, fax, telex, and telephone communications carried over the world's  telecommunications networks. Unlike many of the electronic spy systems developed during the Cold War, ECHELON is designed primarily for non-military targets:  governments, organizations, businesses, and individuals in virtually every country. It potentially affects every person communicating between (and sometimes within) countries anywhere in the world. "
     

    .
     
     
    http://www.witiger.com/ecommerce/scams.htm click on the screen capture to access this section
    .
    Professional
    Security
    Service
    Companies
    KPMG Investigation and Security Inc.
    part of the large KMPG accounting and consulting group of companies
     http://www.kpmg.ca/english/services

    Norman Inkster is the President of KPMG ISI and is best known for being the former Commissioner for the RCMP

    Many of the large professional service firms such as KPMG, Price Waterhouse Coopers, Ernst & Young have publications on their web sites re: e-commerce
    KPMG has e.fr@ud.survey.2000 
     http://www.kpmg.ca/english/services/fas/publications/efraudsurvey2000.html
     

    .