Downloading - Pliroforiki
ISSUE 22 | JANUARY 2012 | www.pliroforiki.org

Publication of the Cyprus Computer Society
ISSN 1450-152X

Owner: Cyprus Computer Society
New address: Florinis 11, City Forum, 3rd floor, Office 303, 1065 Nicosia
P.O. Box 27038, 1641 Nicosia, Cyprus
Tel.: 22 460680, Fax: 22 767349
[email protected]
www.ccs.org.cy

Editorial Committee: Yiannos Aletraris, Kyriakos E. Georgiou, Konstantinos Zervidis, Konstantinos Fanouriou, Minos Georgakis, Panikos Masouras, Philippos Peleties
Article submissions: www.pliroforiki.org
Editing - Advertising: Christina Papamiltiadou, Tel.: 22 460680, [email protected]
Editing - Layout - Cover: GRA.DES, [email protected], www.gra-des.com

CONTENTS
ISSUE 22 - JANUARY 2012

MESSAGE FROM THE EDITORIAL COMMITTEE
OUR NEWS
Dr EUGENE SCHULTZ (1946 – 2011), Yiannos Aletraris
ISACA CYPRUS CHAPTER: CYPRUS INSTITUTE OF INFORMATION SYSTEMS AUDIT, Paschalis Pissarides
GOVERNANCE OF INFORMATION SECURITY & OTHER INITIATIVES, Vernon Poole
SAFE COMPUTING IN AN INCREASINGLY HOSTILE WORLD: SECURITY 2.0, Dr Andrew Jones
THE FUTURE OF INFORMATION SECURITY: NEW PRIORITIES, NEW SKILLS AND NEW TECHNOLOGIES, David Lacey
TO WHAT EXTEND IS THE TURING TEST STILL IMPORTANT?, Christos Papademetriou
DO YOU KNOW THIS MAN?, Dr Philippos Peleties
THE ROLE OF EFFECTIVE PROJECT MANAGEMENT IN PROJECT SUCCESS: IDENTIFYING SUCCESS CRITERIA & THE CRITICAL SUCCESS FACTORS, Andreas Solomou, Kyriakos E. Georgiou

MESSAGE FROM THE EDITORIAL COMMITTEE
January 2012

To the people of Cyprus, in Memory and Love
"... Cyprus, where it was ordained for me ..."
"Lord, help us to remember how this killing came about: the rapacity, the deceit, the selfishness, the drying up of love. Lord, help us to root them out..." (i)
George Seferis, "Salamis in Cyprus", Logbook III

Dear friends,

INTRODUCTION

This message began to be written almost in parallel with the previous Message from the Editorial Committee, in the June 2011 issue, because the consequences of the Tragedy of 11 July 2011 weighed on an already difficult international environment and brought dramatic and radical changes to every aspect of public and private life. The poet's words are, as always, prophetic and to the point. The negative feelings of despair, shame, sorrow, helplessness, anger and indignation that we lived through then have in part been replaced by a wider anxiety about the future, about physical survival and about keeping the standard of living we have become used to, and by the worry that the period of prosperity and security may have passed for good and that the next period will be harder and more uncertain.

The forecast of a prolonged period of crisis and instability in every field has, unfortunately, come true. Realistically speaking, the fiscal figures of Cyprus are not at a level that justifies the current classification by the international rating agencies and, by extension, the inability of the state to turn to the international markets to borrow. The decisions and the draconian economic measures of the political leadership have been driven both by the Euro crisis that is afflicting Europe and by the markets' loss of confidence in the ability of Cyprus to manage its own affairs in a difficult economic climate. These developments have wiped out whatever faint hopes there were for an economic recovery in 2012 and are leading the economy back into recession, if not into a deep and prolonged depression. The largely necessary, draconian measures to cut the payroll of the wider public sector over the next two years will contribute to reducing the budget deficit.
The truth is that the payroll of the wider public sector had been growing in previous years by 10% a year. That increase is many times the improvement in productivity and is therefore not sustainable. By contrast, it is not certain that the increase in VAT from March 2012 will raise state revenue. There is a good chance that the combination of these two measures, together with the absorption by the State of whatever local liquidity is available in the form of borrowing, will reduce the available liquidity and reduce demand in the market, as has happened in Greece, with very negative effects on State revenue and on growth in 2012 and the following years. On the other hand, the State has done very little for the growth of the economy and of employment.

(i) The verses are a free rendering of a prayer that Commander Lord Hugh Beresoft, who fell in the Battle of Crete in April 1941, had composed for his ship. The prayer had been published in a South African newspaper in September 1941.

HARRY S. TRUMAN (1884 – 1972): THE BUCK STOPS HERE

Harry S. Truman served as the 33rd President of the United States (1945–1953), succeeding Franklin D. Roosevelt when the latter died only three months after beginning his historic 4th term. Harry S. Truman came from Missouri, was of humble origins and was not a university graduate, and when he left the Presidency in 1953 his only income was the Captain's pension from his army service during the First World War. He refused to accept help or employment so as not to expose the institution of the Presidency. Later, when his poverty became known, and that he had been obliged to ask for a loan in order to live, the State passed a law providing pensions for Presidents.
During his Presidency he had to take difficult decisions, such as the dropping of the two nuclear bombs on Japan, the dismissal of the popular General MacArthur, the Korean War, the recognition of the state of Israel, the decision to support Western Europe financially and the Marshall Plan. As a result, his popularity on leaving the White House was lower even than that of Richard Nixon (1968–1974), who was forced to resign because of the Watergate scandal. Later, with the passage of time and the recognition of his contribution, opinion of his work reversed, to the point that he is regarded among experts, and among citizens too, as a very good president and is ranked among the ten best.

His desk in the Oval Office was adorned with a wooden sign that read "The buck stops here" on the front and "I am from Missouri" on the back. The sign remained in the Oval Office at least until the Presidency of Jimmy Carter (1976 – 1980). The expression "The buck stops here" in this context refers to the reality of the office. The President has to take decisions and, naturally, to accept final responsibility for his decisions. There is no room to pass the responsibility (the buck) for a decision to others, nor to disclaim his responsibilities. The final responsibility is his.

THE CLOUD AND THE CYPRUS OF 2011: INCOMPATIBLE CONCEPTS?

The Cloud is a concept and an application of technology that tends to revolutionise the way we understand and make use of technology, information and knowledge. The question remains, however, whether the cloud really is a paradigm shift or simply a set of technologies to which an increased degree of exaggeration has been attached, related to the need to increase sales. After all, the large companies in the sector give more weight to sales than to production or to satisfying the needs of customers and users. Perhaps the truth in the above question lies somewhere in the middle between the two extreme positions.
In a traditional computer system the machines, the software and the information were located in the same physical space. That space could be a building or even a room, from which the traditional system could not easily be moved. Gradually systems became smaller in size and stronger in computing power and storage space, in essence portable and autonomous. To this development has been added the great revolution of the internet, which leads to situations where the physical presence of the components of information processing (machines, operating system, software, network, application, data) is not important to the operation and processing of information and to carrying out the work.

This of course transforms the way organisations operate and the form and manner of work, and creates new opportunities and challenges. For example, it frees the user in space and time, and from the need for a large and expensive personal system, and allows him to work wherever he happens to be, provided there is adequate and secure access to the internet. The personal system can take many forms: it can be a fixed workstation, a laptop computer, a tablet such as the iPod, the iPad or even the Kindle, or even a smartphone such as the iPhone, BlackBerry, Nokia and others. This development frees the user from the spatial and temporal constraints of work and allows greater flexibility and freedom in carrying it out. Of course, abuse of this freedom leads to a new form of self-imposed restriction, where the boundaries between work and private life are not clear and the employee tends to work at all hours of the day and night, and everywhere.
The operation of such a system presupposes, above all, a strong and secure infrastructure (continuous power supply and fast internet) that ensures continuous and fast access to the internet and to the user's machines, software and data, so that he can carry out his work unhindered. After July 2011, and for about two months, these things that are taken for granted were unpredictable factors in Cyprus, since the electricity produced was not enough for the needs of the country. Many working hours were lost in that period, and many users reached the brink of despair when the loss of power led to the loss of work and of data that were being processed. At that time the companies in the sector were on constant alert to serve customers in despair and to supply companies with power generators and uninterruptible power supply (UPS) systems. The outlook for the coming summer, with its growing need for electricity, is rather negative, because adequacy of supply remains precarious.

Of course, the dilemma as to which is preferable, a self-contained corporate or personal system with a limited need for internet access, or a system with continuous internet access and unhindered use of software and data, is in essence a false dilemma, because the right answer depends on what serves corporate and personal needs best, most securely and most economically. The trend, certainly, is towards small portable systems with reduced computing power and storage space but increased autonomous operation, without the need for a power supply but with access to the internet.

CYPRUS INFOSEC WEEK 2011

Last October the Society, in cooperation with the University of Nicosia, organised the Cyprus Infosec 2011 week, which included professional seminars and the established one-day conference.
The week offered a rich programme with many different topics, including the "hot" topic of security in the "cloud". Despite the difficult economic environment the week ran smoothly and was a success. As part of the conference a presentation was given by teleconference for the first time, in which the "guru" Mr. Winn Schwartau spoke from the USA about the burning issues in security that keep him "awake at night". Among the sad events of Cyprus Infosec 2011 is the unexpected loss of Dr Eugene Schultz, a longtime associate of the Cyprus Infosec institution and of the Society's magazine. For that reason the week was dedicated to his memory. Yiannos Aletraris, on behalf of the Board of Directors, bids farewell to Gene with a short tribute in this issue.

TOPICS

One more member has joined the magazine's Editorial Committee: Dr Konstantinos Zervidis, who was recently appointed to the Department of Labour Inspection, Radiation Protection Section, of the Ministry of Labour and Social Insurance. We welcome him to our team.

The issue contains a series of interesting and varied articles covering a wide range of topics, with a focus, however, on information security as a result of the Infosec 2011 week, and includes the following texts:

First, Yiannos Aletraris presents the obituary of Dr Eugene Schultz, a longtime friend of the Society and regular contributor to Cyprus Infosec.

Paschalis Pissarides, President of the Cyprus Institute of Information Systems Audit (ISACA Cyprus Chapter), writes about the founding and operation of the Institute and its important mission in dealing with growing risks, security certification audits, the proper governance of Information Systems and, more generally, the protection of information.
Vernon Poole, a regular contributor to Infosec and to the magazine, advises the management and boards of organisations on how to handle their roles in relation to the management of information security, in his article "Governance of Information Security & Other Initiatives".

Dr Andrew Jones, in the article entitled "Safe Computing in an Increasingly Hostile World: Security 2.0", writes about the increased need to address information security through the design of networks and applications in which security is among the design criteria.

David Lacey, in his article "The Future of Information Security: New Priorities, New Skills and New Technologies", writes about the emerging world in which the boundaries between the professional and the personal environment are disappearing and in which everyone and everything is on the internet, and about the professional challenges that this development creates.

PhD candidate Christos Papademetriou presents an interesting article on artificial intelligence, "To What Extend is the Turing Test Still Important?", in which he presents and analyses a thought experiment by Alan Turing, a pioneer in the field.

Andreas Solomou and Kyriakos Georgiou, of the members of the editorial committee, describe in their article "The Role of Effective Project Management in Project Success: Identifying Success Criteria and Critical Success Factors" the challenges in managing IT projects and the critical factors that determine the success of a project.

The issue is completed by Dr Philippos Peleties's regular column "Do you know this Man", with an excellent obituary dedicated to Steven Jobs, Founder and Chief Executive of Apple.

EPILOGUE

Every day in Cyprus and in Greece we witness unprecedented social conditions and phenomena of poverty and destitution that we did not experience even in the period of the Turkish Invasion in the summer of 1974.
We are also living through a surge in crime, in the form of thefts, robberies and burglaries by people who lack the basics and are trying by unlawful means to cover the needs of their families. The ability of the state, and of society in general, to deal with these phenomena appears to be limited and unable to meet adequately the basic needs of our fellow human beings. Much will have to be done, mainly by those of us citizens who have the means, and we must stand by the fellow human beings around us, in our neighbourhood, in our community, in the house next door. We must make charity a priority.

And when you feel an intense sense of despair and deadlock at the misery and want that surround us, bring to mind the verses of the great poet Kostis Palamas (Patras, 13 January 1859 - Athens, 27 February 1943) in The Twelve Lays of the Gypsy:

And if we fell into an unheard-of fall
and tumbled down a precipice
deeper than any race has seen till now,
it is because, in the fullness of time,
an ascent just as deep awaits us
towards heaven-bearing heights!

ADVERTISE IN PLIROFORIKI!
By advertising in Pliroforiki you are promoting your services and products to more than 1000 readers, professionals, specialists and friends of Computers, Information, Technology and Communications Industry in Cyprus! For information regarding prices and reservations you can contact the Cyprus Computer Society Public Relations Officer Christina Papamiltiadou at tel. 22460680, email: [email protected].
OUR NEWS

CCS EVENTS

CALL OF THE WHITE
The Society always supports people and deeds that show daring, pioneering spirit, strength of character and courage. So, for the second time, it honoured the first Cypriot woman to conquer the South Pole, and her important achievement, by organising an event on the Commonwealth expedition to Antarctica (Kaspersky Lab Commonwealth Antarctic Expedition), in which she took part together with 7 other women of the Commonwealth. At the event, held on 13 October 2011, the CCS, in cooperation with the University of Nicosia, presented the world premiere of the documentary about the expedition, "CALL OF THE WHITE". The expedition leader, Felicity Aston, who has written the book of the same name, and the participant from Singapore, Sophia Pang, came to Cyprus specially for the event. After the screening, Felicity, Sophia and the Cypriot Stephanie spoke about their experiences and answered questions from the audience. More than 150 attendees were impressed by the enormous effort of the 8 women, who covered 900 kilometres in adverse conditions to conquer the southernmost point of the planet.

AGM
The Society's Annual General Meeting for 2011 was held on 24 November at the Cleopatra hotel. The President of the Board, Mr Costas Agrotis, spoke about the year's review and the Treasurer about the financial position for the previous year, 2010, while all the members of the Board discussed current issues and activities with the 50 attendees.

INFOSEC
The 8th International Conference on "Information Security", INFOSEC 2011, organised by the Cyprus Computer Society in November 2011 at the University of Nicosia, was a complete success. At the conference, which this year was entitled "Information Security: The Cloud And Beyond", distinguished scientists and speakers from around the world gave presentations and workshops on the latest international developments in the field of Information Security.
As a result, more than 100 participants, IT professionals and business executives, had the opportunity to learn about the critical parameters of security and about best practices for protection. The Cyprus Computer Society thanks all those who contributed to the effective running of the event (CEPIS, University of Nicosia, ECDL, ΣΕΤΗΛ, Cyta, IBM, Microsoft & Powersoft) and promises to continue the INFOSEC institution in the future.

ECDL/CCS PARTICIPATION

Careers Fair
For yet another year the Cyprus Computer Society took part in the Careers Fair organised by the Cyprus Association of Counselling and Vocational Guidance Teachers (OELMEK) and the Bank of Cyprus group on 19 and 20 November. Children interested in pursuing a career in Informatics were offered, in addition to relevant advice, printed material explaining the IT professions.

Treasure Hunt
The Treasure Hunt Rally was organised for the tenth consecutive year, maintaining its good reputation as one of the most "cool" events of the Radiomarathon. ECDL and the CCS again supported the event this year; it took place on 4 December and had a record number of entries (75 participating cars, with about 4 people in each) as well as record takings, which went to support people with special needs.

Workshop on the Digital Agenda for Europe
The CCS took part in the workshop entitled "Going Local II – A digital Agenda for Europe and Cyprus", organised on 25 November by the Department of Electronic Communications of the Ministry of Communications and Works in cooperation with the European Commission's Directorate-General for Information Society and Media. At the workshop Mr Dinos Konis spoke on behalf of the Society and covered the topic of eSkills, presenting the situation in Cyprus regarding the level of e-skills in businesses, as well as the actions of the European Commission to help all Europeans take part in the digital society.
Workshop on New Technologies in Education
The Foundation for the Management of European Lifelong Learning Programmes organised a workshop entitled "Use of New Technologies in Education and Training – e-Learning". As part of the event there was an exhibition of participants in Lifelong Learning Programmes, in which the CCS and ECDL took part, presenting the Society's participation in the Leonardo Da Vinci mobility action, with the aim of informing visitors about the e-guardian programme developed by our Lithuanian partners within ECDL.

CCS New Year's Cake-Cutting Event
The CCS event to celebrate the new year was a great success! At the customary dinner for the members of the Society with the cutting of the vasilopitta, this year the Board of Directors prepared a pleasant surprise for everyone: with the support of the event organising company Amaaze.com, casino games (Poker, Black Jack, Roulette) and Bingo (tombola) were organised, which provided entertainment for those present as well as rich prizes for the winners of the evening! The games delighted more than 115 people who attended the event on 13 January at the Mondo multi-purpose venue. The Cyprus Computer Society would like to thank the sponsors who offered the prizes, as well as the members who, by their presence and their participation in the games, contributed to the enormous success of the event.

Dr EUGENE SCHULTZ (1946 – 2011)
Yiannos Aletraris

Dr Eugene Schultz, a valued associate and dear friend, passed away on Sunday, 2nd October 2011.

I came to know Gene, as he preferred to be called, back in 2004 when he accepted our invitation to be a presenter at the Cyprus Infosec conference. We had heard so much about him, and were pleasantly surprised that such a renowned and respected information security guru would show so much interest in travelling all the way from the United States to visit our small island and enlighten us with his knowledge and wisdom.
Getting to know him in person was an even greater surprise, with his humble character, his wit and delightful humour. The feedback we received from the conference audience as well as the participants at his workshop completely confirmed his high reputation, and fellow members started asking for more follow-on workshops from him.

Gene’s wife, Cathy, had escorted him on that 2004 trip, and I remember her commenting that she came all the way from the United States to a small island in the Mediterranean only to find out she would stay 40 kilometres away from the beach! That innocent comment led to Cyprus Infosec 2005 being organised in Limassol, but unfortunately Gene could not make it due to other commitments. He did however manage to be with us in 2007 and in 2009, and Cyprus Infosec was always pencilled-in in his yearly plans.

2009 was to become the last time Gene participated in Cyprus Infosec. He contacted us in early 2010 to agree on the 2011 dates, and he even suggested other information security presenters that he admired. He had come to consider himself as part of the team, and cherished the time he spent in Cyprus with us. This year he planned to talk about Cloud Security and present a newly developed 2-day workshop on the subject. However, in September, his close associate Paul Underwood sent us a worrying email telling us that Gene would not be able to participate due to a serious illness. A blog was set up to inform his friends and colleagues on his health status, and through that, his wife Cathy finally informed us of his passing away.

As a tribute to Gene, the Cyprus Infosec 2011 conference was held on November 2nd 2011 in his memory.

Yiannos Aletraris
Member of the Cyprus Infosec Organising Committee

DR EUGENE SCHULTZ IN BRIEF

Gene was born September 10, 1946, in Chicago to E. Eugene Sr. and Elizabeth Schultz. He graduated from UCLA, and earned his MS and PhD (in Cognitive Science, 1977) at Purdue University in Indiana.
While at Purdue University, Gene met and married Cathy Brown. They were married for 36 years, and raised three daughters: Sarah, Rachel and Leah. Gene was an active member of Cornerstone Fellowship, and belonged to a men’s Bible study. His many interests included family, going to his mountain home in Twain Harte, model trains, music, travelling, the outdoors, history, reading and sports.

Gene was one of the more notable and accomplished figures in computing security over the last few decades. During the course of his career, Gene was professor of computer science at several universities, including the University of California at Davis and Purdue University, and retired from the University of California at Berkeley. He consulted for a wide range of clients, including U.S. and foreign governments and the banking, petroleum, and pharmaceutical industries. He also managed several information security practices and served as chief technology officer for two companies.

Gene formed and managed the Computer Incident Advisory Capability (CIAC) — an incident response team for the U.S. Department of Energy — from 1986–1992. This was the first formal incident response team, predating the CERT/CC by several years. He also was instrumental in the founding of FIRST — the Forum of Incident Response & Security Teams.

During his 30 years of work in security, Gene authored or coauthored over 120 papers, and five books. He was manager of the I4 program at SRI from 1994–1998. From 2002–2007, he was the Editor-in-Chief of Computers and Security — the oldest journal in computing security — and continued to serve on its editorial board. Gene was also an associate editor of Network Security. He was a member of the accreditation board of the Institute of Information Security Professionals (IISP).

Gene testified as an expert several times before both Senate and House Congressional Committees. He also served as an expert advisor to a number of companies and agencies.
Gene was a certified SANS instructor, instructor for ISACA, senior SANS analyst, member of the SANS NewsBites editorial board, and co-author of the 2005 and 2006 Certified Information Security Manager preparation materials.

Dr Schultz was honored numerous times for his research, service, and teaching. Among his many notable awards, Gene received the NASA Technical Excellence Award, Department of Energy Excellence Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman's Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award and the National Information Systems Security Conference Best Paper Award. One of only a few Distinguished Fellows of the Information Systems Security Association (ISSA), he was also named to the ISSA Hall of Fame and received ISSA's Professional Achievement and Honor Roll Awards.

At the time of his death, Dr Schultz was the CTO of Emagined Security, an information security consultancy based in San Carlos, California. He held certifications as a CISM, CISSP, and GSLC.

E. Eugene Schultz, Jr., 10/9/46–2/10/11. Rest in Peace.

ISACA CYPRUS CHAPTER
CYPRUS INSTITUTE OF INFORMATION SYSTEMS AUDIT
Paschalis Pissarides

At a time when the issues of protection, of dealing with growing risks, of security certification audits, of the proper governance of Information Systems and, more generally, of the protection of information are in the news every day and are emerging as highly important pillars of the financial health and of the achievement of the strategic and business objectives of every organisation, strengthening and institutionalising the protection and control of Information Systems is considered a necessity.
The founding and operation of the "Cyprus Institute of Information Systems Audit" in Cyprus could not have come at a more suitable time, and it fills a gap that existed in the business world: that of institutionalising the control and proper governance of information systems. The efforts of the Organising Committee were crowned with success on 16 June 2010, when the Board of Directors of the international institute "ISACA" (Information Systems Audit & Control Association), which is based in Chicago, USA, gave its official approval for the acceptance of the ISACA Cyprus Chapter as a full and recognised member, with its seat in Nicosia. On 20 October 2011 the ISACA Cyprus Chapter also received a certificate of registration and operation as an Association under the Associations and Foundations Law, under the name "Cyprus Institute of Information Systems Audit".

The international institute "ISACA" was created in the USA in 1969 and operates as a central body for information and guidance relating to the control of Information Systems. Since then "ISACA" has grown into an international and well-established organisation with a presence in more than 160 countries and over 86,000 members who work professionally in the protection, control and governance of Information Systems. Today "ISACA" enjoys worldwide recognition as the pre-eminent organisation specialising in risk management, protection, control and proper governance of Information Systems, promoting, among other things, knowledge and education through internationally recognised standards, international conferences, seminars, informational publications and professional supplements.

From the first moment of its creation the Cyprus Institute of Information Systems Audit has shown unique momentum, as demonstrated by the great interest shown in joining the Institute, which within a few months of its founding had reached 68 members.
The compelling need for the creation of the Institute is also confirmed by the fact that the role of specialists in the control and protection of Information Systems is gaining ever greater weight in the operations of both the public and the private sector.

On 5 November 2009 the 1st Pancyprian Founding General Meeting of the Institute was held, during which the nine-member Board of Directors was also elected. Through the activities of the Institute the Board of Directors pursues the following objectives:

• education and the dissemination of knowledge in the fields of inspection, protection and control of Information Systems,
• the adoption, elaboration and publication of general principles, and the promotion of techniques relating to good practice in the fields of the sector,
• the promotion and strengthening of research, study and knowledge concerning the fields of the sector, as well as supporting the members of the Institute with the necessary know-how and, more generally, the wider training of those working in the sector,
• informing, supporting and providing every possible assistance to the members of the Institute in obtaining the professional certifications offered by ISACA:
  * CISA (Certified Information Systems Auditor), with over 70,000 certified members since the certification began in 1978
  * CISM (Certified Information Security Manager), with over 10,000 certified members since the certification began in 2002
  * CGEIT (Certified in the Governance of Enterprise IT), with over 3,000 certified members since the certification began in 2008, and
  * CRISC (Certified in Risk and Information Systems Control), with over 1,000 certified members since the certification began in early 2010

The rapid growth of transactions over the internet, and the fact that we live today in the "Information Society", which creates new conditions and new opportunities for growth based directly on the rapid development of information and communication technologies, which are an essential tool for more open and effective governance and for improving the competitiveness of businesses, give particular importance to the needs of businesses for the protection and effective control of information and communication technologies and for the effective management of risks.

With the objectives it has set for strengthening and promoting research, organising scientific workshops and conferences, and promoting international standards and procedures for the protection and control of information systems, the Cyprus Institute of Information Systems Audit will contribute both to the continuous education, upgrading and strengthening of the people working in risk management and to the application of appropriate mechanisms for the control and protection of information systems, which will strengthen the competitiveness and reliability of businesses.

During 2011 the Institute successfully organised lectures and training seminars with experienced speakers on targeted topics of interest, for the better information and training of the members of the Institute, such as:

• Continuous Auditing & Continuous Monitoring: Using Technology to Drive Value by managing Risk & Monitoring Performance
• Introduction to Computer Forensics
• Identity & Access Management – Key Concepts and Implementation methodology
• Identity & Access Management – A practical Implementation
• A Risk Based Approach to Data Protection
• GSM Threads & Vulnerabilities

The Institute, in cooperation with the Cyprus Computer Society, held a seminar on "Computer Forensics" as part of the Infosec 2011 Conference, which took place at the University of Nicosia in early November. A training seminar was also organised, in cooperation with the Cyprus Certification Company, to prepare candidates for the international examination in December for the professional certification CISA (Certified Information Systems Auditor).
We hope that through our cooperation with the Cyprus Computer Society and the Cyprus Certification Company, and in future with other related professional associations such as the Cyprus Institute of Internal Auditors and the Institute of Certified Public Accountants of Cyprus, it will become possible to exchange experience and knowledge through the joint organisation of events and other activities.

At a time, then, when organisations set as an absolute priority the rational management of risk and the secure management and governance of their Information Systems, the Cyprus Institute of Information Systems Audit and its members have very important work to do in spreading systematised knowledge and good practices to the Cypriot Information Society and to businesses.

AUTHOR

Paschalis Pissarides has worked in the Information Security Department of Marfin Laiki Bank since 1997. Before that he worked for 8 years as Senior Internal Information Systems Auditor at a large financial organisation in the United States of America. Paschalis has twenty years of professional specialisation and experience in the field of Information Systems Security, Governance and Audit. He holds the professional certifications CRISC (Certified in Risk and Information Systems Control), CISM (Certified Information Security Manager), CISA (Certified Information Systems Auditor), CPA (Certified Public Accountant) and CFE (Certified Fraud Examiner). He has been an active member of the international organisation ISACA since 1991. He served as President of the Central Indiana ISACA Chapter in America and is President of the ISACA Chapter in Cyprus. He is a member of the Organising Committee of the Cyprus Computer Society for the International Conference INFOSEC. He holds degrees in Accounting and Information Systems Management, an MBA specialising in finance, and a postgraduate degree in Political Science from Bowling Green University, Ohio, USA.
GOVERNANCE OF INFORMATION SECURITY & OTHER INITIATIVES
Vernon Poole

As information security incidents increase, especially cyber security incidents, organisations need to respond to these challenges as a governance issue and define specific tasks that staff at all levels can undertake as part of a management framework. This article will enable executive management and the Board to undertake their roles in Information Security Governance.

As the global economy depends on the secure flow of information within and across organisations, information security is an issue of vital importance. A secure and trusted environment for information greatly enhances consumer benefits, business performance and productivity, and national security. Conversely, an insecure environment creates the potential for serious damage to governments and organisations that could significantly undermine customers and citizens. For those engaged in the Critical National Infrastructure, the stakes are particularly high.

Where do we stand in the effort to bolster information security? If the stakes are so high, why haven't we made more progress?

CURRENT POSITION

1. Increasing laws & regulations call for more attention on Information Security – but only a few organisations are actively addressing their information security needs.

Information security is important. Companies and individuals want more security; vendors are responding with more secure products; industry and consumers recognise the need for information security – but security has a cost, and demonstrating return on security investment is sometimes difficult. The good news is that the security profession and national governments are actively engaged in addressing the information security challenge.
For example, in the UK the Government has developed a Security Policy Framework, and in the USA they have developed California's Database Security Breach Notification Act, July 2003, which requires companies to notify customers if they believe a systems breach has led to the release of their personal information (this may become an EU regulation in 18 months' time).

2. Information security is often treated as a technology issue, when it should be treated as a governance issue. The Board and executive management must be actively engaged.

Businesses today face increased scrutiny when it comes to corporate governance, accountability, and ethics. The Sarbanes-Oxley Act of 2002 (SoX) created an obligation at the CEO and board level to pay attention to information security. Implementation of an effective IT security program is ultimately a matter of enlightened organizational self-interest. Companies are taking action to protect their own information and information entrusted to them by customers, suppliers, and other partners. They are establishing responsibility for information security and adopting programs to evaluate and address the vulnerabilities and the internal and external threats. However, within many organizations, two important barriers to effective computer security exist:

• responsibility is assigned solely to the Chief Information Security Officer (CISO)
• lack of a framework for action: how to set priorities, assign tasks, & monitor implementation.

3. There are existing frameworks that outline the actions necessary to remedy the problem.

ISO27001 & COBIT are two examples, with the emerging BMIS (Business Model on Information Security) & COBIT5 next year offering the best way to address these governance issues. ISO27001 & ISO27002 (Code of Practice on Information Security Management) are the global de facto standards which enable all organisations to set up an effective Information Security Management System (ISMS).
Business Model for Information Security (BMIS) from Information Security Audit and Control Association (ISACA) allows an organisation to understand the driving Organisational requirements in respect of Governance, taking account of People, Process & Technology but also of the dynamic interconnections of Culture, Architecture, Emergence, Governance, & Human Factors. COBIT5 from ISACA, to be published in 2012, will be an integrated knowledge base. Depending on who you are as a stakeholder (CISO, Certified Information Systems Auditor (CISA) or a management role), you can establish what you need to do as a Governance contributor.

4. Lack of progress is the failure to adopt such frameworks – they can guide an organisation on implementing practical solutions.

Governance entails the systematic oversight and execution of information security functions. By themselves, recommended practices – no matter how strong the consensus is for them – are not enough; they must be married with an information security governance framework that assures effective implementation. A governance framework is important because it provides a roadmap for the implementation, evaluation and improvement of information security practices. An organization that builds such a framework can use it to articulate goals and drive ownership of them, evaluate information security over time, and determine the need for additional measures.

RECOMMENDATIONS

1. Government and industry should recognize that a significant regulatory regime already exists for information security. Some laws address information security directly; others address it indirectly through such issues as financial governance, privacy, or reporting requirements. Organisations should begin developing programs to comply with them, e.g. SoX; Basel II; Payment Card Industry (PCI) Compliance.

2. We should develop an information security governance framework that organizations can readily adopt.
One of the most important features of a governance framework is that it defines the roles of different members of an organisation. By specifying who does what, it allows organizations to assign specific tasks and responsibilities. A common element in almost all security best practices is the need for the support of senior management. Management functions can fall into four categories – CEO/Board, Executive Management, Steering Committee, and CISO:

CEO/Board has responsibility for
• Oversight and coordination of policies
• Oversight of business unit compliance
• Compliance reporting
• Actions to enforce accountability

Executive Management has responsibility for
• Providing information security protection commensurate with the risk and business impact
• Providing security training
• Developing the controls environment and activities
• Reporting on effectiveness of policies, procedures and practices

Steering Committee has responsibility for
• Providing security guidance for information and systems
• Periodically assessing assets and their associated risks
• Assessing appropriate levels of security for the information in their systems
• Ensuring that policies and procedures cost-effectively reduce risk to acceptable levels
• Ensuring that security and controls are tested periodically

CISO has responsibility for
• Developing, maintaining, and ensuring compliance to the security program
• Designating a security officer with primary duties and training in IT security
• Developing the required policies to support the security program and business user needs
• Developing the information use and categorization plan
• Assisting senior managers with their security responsibilities
• Conducting security awareness program

Components of the Framework

Information Security Governance includes elements required to provide management assurance that its direction/intent are reflected in the Information Security regime by utilizing a structured approach to implementing an IS program. 6 basic outcomes are recommended:

1. Strategic alignment
2. Risk management
3. Value delivery - optimizing IS investments in support of business objectives
4. Resource management
5. Performance measurement
6. Assurance Integration

MANAGEMENT LEVEL: Board of Directors
• STRATEGIC ALIGNMENT: Require demonstrable alignment
• RISK MANAGEMENT: Policy of risk management in all activities. Ensure regulatory compliance
• VALUE DELIVERY: Require reporting of security activity costs
• PERFORMANCE MEASUREMENT: Require reporting of security effectiveness
• RESOURCE MANAGEMENT: Policy of knowledge management and resource utilization
• PROCESS ASSURANCE: Policy of assurance process integration

MANAGEMENT LEVEL: Executive Management
• STRATEGIC ALIGNMENT: Institute processes to integrate security with business objectives
• RISK MANAGEMENT: Ensure roles and responsibilities include risk management in all activities. Monitor regulatory compliance
• VALUE DELIVERY: Require business case studies of security initiatives
• PERFORMANCE MEASUREMENT: Require monitoring and metrics for security activities
• RESOURCE MANAGEMENT: Ensure processes for knowledge capture and efficiency metrics
• PROCESS ASSURANCE: Provide oversight of all assurance functions and plans for integration

MANAGEMENT LEVEL: Steering Committee
• STRATEGIC ALIGNMENT: Review security strategy and integration efforts, ensure business owners support integration
• RISK MANAGEMENT: Identify emerging risks, promote business unit security practices. Identify compliance issues
• VALUE DELIVERY: Review adequacy of security initiatives to serve business functions
• PERFORMANCE MEASUREMENT: Review and advise vis-à-vis whether security initiatives meet business objectives
• RESOURCE MANAGEMENT: Review processes for knowledge capture and dissemination
• PROCESS ASSURANCE: Identify critical business processes and assurance providers. Direct assurance integration efforts

MANAGEMENT LEVEL: Chief Information Security Officer
• STRATEGIC ALIGNMENT: Develop security strategy, oversee security program and initiatives, liaise with business process owners for ongoing alignment
• RISK MANAGEMENT: Ensure risk and business impact assessments, develop risk mitigation strategies. Enforce policy and regulatory compliance
• VALUE DELIVERY: Monitor utilization and effectiveness of security resources
• PERFORMANCE MEASUREMENT: Develop and implement monitoring and metrics approaches. Direct and monitor security activities
• RESOURCE MANAGEMENT: Develop methods for knowledge capture and dissemination, develop metrics for effectiveness and efficiency
• PROCESS ASSURANCE: Liaise with other assurance providers. Ensure that gaps and overlaps are identified and addressed

Interpreting the Framework

The framework poses three sets of questions:

1. What am I required to do?
2. How do I accomplish my objectives?
3. How effectively do I achieve my objectives?

Because the framework describes proactive actions it not only clarifies roles and responsibilities, but also helps management select a security practice reference (like ISO 27001 or the emerging ISO27014, still being finalised) that is appropriate for their organisation.

Consistent with Key Security Practices

Any Governance Framework must include the following key security requirements:

1. The need for risk assessments. Risks must be understood and acknowledged, and the security measures that are taken must be commensurate with these risks.
2. The need for a security organizational structure.
3. The need to create, communicate, implement, endorse, monitor, and enforce security policies.
4. The need to make every member of the organization aware of the importance of security and to train them in good security practices.
5. The need for access controls to make certain only identified and authorized users with a legitimate need can access information and system resources.
6. The need to consider security throughout the system life cycle.
7. The need to monitor, audit, and review system activity in a routine and regular function.
8. The need for business continuity plans that are tested regularly.

AUTHOR

Vernon is Head of Business Consultancy, responsible for Sapphire's team of consultants who deal with Information Assurance/Governance and all best practice standards on Information Security Management and associated areas (ISO27000 series; ITIL; COBIT5; RiskIT). He is recognised as one of the thought leaders on Information Security Governance. He now sits on ISACA's new COBIT5 Taskforce developing ISACA's new in-depth approach to Information Security Governance. He is both CISM and CGEIT qualified. Vernon can be reached at [email protected]

SAFE COMPUTING IN AN INCREASINGLY HOSTILE WORLD: SECURITY 2.0
Dr Andrew Jones

The world in which data lives is always changing. But in the last few years it has changed dramatically, and this means that the challenge of protecting networks and data has become even more difficult. Due to the proliferation of national labs whose goal is to compromise other networks, attacks have become increasingly sophisticated. The old security solutions will no longer suffice and system architects must design networks with security as a design goal. Security 2.0 means that networks must adhere to a range of fundamental security rules or accept that they will be violated.
SOVEREIGN HACKING

It has long been accepted that some nations have maintained organizations whose purpose is to "monitor" or "spy" on the electronic activities of other countries. In the United States it is widely assumed that the National Security Agency monitors as much electronic communication as possible, both inside the U.S. and around the world. This is a natural evolution of efforts to monitor the enemies' communications during various wars. There are lots of famous tales and books on the subject of spy activities and efforts to decode messages or prevent the enemy from breaking your codes. Bletchley Park, located outside of London, was a secret organization whose only purpose was to decode WWII German messages encrypted by the famous Enigma machine. Although Bletchley Park was disbanded after that war, it was only natural that as communications moved to computers, spying in that realm would follow. We call this activity sovereign hacking.

Sovereign hacking refers to activities whose purpose is to violate networks in the interest of a sovereign government. It is usually conducted by laboratories with highly trained experts and extensive research, infrastructure and monetary support. Many nations around the world now support such laboratories.

Sovereign hacking requires deep knowledge of network architectures, operating systems, and vulnerability vectors. Developing this knowledge and the resulting techniques used to breach well-defended networks requires extensive research. This makes all networks vulnerable and, unavoidably, this knowledge and these techniques migrate out of the secret labs and into the wider world.

Hacking has gone far beyond merely gaining access to networks in order to read secret messages or learn specifications of new defense systems. Those are passive activities; hacking has also become active. It is now possible to assume control of a network remotely and have it carry out your bidding.
Does this mean hacking has become a weapon? Yes, and that surely makes many other weapons systems obsolete.

RECENT HACKS

Let's look at some recent hacks and see what they can tell us about the current hacking environment.

The RSA hack was particularly spectacular since the RSA token is so widely used and often considered the "gold standard" of authentication. The hackers penetrated the algorithm that generates the one-time password from the RSA card serial number. This allowed them (or anyone with this information) to effectively bypass the authentication process. As a result the one-time password generation algorithm had to be revamped and literally millions of tokens had to be replaced. A huge hidden cost was the loss of customer confidence that RSA suffered in this event.

This hack required subtle "social engineering" to learn the details of the RSA system architecture, and considerable knowledge about the code in the Adobe Flash program to gain remote administration capabilities on a machine inside RSA. This allowed the hackers to carry out a series of attacks to gain further access to the networks and accomplish the multistage penetration.

The important lesson to draw from this attack is that hackers are no longer lone dissidents looking for a quick victory. This hack was probably the work of several groups, each of which had expertise in different areas.

SONY PLAYSTATION NETWORK

This was another high-profile attack that affected millions of people around the world. Like the RSA hack, this penetration required extensive knowledge in several areas. The blogosphere suggests that the coalition that accomplished this hack might be from Russia (due to the database knowledge required) and that they were simply after account information that could be sold for ready cash. Perhaps they succeeded beyond their expectations. Before all the doors had been closed, the hackers gained access to the data in over 77 million on-line accounts.
It is not clear that they were able to "steal" all that data. Downloading and storing data from 77 million accounts requires a lot of bandwidth and significant storage. But they probably did get a lot of credit card data and surely profited from it.

The lesson here is that Sony spent a significant amount of time and resources to implement a database that could handle millions of customer accounts but did not use a trusted operating system (or did not configure those features) that allowed isolation of data and access. This error is easy to understand given the size and sophistication of the Playstation network. Sony had to shutter the on-line gaming service for a period of time to fix the holes and is still fighting demands for various forms of compensation from former customers.

BARRACUDA NETWORKS

This hack was more amusing than instructional. (It is amusing to us; certainly not to Barracuda Networks.) Still, there are a few lessons that can be taken from this. Barracuda Networks is a developer of firewalls, web and spam filters and is generally considered to provide "pretty good" security for its customers. Not surprisingly, Barracuda Networks used its own products to protect its internal networks.

Using a well-known "SQL injection" technique, hackers successfully accessed the Barracuda Networks Sales and Marketing Department database, which stored sales leads, marketing data and other sensitive information. So the hackers breached the Barracuda Networks firewall? No, that was not necessary: the firewall was off-line for an upgrade when the network was compromised.

So that means the hackers were really lucky and struck at exactly the opportune moment? Or perhaps they had inside knowledge? Of course, either of those situations is possible. But more than likely it was simply the case that hackers were probing the network all the time, continuously. Once the firewall was off-line, the door was open and they were able to access things easily.
This simple hack illustrates two important issues. First, with external, perimeter-based security, it is best not to leave the gate unlocked. This might be called single point security, and it allows for the possibility of single point failure. Second, hacking is not a "sometime" activity; it is continuous. Many studies have concluded that once a device is placed on-line, hacking probes begin almost immediately and they continue.

CITIGROUP

Citigroup is one of the largest global banks in the world. As such they are surely a prime target for a wide variety of hackers - after all, that is where the money is. This hack, while extremely successful, was simple and straightforward.

The hack was successful in that the hackers accessed and probably downloaded the information from at least 200,000 accounts. This account data included names, passwords and transaction information - all valuable data if you are looking to sell the information either above ground (to "legitimate" marketing research organizations) or below ground (for identity theft).

The hacking team exploited a simple flaw in Java that allowed them, once they had access to a single account, to jump from one account to another. It was a brute force method but it was effective. Again, with no internal controls, once the flaw was discovered, all the doors were open. Citigroup has thus far avoided releasing details of the hack.

THE F35 JOINT STRIKE FIGHTER

This is the hack that illustrates the current state of data hacking. The F35 is a military aircraft that has been developed by a coalition of countries. It employs highly advanced technology and sophisticated computer controls and data gathering. In fact it has been called a "mainframe with a jet engine". It reportedly flies with 7.5 million lines of code aboard. That is one reason that this weapons system is the most expensive development ever undertaken by the U.S. military.
Again, this hack required multiple hacking techniques, extensive expertise in several different areas, and the will to devote large amounts of resources to obtain this information. Clearly, this was the work of sovereign hackers rather than rogue programmers looking to sell credit card information.

Lockheed Martin is the prime contractor, although several other contractors and countries are integral to the development. Lockheed Martin employed numerous industry-standard security technologies. Still, the data system was hacked and the thieves (spies in this case) obtained very specific data on the actual real-time performance, performance specifications, maintenance data, and weapons capabilities.

Of course, when the plane is airborne it is not connected to any networks (for the most part; there is communication between the plane and ground stations in several modes). This was not generalized data that was obtained; the data was specific to each aircraft and flight and came from data downloaded after each flight. The hackers apparently had access to this data for at least two years before the breach was discovered.

Apparently this hack was accomplished by compromising one of the contractor's networks which had access to the primary data network. Lockheed Martin shut down all access to their network but clearly, the damage had already been done.

Could the hackers have gained physical control of the aircraft and caused it to attack the wrong target? Could they cause it to simply crash? Neither possibility seems that remote. Simply installing rogue code that executed at the proper time - say once engine RPM exceeds a set value - could easily cause some subsystem aboard the plane to malfunction. Clearly, this appears to be an early skirmish in cyber warfare.

If you are comfortable in your efforts securing your network, if you are able to sleep soundly, confident that all the doors are locked, wake up.
If someone can hack a weapon system development such as the F35, which has access to all the most sophisticated security technology, most anything can be hacked. All it takes are the resources and will.

BASIC SECURITY

It is possible to thwart most threats to your system by employing the basic foundations of security. Of course, it would be nice to have a "silver bullet" - a single device or technique that guaranteed your network could not be hacked (at least by ordinary hackers). Since that silver bullet is not yet available we have to return to the basics: authentication, encryption, and a trusted operating system.

Authentication means that you know who is at the end of the wire, who is requesting access, who you can trust. Most authentication systems use very simple - and very untrustworthy - techniques for identifying users for convenience. A simple password is easy to hack and Windows will even remember it for you. That often means that physical access to a machine is equivalent to access to the network.

A true three factor authentication system is required. Three factors mean that you are identified by something you have (the RSA token for example), and something you are (a fingerprint or iris scan), and something you know (the one-time password). We have seen that with two factor authentication, once the token is hacked, access is easy. So the factors must be very difficult to compromise. For example most fingerprint readers rely on a central database to store the fingerprint signatures. If that database is hacked, a fingerprint reader is useless.

Encryption is often touted as the ultimate solution to all data security. In mathematics vernacular we would say that encryption is necessary but not sufficient. Data should be encrypted both while in storage and during transmission. But the data must be decrypted to be useful and encryption does not help prevent hacking.
A trusted operating system (a TOS) is the only way to ensure that the damage done by a hacker is controlled or limited. Notice that I did not say that a TOS could not be hacked; any system can be hacked. But a TOS gives you control over a number of things that allow you to limit access to very specific data and prevent data from "migrating" from one sensitivity level to another. It is a powerful tool in the ongoing hacking arms race.

The concepts that are embodied in a TOS were developed over 30 years ago and have remained constant and useful since that time. Therefore we will not belabor the features of a TOS here; they are probably already familiar to most system administrators. In summary the advantages of a TOS are due to features that allow fine-grained control of access to resources, and provide compartmentalization, privilege assignment, and role assignment.

Implementing and configuring a TOS is a complex and difficult task. It also imposes additional overhead - sometimes significant overhead - on normal administrative tasks. Hence, many administrators avoid dealing with a TOS, apparently hoping that combinations of other security technologies will be sufficient. The evidence weighs heavily against that position.

CONCLUSIONS

Given the above analysis and observations, it is impossible to avoid the conclusion that there is cyber warfare under way between many sovereign hacking groups. Unfortunately, the techniques and sophistication used by these sovereign hacking groups have migrated out into the old world of hacking for fun and profit - now mostly hacking for profit. This means that everyone is subject to significantly increased risks of their network being violated. It is time to upgrade to Security 2.0.

Security 2.0 means that security must be designed into the basic system architecture. It cannot be added on. You must use a trusted operating system that has the capability to isolate compartments and control root privileges.
Finally, it means that you are absolutely sure who is accessing your system by using true three factor authentication.

In the past it was acceptable to address threats as uncommon events that had atypical signatures or unusual patterns. This allowed security devices to "watch" for these odd occurrences and interdict them or at least protect against them. Security 2.0 must be "holistic" and address the fact that threats are no longer characterized by simple errant signatures; the entire system must be part of the protection mechanism.

Security 2.0 must also be agile - it must protect against new attack vectors that were not anticipated when the system was designed. It must also allow for quickly and efficiently adding and removing access or access levels as needs change.

Finally, it must be pervasive in that it must address threats from "end to end" of the system. This means that data stored in the network operating center is protected and the data collection and access systems at the "end of the wire" can also be trusted.

Viewing your network architecture and security in the Security 2.0 model and implementing these principles has another benefit: it will allow you to once again sleep soundly at night.

AUTHOR

Dr Jones is the recent Chief Executive Officer and President of Argus Systems Group. Argus Systems Group is the developer of the PitBull trusted operating system, currently sold by IBM as Trusted AIX. Dr Jones was a founding member of Open Prairie Ventures, where he evaluated business plans and potential investments. He was also the lead investor when Open Prairie acquired the assets of Argus. Dr Jones has been the founder and operator of several new technology businesses and taught technology commercialization and other subjects at the University of Illinois. Dr Jones received his PhD from the University of Alabama in Physics (1975), an MBA from the University of Illinois (1978), and a BS and MS in Physics and Math from the University of Alabama (1965, 1972).
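The Security 2.0 article above credits a trusted operating system with compartmentalization and with stopping data from "migrating" between sensitivity levels; the sketch below models that behaviour. It is an added example, not code from the article, PitBull or Trusted AIX: it assumes the classic Bell-LaPadula rules (no read up, no write down), and every level, compartment, process and object name in it is constructed.

```python
"""Toy model of label-based mandatory access control (Bell-LaPadula rules).

Assumption: all levels, compartments, subjects and objects are constructed
for illustration; this is not how any particular trusted OS is implemented.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # At least as sensitive AND a superset of the other's compartments.
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def make_label(level, *compartments):
    return Label(level, frozenset(compartments))


def permits(subject_label, op, target_label):
    if op == "read":                       # no read up
        return subject_label.dominates(target_label)
    if op == "write":                      # no write down
        return target_label.dominates(subject_label)
    return False                           # unknown operation: default deny


class ReferenceMonitor:
    """Every access goes through check(); there is no uid-0 bypass."""

    def __init__(self):
        self.objects = {}   # object name -> Label
        self.audit = []     # (subject, op, object, allowed)

    def add_object(self, name, lbl):
        self.objects[name] = lbl

    def check(self, subject, subject_label, op, obj):
        allowed = permits(subject_label, op, self.objects[obj])
        self.audit.append((subject, op, obj, allowed))
        return allowed

    def reachable(self, subject_label, op):
        """Objects a process with this label could touch if it were taken over."""
        return sorted(name for name, target in self.objects.items()
                      if permits(subject_label, op, target))


def build_monitor():
    rm = ReferenceMonitor()
    rm.add_object("web_content", make_label(Level.PUBLIC, "web"))
    rm.add_object("web_log", make_label(Level.INTERNAL, "web"))
    rm.add_object("sales_leads", make_label(Level.CONFIDENTIAL, "sales"))
    rm.add_object("card_data", make_label(Level.SECRET, "payments"))
    return rm


# Constructed process labels: an internet-facing server and a billing job.
WEB_PROC = make_label(Level.PUBLIC, "web")
BILLING_PROC = make_label(Level.SECRET, "payments")


def run_scenario():
    rm = build_monitor()
    attempts = [
        ("web", WEB_PROC, "read", "web_content"),
        ("web", WEB_PROC, "read", "web_log"),          # read up: denied
        ("web", WEB_PROC, "write", "web_log"),         # append upward: allowed
        ("web", WEB_PROC, "read", "card_data"),        # other compartment
        ("billing", BILLING_PROC, "read", "card_data"),
        ("billing", BILLING_PROC, "write", "web_content"),  # write down
        ("billing", BILLING_PROC, "read", "web_content"),   # wrong compartment
    ]
    return {(s, op, o): rm.check(s, lbl, op, o) for s, lbl, op, o in attempts}


if __name__ == "__main__":
    for attempt, allowed in run_scenario().items():
        print(attempt, "ALLOW" if allowed else "DENY")
    print("web process can read:", build_monitor().reachable(WEB_PROC, "read"))
```

The `reachable` result is the useful number for a defender: it is the set of objects exposed if that one process is compromised, regardless of which user the process runs as.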
THE FUTURE OF INFORMATION SECURITY: NEW PRIORITIES, NEW SKILLS AND NEW TECHNOLOGIES

David Lacey

The business environment of the future will be very different from today’s. Boundaries between organisations and between personal and business computing will dissolve. Everyone and everything will be linked to the Internet. In order to survive these radical changes, organisations must embrace the uncertainty and the new risks this environment creates. This paper explores the impact of future trends and sets out a new agenda for the priorities, skills and technologies of information security managers.

CHANGES IN THE BUSINESS AND TECHNOLOGY LANDSCAPES

Digital networks are transforming organisations. This is a long term trend, as enterprises slowly evolve from a relatively static, mechanistic form demanded by the Industrial Age, to a more dynamic, adaptable style encouraged by the Information Age. Amongst other changes, there will be major differences in the nature of corporate governance and the location of business. Horizontal, peer-to-peer information flows will displace traditional, vertical, command-and-control flows, opening up new possibilities for external partnerships and virtual supply chains, but at the same time undermining the influence and authority of corporate policy and standards. The nature of wealth will also evolve as intellectual assets, such as ideas, know-how, relationships and reputation become more valuable, requiring security to extend its traditional scope from safeguarding physical assets and data to protecting concepts, ability and transactions. Dynamic information flows will become more significant than static stocks of data as a generator of wealth, challenging the traditional role of security as a barrier to physical and electronic flows. At the same time, corporate boundaries will shift or dissolve, both between organisations and between personal and business computing.
The increasing business use of mobile devices coupled with the introduction of cloud computing is already creating an environment in which the users have already left the building and the applications are following. In response, the focus of security management needs to change from securing private infrastructure towards influencing behaviour and managing external relationships. Virtualization is also transforming both the problem and solution spaces, changing the nature of the target and its attack vectors, and introducing new possibilities for security features. Examples of such technologies include servers that continuously refresh operating system software and client devices that enable the ring-fenced use of multiple user personae. Cyberspace itself presents a different environment from a security perspective, as it creates a world that blends fact and fantasy, in which people feel anonymous and concealed, encouraging them to relax and feel less inhibition to explore dark, unacceptable subjects (such as pornography), or to be unusually hostile, rude and angry. Users can commit acts or reveal information that go beyond anything that might be contemplated in the physical world. And there are no disapproving glances in cyberspace to discourage inappropriate behaviour.

TRENDS IN SECURITY THREATS

The increasing value of information combined with the greater availability of knowledge and networking tools means that security threats will become increasingly strategic, professional and collaborative. Internal security threats will also increase with the inevitable growth in the reach and power of user access capabilities to corporate databases. Advanced persistent threats, such as those originating from aggressive intelligence services, are long-term, sophisticated and well funded.
The targets of these threats are likely to become broader and deeper, and they will inevitably progress beyond mere theft of intellectual property towards sabotage of competing commercial or national interests. Modern industrial supervisory control and data acquisition (SCADA) systems used to control industrial plants are powerful enough to destroy a plant, yet many have been built and operated with insufficient attention to security vulnerabilities. Many have external connections to enable remote maintenance. Offensive techniques are many and varied, including resonance, wear and surge attacks. Unfortunately, there are no quick or cheap fixes for vulnerable systems. This exposure will therefore be a growing concern for many years. External sourcing of services, fuelled by lower costs in developing countries, will introduce additional security risks from crime, espionage and corruption. In countries where the rule of law is not fully developed, greater attention to due diligence and relationship management will be necessary to mitigate the risk of deliberate breaches of contract. With less direct control of the supply chain, a greater degree of monitoring will be needed to maintain visibility of events and controls. Information has three major components: confidentiality, integrity and availability. But they are not equally addressed. In particular the integrity component is not sufficiently recognised, creating a growing exposure in a threat landscape that will increasingly seek to manipulate rather than steal corporate secrets. Networks provide opportunities for both accidental and deliberate attempts to distort data, whether through ‘Chinese whispers’ or deliberate. Indeed, the true nature of cyber warfare is more the art of illusion than the science of sabotage. 
A further challenge for security is the forthcoming “information Tsunami” created by the massive growth in data (up to 60% per year) which enables growing numbers of people to have greater access to even more data. Cloud computing enables much larger volumes of data to be stored and processed, resulting in increasing citizen concern about stored data and an inevitable breakdown in manual security practices. In the short and medium term there will also be an enhanced threat of system and infrastructure outages during the next few years as solar activity is forecast to peak massively between 2012 and 2015, potentially threatening electricity supplies and taking out GPS and mobile communications.

SHORTCOMINGS WITH EXISTING SECURITY MANAGEMENT METHODS

To be fit for the future, information security management needs to begin by recognising and correcting its existing shortcomings. Security thinking and countermeasures have changed little in three decades despite a continuously evolving problem space. The current approach is rooted in industrial age ‘process’ thinking, rather than a real-time, improvisational response. Regulatory compliance discourages innovation, as it promotes established standards and discourages innovative emerging solutions. Security management has become more of a ‘tickbox’ compliance activity than a thoughtful, creative process. Few security managers today have sufficient time or incentive to address emerging risks when they are bogged down in paper trails of evidence to demonstrate compliance against hundreds of mandatory control objectives. Excessive copying of ‘best practices’ is also building a dangerous ‘monoculture’ that favours the attacker. Potential forms of attack can be quickly tested against a small range of standard security products which are likely to comprise the defensive perimeter for most organisations.

CHANGES NEEDED TO MEET FUTURE CHALLENGES

The future focus of security will be on assets that are external, mobile, global, intellectual, abstract, volatile, accelerating, diverse and complex. These are characteristics that information security management, in its existing form, will struggle to address. Against a stifling background of increasing legal and compliance demands, security practitioners must aim to adopt new priorities, new skills and new technologies to meet the challenges presented by this paradigm shift. Priorities need to change by placing less focus on safeguarding internal infrastructure and more on external supply chains, by focusing less on outstanding audit actions and more on real time events, and by spending less time on specifying security controls and more on persuading other people to address security. New or better skills are needed in supply chain leadership, through smarter due diligence, better contract development and more effective relationship management. Further skills are needed to influence user or customer behaviour, through an appreciation of psychology and marketing techniques, and an ability to influence people across social networks. Better strategic response skills are also required to manage incidents of increasing business impact on abstract intellectual assets such as reputation and legal standing. Practitioners will need to develop strategic crisis management skills, as well as an enhanced intelligence and investigation capability, supported by broader and deeper digital forensic skills. Greater use of technology will be required to support these new priorities and skills. Virtualisation is a powerful technology that transforms both the problem and solution spaces.
Whether used at the client or server level, it changes the nature of the attack surface and the potential attack vectors, as well as enabling multiple users, personae and operating systems to co-exist on a common platform. Cloud based security services also offer great potential by leveraging a much broader knowledge base of events and threats. Dashboard technology provides a catalyst for centralising previously disparate information feeds of security information, enabling greater intelligence and investigation capabilities to be developed through increased use of data mining, fusion and visualisation technologies. To be resistant to the more sophisticated attacks of the future, platforms and systems also need to be hardened to a much higher level of security. In practice this can be achieved by exploiting established but under-utilised security measures such as Microsoft’s Security Development Lifecycle (SDL) and the trusted computing standards and products developed by the Trusted Computing Group (TCG). Behind the scenes the TCG has been encouraging the roll-out of Trusted Platform Modules (TPMs) in more than 500 million professional laptops and servers. This technology can be used for strong device authentication, encryption key management, trusted execution, multi-level security and secure health checking. It also enables control of the client device to be fully or partially transferred from the user to the organisation. Few of the above skills and technologies have been adopted or fully exploited by security practitioners. Partly this is because of ignorance, partly it is due to the absence of incentives to innovate, and partly it is because of a lack of creativity across the global security community. But the consequences of the new security threat landscape are challenging and inescapable. Unless we have the ambition to change the mindset, knowledge and skills of security practitioners the outlook for security will be bleak.

AUTHOR

Mr.
David Lacey is a leading expert on information security and risk with more than 25 years' experience of directing corporate policy and programmes for the UK Foreign & Commonwealth Office, Royal Dutch/Shell and the Royal Mail. David is a keen innovator and is responsible for developing many contemporary ideas and techniques. He was the creator of the body of text that is now ISO 27002, and the founder of the Jericho Forum. David is now an independent researcher, writer and consultant, and the author of the books “Managing the Human Factor for Information Security” and “Managing Security in Outsourced and Offshored Environments”. He is a member of the Infosecurity Europe “Hall of Fame”.

TO WHAT EXTEND IS THE TURING TEST STILL IMPORTANT?

Christos Papademetriou

The Turing Test, originally proposed as a simple operational definition of intelligence, has now been around for more than half a century. This paper chronicles some comments on Turing's classic article from its publication to the present. Within this context, the alternative versions of the Turing Test that were proposed in order to assess machine intelligence are discussed. Finally, the question of whether the Turing Test is still important is considered. The conclusion reached is that the Turing Test has been, and will probably continue to be, a very influential, if controversial, mathematical model.

INTRODUCTION

The short and extraordinary life of the British mathematician Alan Turing is identified with the “beginning” of Artificial Intelligence (AI). In 1950 Alan Turing published his famous paper “Computing Machinery and Intelligence”. Since then, it has been a widely discussed topic. In that paper he described a method for humans to test AI programs. This project will examine to what extent the Turing Test (TT) is still important.
In the first section of the project, the TT and some comments on that test will be analysed and the alternative versions of the TT will be discussed. Then, the question of whether the TT is still important is considered. In the final section, a conclusion is reached. The purpose of this paper is to analyse and show why the TT is historically significant and to what extent it is still important today.

THE TURING TEST

The TT was suggested by Alan Turing in 1950 (Mauldin, 1994). Alan Turing proposed an interactive test to replace the question “Can machines think?” This test has become known as the Turing Test, and its validity for determining intelligence or thinking is still in question (Bradford and Wollowski, 1994). Turing’s aim was to provide a method to assess whether a machine can think or not. He states at the beginning of his paper that the question “Can machines think?” is a highly ambiguous one. He attempts to transform this into a more concrete form by proposing what is called the Imitation Game (IG) (Turing, 1950, p.5). The game is played with a man (A), a woman (B) and an interrogator (C) whose gender is not important. The interrogator stays in a room apart from A and B. The main purpose of the interrogator is to determine which of the other two is the woman, while the objective of both the man and the woman is to convince the interrogator that he/she is the woman and the other is not (Hodges, 1997). According to Turing (1950), the new agenda to be discussed, instead of the equivocal “Can machines think?”, was “What will happen when a machine takes the part of A in this game? Will the interrogator decide wrongly as often when the game is played like this as he does when the game is played between a man and a woman?” (Turing, 1950, pp. 4-5). As is now generally understood, what the TT really tries to assess is the machine’s ability to imitate a human being, rather than its ability to simulate a woman.
Most subsequent remarks on the TT ignore the gender issue and assume that the game is played between a machine (A), a human (B) and an interrogator (C). “In this version, C's aim is to determine which one of the two entities he/she is conversing with is the human” (Saygin, et al., 2000, p.3). If the interrogator is consistently unable to distinguish the person from the machine, the machine will be said to have passed the Test and will be said to be intelligent.

SOME COMMENTS ON THE TURING TEST

Gunderson (1964) clearly believed that passing the TT would not necessarily be a proof of real machine intelligence. This is because the test is based on a behaviouristic construal of thinking. He proposed that thinking is a very broad concept and that a machine passing the Imitation Game is merely exhibiting a single skill, artificial intelligence which is not human but made by humans, rather than the all-purpose abilities defined by thinking. Gunderson points out some important issues pertaining to Turing’s replacement question “Can machines think?”. He asks the question “Can rocks imitate?” and goes on to describe the “toe-stepping-game” (Gunderson, 1964, p.62) in a way that is identical to the way Turing described his IG (Turing, 1950). Once again, the game is played between a man (A), a woman (B) and an interrogator (C). The interrogator’s aim is to distinguish between the man and the woman by the way his/her toe is stepped on. C stays in a room apart from the other two and cannot see or hear the toe-stepping counterparts. There is a small opening in the wall through which C can place his/her foot. The interrogator has to determine which one of the other two is the woman by the way his/her toe is stepped on. “Will the interrogator decide wrongly as often as when the game is played between a man and a woman?” (Gunderson, 1964, pp. 62-64).
Further, Gunderson (Gunderson, 1964) claimed that playing the Imitation Game successfully could well be achieved in ways other than by thinking, without saying precisely what these other ways might be. According to French’s (2000) article, Stevenson (1976), writing a decade later when the difficulties with AI research had become clearer, criticized Gunderson’s single-skill objection, insisting that to play the game would require “a very large range of other properties” (French, 2000, p.5). Whitby (1997) states that the TT has become a distraction and he sees the main source as a mistaken reading of “Computing Machinery and Intelligence” (Turing, 1950). He is of the opinion that “Turing’s paper [has been] interpreted as closer to an operational test than he himself intended” (Whitby, 1997, p.54) and that “the last thing needed by AI qua science is an operational definition of intelligence involving some sort of comparison with human beings” (Whitby, 1997, p.62). Taking a historical view, Whitby (1997, p.53) describes four phases in evolving interest in the TT:

“1950 - 1966: A source of inspiration to all concerned with AI.
1966 - 1973: A distraction from some more promising avenues of AI research.
1973 - 1990: By now a source of distraction mainly to philosophers, rather than AI workers.
1990 onwards: Consigned to history”.

ALTERNATIVE VERSIONS OF TURING TEST

In this section, it is important to summarize some alternatives to the TT that were proposed in order to assess machine intelligence.

HARNAD AND THE TTT

Stevan Harnad’s main contribution to the TT debate has been the proposal of the Total Turing Test (TTT), an indistinguishability test that requires the machines to respond to all of our inputs rather than just verbal ones. Clearly the candidate machine for the TTT is a robot with sensorimotor capabilities (Harnad, 1989; Harnad, 1991).
Besides the TTT, Harnad also mentions a Total Total Turing Test (TTTT) which requires neuromolecular indistinguishability. But this more stringent version of the TT will not be necessary, according to Harnad. If we know how to make a robot that can pass the TTT, he says, we will have solved all the problems pertaining to mind-modelling. However, neural data might be used as clues about how to pass the TTT (Harnad, 1991). Harnad thinks the TTTT is as much as a scientist can ask, for the empirical story ends there (Harnad, 2000), but he does not think that we have to “go that far”.

THE INVERTED TURING TEST

Recently, Stuart Watt has proposed the Inverted Turing Test (ITT) (Watt, 1996). Watt believes that the TT is inseparable from “naive psychology”¹ because in order to pass the TT, a machine must convince the interrogator of that which is in its mind. He calls naive psychology “the psychological solution to the philosophical problem” (Watt, 1996). Watt’s ITT requires that the machine be able to prove its human-ness by exercising naive psychology. In particular, it should exhibit that its power of discrimination is indistinguishable from that of the human judge in the TT. The TT is literally inverted: a system passes [the ITT] if it is itself unable to differentiate between two persons, or between a human and a machine that can pass the standard TT, but can distinguish between a human and a machine that can be told apart by a normal TT with a human observer (Watt, 1996). French (1996) uses the technique of a “Human Subcognitive Profile” to show that a mindless program using the Profile could pass this variant of the TT. Ford and Hayes (1996) renew their appeal to reject this particular test as any kind of meaningful yardstick for AI.
Collins (1997) suggests his own type of test, the Editing Test, based on the skilful way in which humans ‘repair’ deficiencies in speech, written texts and handwriting, for example, and the failure of computers to accomplish the same interpretative competence. Short passages of typed text are quite sufficient to reveal interpretative asymmetry, and that is why a Turing-like test, turning on the differential ability to sub-edit such short passages, is enough to expose whether the profound problem of AI has been solved (Collins, 1997).

THE TRULY TOTAL TURING TEST

In their article “The Turing Test: 50 Years Later” Saygin, et al. (2000, p.26) mentioned that very recently, Schweizer (1998) proposed the “Truly Total Turing Test” (TRTTT). Schweizer (1998) believes even Harnad’s TTT to be an insufficient test for intelligence. Before he proposes the TRTTT, Schweizer states his own opinions about the adequacy of behavioural criteria. He views such tests as “dealing with evidence for intelligence but not as constitutive or definitional” (Schweizer, 1998, p.264). In the Truly Total Turing Test, robots as a race should be able to invent languages, build a society and achieve results in science, for example, similar to the human race (Schweizer, 1998).

LOEBNER PRIZE

Will machines ever be able to think of their own will? And will we be able to tell if and when they do? Pondering these questions in 1950, the British mathematician Alan Turing came up with a simple way of settling the matter. Every year since 1991, computer programmers have competed for the Loebner Prize of $100,000² and a gold medal. The winner will be the first program that will pass an unrestricted TT (Shieber, 1994). One of the aims of the Loebner competition, as Loebner states, is to advance the field of artificial intelligence (http://www.loebner.net). Few serious scholars of the TT take this competition seriously and Minsky has even publicly offered $100 for anyone who can convince Loebner to put an end to the competition (Shieber, 1994).

1. Basically the term given to the natural human tendency and ability to ascribe mental states to others and to themselves (Watt, 1996).
2. Now Loebner requires that this program should also be able to process audio/visual input.

RAY KURZWEIL VERSUS MITCHELL D. KAPOR

The Long Bets Foundation, a non-profit group founded by two long-time Silicon Valley gadflies, Stewart Brand and Kevin Kelly, started an online forum in 2002 for those willing to put their money, and reputations, behind their speculation (Zipern, 2002). Ray Kurzweil, an artificial intelligence expert, bet Mitchell D. Kapor, the founder of Lotus Development, that by 2029 a computer (or machine intelligence) will pass the TT, which states that artificial intelligence will be proved when a machine’s conversation can be mistaken for a person’s. Each man wagered $10,000 of his own money (Wired Magazine, 2002).

IS TURING TEST STILL IMPORTANT?

It is obvious that, 60 years after the original paper about the TT, this test is still important. Evidence of that is provided by the Loebner competition and the bet between Ray Kurzweil and Mitchell D. Kapor. Furthermore, in almost all the articles about the TT that were written between 1950 and 2003, there is the assertion that over the coming years researchers will try to produce a machine capable of passing the TT. We are in the year 2011, but what has really been done towards passing the TT? According to Saygin, et al. (2000, p.34) “over the years, many natural language systems have been developed with different purposes, including that of carrying out conversations with human users³. These systems chat with people on the WWW, play MUDs⁴, give information about specific topics, tell stories, and enter TT competitions. However, none has been able to pass the TT so far”.
French (2000, p.3) believes that in 300 years’ time people will still be discussing the point of view raised by Turing in his paper. It could even be argued that the TT will take on an even greater importance several centuries in the future when it might provide a moral yardstick in a world where machinery will move around much as we do, will use normal language, and will act together with humans in ways that are almost beyond belief today. In short, one of the questions in front of future generations may well be: to what extent do machines have to act like humans before it becomes immoral to damage or destroy them? And the very real meaning of the TT is our decision of how well machines act like humans. French’s thesis suggests convincingly why the TT is still valid today.

3. Such systems are usually called language understanding/generation systems, conversation agents, or simply chatbots.
4. Multi-User-Dungeons. These are games played interactively on the Internet by multiple players.

CONCLUSION

Alan Turing was a remarkable man. His ideas in computing and machinery have helped develop the world into what it is today. He did much influential breakthrough work in getting people to think about Artificial Intelligence. As a result of the above discussion, the general conclusion can be made that 60 years after the original paper about the TT it is still important. It is possible that the TT will remain important until the time that somebody creates a machine which will pass the TT, a machine that must have the ability to think and react as the human brain does. As a final remark, it is better to agree with the words of French that “The TT will remain important, not only as a landmark in a history of the development of intelligent machines, but also with real relevance to future generations of people living in a world in which the cognitive capacities of machines will be vastly greater than they are now” (French 2000, p.1).

LIST OF REFERENCES

Bradford, P.G. and Wollowski, M. (1994) A Formalisation of the Turing Test, Department of Computer Science, Indiana University.
Collins, H. M. (1997) “The Editing Test for the Deep Problem of AI”, Psycoloquy, 8(01).
Ford, K.M. and Hayes, P.J. (1996) “The Turing Test is Just as bad When Inverted”, Psycoloquy, 7(43).
French, R.M. (1996a) “The Inverted Turing Test: How a Mindless Program Could Pass It”, Psycoloquy, 7(39).
French, R.M. (2000b) “The Turing Test: The First Fifty Years”, Trends in Cognitive Sciences, 4(3): 115-121.
Gunderson (1964) “The Imitation Game”, In: Anderson, A.R., ed., Minds and Machines, London: Prentice-Hall, (1964) pp. 60-71.
Harnad, S. (1989) “Minds, Machines and Searle”, Journal of Experimental and Theoretical Artificial Intelligence, (1): 5-25.
Harnad, S. (1991) “Other Bodies, Other Minds: A Machine Incarnation of an Old Philosophical Problem”, Minds and Machines, (1): 43-54.
Harnad, S. (2000) “Turing Indistinguishability and the Blind Watchmaker”, In: Fetzer, J. & Mulhauser, G. (eds.) Evolving Consciousness, Amsterdam: John Benjamins (in press).
Hodges, A. (1997) Turing, London: Phoenix.
Mauldin, M.L. (1994) Chatterbots, Tinymuds, and the Turing Test: Entering the Loebner Prize Competition, Carnegie Mellon University [online]. Available at: <http://www.lazytd.com/lti/pub/aaai94.html> [20 August 2010]
Saygin, A.P., Cicekli, I., and Akman, V. (2000) “Turing Test: 50 Years Later”, Minds and Machines, 10(4).
Schweizer, P. (1998) “The Truly Total Turing Test”, Minds and Machines, 8: 263-272.
Shieber, S.M. (1994) “Lessons from Restricted Turing Test”, Communications of the Association for Computing Machinery, 37: 70-78.
Stevenson, J. (1976) “On the imitation game”, Philosophia, 6: 131-133.
Turing, A. (1950) “Computing Machinery and Intelligence”, In: Anderson, A.R., ed., Minds and Machines, London: Prentice-Hall, (1964) 4-30.
Watt, S. (1996) "Naive Psychology and the Inverted Turing Test", Psycoloquy, 7(14).
Whitby, B. (1997) “Why The Turing Test is AI's Biggest Blind Alley” 53-63 [online]. Available at: <http://www.cogs.susx.ac.uk/users/blayw/tt.html> [24 August 2010]
Wired Magazine (2002) “A computer will pass the Turing test by 2029”, Wired Magazine, Issue 10.05.
Zipern, A. (2002) “Compressed Data; On a Futurists' Forum, Money Backs Up Predictions”, The New York Times.
<http://www.loebner.net> [20 August 2010]
<http://www.macrovu.com/CCTMap2DetailPlayers.html> [22 August 2010]
<http://www.macrovu.com/CCTMap2.html> [18 August 2010]

AUTHOR

Christos Papademetriou, a native of Pafos, teaches at the University of Neapolis in Pafos. He obtained a BSc (Hons) in Accounting and Business (2001) and MA in International Management (2002) from the University of Sunderland and a BSc (Hons) in Computing from the University of Portsmouth. At the moment, he is in the final year of his doctorate in Social Sciences at University of Leicester.

THE ROLE OF EFFECTIVE PROJECT MANAGEMENT IN PROJECT SUCCESS: IDENTIFYING SUCCESS CRITERIA & THE CRITICAL SUCCESS FACTORS

Andreas Solomou, Kyriakos E. Georgiou

“The use of project and teams has modified the theory and practice of management” (Cleland, Bursic, Puerzer, & Vlasak, 1998, p. ix) as organizations strive to achieve excellence through optimal management of their resources. Early research acknowledged that Project Management (PM) is the most efficient way of managing complex initiatives as opposed to traditional methods of management (Avots, 1969). PM has evolved over the past forty years through extensive research and has become a discipline, and Structured PM Methodologies have been developed to help organisations manage complex projects in volatile environments. However, the project failure rate remains relatively high and actual Project Success appears to be trivial for researchers and academics. This paper, a first of two, contributes to the body of knowledge on PM theory and practice.
The objective of the proposed research is to answer specific questions which will help to identify the link between the effective use of project management and project success. Nowadays, it appears that the PM success criteria have moved beyond the “iron triangle” (Atkinson, 1999, p. 338) to include the “soft systems” involved in PM. Furthermore, recent research has identified critical success factors for which limited research has been done (Georgiou K., 2010). These already identified success criteria and factors will provide the basis of the proposed research.

INTRODUCTION

Project Management (PM) is increasingly becoming a strategic competence for organisations. Recent research has identified that a significant number of organisations are changing their structure from the pure functional form towards more projectised or mixed forms. The volatile business environment (Eizenhardt, 1989) and the competing forces require optimal management of resources in order to balance requirements against cost. “Organisations are under pressure to develop and execute innovative business strategies and projects” (Srivannaboon & Milosevic, 2006, p. 493) and “in order to introduce change they need the disciplines inherent in formal PM” (Kay, 2010, p. 14). PM was initially used in military projects and construction engineering. However, PM evolution was swift and today it is widely used not only in “traditional sectors” but also in sectors where the project deliverables are intangible. PM is employed in sectors which have not only high technical requirements but also demand extensive managerial interaction, such as change management (Lehmann, 2010), information management and information systems. The diverse nature and complexity of these projects has rendered the use of PM imperative. Existing research is restricted mainly to the field of project management (Kwak & Anbari, 2009, p. 435).
However, recently there has been increasing interest in investigating the relationship of PM and project success in diverse disciplines, especially from the management perspective (Kwak & Anbari, 2009, p. 435). During the past forty years the importance of Project Management has been increasingly acknowledged (Kerzner, 2006, p. 35) and PM is now established as an important discipline in business management.

Beyond the research regarding successful project management, extensive research exists in relation to Project Management schooling. There is an ongoing debate to identify the knowledge and skills which project managers must possess in order to be able to successfully cope with “the increasing level of complexity, chaos and uncertainty in project environments” (Thomas & Mengel, 2008).

Figure 1: The Project Triangle of Constraints (Adopted from PMI, 2008). Diagram labels: Scope, Schedule, Quality, Budget, Risk, Resources.

The extensive use of PM in organisations led to the need to develop a specific methodology in order to have a “single, common structured method” (McHugh & Hogan, 2010) to manage projects. A PM Methodology is a structured approach for delivering a project and it consists of a set of processes with clearly defined inputs and outputs, tools & techniques, resources and activities (Turner, 2000 cited in McHugh & Hogan, 2010, p. 2). Among other objectives of project management is the use of the existing organisational structure and resources to deliver results without adversely disturbing the routine operations of the company (Munns & Bjeirmi, 1996, p. 81). A structured methodology assists organisations to minimise impact on the daily activities of the organisation, streamlines project objectives with the organisation’s strategy and minimises resistance to change (Kerzner, 2010).

Organisations until recently developed their own PM methodologies according to the specific nature and characteristics of each project.
However, the increasing number of projects and their diversity forced organisations to acknowledge the importance and versatility of structured PM methodologies. These methodologies are flexible and can be tailored to any project type irrespective of the nature of its deliverables. According to these methodologies a project is completed in one or more phases which can be sequential, overlapping or iterative, and each phase is comprised of processes (Figure 2). Each process has a number of knowledge areas with specific inputs, tools and techniques and outputs (PMI, 2008) upon which the organisation relies at any given point during the project to evaluate the project progress and ultimately its successful implementation. Another important aspect of these methodologies is the “Organisational Assets” (PMI, 2008): a process through which organisations build a database of past projects’ experiences, which represents an important point of reference for future projects.

A number of PM Methodologies exist (Cook-Davis, 2002, p. 185); however, the two most acknowledged are Projects in Controlled Environments (PRINCE2), developed by the UK Office of Government Commerce, and the Project Management Body of Knowledge (PMBoK), developed by the Project Management Institute (PMI) in the United States (US). The majority of organisations today are using the above methodologies and require that their project managers are certified by the respective organisations.

1. PRELIMINARY LITERATURE REVIEW

The first objective of the literature review will be to define Project Success. Oxford Dictionary defines success as “the gaining of what is aimed” (Hornby, Cowie, & Gimson). Chan & Chan (Key Performance Indicators for Measuring Construction Success, 2004) argue that certain criteria are essential in order to measure project success. Oxford Dictionary defines a criterion as “a standard or principle by which something is measured for value” (Hornby, Cowie, & Gimson).
If these terms are combined, then the criteria of project success can be defined as a “set of principles or standards by which favourable outcomes can be completed within a set specification” (Chan & Chan, 2004, p. 204).

It appears that project success has been trivial to researchers. As Tuman (1986, cited in Baccarini, 1999) identified, there is a diverse mix of stakeholders in a project; therefore a much wider range of needs, concerns and issues must be addressed in order to assess a project’s success. Shenhar et al. (1997, p. 5) and Shenhar et al. (2001, p. 702) argue that the success of a project is perceived in a different way by each stakeholder. Therefore they suggest a distinction between two different types of projects in order to assess project success: operationally managed projects and strategically managed projects. Similarly to other researchers, they perceive project success as a multidimensional concept comprising three major dimensions, as presented in Figure 2.

Researchers like De Wit (Measuring Project Success, 1988), Nicholas (1989, cited in Bjeirmi, 1996, p. 83) and Cook-Davis (2002) make a distinction between project success and project management success. Cook-Davis (The "Real" Success Factors on Projects, 2002) goes one step further to make another distinction between success criteria and success factors (Figure 4). “Project success is measured against the overall objectives of the project while project management success is measured against the widespread and traditional measures of performance against cost, time and quality” (Cook-Davis, 2002).
Figure 2: The three dimensions of Project success (Adopted from Shenhar, 2001)

Figure 3: The success components according to Cook-Davis (2002). Diagram labels: Performance Measurements; Project Objectives Measurements; Project Success; Project Management Success; Success Factors; Success Criteria; Measures by which a project or a business will be judged; Inputs to management system that lead to success.

Figure 4: The scope of success in the project life cycle (Munns & Bjeirmi, 1996, p. 85)

Munns & Bjeirmi (1996, p. 82) argue that the outcome of a project (product, service, result) exists for a varying period according to the nature of the project. Therefore the focus of project management is distinct from that of the project because of its short-term use until delivery of the final product, as opposed to the product itself, which has long-term effects (Figure 5).

Baccarini (1999) identifies two distinct components of success, the product success and the PM success, and uses the Logical Framework Method (LFM)¹ to define Project Success (Figure 6). Each component is further divided into subcomponents and assessed separately. “LFM uses a top-down approach to formulate an hierarchy of project objectives such that, at any given level, the lower objectives are the means to satisfying the next higher level of objectives” (Baccarini, 1999).

¹ The LFM was developed by the American Aid Association to improve the management of development projects (Baccarini, 1999).

Yu et al. (2005) did an extensive review of existing literature and have concluded that two different approaches exist in the quest for assessing project success: the product-oriented approach and the value-centred approach. The researchers identified weaknesses in the product-oriented approach, which emphasises the traditional criteria of cost, time and quality; therefore they focused on the value-centred approach. This approach consists of two key concepts: Net Project Execution Cost (NPEC) and Net Product Operation Value (NPOV). The researchers argue that this approach addresses inadequacies of other methods or models used to assess project success. However, the NPEC and NPOV concepts are complex, difficult to measure and have been neither evaluated nor established yet.

Researchers also argue that the definition of project success is directly related to the nature of the project and the success criteria set for the specific project. Furthermore, there is a clear distinction between Success Criteria and Critical Success Factors that will be discussed in the next section. However, there is evidently no consensus among researchers on a clear-cut definition of project success, and a multitude of definitions exist based on the perspective each researcher adopts. It is suggested that the value-centred proposition by Maude and Willis (1991, cited in Yu et al., 2005) that “software development projects are be said to fail if, for whatever reason, it would have been more economic not to have run the project at all” is more appropriate for this research, which will focus on Information Management and Information Systems.

Chan & Chan (2004, p. 204) did an extensive review of the late 1980s and early 1990s literature and concluded that the basic criteria to measure project success are time, cost and quality. However, Westerveld (2003) argues that “perceiving project success as the compliance with time, cost and quality constraints appears to be a narrow view” in relation to the size, uniqueness and complexity of each project. He developed a “Project Excellence Model” (Figure 7) based on the EFQM-model with the purpose to link Project Success Criteria and Critical Success Factors.
“The EFQM Excellence Model (Figure 8) was developed in 1988 and is a non-prescriptive - practical management framework used by over thirty thousand organisations” that enables organisations, irrespective of their size, structure or maturity, to “develop sustainable excellence” (EFQM, 2011). The researcher argues that Project Success Criteria are linked with the “Results Areas” and the Critical Success Factors with the “Organisational Areas”. His model suggests a universal clustering of criteria and a definition of six organisational areas where critical success factors can be studied. The assessment of project success is enabled by linking Success Criteria and Critical Success Factors (Westerveld, 2003, p. 415).

1.1. Project Success Criteria and the Critical Success Factors

It is important for the purpose of the research to identify and distinguish the Project Success Criteria and Project Critical Success Factors within the existing literature and isolate those which are more frequently mentioned. These will be used within the context of the research.

Figure 2: The Project Excellence Model developed by Westerveld (The Project Excellence Model: Linking Success Criteria and Critical Success Factors, 2003)

Figure 3: The graphical representation of the EFQM-Model of Excellence (EFQM, 2011)

The preliminary literature review has revealed that there is extensive research on critical success factors and a plethora of such factors have already been identified. Cook-Davis (2002) uses a different approach from other researchers in the quest for defining project success factors. His research identifies three questions, the answers to which will identify the critical factors that lead to successful projects:
a) What factors are critical to project management success?
b) What factors are critical to success on an individual project?
c) What factors lead to consistently successful projects?
The specific research identified twelve “real”² success factors (Table 1) that derived from either hard data or from “softer evidence”.

² The researcher uses the term “real” as the results of his research derived from an empirical research.

Kanter & Walsh (2004) argue that an “organisation’s ability to develop and implement projects depends on the organisation’s skills and experience, its track record, the management climate and the specific project”. Their research focused on Information Technology organisations and was facilitated through two subsequent workshops, each attended by the same thirty project managers. The research identified five project success factors upon which further study is required (Table 2).

Milosevic & Patanakul (2005), drawing on Brown & Eisenhardt’s (1989), Eisenhardt’s (1997) and Lengnick-Hall & Wolff’s (1999) work on critical success factors in high velocity markets, developed an empirical research to address two questions:
1. What are the major factors in standardised project management efforts on the organisational project management level?
2. What standardised project management factors on the organisational project management level are of interest because they may impact project success?

Further to these questions the researchers made a series of hypotheses in relation to standardised project management. However, their research did not focus on the internationally acknowledged project management methodologies but rather on project management methodologies developed by the organisations under study.

One of the most comprehensive researches on critical success factors is that of Fortune & White (2006). The researchers have used the “Formal System Model” across sixty-three publications since the 1960s and have identified at least twenty-seven factors. These are ranked by the number of citations the author of the publication has received. A list of the more prominent factors is presented in a comprehensive table in Appendix 2 and will be used as a basis for the research.

Q.1: What factors are critical to project management success
1. Adequacy of company-wide education on the concepts of risk management
2. Maturity of an organisation’s processes for assigning ownership of risks
3. Adequacy with which a visible risk register is maintained
4. Adequacy of an up-to-date risk management plan
5. Adequacy of documentation of organisational responsibilities on the project
6. Keep project (or project stage duration) as far below three years as possible (1 year is considered to be better)
7. Allow changes to scope only through a mature scope change control process
8. Maintain the integrity of the performance measurement baseline
Q.2: What factors are critical to success on an individual project
9. The existence of an effective benefits delivery and management process that involves the mutual co-operation of project management and line management functions
Q.3: What factors lead to consistently successful projects
10. Organisations Portfolio and programme management practices
11. The quality of set of metrics (both for performance and success) used by the organisation
12. An effective means of “learning from experience”
Table 1: The twelve “real” success factors on projects (Cook-Davis, 2002)

1. Define and promulgate functional requirements and control changes
2. Develop realistic project schedules
3. Match skills to needs at the proper time
4. Know and respond to the real status of the project
5. Establish and control the performance of the contractors
Table 2: The five project success factors that drew consensus in Kanter & Walsh’s (2004) research

1.2. The Critical Success Factors of projects within the Cyprus Business & Economic Environment

All critical success factors identified in the literature will be surveyed; however, more weight will be placed upon those factors that are more relevant to the Cypriot business environment and specifically to the Information Management Sector. The proposed research will take place among professionals that participate in Information Management/Information Management Systems related projects. Due to the particularity of the business environment and the influence of culture, it appears that there are critical success factors (Georgiou K., 2011) other than those identified in the preliminary literature review, and the research will try to identify them.

Cyprus’ economy heavily depends on the services sector and Cyprus is becoming an internationally acknowledged centre offering high quality services, especially banking services. Such services demand the implementation of complex Information Management Systems and there is an increasing need to manage these projects. At the same time though, PM knowledge, skills and experience are practically non-existent and basic project success criteria are neglected. A frequent example of this inexperience is the initiation of Projects without a Project Owner-Sponsor or Champion (Georgiou K., 2011).

In recent research within a large service organisation, Georgiou & Georgiou (2010, p. 27) have identified Project Management to be “vital to the implementation success” of an Enterprise Resource Planning System (ERP), but more significantly that “the collection and analysis of the requirements of users to be as a critical success factor for which limited and insignificant research” exists (Georgiou & Georgiou, 2010, p. 28). Additionally, the researchers identified communication and top management support to have a catalytic role in the success of the project.
Although the researchers make a clear distinction between these key factors in the specific case study, there is a strong connection between them. According to PMI, in the project “Planning Process Group”, within the “Scope” knowledge area (Appendix 3), the most important process is to “Collect Requirements” (PMI, 2008, p. 43). The predecessor of the specific process in the “Initiating Process Group” is “Identify Stakeholders”. According to PMI (A Guide to the Project Management Body of Knowledge, 2008), “Identify stakeholders” is a process that belongs to the knowledge area of “Communication” (Appendix 3), which is considered one of the most important areas of the specific methodology.

Several authors such as Lanning (2001), Loonam & McDonagh, Bhatti (2005) and Mabert, Soni & Vankataramanan (cited in Georgiou & Georgiou, 2010, p. 29) have identified “Communication” as a critical success factor in the implementation of such information systems, while Brown (2007, cited in Georgiou & Georgiou, 2010) ranks “Communication” as the second most critical area in implementation and especially important in the adoption phase when introducing new information technology in organisations. Several other critical success factors identified by Georgiou & Georgiou (2010) have a direct or indirect relationship with project management and project management methodologies. The proposed research will build on the specific research, focusing on “requirements management” through the context of PM methodologies.

Recent research reveals that “technical Project Management Tools and Methods are so developed and widely used that now it is time to turn the focus on developing leadership skills” (Hyvari, 2006, p. 223). This is a challenging field where in-depth research is required and one that the proposed research will touch on.

From the preliminary literature review it appears that there is significant research in regard to Project Success, Project Success Criteria and the Critical Success Factors of Projects.
It appears, though, that there is a gap as to the type and impact of project methodologies that organisations are using to manage their projects and to what extent these methodologies are customised to achieve the desired results. Beyond the impact of project management methodologies, the proposed research will try to identify those factors that are part of project management methodologies, are the key success factors of projects, and are related to the Information Management/Information Systems sector in Cyprus.

REFERENCES

Atkinson, R. (1999). Project Management: Cost, Time and Quality, Two Best Guesses and a Phenomenon, its Time to Accept other Success Criteria. International Journal of Project Management, 17 (6), 337-342.
Avots, I. (1969). Why does Project Management Fails. California Management Review, 12 (1), 77-82.
Baccarini, D. (1999). The Logical Framework Method for Defining Project Success. Project Management Journal, 30 (4), 25-32.
Chan, A. P., & Chan, A. P. (2004). Key Performance Indicators for Measuring Construction Success. Benchmarking: An International Journal, 11 (2), 203-221.
Cleland, D. I., Bursic, K. M., Puerzer, R., & Vlasak, Y. A. (Eds.). (1998). Project Management Case Book. Project Management Institute.
Cook-Davis, T. (2002). The "Real" Success Factors on Projects. International Journal of Project Management, 20 (3), 185-190.
Cryer, P. (2006). The Research Student's Guide to Success (3rd ed.). Berkshire, United Kingdom: Open University Press & McGraw-Hill Education.
Dawkins, R. (1989). Chapter 11 - Memes: the new replicators. In The Selfish Gene (2nd ed., pp. 189-201). New York: Oxford University Press.
De Wit, A. (1988). Measuring Project Success. International Journal of Project Management, 6 (3), 164-170.
EFQM. (2011). EFQM Excellence Model. Retrieved March 29, 2011, from EFQM: http://www.efqm.org/en/tabid/132/default.aspx
Eisenhardt, K. M. (1989). Making Fast Strategic Decisions in High-Velocity Environments. Academy of Management Journal, 32 (3), 543-576.
Fortune, J., & White, D. (2006). Framing of Project Critical Success Factors by a Systems Model. International Journal of Project Management, 24, 53-65.
Georgiou, K. (2010). Critical Success Factors for the Implementation of Enterprise Resource Planning. MBA Dissertation, Kingston University, Nicosia.
Georgiou, K. (2011). Introduction of Proposal - Enquiry e-mail. Personal Communication [E-mail] Sent on Saturday 30 of June 2011 at 11:46 AM.
Georgiou, K., & Georgiou, E. K. (2010). Critical Success Factors for the Implementation of an Enterprise Resource Planning System. Information Management (20).
Hornby, A., Cowie, A., & Gimson, A. Oxford Advanced Learner's Dictionary of Current English. Oxford: Oxford University Press.
Hyvari, I. (2006). Project Management Effectiveness in Project-Oriented Business Organisations. International Journal of Project Management, 24, 216-225.
Kanter, J., & Walsh, J. (2004, March). Toward More Successful Project Management. Information Systems Management, 16-21.
Kay, R. J. (2010). An APMP Primer - PRINCE2 Edition (First ed.).
Kerzner, H. (2010). Project Management Best Practices: Achieving Global Excellence (Second ed.). New York: John Wiley & Sons Inc.
Kerzner, H. (2006). Project Management: A Systems Approach to Planning, Scheduling and Controlling (Ninth ed.). New Jersey: John Wiley and Sons Inc.
Kumar, R. (2011). Research Methodology: A Step by Step Guide to Beginners (Third ed.). London: Sage Publications Ltd.
Kwak, H. Y., & Anbari, F. T. (2009). Analysing Project Management Research: Perspectives from Top Management Journals. International Journal of Project Management, 27, 435-446.
Lehmann, V. (2010). Connecting changes to projects using a historical perspective: Towards some new canvases for researchers. International Journal of Project Management, 28, 328-338.
McHugh, O., & Hogan, M. (2010). Investigating the Rationale for Adopting an Internationally-Recognised Project Management Methodology in Ireland: The View of the Project Manager. International Journal of Project Management.
Milosevic, D., & Patanakul, P. (2005). Standardised Project Management may Increase Development Project Success. International Journal of Project Management, 23, 181-192.
Munns, A. K., & Bjeirmi, B. F. (1996). The Role of Project Management in Achieving Project Success. International Journal of Project Management, 14 (2), 81-87.
PMI. (2008). A Guide to the Project Management Body of Knowledge (4th ed.). Pennsylvania, United States: Project Management Institute Inc.
Rudestam, K. E., & Newton, R. (1992). Surviving your Dissertation. Sage.
Shenhar, A. J., Dvir, D., Levy, O., & Maltz, A. C. (2001). Project Success: A Multidimensional Strategic Concept. Long Range Planning, 34, 699-725.
Shenhar, A. J., Levy, O., & Dvir, D. (1997). Mapping the Dimensions of Project Success. The Professional Journal of Project Management Institute, 28 (2), 5-13.
Srivannaboon, S., & Milosevic, D. Z. (2006). A two-way influence between business strategy and project management. International Journal of Project Management, 24, 493-505.
Thomas, J., & Mengel, T. (2008). Preparing project managers to deal with complexity – Advanced project management education. International Journal of Project Management, 26, 304-315.
Westerveld, E. (2003). The Project Excellence Model: Linking Success Criteria and Critical Success Factors. International Journal of Project Management, 21, 411-418.
Yu, A. G., Flett, P. D., & Bowers, A. J. (2005). Developing a Value-Centred Proposal for Assessing Project Success. International Journal of Project Management, 23, 428-436.

AUTHORS

Andreas Solomou is an ECDL Certified Training Professional and has managed several training projects as well as product design and development projects.
He is currently studying for a postgraduate degree in Business Administration from Kingston University. He can be reached at [email protected] Kyriakos E. Georgiou is one of the longtime editors of the journal. His professional activities include both academia and the real world of business and banking. He is studying for a DBA from the University of Kingston, London UK and his research include information technology management, business value and productivity from information technology. He can be reached at [email protected] . www.pliroforiki.org | 43 DO YOU KNOW THIS MAN? Dr Philippos Peleties Of course you know this man, unless you’ve been living under a rock for all these years! Steve Jobs, the co-founder of Apple Computers (now Apple Inc), NeXT Inc, and Pixar Animation Studios is looking at us and smiles. 44 | www.pliroforiki.org Photo from Wikipedia, the free encyclopedia A difficult man, a control freak, a man with a binary view of things -- excellent or terrible -- possessing a singular focus on vision and execution, a master of persuasion, the man who created a reality distortion field around him, Steve Jobs has trail blazed through the years creating art that fits the function, simplicity over complexity, but also control over freedom. He didn’t invent anything, but saw the whole when others saw the parts. He didn’t think people knew what they wanted until they were shown what they wanted. “The best way to predict the future is to invent it”. He stayed true to this throughout his life. Love him or hate him, as binary as his view of the world, he has left an indelible mark on our lives and through the use of his creations, the Macintosh, iPod, iPhone, iPad and the rest, a part of his soul has remained with us. Upon graduation from high school, Steve attended Reed College in Oregon. However, after one semester he decided he did not want to be bound by formal requirements so he dropped out. However, he remained on campus auditing classes. 
One of these was a class in calligraphy. It is this very class that let him insist that the Macintosh has multiple typefaces and proportionally spaced fonts leading to the True Type Fonts that we are all familiar with. Steven Paul Jobs was born out of wedlock on February 24, 1955 in San Fransisco. His parents, American Joanne Carole Schieble and her Syrian university instructor Abdulfattah "John" Jandali met at the University of Wisconsin. Joanne’s father was not in favor of her marrying Abdulfattah, a Mouslim, so when Joanne became pregnant and later gave birth to Steve, she decided to put him up for adoption. Her only stipulation was that the adopting parents would have to be university graduates. In early 1974 Steve took all the money he made working at Atari and left for India to “find his guru”. Despite the amusement of his Atari manager, Steve was serious about it. The journey to India was a spiritual journey in search of his inner self. After spending seven months and visiting countless places he declared that his journey was over and returned home. With a shaved head, Indian cotton robes and a dark chocolate skin from the sun, he was a far cry from the polished Steve Jobs to become. Paul Reinhold Jobs and his wife Clara adopted the newly born and named him Steven Paul Jobs. Even though they were not university graduates, thus not fitting the exact requirements, they promised that they would send Steven, or simply Steve, to university. The mid 70’s ware a time of discovery. Computers were no longer the big machines that only large corporations could afford. The Altair, the first “personal computer” made sure of it, or at least showed the way. Not much of a computer, the personal computer kit sparked a frenzy of interest and development. Homebrew computer clubs sprang around. It is in this setup that Apple Computer was born. Steve Jobs, Stephen Wozniak and Ron Wayne drew up the partnership agreement that made Apple a reality. The name was chosen by Jobs. 
He was a vegetarian who had spent time tending an apple farm in Oregon. Steve’s childhood was uneventful, a typical late 1950’s and early 1960’s lifestyle. His father, Paul, had a love for the mechanics and cars, so he made sure he transplanted this love to Steve as well. Being a perfectionist, insisting that the “inside should look as good as the outside even though nobody would see it” instilled upon Steve the sense that whatever you do should be beautiful irrespective of who, if any, would see it. This had a profound effect on his development and later career in Apple and elsewhere. Returning home after eighteen months at Reed, Jobs got a work at the up and coming video game powerhouse, Atari. However, he was forced to take the nightshift as his insistence on dieting but not washing forced a small smell rebellion among his daytime coworkers. As a teenager, Steve was involved in the Hewlett-Packard Explorer Club. The Club encouraged its members to do projects, so one day, Steve wanting some electronic parts, he looked up HP’s CEO on the phonebook and gave him a call, asking for the parts. Bill Hewlett not only got him the part but also a summer job at HP. The fledgling company set up shop in Job’s parents’ garage. The scene was quite laughable: Steve in shorts, barefoot, circuit boards littering the place, Wozniak doing his magic with Apple II. It is in this setting that Mike Markkula walked looking for his next venture capital investment. Mike was a young guy, fresh off Intel getting rich with stock options and retiring at the age of thirtyone. Without too much thought he sank a quarter of a million dollars into the fledgling company. Mike was in and so was his involvement with Apple Computers for the next twenty or so years. While at school he met a brilliant kid who even thought was five years older he was emotionally at the same age: Stephen Wozniak. Wozniak’s electronics wizardry was legendary. 
The two of them got along together and forged a relationship where, later, Wozniak would create and Steve would sell. Apple II was launched in April 1977 in San Francisco at the first West Coast Computer Faire. An overwhelming success, Apple secured attention and customers. A real company, doing real products looking towards the future. A very bright future, indeed. www.pliroforiki.org | 45 was named after Lisa, Job’s daughter out of wedlock. With a radical new design, a 16-bit microprocessor and a load of other new technologies, Lisa was supposed to be the next big thing. It wasn’t and Jobs was more frustrated than ever. He berated his colleagues, a mode of operation that stayed with him for the rest of his life, and said he was tired of it all. Jef Raskin, a former professor and Apple’s Manager of Publications had a vision of creating a simple “computer for the masses”, an “appliance” type of machine. Jef was convinced that a character based interface was certainly not for the masses. As he had access to the Xerox Palo Alto Research Center’s work on Graphical User Interface (GUI), he prompted Jobs to visit the Center. In what perhaps is one of the biggest ironies in the computer industry, the company that invented the GUI, Xerox, was totally eclipsed by the company that copied it, Apple. It wasn’t that Xerox did not try to market the GUI. They were simply ineffective. They had the right vision (GUI workstations communicating via Ethernet in a LAN arrangement and sharing printers and other peripheral devices), but they lacked in execution. In all fairness to Apple, Apple did not simply copy the technology, but greatly improved it. Lisa was an expensive system. With a price tag of $10,000 in 1983 very few, if any, could afford it. It was not the revolution that Jobs had hoped for. It would never be. Raskin’s idea for a computer for the masses was still a small project in need for a bigger idea. 
The GUI that was invented for Lisa was to become the GUI for this new computer. The name of it: the Macintosh. The Macintosh, or Mac, was named after the McIntosh variety of apples. A major project within Apple, it was directed by Jobs himself. The Macintosh team grew out of the small team Raskin had set up for his computer.

By 1981 Apple had sold a bit over 200,000 Apple II units. This was a success beyond expectation by any measure. Everybody should have been happy. But Steve was not. He was restless, looking for the next big thing. He knew that the Apple II was Wozniak’s invention and that it would forever be his machine. Steve wanted something of his own, so he started the Apple III. After two years of development and countless hours of testing, the Apple III hit the market. It was a failure, a flop.

Even before the introduction of the Apple III, Steve, sensing that the product would not live up to his expectations, started a new project. The “Local Integrated Software Architecture” or “Lisa” project aimed at the next generation personal computer. Even though the “Lisa” acronym was clever, everybody knew that this computer

As the Mac team grew, and got more “into the Mac”, tensions started to surface between them and the Apple III team. Jobs’ extreme style of management and overall attitude exacerbated this tension. They called themselves “the Pirates” (“it’s better to be a pirate than join the army”), and, guided by the maxims “don’t compromise” and “real artists ship”, Jobs instilled in them a highly competitive spirit.

The Macintosh was unveiled with a lot of fanfare on January 24, 1984. The stage, and Jobs’ performance, was to become his trademark for years to come. The Ridley Scott directed “1984” commercial, showing a running athlete smashing with a big hammer the screen on which “Big Brother” was proclaiming to the mesmerized masses that “we shall prevail!”, played on a big screen.
After an equally mesmerizing introduction, the Mac was pulled out of a cloth bag, put on a table and shown for all to admire. Jobs pulled out a 3½ inch floppy diskette, loaded the Mac, and, to the theme of Chariots of Fire, the word “MACINTOSH” scrolled across its screen. In electronically synthesized speech, the Macintosh introduced itself amidst the ensuing pandemonium. History was made and Jobs was at the center of it.

The year was 1985. Jobs was flying high after his success with the Macintosh. The Apple III production was coming to an end, and the Lisa and Macintosh divisions were folded into one. But dark clouds started forming on the horizon. Jobs’ management style became erratic. John Sculley, the Apple CEO who had been lured a few years back from Pepsi Cola by Jobs with the famous “Do you want to sell sugar water for the rest of your life, or do you want to come with me and change the world?”, was asked by the board to contain Jobs. A power struggle between Jobs and Sculley turned ugly. In the end Sculley won and Jobs, at 30, was out. For the first time since Apple came into existence, Jobs was not part of it.

After a short period of desolation, Jobs started NeXT. The main product was the infamous black Cube. NeXT was a powerful workstation featuring a sassy GUI running on top of a UNIX-like kernel and an optical drive. NeXT was unveiled on October 12, 1988 in San Francisco. At a list price of $6000 it would be a hard pill to swallow for most of its target audience: university students. Those were my exact sentiments. After watching a presentation done by one of the many NeXT evangelists, I thought to myself that there was no way I, a poor graduate student, could afford such a machine. Luckily, the University had bought a few, so I was able to admire Steve’s new creation firsthand.
In an irony of fate, even though neither the Cube nor its operating system NeXTSTEP would survive for long, both would gain their place in history: the World Wide Web would first start on a CERN NeXT Cube, and the OS X operating system that is currently featured on all Macs would call NeXTSTEP its father. Last but not least, iOS, Apple’s operating system for mobile devices, looks at NeXTSTEP as its grandfather.

A story about Jobs’ life wouldn’t be complete without some words about Pixar Animation Studios, the third large endeavor in his cache of achievements. Pixar Animation Studios started its life as Lucasfilm’s Computer Division; Jobs bought the division in 1986 and renamed it. A mostly hardware-driven establishment owing to the Pixar Image Computer, it had a soft spot for computer animation, producing short films whenever the occasion arose. Its jovial digital animation group director John Lasseter (still seen as the director of such Pixar blockbusters as Toy Story, Cars and Cars 2) was running the group as a sideline, its main purpose being to serve as a showcase for the hardware. One of Pixar’s biggest buyers was the Walt Disney Corporation. Through his savvy style Jobs persuaded Disney to do a three-picture animated film deal with Pixar. Toy Story opened to critical success in November 1995, followed by A Bug’s Life and Toy Story 2. As Jobs vied for creative control over his movies, Disney attempted to displace him. In the end, Disney bought Pixar, which made Jobs the biggest single shareholder in the Walt Disney Corporation and a vital member of its Board of Directors.

Sculley’s reign at Apple came to a close in June 1993 after ten years at the helm. He was replaced by Michael Spindler, president of Apple Europe. His stay at Apple was as disastrous as it was short. He was himself replaced by Gil Amelio in February 1996.
Amelio, the ex-National Semiconductor CEO, tried to transform Apple and right all its wrongs, for Apple had become a complacent company with low quality products and no well-defined strategies for the future. One particular strategy that was lacking was that of the operating system. After going through a number of iterations, Apple bought NeXT, and used its NeXTSTEP operating system as the basis for OS X, the current Mac operating system. Amelio then asked Jobs to assist Apple as an advisor. Jobs was back at Apple, after eleven years as an outcast. It didn’t take too long before Amelio was voted out by the Board and Jobs was voted in as the interim CEO of Apple. The grand plan was coming to fruition.

One of the first things Jobs did after becoming interim CEO was to focus on revitalizing the aging Macintosh product line: the iMac, with its translucent body and the ease with which it navigated the Internet, was introduced in May 1998. Apple, with fresh investment money from its archrival Microsoft and with Jobs at the helm, looked straight into the future and smiled. The strategy was to focus on four sectors with only four products: professional and consumer, desktop and laptop. The iMac was a resounding success. Jobs’ strategy seemed to be working.

Next was the introduction of Apple’s own store: the Apple Store. Unparalleled in providing the right customer experience, all stores featured clear glass facades with benches littered with Apple products, and blue T-shirt employees whose enthusiasm was unparalleled (I had the opportunity to visit the Fifth Avenue Apple Store in New York City and I can attest to the feeling and experience firsthand). The Apple Stores were once again a resounding success.

Nothing seemed to be stopping Jobs from taking the next big step: coming up with a digital audio player capable of holding a thousand songs, all in your pocket. The iPod was introduced on October 23, 2001. The rest, as they say, is history.
The iPod was a revolutionary product. It was easy to use, it had a great capacity, it was “chic”, and it was in. With a lot of help from iTunes, the management software which controlled all updates to the iPod, and the large library of easy-to-buy songs, the iPod was taking over the world. Its white earphones, when every competitor had black earphones on their digital players, gave a distinct signature to its owner. Jobs was, at long last, in heaven.

By 2005 twenty million iPods were sold per year, four times as many as the year before. This represented a 45% share of Apple’s yearly revenues! Jobs, a perpetually restless man, was worried that something could mess up this success. He was looking for the next big thing.

The next big thing, or so Jobs thought, was a mobile phone. The ROKR was a collaboration among Motorola, Apple, and wireless carrier Cingular. An ugly phone that was difficult to use, it included digital player functionality. Jobs was not happy. The ROKR did not have the elegance of the iPod, nor did Jobs have the control of both software and hardware that he was used to and looked for. Jobs knew that the direction was right but the product was wrong.

Enter FingerWorks, a small company in Delaware making a line of multitouch trackpads. “The finger is the stylus” was their style, and products like the iGesture pad showed the way. Apple bought the company in early 2005. The race for the iPhone was on.

Parallel to the iPhone, Jobs was developing a tablet computer, a touchpad. However, for marketing reasons, he held back its introduction and instead introduced the iPhone bearing the same technologies. The iPad was announced on January 27, 2010, once again in San Francisco. Its success was followed by the iPad 2, the second generation device, unveiled on March 2nd, 2011.
Jobs, moving along and always looking towards the future, introduced iCloud, the Apple cloud services, got involved in the design of the new Apple campus with a huge building resembling a UFO, and counted his days. These days were numbered.

Steven Paul Jobs passed away on October 5th, 2011 in his home in Palo Alto, surrounded by his wife of 20 years Laurene, their three children, his daughter Lisa, and his sister Patty. Six weeks prior to his death he had resigned as CEO of Apple. Cancer, which first struck him in 2003, took him down. Cancer knew no bounds.

***

I have never met Steve, but I have followed his path for the past 30 years. I still remember the 1983 issue of Byte magazine with Lisa, the first GUI based computer from Apple, on its front cover. At a time when I was punching cards on a UNIVAC mainframe, the sight of a GUI was as refreshing and mesmerizing as the rainbow after the storm. He will be missed.

The iPhone was introduced on January 9, 2007 at the Macworld 2007 convention in San Francisco. In one of the best presentations that Jobs ever gave, the iPhone was shown to be three devices rolled into one: an iPod, a mobile phone, and an Internet communication device.

NOTES

My sources for this article were four: Steve Jobs, by Walter Isaacson, Wikipedia, YouTube and “Pirates of Silicon Valley”. The first was the authorized biography of Jobs, who, sensing that the end was near, gave absolute freedom to Walter Isaacson, the ex-Chairman and CEO of CNN and managing editor of TIME, to write about him. The second was the omnipresent Wikipedia. The third was YouTube with its many clips regarding statements and interviews Steve Jobs gave through the years. Viewing the many product introductions gave me a sense of history in the making. The fourth was Martyn Burke’s 1999 TV movie about Jobs and Gates.
The method I used to write this article was to first read the book, make a mental map of Jobs’ life and look for details in Wikipedia, crosschecking them with the book and YouTube. The “Pirates of Silicon Valley” gave an added overall “artistic” view of events.

Cyprus Computer Society, 11, Florinis str., City Forum, 3rd floor, Office 303, 1065 Nicosia, Cyprus. P.O. Box 27038, 1641 Nicosia, Cyprus. Tel. +357 22 460 680, Fax. +357 22 767 349. www.ccs.org.cy, www.pliroforiki.org