
Monthly Archive January, 2009

Good example of flawed process

I’ve just read about a Unix engineer from Fannie Mae being sued for trying to deploy a time-bomb script on their servers after being fired. He was still able to access the servers after being fired, so it’s a very good example of a flawed termination process. An interesting thing here is that he was [...]

Heartland and PCI

Martin McKeay, Mike Dahn, Anton Chuvakin and many others are talking about the impact and/or meaning of the Heartland breach for PCI. It raised the debate about compliance versus security, with valid points on “doing security first” and “security and compliance only have a few points in common”. I agree with [...]

from the other side

I’m usually ranting here about the use of statistics, risk metrics and other quantitative approaches (such as ROI) to support security decisions. Well, there is a small but very smart comment from Lindstrom regarding some of “our” arguments against those methods. I completely agree with him. That’s why this blog is named “Security Balance”; it’s my [...]

Deperimeterization without endpoint control?

Do you know what that is? That’s a complete disaster!
I got the tip for this very interesting Burton Group discussion from Anton Chuvakin’s post (who also has an overflowing “2blog” queue).
There is a way to summarize that discussion. The key issue in deperimeterization is control over the endpoint. If you are pushing the [...]

Distributed malware identification

The news about Senthil Cheetancheri’s proposal for fighting zero-day attacks with peer-to-peer software that shares information about anomalous behavior is spreading through a lot of security blogs and portals today. It is not that innovative, but it’s certainly something nice to think about.
I would go a little further and propose something a little different. [...]

Is it time for rewriting SMB stuff?

Since the beginning of Microsoft’s security efforts there have been lots of reports of chunks of code being rewritten from scratch to address old and recurring problems. Now, why do we still have to deal with vulnerabilities related to SMB (MS09-001, MS08-063, MS06-063), when everybody knows that the components that deal with it are present and [...]

Pareto is killing security

It has become a rule in security programs to have security solutions/processes implemented following the 80/20 “Pareto principle”. That’s pretty acceptable except for the fact that people immediately forget the remaining 20% and keep in their heads that the risk is completely mitigated. You start to see those cases piling up, absurd “no risk” situations [...]

Risk management and kids

I was relieved to read this post from Stuart King today and see that I’m not the only one worried about the way parents are behaving to protect their kids.
He mentions the problem of allowing kids to walk alone to school, using some good risk management concepts to illustrate how irrational [...]