Monthly Archive August, 2009

Sign Seth Hardy’s petition for (ISC)2 Board of Directors ballot

Folks, this is serious and important. A lot of us have several complaints about the way the CISSP certification is modeled, the quality of the questions and how it is interpreted by the industry. Seth Hardy is asking for support to be included in the (ISC)2 Board of Directors election ballot. He needs 633 [...]

On the technical details of the breaches

We finally have some information about what really happened in the Heartland, Hannaford and 7-Eleven breaches.
Even if the initial SQL injection went over an SSL connection (my assumption is that there was no initial reaction due to lack of detection), the rest of the attack should still be easy to detect. What are these companies doing about [...]

Good risk management leads to Compliance?

This is a quite logical line of thought, but there is one catch. Not all regulations are created in order to reduce risk to the party that is responsible for applying the controls and that will undergo compliance validation. Think about PCI-DSS compliance by merchants. It tries to reduce risk for card brands, issuers and [...]

Robert Carr, PCI, QSAs…

I tried to resist posting about this last discussion. For those who are not aware of it, a very quick overview:

Payment processing company (Heartland) had a breach, leaking information on thousands of credit cards
Heartland’s CEO complains that they went through the regular PCI-DSS audit and the QSA had not pointed out the issues related to the [...]

Don’t worry about security reputation IF…

There is an ongoing discussion on some forums about the “fallacy” that the damage to the security reputation of an organization due to a security incident is not as bad as security professionals usually say. This is based on this post from Larry Walsh.
I’m sure there is a lot of exaggeration on the effects [...]

These are the vulnerabilities I’m worried about

For those who are addicted to vulnerability information feeds, you are probably already aware of the XML libraries data parsing vulnerabilities. This is the kind of vulnerability that creeps me out. When you’ve got vulnerabilities related to an easily identifiable piece of software, like “Windows 2008”, “Firefox 3.5” or “Java Runtime Environment 6”, it is easy to [...]

Risk intuition and security awareness

Schneier has posted a very good post on “Risk intuition” and risk perception in general. This part was particularly interesting:
“[...] I listened to yet another conference presenter complaining about security awareness training. He was talking about the difficulty of getting employees at his company to actually follow his security policies: encrypting data on memory sticks, [...]