
Archive for 'out of the box'

Cryptography and the wrong problems

I was reading Schneier’s blog today as he posted an old text he published on Dark Reading back in 2006, about cryptography usage. It’s interesting how an article from four years ago is still very relevant. I’ve been seeing some cases where people consider encryption as the most appropriate control to implement, when access control [...]

The new school and black swans

I’m currently re-reading “The Black Swan”, by Nassim Taleb, at a moment when most information security planning and decision-making techniques look like just plain bullshit to me. So, my mood for accepting absolute truths in this field is becoming even worse than before. I was reading a post from the “New School of Information Security” blog, [...]

Sure, it is THAT easy!

Two posts in a day… I’m probably sick or something like that. I was reading an interesting article by Bill Brenner on CSO Online, “Five Security Missteps Made in the Name of Compliance”. Although I don’t disagree with what is listed as missteps (in fact I think they are quite correct), something in the last paragraph [...]

Risk-less security

I was happy to find Anton Chuvakin’s post about the issues of doing security based on risk management a few days ago. As I said on my twitter, “discussions about decision making (risk based vs. others) is the only thing interesting for me today on the security field”. Anton made a very good summary about [...]

Standardizing diversity – does it work?

Probably not enough content for a post, but certainly for a tweet. It’s common to see in security standards, frameworks and best practices a lot of “standard” ways of doing things like access control and patch management. The problem is that organizations are extremely different from each other, not only in the technology but also [...]

Robert Carr, PCI, QSAs…

I tried to resist posting about this last discussion. For those who are not aware of it, a very quick overview: a payment processing company (Heartland) had a breach, leaking thousands of credit card records; Heartland’s CEO complains that they went through the regular PCI-DSS audit and the QSA had not pointed out the issues related [...]

+/- 40% accuracy and we think it’s good?

I was caught by surprise when I was reading Matthew Rosenquist’s post on the IT@Intel blog by this information about the OCTAVE methodology: “I have observed the accuracy to be +/- 40% in complex organizations. I believe this is largely due to multiple tiers of qualitative-to-quantitative analysis and the bias introduced at each level. Credible [...]

Dunbar’s number and security

I’ve just finished Malcolm Gladwell’s book The Tipping Point. As usual, Gladwell’s books always bring food for thought on security for me. Security is deeply related to human behaviour, the main subject of his books. The most interesting thing from TP for security is Dunbar’s number. Honestly, when I read about it I thought [...]

It’s a rant, but it’s so good

It was written some weeks ago by Stuart King. I love it. Two key points for me: “Many “experts” preach the importance of working through risk models. It’s a load of tosh. No matter which way you try to do it, you’ll always come out with the answer you first thought of. You might as [...]

Where is security heading to?

I was reviewing my notes about RSA to prepare a series of posts about what I saw there during last week. I’ve had a sense of disappointment since last Friday that has been preventing me from writing anything good about it. I started to think about all this and also about some of the things that [...]