I’m currently re-reading “The Black Swan”, by Nassim Taleb, at a moment when most information security planning and decision-making techniques look like just plain bullshit to me. So, my mood for accepting absolute truths in this field is becoming even worse than before.
I was reading a post from the “New School of Information Security” blog, which, [...]
I’m starting a Wave on Google Wave to build a collaboration piece on security decision making. Please send me your contact if you want to participate.
It starts like this:
Security decision making
Dear security friends,
I’m planning for a long time to work on a paper/presentation about security decision [...]
I was reading the post that I just published when I noted that the post right before that was complaining about attempts to standardize diversity, the curse of the “best practices”. The funny thing is that in the last post I tried to make the case for a big standard, that would probably end up [...]
I was happy to find Anton Chuvakin’s post about the issues of doing security based on risk management a few days ago. As I said on my Twitter, “discussions about decision making (risk based vs. others) is the only thing interesting for me today on the security field”. Anton made a very good summary about [...]
This is a quite logical line of thought, but there is one catch. Not all regulations are created in order to reduce risk for the party who is responsible for applying the controls and who will go through compliance validation. Think about PCI-DSS compliance by merchants. It tries to reduce risk for card brands, issuers and [...]
I tried to resist posting about this last discussion. For those who are not aware of it, a very quick overview:
Payment processing company (Heartland) had a breach, leaking thousands of credit card records
Heartland’s CEO complains that they went through the regular PCI-DSS audit and the QSA had not pointed out the issues related to the [...]
Schneier has posted a very good post on “Risk intuition” and risk perception in general. This part was particularly interesting:
“[...] I listened to yet another conference presenter complaining about security awareness training. He was talking about the difficulty of getting employees at his company to actually follow his security policies: encrypting data on memory sticks, [...]
I was happy to see the last posts from Alan Shimel about the incident at LxLabs and what that means for “cloud security”. Not only because I think he is right about using it as an example of why we should think about cloud security but also because I like his “anti-hype” posture. Ok, that [...]
I agree with Ben Tomhave on this particular subject. He is basically saying that we still don’t have a good solution for reliable and repeatable risk assessments. I must say that this is not true for smaller scopes, like a single application or a small network or system. However, when we start talking about a [...]
The last Verizon reports brought a lot of very good numbers to the information security space, which is so much in need of reliable data. There is always the risk of people using numbers in the wrong way, falling into the famous “base rate fallacy” class of mistakes.
Check Pete Lindstrom’s comments on it; they perfectly illustrate how easy [...]