Archive for 'risk management'

Cryptography and the wrong problems

I was reading Schneier’s blog today as he posted an old text he published on Dark Reading back in 2006, about cryptography usage. It’s interesting how an article from four years ago is still very relevant. I’ve been seeing some cases where people consider encryption as the most appropriate control to implement, when access control [...]

Tips for auditors

I left this awesome post from this SANS blog pass without saying anything here. It has 10 tips for IT auditors, and in my opinion it nailed down the key issues that I generally have with auditors. Some of the best pieces: Trying to find everything is often a mistake Auditing is never about catching [...]

The new school and black swans

I’m currently re-reading “The Black Swan”, by Nassim Taleb, in a moment when most information security planning and decision-making techniques look like just plain bullshit to me. So, my mood for accepting absolute truths in this field is becoming even worse than before. I was reading a post from the “New School of Information Security” blog, [...]

The security decision making WAVE!

I’m starting a Wave on Google Wave to build a collaboration piece on security decision making. Please send me your contact if you want to participate. It starts like this: Security decision making. Dear security friends, I’m planning for a long time to work on a paper/presentation about security decision making. I was planning to [...]

Am I being contradictory?

I was reading the post that I just published when I noted that the post right before that was complaining about attempts to standardize diversity, the curse of the “best practices”. The funny thing is that on the last post I tried to make the case for a big standard, that would probably end up [...]

Risk-less security

I was happy to find Anton Chuvakin’s post about the issues of doing security based on risk management a few days ago. As I said on my twitter, “discussions about decision making (risk based vs. others) is the only thing interesting for me today on the security field”. Anton made a very good summary about [...]

Good risk management leads to Compliance?

This is a quite logical line of thought, but there is one catch. Not all regulations are created in order to reduce risk to the party who is responsible for applying the controls and will go through compliance validation. Think about PCI-DSS compliance by merchants. It tries to reduce risk for card brands, issuers and [...]

Robert Carr, PCI, QSAs…

I tried to resist posting about this last discussion. For those who are not aware of it, a very quick overview: Payment processing company (Heartland) had a breach, leaking thousands of credit card records. Heartland’s CEO complains that they went through the regular PCI-DSS audit and the QSA had not pointed out the issues related [...]

Risk intuition and security awareness

Schneier has posted a very good post on “Risk intuition” and risk perception in general. This part was particularly interesting: “[...] I listened to yet another conference presenter complaining about security awareness training. He was talking about the difficulty of getting employees at his company to actually follow his security policies: encrypting data on memory [...]

Looking at things through “cloud glasses”

I was happy to see the last posts from Alan Shimel about the incident on LxLabs and what that means to “cloud security”. Not only because I think he is right about using it as an example of why we should think about cloud security but also because I like his “anti-hype” posture. Ok, that [...]