Archive for 'risk management'

Risk assessment science

I agree with Ben Tomhave on this particular subject. He is basically saying that we still don’t have a good solution for reliable and repeatable risk assessments. I must say that this is not true for smaller scopes, like a single application or a small network or system. However, when we start talking about a [...]

Numbers, numbers, numbers

The last Verizon reports brought a lot of very good numbers to the Information Security space, which is so much in need of reliable data. There is always the risk of people using numbers in a wrong way, falling into the famous “base rate fallacy” class of mistakes. Check Pete Lindstrom’s comments on it; they perfectly illustrate how [...]

Attack Vector Risk Management

I read this post from Michael Dahn and I really liked what he called “Attack Vector Risk Management”. Today I saw that the guys from Sensepost also noted the post for the same reasons, and even showed some of their work under the same concept, calling it “Corporate Threat Modeling”. During the last few months my [...]

CAG, BSIMM and field-assessed security

One of the best blog posts I read last week was “Consensus Audit Guidelines are still controls” from Richard Bejtlich. I really like that he is looking at some suggestions (in this case, the CAG) and pointing out that they are just controls; there is nothing about measuring the outputs. That goes directly to the heart [...]

He is right again, the cloud is not more secure

Hoff wrote a nice post about some noise being generated about “The Cloud” being more secure than running things at home. He briefly pointed to one reason: the cloud is not just SaaS. Remember there are several different offers from different layers (from applications to virtualized OS environments) considered as “The Cloud”, so you’ll have to “fill [...]

Still on “security as a cost”

Lawrence Pingree, from McAfee, was kind enough to comment on my post about his post on McAfee’s blog on “security not being a cost”. Well, I must say that what he expressed in that comment didn’t change my mind at all. As he said, security can be an enabler. I understand this statement as saying that it [...]

Heartland and PCI

Martin McKeay, Mike Dahn, Anton Chuvakin and a lot of others are talking about the impact and/or the meaning of the Heartland breach for PCI. It raised the debate about compliance versus security, with valid points on “doing security first” and “security and compliance have only a few points in common”. I agree with both, but there is also [...]

Pareto is killing security

It has started to become a rule in security programs to have security solutions/processes implemented following the 80/20 “Pareto principle”. That’s pretty acceptable except for the fact that people immediately forget the remaining 20% and keep in their heads that the risk is completely mitigated. You start to see those cases piling up, absurd “no risk” situations [...]

Risk management and kids

I was relieved to read this post from Stuart King today and see that I’m not the only one who is worried about the way parents are behaving to protect their kids. He mentions the problem of allowing kids to walk alone to school, using some good risk management concepts to illustrate how [...]

After all, how is infosec related to SOX?

Yes, a lot of security professionals went to the bill’s text and were not able to find anything related to information security, even when directed to sections 302 and 404. I was very happy to find this post from the eIQnetworks blog today, as it is written in the exact same way that I use [...]