Yes, a lot of security professionals went to the bill’s text and were not able to find anything related to information security, even when directed to sections 302 and 404. I was very happy to find this post from the eIQnetworks blog today, as it is written in the same exact way that I use [...]
John Pescatore is right when he says that talking about less regulation at this time seems to be not aligned with the current crisis, but the article he is pointing to is very precise in saying that the costs from SOX are pretty high and, as we could see, it wasn’t able to prevent cases [...]
Anton Chuvakin wrote a very good piece about PCI and how regulations like that are usually written and interpreted. He is completely right in defining the problem as: Mandate the tools (e.g. “must use a firewall”) – and risk “checklist mentality”, resulting in BOTH insecurity and a “false sense” of security. Mandate the results (e.g. “must [...]
It would be impossible to write about low-hanging fruit without mentioning network shares. I say this because they are usually my favorite path to elevate privileges when I’m performing a penetration test. Among the things I’ve already found on unprotected (I mean, Everyone – Full Control) shares are: – Source code for critical applications [...]
So we are finally approaching the BH/Defcon weeks, when all the new stuff is presented to the security world and the sky starts to fall once more. I’m not going to Vegas this year (I’d love to), but as I came back to work on vulnerability assessments and penetration testing I noticed the main issue [...]
Good information will always come from discussions between people like Gunnar Peterson, Richard Mogull, Chris Hoff and Alan Shimel. This time the target is GRC tools. It started with Peterson, was commented on by Hoff and Mogull, and was followed by Shimel. There is space for GRC tools on the market, but it is really risky to change a [...]
I really believe that information security is about the business and we need to bring the business together, especially when doing risk management. But doing risk management together with the business is not always pretty or easy. There are two factors that can make it a real nightmare: the “pointy-haired boss factor” and the Threat [...]
Well, it’s funny to see this discussion started by Farnum about “Availability versus Security”. I remember seeing one of the first product presentations from Symantec after the Veritas deal. It was the first time that I heard someone say something like “there is Availability and there is Security”. I remember the guy showing one of [...]
The question was raised, again, because of this. A funny thing about the discussions about it is that everybody is always right, from a certain point of view. This is yet another case where several other variables need to be assessed before a decision is made. A company where the business requires lots of third [...]
Axur is a Brazilian company with deep knowledge of ISO27001/2. Their product, ISMS, is a great solution for those looking for a platform on which to build their ISMS. They are blogging in English now, and it’s a very good source of information about the standards.