Two posts in a day…I’m probably sick or something like that
I was reading an interesting article by Bill Brenner on CSO Online, “Five Security Missteps Made in the Name of Compliance”. Although I don’t disagree with what is listed as missteps (in fact I think they are quite correct), something in the last [...]
I’m starting a Wave on Google Wave to build a collaboration piece on security decision making. Please send me your contact if you want to participate.
It starts like this:
Security decision making
Dear security friends,
I’ve been planning for a long time to work on a paper/presentation about security decision [...]
Probably not enough content for a post, but certainly for a tweet
It’s common to see in security standards, frameworks and best practices a lot of “standard” ways of doing things like access control and patch management. The problem is that organizations are extremely different from each other, not only in technology but [...]
For those who are addicted to vulnerability information feeds, you are probably already aware of the XML Libraries data parsing vulnerabilities. This is the kind of vulnerability that creeps me out. When you’ve got vulnerabilities related to easily identifiable software, like “Windows 2008”, “Firefox 3.5” or “Java Runtime Environment 6”, it is easy to [...]
I was caught by surprise when I was reading Matthew Rosenquist’s post on the IT@Intel blog by this information about the OCTAVE methodology:
“I have observed the accuracy to be +/- 40% in complex organizations. I believe this is largely due to multiple tiers of qualitative-to-quantitative analysis and the bias introduced at each level. Credible [...]
I was happy to see the last posts from Alan Shimel about the incident on LxLabs and what that means to “cloud security”. Not only because I think he is right about using it as an example of why we should think about cloud security but also because I like his “anti-hype” posture. Ok, that [...]
Trying to be PCI compliant is a tough task. One of the biggest problems is finding good answers to common questions, as the “PCI specialists” are usually very evasive and will hardly give you a definitive answer. So, it’s extremely valuable when someone posts a set of common Q&A about the subject like this [...]
I read this post from Michael Dahn and I really liked what he called “Attack Vector Risk Management”. Today I saw that the guys from Sensepost also noted the post for the same reasons, and even showed some of their work under the same concept, calling it “Corporate Threat Modeling”.
During the last months my main [...]
One of the best blog posts I read last week was “Consensus Audit Guidelines are still controls” from Richard Bejtlich. I really like that he is looking at some suggestions (in this case, the CAG) and pointing out that they are just controls; there is nothing about measuring the outputs. That goes directly to the heart [...]
I’ve just read about a Unix engineer from Fannie Mae being sued for trying to deploy a time-bomb script on their servers after being fired. The guy was able to access the servers after being fired, so it’s a very good example of a flawed termination process. An interesting thing here is that he was [...]