The InfoSec Blog

And while on that subject …

“Consult Human Resources when making disaster recovery plans”

Every DR plan I’ve seen has failed to take into account human factors.
The most basic of which is that if there is any one of a large number of disaster scenarios, how are staff going to get in to the DR site?

So: here we are in Toronto and the DR site is in Arizona …
what sort of disaster will take out Toronto and let all the staff here track down to Arizona in order to run the IT services to support the customers in, guess where?
Right: Toronto Read the rest of this entry »

http://www.smartplanet.com/business/blog/business-brains/why-dont-companies-apply-more-risk-analysis-to-layoff-decisions/3447/

So, here we are, all trained up in Risk Analysis, knowing about the risks of hiring and firing, disgruntled employees, various litigations, and more. We’re often considered pests for asking the “Why Are We Doing This” questions about new technology and initiatives that bring security risks.
Read the rest of this entry »

You betcha its not!

There are GOOD practices for deploying SNMP.
The BEST practice is to avoid V2.
If you must SNMP then use v3
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1078248,00.html
http://www.snmp.com/snmpv3/v3white.shtml
or http://www.tcpipguide.com/free/t_SNMPVersion3SNMPv3MessageFormat.htm
if you are feeling geekish.

However my personal view is DON’T DO IT.
Read the rest of this entry »

http://tech.yahoo.com/blogs/null/154866;_ylt=Av2YyMlmiE8ERpzUwD020zUWLpA5

Remember all those journalists doing the “give you password or a chocolate bar” articles?

Well this seems a lot more realistic – giving up you laptop.

Not just the hardware, but everything on it!

Frightening!

Related articles by Zemanta

• When Should I Choose to Remember My Password? (techie-buzz.com)
• Most common passwords (mybroadband.co.za)

I saw this assertion go by and it stood out:

The bigger cost would be the cost of not patching. Such items as downtime will affect more staff/users than patching will.

That’s not a fair statement. There is much more to the discussion than whether to patch or not to patch or “stuff this for a lark, lets convert to MAC or Linux“.

The issue so far has been black and white.
There is a black and white difference between devices that face the internet and those that are not accessible to or from the ‘Net.

But what about the “grey”? No all patches have the same criticality even for ‘Net-facing devices.

And there’s more to security – even of the Internet-facing devices – than patching software.
Read the rest of this entry »

Yesterday, my friend and collegue, Rob Slade, noted that …

Idly leafing through yet another IT executive rag (preparatory to recycling it),
and noticed an article on privacy by the head of a data destruction company. He
was talking about the problem of “data reminisce.”

Well, it may not have been the author at fault.
We’ve criticized journalists for lacking knowledge of various technical professions and so mangling and misinterpreting reports, but what about typesetters? And editors?
Read the rest of this entry »