The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

November 25th, 2009

Why don’t companies apply more risk analysis – Part 2

And while on that subject …

“Consult Human Resources when making disaster recovery plans”

Every DR plan I’ve seen has failed to take human factors into account.
The most basic of these: in any one of a large number of disaster scenarios, how are staff going to get to the DR site at all?


So: here we are in Toronto and the DR site is in Arizona.
What sort of disaster will take out Toronto and yet let all the staff here get down to Arizona in order to run the IT services that support the customers in, guess where?
Right: Toronto.

November 25th, 2009

Why don’t companies apply more risk analysis?

http://www.smartplanet.com/business/blog/business-brains/why-dont-companies-apply-more-risk-analysis-to-layoff-decisions/3447/

So, here we are, all trained up in Risk Analysis, knowing about the risks of hiring and firing, disgruntled employees, various litigations, and more. We’re often considered pests for asking the “Why Are We Doing This” questions about new technology and initiatives that bring security risks.

November 25th, 2009

Unfortunately, SNMPv2 is not secure

You betcha it’s not!

There are GOOD practices for deploying SNMP.
The BEST practice is to avoid v2.
If you must use SNMP, then use v3:
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1078248,00.html
http://www.snmp.com/snmpv3/v3white.shtml
or, if you are feeling geekish, http://www.tcpipguide.com/free/t_SNMPVersion3SNMPv3MessageFormat.htm

However my personal view is DON’T DO IT.

November 18th, 2009

How much would you give up your laptop for?

http://tech.yahoo.com/blogs/null/154866;_ylt=Av2YyMlmiE8ERpzUwD020zUWLpA5

Remember all those journalists doing the “give up your password for a chocolate bar” articles?


Well, this seems a lot more realistic – giving up your laptop.

Not just the hardware, but everything on it!

Frightening!

November 13th, 2009

The Cost of patching

I saw this assertion go by and it stood out:

The bigger cost would be the cost of not patching. Such items as downtime will affect more staff/users than patching will.

That’s not a fair statement. There is much more to the discussion than whether to patch or not to patch, or “stuff this for a lark, let’s convert to Mac or Linux”.

The issue so far has been black and white.
There is a black and white difference between devices that face the internet and those that are not accessible to or from the ‘Net.

But what about the “grey”? Not all patches have the same criticality, even for ‘Net-facing devices.

And there’s more to security – even of the Internet-facing devices – than patching software.

November 6th, 2009

Speil Chequers

Yesterday, my friend and colleague, Rob Slade, noted that …

Idly leafing through yet another IT executive rag (preparatory to recycling it),
I noticed an article on privacy by the head of a data destruction company. He
was talking about the problem of “data reminisce.”

Well, it may not have been the author at fault.
We’ve criticized journalists for lacking knowledge of various technical professions and so mangling and misinterpreting reports, but what about typesetters? And editors?
