http://www.linuxfordevices.com/c/a/News/Kootol-joins-Lodsys-as-a-patent-troll/?kc=LNXDEVNL072111
The Debt ceiling crisis will pass; even if there is a crash, the USA can recover from it …
IF its core economic worth, that is its industrial productivity, is unharmed.
There are a number of ways this can be harmed, poor credit rating among them, lack of availability for investments. Continue reading Economic Impact: Patent trolls chase app developers out of the U.S
I was at a presentation yesterday.
One of the vendor’s speakers, I’m sorry to say, was a CISSP.
OK, he wasn’t Ian Paisley or any other radical religious zealot.
BUT his was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us (with web sites and spam) and just watch what he says: we must open our hearts to Christ (aka his company’s products) and be SAVED by following the One True Faith (only buying his company’s products) and repenting for our sins (having is company come in and do all the scans, consulting and so forth).
I was inoculated against the religious hectoring meme at a young age, but its still fascinating to watch. But like with religion, there are always people who are susceptible, and sadly, always groups willing to give such people a platform.
To be fair, that day’s event also had some good speakers. It had some straight forward and ‘humble’ people who explained matters clearly and without drama, stated the issues and the scopes of threats and
vulnerabilities and how and why their product id what it did. All without the drama, all without the hectoring or intimidation.
People keep asking questions like
If the risk equation I use is Impact * Probability, when it comes to calculating the residual risk value do I still need to consider the impact of Loss of confidentiality, integrity and availability of the asset afterwards ? My understanding us that the probability value may decrease after applying some controls to mitigate the risk, but how does does the impact change?
Personally I don’t like the use of the generalization “Impact“. It hides details and it hides seeing where the control is being applied. Assets are often affected by more than one threat or more than one vulnerability. You really need to recalculate the whole thing over again after the controls have been applied – don’t try for short cuts.
I’d further suggest looking at
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/
I discuss this kind of over-simplification at
http://infosecblog.antonaylward.com/2010/02/28/fbi-risk-equation/
Some people seem to be making life difficult for themselves with risk models such as “Impact * Probability” and as such have lead themselves into all manner of imponderable … since this model hides essential details.
I discuss the CLASSICAL risk equation in my blog
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/
There is a good reason for, no make that MANY good reasons, for separating out the threat and the vulnerability and asset rather that just using “impact”.
Any asset is going to be affected by many
Any control will almost certainly address many assets and in all likelihood deal with many threats and vulnerabilities.
Any reasonable approach will try to optimise this: make the controls more effective and efficient by having them cover as many assets, threats or vulnerabilities as possible.
As such, the CLASSICAL risk equation can then be viewed as addressing residual risk – the probability AFTER applying the controls. Continue reading Risk Models that hide important information
Sometimes I wonder why we bother …
http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html
“If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone,” the Sony executive said.“By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all,” he said.
To people like us, IT Audit and InfoSec types, ‘control‘ come in 3 forms
It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.
