The InfoSec Blog

Economic Impact: Patent trolls chase app developers out of the U.S

Posted by Anton Aylward

http://www.linuxfordevices.com/c/a/News/Kootol-joins-Lodsys-as-a-patent-troll/?kc=LNXDEVNL072111

The Debt ceiling crisis will pass; even if there is a crash, the USA can recover from it ...

IF its core economic worth, that is its industrial productivity, is unharmed.

There are a number of ways this can be harmed: a poor credit rating among them, and a lack of capital available for investment.

He’s not Ian Paisley

Posted by Anton Aylward


I was at a presentation yesterday.
One of the vendor's speakers, I'm sorry to say, was a CISSP.

OK, he wasn't Ian Paisley or any other radical religious zealot.

BUT he was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us (with web sites and spam) and just watch what he says: we must open our hearts to Christ (aka his company's products) and be SAVED by following the One True Faith (only buying his company's products) and repenting for our sins (having his company come in and do all the scans, consulting and so forth).

I was inoculated against the religious hectoring meme at a young age, but it's still fascinating to watch. But as with religion, there are always people who are susceptible, and sadly, always groups willing to give such people a platform.

To be fair, that day's event also had some good speakers. It had some straightforward and 'humble' people who explained matters clearly and without drama, stated the issues and the scopes of threats and vulnerabilities, and how and why their product did what it did. All without the drama, all without the hectoring or intimidation.


The Question of Residual Risk value

Posted by antonaylward

People keep asking questions like:

If the risk equation I use is Impact * Probability, when it comes to calculating the residual risk value do I still need to consider the impact of loss of confidentiality, integrity and availability of the asset afterwards? My understanding is that the probability value may decrease after applying some controls to mitigate the risk, but how does the impact change?


Personally I don't like the use of the generalization "Impact". It hides details, and it hides where the control is being applied. Assets are often affected by more than one threat or more than one vulnerability. You really need to recalculate the whole thing over again after the controls have been applied - don't try for shortcuts.

I'd further suggest looking at
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/

I discuss this kind of over-simplification at
http://infosecblog.antonaylward.com/2010/02/28/fbi-risk-equation/



Risk Models that hide important information

Posted by Anton Aylward

Some people seem to be making life difficult for themselves with risk models such as "Impact * Probability", and as such have led themselves into all manner of imponderables, since this model hides essential details.

I discuss the CLASSICAL risk equation in my blog
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/

There is a good reason for, no, make that MANY good reasons for, separating out the threat, the vulnerability and the asset rather than just using "impact".

Any asset is going to be affected by many

  • threats
  • vulnerabilities
  • controls

Any control will almost certainly address many assets and in all likelihood deal with many threats and vulnerabilities.

Any reasonable approach will try to optimise this: make the controls more effective and efficient by having them cover as many assets, threats or vulnerabilities as possible.

As such, the CLASSICAL risk equation can then be viewed as addressing residual risk - the probability AFTER applying the controls.
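A small model of the many-to-many structure described in this post and in the residual-risk question above, added here as an illustration and not the blog's own code (the assets, threats, vulnerabilities, control and figures are constructed). Risk is kept per (asset, threat, vulnerability) triple, each control records which pairs it reduces, and residual risk is recomputed over the whole register rather than by adjusting a single "impact" number:

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Exposure:
    """One (asset, threat, vulnerability) triple; risk is held at this level."""
    asset: str
    threat: str
    vulnerability: str
    impact: float       # loss if the threat succeeds (constructed, in k$)
    likelihood: float   # probability the threat exploits this vulnerability

@dataclass
class Control:
    """A control lists every (threat, vulnerability) pair it reduces, so one
    control covers many assets and many triples at once."""
    name: str
    reduces: dict = field(default_factory=dict)  # (threat, vuln) -> multiplier

def inherent_risk(exposures):
    return {e: e.impact * e.likelihood for e in exposures}

def residual_risk(exposures, controls):
    """Recalculate the whole register after the controls; no shortcuts."""
    result = {}
    for e in exposures:
        lik = e.likelihood
        for c in controls:
            lik *= c.reduces.get((e.threat, e.vulnerability), 1.0)
        result[e] = e.impact * lik
    return result

def by_asset(risks):
    """The aggregate view: it shows that an asset's risk fell, but not which
    threat/vulnerability pair the control acted on (the hidden detail)."""
    totals = {}
    for e, r in risks.items():
        totals[e.asset] = totals.get(e.asset, 0.0) + r
    return totals

# Constructed register: two assets, two threats, two vulnerabilities.
REGISTER = [
    Exposure("web server",  "malware", "unpatched OS",         50, 0.40),
    Exposure("web server",  "insider", "weak access control",  50, 0.10),
    Exposure("HR database", "malware", "unpatched OS",        200, 0.20),
    Exposure("HR database", "insider", "weak access control", 200, 0.05),
]
# One constructed control: patching cuts the malware/unpatched-OS likelihood
# to a quarter on every asset with that pair, and does nothing for insiders.
PATCHING = Control("patch management", {("malware", "unpatched OS"): 0.25})

if __name__ == "__main__":
    for e, r in residual_risk(REGISTER, [PATCHING]).items():
        print(f"{e.asset:12} {e.threat:8} {e.vulnerability:20} residual={r:5.1f}")
    print(by_asset(inherent_risk(REGISTER)), "->", by_asset(residual_risk(REGISTER, [PATCHING])))
```

Comparing the per-triple output with the by_asset totals shows what the aggregate loses: both assets' totals drop, but only the detailed view reveals that the insider exposures are untouched.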

Compliance? What Compliance?

Posted by Anton Aylward


Sometimes I wonder why we bother ...

The Securities and Exchange Commission doesn't just enforce the rules that govern Wall Street. When asked, it often grants individual companies exemptions from the rules.


Sony backs U.S. ineffective cybersecurity legislation

Posted by Anton Aylward


http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html

"If nothing else, perhaps the frequency, audacity and harmfulness of these attacks will help encourage Congress to enact new legislation to make the Internet a safer place for everyone," the Sony executive said.

"By working together to enact meaningful cybersecurity legislation we can limit the threat posed to U.S. all," he said.

To people like us, IT Audit and InfoSec types, 'controls' come in 3 forms:

  • preventative
  • detective
  • compensatory

It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.
