The InfoSec Blog

http://www.linuxfordevices.com/c/a/News/Kootol-joins-Lodsys-as-a-patent-troll/?kc=LNXDEVNL072111

The Debt ceiling crisis will pass; even if there is a crash, the USA can recover from it …

IF its core economic worth, that is its industrial productivity, is unharmed.

There are a number of ways this can be harmed, poor credit rating among them, lack of availability for investments. Read the rest of this entry »

Image via Wikipedia

I was at a presentation yesterday.
One of the vendor’s speakers, I’m sorry to say, was a CISSP.

OK, he wasn’t Ian Paisley or any other radical religious zealot.

BUT his was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us (with web sites and spam) and just watch what he says: we must open our hearts to Christ (aka his company’s products) and be SAVED by following the One True Faith (only buying his company’s products) and repenting for our sins (having is company come in and do all the scans, consulting and so forth).

I was inoculated against the religious hectoring meme at a young age, but its still fascinating to watch. But like with religion, there are always people who are susceptible, and sadly, always groups willing to give such people a platform.

To be fair, that day’s event also had some good speakers. It had some straight forward and ‘humble’ people who explained matters clearly and without drama, stated the issues and the scopes of threats and
vulnerabilities and how and why their product id what it did.  All without the drama, all without the hectoring or intimidation.

Related articles

• Ian Paisley jnr: My views on gays have matured (politics.ie)
• A Paisley Affair (modedimitri.wordpress.com)
• The City: Belfast (newsweek.com)

Some people seem to be making life difficult for themselves with risk models such as “Impact * Probability” and as such have lead themselves into all manner of imponderable … since this model hides essential details.

I discuss the CLASSICAL risk equation in my blog
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/

There is a good reason for, no make that MANY good reasons, for separating out the threat and the vulnerability and asset rather that just using “impact”.

Any asset is going to be affected by many

• threats
• vulnerabilities
• controls

Any control will almost certainly address many assets and in all likelihood deal with many threats and vulnerabilities.

Any reasonable approach will try to optimise this: make the controls more effective and efficient by having them cover as many assets, threats or vulnerabilities as possible.

As such, the CLASSICAL risk equation can then be viewed as addressing residual risk – the probability AFTER applying the controls. Read the rest of this entry »

Image via Wikipedia

Sometimes I wonder why we bother …

The Securities and Exchange Commission doesn’t just enforce the rules
that govern Wall Street. When asked, it often grants individual
companies exemptions from the rules.

Related articles

• Recently Updated “Securities Law Deskbook” – A Resource to Help Achieve Compliance and Avoid Regulatory Problems, From Bradford Publishing Co. (prweb.com)
• SEC: Bigger potential payouts for whistleblowers (marketwatch.com)
• LATEST FEATURE: Compliance: A hybrid marital troika? (ecmplus.wordpress.com)

Image via Wikipedia

http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html

“If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone,” the Sony executive said.

“By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all,” he said.

To people like us, IT Audit and InfoSec types, ‘control‘ come in 3 forms

• preventative
• detective
• compensatory

It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.

Related articles

• Sony backs U.S. cybersecurity legislation (canada.com)
• DOD Website Sells Public On Cybersecurity Strategy (informationweek.com)
• Companies To Spend $130 Billion On Cybersecurity In 2011 (teamshatter.com)
• Obama to Introduce Cybersecurity Proposal (circleid.com)
• White House to unveil cybersecurity proposal (theglobeandmail.com)
• What do we need to do to reach “cybersecurity awareness”? (nakedsecurity.sophos.com)
• White House Cybersecurity Plan: What You Need To Know (huffingtonpost.com)
• Microsoft Endorses White House Cybersecurity Plan (blogs.wsj.com)