He’s not Ian Paisley
Image via Wikipedia
I was at a presentation yesterday.
One of the vendor's speakers, I'm sorry to say, was a CISSP.
OK, he wasn't Ian Paisley or any other radical religious zealot.
BUT his was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us (with web sites and spam) and just watch what he says: we must open our hearts to Christ (aka his company's products) and be SAVED by following the One True Faith (only buying his company's products) and repenting for our sins (having is company come in and do all the scans, consulting and so forth).
I was inoculated against the religious hectoring meme at a young age, but its still fascinating to watch. But like with religion, there are always people who are susceptible, and sadly, always groups willing to give such people a platform.
To be fair, that day's event also had some good speakers. It had some straight forward and 'humble' people who explained matters clearly and without drama, stated the issues and the scopes of threats and
vulnerabilities and how and why their product id what it did. All without the drama, all without the hectoring or intimidation.
Related articles
- Ian Paisley jnr: My views on gays have matured (politics.ie)
- A Paisley Affair (modedimitri.wordpress.com)
- The City: Belfast (newsweek.com)
The Question of Residual Risk value
People keep asking questions like
If the risk equation I use is Impact * Probability, when it comes to calculating the residual risk value do I still need to consider the impact of Loss of confidentiality, integrity and availability of the asset afterwards ? My understanding us that the probability value may decrease after applying some controls to mitigate the risk, but how does does the impact change?
Personally I don't like the use of the generalization "Impact". It hides details and it hides seeing where the control is being applied. Assets are often affected by more than one threat or more than one vulnerability. You really need to recalculate the whole thing over again after the controls have been applied - don't try for short cuts.
I'd further suggest looking at
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/
I discuss this kind of over-simplification at
http://infosecblog.antonaylward.com/2010/02/28/fbi-risk-equation/
Related articles
- Planning means planning for success and for not-success (herdingcats.typepad.com)
Risk Models that hide important information
Some people seem to be making life difficult for themselves with risk models such as "Impact * Probability" and as such have lead themselves into all manner of imponderable ... since this model hides essential details.
I discuss the CLASSICAL risk equation in my blog
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/
There is a good reason for, no make that MANY good reasons, for separating out the threat and the vulnerability and asset rather that just using "impact".
Any asset is going to be affected by many
- threats
- vulnerabilities
- controls
Any control will almost certainly address many assets and in all likelihood deal with many threats and vulnerabilities.
Any reasonable approach will try to optimise this: make the controls more effective and efficient by having them cover as many assets, threats or vulnerabilities as possible.
As such, the CLASSICAL risk equation can then be viewed as addressing residual risk - the probability AFTER applying the controls.
Compliance? What Compliance?
Image via Wikipedia
Sometimes I wonder why we bother ...
Related articles
- Recently Updated "Securities Law Deskbook" - A Resource to Help Achieve Compliance and Avoid Regulatory Problems, From Bradford Publishing Co. (prweb.com)
- SEC: Bigger potential payouts for whistleblowers (marketwatch.com)
- LATEST FEATURE: Compliance: A hybrid marital troika? (ecmplus.wordpress.com)
Sony backs U.S. ineffective cybersecurity legislation
Image via Wikipedia
http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html
"If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone," the Sony executive said."By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all," he said.
To people like us, IT Audit and InfoSec types, 'control' come in 3 forms
- preventative
- detective
- compensatory
It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.
Related articles
- Sony backs U.S. cybersecurity legislation (canada.com)
- DOD Website Sells Public On Cybersecurity Strategy (informationweek.com)
- Companies To Spend $130 Billion On Cybersecurity In 2011 (teamshatter.com)
- Obama to Introduce Cybersecurity Proposal (circleid.com)
- White House to unveil cybersecurity proposal (theglobeandmail.com)
- What do we need to do to reach "cybersecurity awareness"? (nakedsecurity.sophos.com)
- White House Cybersecurity Plan: What You Need To Know (huffingtonpost.com)
- Microsoft Endorses White House Cybersecurity Plan (blogs.wsj.com)
