http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html This is better written than most ‘chicken little’ pieces, but please can we have ‘history’ of how most nations, including the USA, have engages in ‘industrial espionage‘. I recall a presentation by CSIS that was making the point that Canada’s greatest threat on the Industrial Espionage scene was France, …
Last month, this question came up in a discussion forum I’m involved with: Another challenge to which i want to get an answer to is, do developers always need Admin rights to perform their testing? Is there not a way to give them privilege access and yet have them get …
This kind of question keeps coming up, many people are unclear about the Statement of Applicability on ISO-27000. The SoA should outline the measures to be taken in order to reduce risks such as those mentioned in Annex A of the standard. These are based on ‘Controls’. But if you …
Call me a dinosaur (that’s OK, since its the weekend and dressed down to work in the garden) but … Surely COMPLIANCE is a binary measure, not a “level of” issue. You are either in compliance or you are not. As in you are either deal or alive.
Someone asked: If you have a good information security awareness amongst the employees then it should not a problem what kind of attempts are made by the social engineers and to glean information from your employees. Yes but as RSA demonstrated, it is a moving target. You need to have …
On the ISO27000 Forum list, someone asked: I’m looking for Risk statement for each ISO 27k control; meaning “what is the risk of not implementing a control”. That’s a very ingenious way of looking at it! One way of formulating the risk statement is from the control objective mentioned in …
http://www.nextgov.com/nextgov/ng_20120305_6368.php The Navy’s premier institution for developing senior strategic and operational leaders started issuing students Apple iPad tablet computers equipped with GoodReader software in August 2010, unaware that the mobile app was developed and maintained by a Russian company, Good.iWare, until Nextgov reported it in February. OK so its not …
You do do backups don’t you? Backups to DVD is easy, but what software to use? – How are you managing the backup archives? Do you need a specific dated version of a file or directory? Would a VCS be more appropriate than a backup system? Sometimes you need both. …
So to have great (subjective) protection your layered protection and controls have to be “bubbled” as opposed to linear (to slow down or impede a direct attack). I have doubts about “defence in depth” analogies with the military that many people in InfoSec use. Read what they are really talking …
The hack to make the HP printers burn was interesting, but lets face it, a printer today is a special purpose computer and a computer almost always has a flaw which can be exploited. In his book on UI design “The Inmates are Running the Asylum”, Alan Cooper makes the …
What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I’m asking about a true risk assessment framework not merely a checklist. Yes, this is a bit of a META-Question. But then its Sunday, a day for contemplation… When does …
he documentation required and/or needed by ISO-2700x is a perenial source of dispute in the various forums I subscribe to. Of course management has to define matters such as scope and applicability and the policies, but how much of the detail of getting there needs to be recorded? How much …
http://www.schneier.com/blog/archives/2010/08/hacking_cars_th.html A few alarming things here. More nanny State : In other words, the nanny state is forcing upon us expensive and insecure systems that aren’t as effective as a human being just doing what he’s supposed to, but we should just think of the children we’re “protecting” with this …
http://www.eweek.com/c/a/IT-Management/As-Foretold-by-Desktop-Managment-Tools-588370/ What’s interesting here is that this isn’t preaching “The Cloud” and only mentions VDI in one paragraph (2 in the one-line expanded version). Also interesting is the real message: “Microsoft has lost it”. Peter Drucker, the management guru, pointed out that the very last buggy-whip manufacturer in the age …
In case you’re not aware, ISECOM (Institute for Security and Open Methodologies) has OSSTMM3 – The Open Source Security Testing Methodology Manual – http://www.isecom.org/osstmm/ There’s an interesting segue to this at https://www.infosecisland.com/blogview/14651-How-to-Pen-Test-Crazy.html Skip over his ranting about the definition of “hackers” This is the meat: Wewrote the OSSTMM 3 to …
Apparently (ISC)2 did this survey … which means they asked the likes of us …. http://www.darkreading.com/security-monitoring/167901086/security/security-management/229219084/under-growing-pressure-security-pros-may-be-ready-to-crack-study-says.html Faced with an attack surface that seems to be growing at an overwhelming rate, many security professionals are beginning to wonder whether their jobs are too much for them, according to a study published …
One list I subscribe I saw this outrageous statement: ISO 27001 requires that you take account of all the relevant threats (and vulnerabilities) to every asset – that means that you have to consider whether every threat from your list is related to each of your assets. “All”? “Every”? I …
Image via Wikipedia A business might possibly choose not to have a BCP but they might be interested in doing a BIA After all, the “impact” might be something positive resulting from some change. Oh, the Irony! Expeditious and cost effective. I’ve audited BCPs and always found them lacking. They …
A friend and colleague who is also a security guru and much better qualified than me and who admits that he is not a huge fan of enterprise architecture frameworks doesn’t think that “enterprise architecture” is on a completely solid footing; he points out that it’s a major business for …
© 2013 The InfoSec Blog
Powered by Esplanade Theme by One Designs and WordPress