Online Ad Industry Threatened by Security Issues

Most people use ad blockers because they’re irritated with some of the intrusive ways ads are presented. But there are also compelling security arguments behind ad blockers. By blocking ads, consumers are better insulated against security risks from malvertisements.

The social media site Reddit, which can be a rich traffic source for publishers, warns users about links to content that demands people disable their ad blockers, including publishers such as Forbes and Wired.

“Warning! Disabling your ad blocker may open you up to malware infections, malicious cookies and can expose you to unwanted tracker networks,” Reddit’s warning says. “Proceed with caution.”

I don’t know whether to be glad or worried by this.
It may be considered unsocial of me, but I use ad blockers.

On ‘paranoia’ – revisiting “Paid to be paranoid”

My fellow CISSP and author Walter Jon Williams observed that

Paranoia is not a part of any mindset. It is an illness.

Ah, Walter the literalist!

Yes, I agree with what you say, but look at it this way:

“We’re paid to be paranoid” doesn’t mean we’re ill.
It’s a job.

Now if your job is an obsession, one you take home with you, that interferes with your family life, that you can’t let go of, then it’s an illness whatever the job is.

“We’re paid to be paranoid”

It’s a job. You don’t pay us Information Security Professionals to be Pollyannas, to have a relaxed attitude.

Sony backs ineffective U.S. cybersecurity legislation


“If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone,” the Sony executive said.

“By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to us all,” he said.

To people like us, IT Audit and InfoSec types, controls come in three forms:

  • preventative
  • detective
  • compensatory

It seems that this legislation focuses on the third and not the first.
It might even be seen to discourage the second.


One In Two Security Pros Unhappy In Their Jobs

Well? Are you?

You’d think most professionals in a hot industry like IT security would
feel content and challenged technically and creatively in their jobs —
but not so much. According to the results of a new survey that will go
public next week at Defcon in Las Vegas, half of security pros aren’t
satisfied with their current jobs, and 57 percent say their jobs are
neither challenging nor fully tapping their skills.

Like most reports on surveys, this is journalism at its worst.

Vulnerability Management – The Next Fad?

The article is at

but I find it ominous.

Vulnerability management may be the next big thing in terms of IT
security strategy, but deriving the maximum value out of your efforts
requires hard work and a comprehensive plan, industry insiders

Well, at least the author admits it’s not the next “Silver Bullet“!

Speaking at the SOURCE Boston conference this week, scanner maker
Tenable Security’s Carole Fennelly outlined some of the best practices
that organizations should observe as they attempt to identify and
remediate security weaknesses that exist throughout their IT systems and

Well, that sounds good, but where does it lead?
Personally I find it deceptive and not a good use of resources.
At bottom, it’s too much like reactive fire-fighting.

We’ve discussed (or at least some of the more outspoken security bloggers and professionals among us have) techniques for compartmentalization, being proactive in protection, and using architectural and strategic decisions rather than ‘bug-hunting’.

We all know that you’ll never find the last bug, but it’s often easier to build things so that the effect of bugs, or failures, or attacks, is minimized.

What makes me despair though is when the old shibboleths get spouted:

“Organizations need to create asset lists that define their critical
business systems to help prioritize their efforts;

Without wanting to sound like I have it in for Ko-Ko and his little list (heck, I have my own to-do list and GTD page), this is still reactive rather than proactive. In the last 15 years I’ve seen such revolutionary concepts as firewalls and DMZs become accepted by the mainstream, but we can still see that many people “don’t get it”. As evidence of this I would point towards the PCI documents. Implicit in them is the subtext that there are IT shops too stupid (or recalcitrant) to implement very basic good practices without being led through them by the nose.

… they need to have the
support of different internal groups to create these lists that will
help them mitigate their most critical problems,” said Fennelly,

I wonder. Many security practitioners, and I think a lot of IT, would say that the most critical problems are not technical ones but rather have to do with people, management and strategy.

Scanners are useful tools, but they are also the kind of geek toy that can suck you in. This article touches on prioritizing those lists, but I’d say the reality is that you have to deal with many things all at once, and getting stuck ‘head down’ with something like this, dealing reactively with the issues it raises, will distract you from the more strategic matters that might just sweep away many of these problems.


Encyclopedia of IT terms

CMP ChannelWeb have an on-line encyclopaedia of IT terms. This is a useful addition to my toolbar for composition, along with a more conventional dictionary.

The definition of ‘information security‘ seems limited to access control, which is very disappointing. The definition of ‘computer security‘ is more comprehensive. Nevertheless, to a security professional both these definitions are lacking.

What screams out to me, and this is very obviously my bias, is the lack of any mention of INTEGRITY in these definitions. As I keep pointing out, if you don’t have integrity, any other efforts at security, be it information security, or “Gates, Guards, Guns and Dogs” physical security, be it backup and disaster recovery, be it access control, be it 1024-bit SSL, are all going to be pointless.

It’s not until we follow a few links at the Encyclopaedia, to Donn Parker‘s six fundamental and orthogonal attributes of security, that there is any mention of ‘integrity’. Even so, that definition has only a link to ‘data integrity‘. There is a separate definition for ‘message integrity‘. While these specific items are important, they are details. What is lacking is a general definition of “Integrity”. Once again, Fred Cohen’s seminal 1997 article on the importance of Integrity comes to mind.
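To make the point concrete, here is an added example (mine, not from the encyclopaedia or any of the works cited above) of why integrity has to come before the other efforts. It uses a toy stream cipher (keystream built from SHA-256 over a key and counter, XORed with the plaintext; an assumption for illustration only, standing in for any stream cipher or CTR-mode construction, and not a real cipher). With confidentiality alone, an attacker who never learns the key can still rewrite a known field of the message; adding encrypt-then-MAC with HMAC-SHA256 makes the same tampering detectable. The message content is constructed for the demonstration.

```python
"""Added example: confidentiality without integrity is malleable.

A toy stream cipher (keystream = SHA-256(key || counter) blocks, XORed with
the plaintext) stands in for any stream cipher or CTR-mode construction.
It is an assumption for illustration only, not a real cipher.
"""
import hashlib
import hmac
import os
from typing import Optional


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || 8-byte counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. Malleable by design."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


decrypt = encrypt  # XOR is its own inverse


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's move, no key needed: wherever the plaintext is known to be
    `old`, XOR in (old ^ new) so the ciphertext now decrypts to `new`."""
    assert len(old) == len(new)
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(mac_key, ciphertext)."""
    ct = encrypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag (constant-time compare) before decrypting anything;
    return None on any tampering."""
    if len(blob) < 32:
        return None
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(enc_key, ct)


def demo() -> dict:
    """Run both scenarios on a constructed payment message."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"PAY amount=0100 to=alice"  # constructed sample message
    off = msg.index(b"0100")

    # 1. Confidentiality without integrity: the attacker turns 0100 into 9900
    #    without knowing enc_key, and the receiver accepts it.
    ct = encrypt(enc_key, msg)
    tampered_plain = decrypt(enc_key, flip_field(ct, off, b"0100", b"9900"))

    # 2. Encrypt-then-MAC: the identical bit-flip now fails verification.
    blob = seal(enc_key, mac_key, msg)
    tampered_blob = flip_field(blob[:-32], off, b"0100", b"9900") + blob[-32:]
    return {
        "unauthenticated_result": tampered_plain,
        "authenticated_result": open_sealed(enc_key, mac_key, tampered_blob),
        "untampered_result": open_sealed(enc_key, mac_key, blob),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unauthenticated path handing the receiver a message it was never sent, while the authenticated path returns None for the tampered blob and the original message for the untouched one. The key length, the strength of the underlying cipher and the TLS handshake in front of it make no difference to the first case: without an integrity check there is nothing to tell the receiver that what it decrypted is what was sent.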

No, a much better reference is Rob Slade’s “Dictionary of Information Security“, which, of necessity, encompasses many IT terms.
