July 2, 2016 Nobody wants to pay for security, including security companies https://www.linkedin.com/pulse/nobody-wants-pay-security-including-companies-beno%C3%AEt-h-dicaire In theory, consumers and businesses could punish Symantec for these oversights by contracting with other security vendors. In practice, there’s no guarantee that…
March 22, 2016 Cyber risk in the business https://normanmarks.wordpress.com/2015/06/05/cyber-risk-and-the-boardroom/ The take-away that is relevant: Cyber risk should not be managed separately from enterprise or business risk. Cyber may be only one…
July 5, 2015 Cyber, Ciber or Syber? Occasionally, people do ask: What exactly do you mean by “cyber security”? Or “cyber” for that matter. Please explain. “Steersman Security”? It seems to…
March 21, 2015 Review: “Penetration with Perl” by Douglas Berdeaux Douglas Berdeaux has written an excellent book, excellent from quite a number of points of view, some of which I will address. Packt Publishing…
January 11, 2013 Another Java bug: Disable the java setting in your browser http://www.kb.cert.org/vuls/id/625617 Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a…
September 14, 2012 Learning to Counter Threats – Skills or Ethics? Fellow CISSP Cragin Shelton made this very pertinent observation and gave me permission to quote him. The long thread about the appropriateness of learning…
August 8, 2012 Steve Wozniak: Cloud Computing Will Cause ‘Horrible Problems In The http://www.businessinsider.com/steve-wozniak-cloud-computing-will-cause-horrible-problems-in-the-next-five-years-2012-8 Perhaps The Woz isn’t the influence he once was, and certainly not on Wall Street and the consumer market place. The unbounded RAH-RAH-RAH…
March 7, 2012 The 19 most maddening security questions | Security – InfoWorld http://www.infoworld.com/d/security/the-19-most-maddening-security-questions-187983 An interesting list, since it covers issues of public structural security. I recall reading that the greatest contribution to the health of individuals…
August 7, 2011 Using ALE … inappropriately Like many forms of presenting facts, not least of all about risk, reducing complex and multifaceted information to a single figure does a dis-service…
June 21, 2011 In praise of OSSTMM In case you’re not aware, ISECOM (Institute for Security and Open Methodologies) has OSSTMM3 – The Open Source Security Testing Methodology Manual – http://www.isecom.org/osstmm/…
July 14, 2010 IAM – Basics – Policy If there’s one thing that upsets me when I see articles and postings to forums about policy, it’s mention of a “Password Policy”. I…
June 29, 2010 You don’t need a Firewall Security Policy A member of a discussion list I subscribe to asked for a Firewall Policy template. As usual, I was alarmed enough by this to want…
May 19, 2010 The Classical Risk Equation What we had drilled into us when I worked in Internal Audit and when I was preparing for the CISA exam was the following…
March 26, 2010 A Security Policy needs to be abstract not specific There’s much I don’t like about many of the published security policies and the ones I see in use at many…
February 28, 2010 The FBI risk equation It seems that to make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation: risk = threat x vulnerability x…
December 27, 2009 Throwing in the towel I was saddened to hear of an InfoSec colleague who met with overwhelming frustration at work: After two years of dealing with such nonsense,…
November 18, 2009 How much would you give up your laptop for? http://tech.yahoo.com/blogs/null/154866;_ylt=Av2YyMlmiE8ERpzUwD020zUWLpA5 Remember all those journalists doing the “give your password or a chocolate bar” articles? Well this seems a lot more realistic – giving…
November 13, 2009 The Cost of patching I saw this assertion go by and it stood out: The bigger cost would be the cost of not patching. Such items as downtime…
October 24, 2009 How Many Deaths? Here http://thecipblog.com/?author=3 I found this quote: “In order to be designated ‘critical information infrastructure’, how many deaths would the failure of a network have…
October 6, 2009 About creating Corporate IT Security Policies As I’ve said before, you should not ask yourself what policies to write but what you need to control. If you begin with a…