Wednesday, 15 February 2012

Is your definition of security holding you back? Michael, it would be great if you could post those fifteen definitions of information security for us. Thanks.

Saturday, 15 October 2011

I say

How an email hacker ruined my life and then tried to sell it back to me
As previously noted, you get what you pay for.  There is a reason that one has to keep passwords secure.

The real irony in these anonymous web mail systems is what happens if you want to reset your account and you don't have your own password.  One can enroll in gmail, yahoo mail, tiscali or whatever with no outlay and no identity checks.  If one then, say, forgets the password and wants to close the account, one ends up in the bizarre world where the mail company wants you to prove who you are.

There has to be a better way.

The problem that we have is the number of passwords we need to recall so there are bound to be overlaps.

One option is to register your own domain and then to pay £30 per month for a small company to manage your mail for you.  Then if something goes wrong, you know you can speak to a real person.

InfosecChap

‘Sexting’: Perceptions, Realities & Indecent Images of Children
It is indeed a scary world.  There is a toxic combination of Parent + Photographer + PC that should send a chill up all our spines.

But the combination of Adolescent+Hormones+Camera equals Register.

Scary world.
 
Hacking Activity Detected By Sony
Protective Monitoring and SIEM is supposed to be the new silver bullet.  It's getting the government all fired up.

Looks like Sony's attempt is working.  Just in time!

InfosecChap

Where Can I Learn More About Computer And Internet Security? #2 Naked Security
Agreed.  The Sophos blog is one of the best out there.  They are obviously spending money to generate good content and they seem to allow their employees the freedom to pursue their own interests.

How many people do they have working for Sophos and how many on the blog?  An interesting metric would be the percentage of researchers vs bloggers vs staff.  Even the big consultancies don't seem to have this level of commitment.  I can only assume that Sophos employ people who are bloggers and who can make a name for themselves.

I do wonder what the editorial control from Sophos is, though.  I know many companies that would love a high quality blog but they just won't let their staff run loose.

HP also have a good blog, though the recent Mary Anne Davison spat on the Oracle blog shows how sometimes things do get interesting.

Naked Security?  Try Naked Mentalism too!
chin chin
@infosecChap
Technical Whitepaper - "Tracking Performance of Software Security Assurance - 5 Essential KPIs"
Agree entirely about using KPIs, though I wonder how one relates software defects to security vulnerabilities?  Is it possible to have zero defects but to have plenty of vulnerabilities?  Or to have no vulnerabilities but still to have defects?  Or are the defects only security defects, in which case fair point.

I'd be interested to know how this works in reality:  I suspect that most software producers just want to get their product into production, rather than undertake vast historical analytics.  When I read the title I expected a view on SIEM; I'd be interested to know what operational security KPIs you are currently using, other than patching perhaps.  I guess that having all in one place would enable an holistic approach to be implemented.

InfosecChap

Friday, 14 October 2011

I say

The True Price of Being Hacked [??]
PCI DSS only exists to protect the card issuer and the bank. It transfers risk to the merchant. What would be really interesting is how much the PCI DSS fines are. I suspect that they are not very much and I suspect that they are rarely enforced.

It's all about reputation: Sony = big deal. Bikesonline site (hacked recently, lots of losses) = not so big.

I wonder what else happened to deliver the drop in card fraud. Chip and PIN? That's not in my interests, as any loss incurred through Chip and PIN is now my liability, whereas it used to be the bank's.

chin chin
@infosecchap
UK government says it can attract and retain the cyber defence skills it needs
The whole problem here is that HMG don't pay the same as industry.  A CLAS, CHECK or similar contractor can command around £700 per day.  That's about £140K just for following orders.  Even as a permie the salaries are in the £50 to £80K range.  A reasonable amount when you consider that this is about what a Senior Civil Servant grade gets at Grade 7 and above.

I thought that GCHQ/CESG were getting into bed with the BCS and IISP to professionalise the industry.  They should be using that in their internal teams.

Business survey shows ballooning security budgets
Security and information assurance has to become a commodity item.  Security As A Service.  Pen testing over t'web and managed offerings are what it's all about.  There are no end of vendors who do this:  Vistorm (before it dissolved into HP) and Integralis for example.

As time moves on, the technology gets more sophisticated, costs get reduced and we outsource.  We are always playing catch up, but being smarter means spending less and being more focussed.

chin chin
infosecchap