Scientific New York Post
I recently saw a great piece of pseudo-science courtesy of Websense describing the cost of data loss and amazing ROI for the Websense Data Security solution. (a friend who studied physics with me used to call this sort of writing “Scientific New York Post”) See Websense white paper ROI of DLP Bruce Schneier correctly notes […]
Designing a data security system
User-Driven Design versus User-Centered design Alan Cooper, in his book The Inmates are Running the Asylum, draws a distinction between user-centered design and user-driven design. User-driven design is about collecting, prioritizing and implementing a system to the user requirements – we’ve all been seen software development projects where the requirements spiraled out of control and […]
The role of user accountability and training in data security
In this article I will show that DLP technology such as Fidelis XPS, Mcafee DLP, Verdasys Digital Guardian, Websense Data Security Suite and Symantec Data Loss Prevention 9 – is a necessary but not sufficient condition for effective data security. I submit that effective data security is a three-legged stool of: Monitoring – using DLP […]
Data at rest encryption
Two days in the same week to run into FCPA issues is strange. A prospect in Poland (ENEA) recently acquired Euro 6 million worth of disks from Hitachi and explained the purchase as a data loss prevention measure (Hitachi has data at rest encryption- i.e. the controller encrypts the data on the disk, which makes […]
Turning the tables on data theft
The State of Virginia is offering a very substantial reward for information that leads to the arrest of a malicious attacker who stole 8 million data records.
Entrapment – a solution for insider threats?
Not sweet, not a solution and not for insider threats. Roger Grimes on Infoworld is trying to promote the idea that entrapment tactics with a honeypot can be a cheap, easy, and effective warning system against the trusted insider gone bad. Of course, I don’t blame Roger for trying to game the search engines with […]
Imperfect knowledge security
A few months ago I wrote about The Black Swan of Security – how major data loss events have 3 common characteristics – 1) A major data loss event appears as a complete surprise to the company . 2) Data loss has a major impact to the point of maiming or destroying the institution (note […]
Postgresql 8.4 or MySQL
MySQL now belongs to Oracle – Oracle’s track record on keeping acquisitions alive is mixed. If you want a real database that is extremely Oracle compliant (PLpgSQL is very close to PL/SQL) look no further than then harder (more secure), better, faster Postgresql 8.4 the world’s most advanced Open Source database. Using the new […]
Data security case study
A lot of companies do V/A (vulnerability assessments) with scanners like Beyond Security or Nessus. We took a hybrid approach for an internal security assessment using a Fidelis Security Systems network DLP appliance for detecting data loss vulnerabilities and structured human interviews to identify assets and analyze business threats such as competitors who might steal […]
Business process mapping and risk management
Many risk management consultants tell organizations that they must perform a detailed business process mapping and build data flow diagrams of data and users who process data in order to achieve compliance and reduce the operational risk of information security. This is a very bad idea. Business process mapping is an expensive task to execute […]
