Application software in the cloud – power to the people
I think that it might be a novel approach to build a flat cloud security control model centered around consumers (stakeholders, users and developers) of business application software and the performance of the cloud services that they consume. This might be a more productive and relevant control model than the current complex, multiple layer, […]
The importance of data collection in a risk assessment
A risk assessment of a business always starts with data collection. The end objective is identifying and then implementing a corrective action plan that will improve data security in a cost-effective way that is the right fit for the business. The question in any risk assessment is how do you get from point A (current […]
It’s the most wonderful time of the year
Seems like ages since I last blogged. Got my head down on a few data security and compliance projects and the raw material is piling up. Today is Israel Memorial Day and the JP Big Band appeared last night in the Modiin Cultural Center with an evening of 23 Israeli classics arranged for large jazz […]
How to make Federal data security effective
I submit that a “no tickee, no washee” strategy might improve US Federal data security. An article published in the Federal Times states that cyber attacks on Federal networks are up 40% from last year according to a report compiled by the OMB (Office of Management Budget) that is based on numbers reported by the […]
Cyber crime costs over $1 trillion
A pitch from Alex Whitson from SC TV for a Webinar on the LinkedIn Information Security Community piqued my attention with the following teaser: As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally. Sponsored by security and compliance auditing vendor nCircle, the Webinar pitch didn’t cite any sources for the […]
3GPP Long Term Evolution – new threats or not?
3GPP Long Term Evolution (LTE) is the latest standard in the mobile network technology tree that produced the GSM/EDGE and UMTS/HSPA network technologies. It is a project of the 3rd Generation Partnership Project (3GPP), operating under a name trademarked by one of the associations within the partnership, the European Telecommunications Standards Institute. The question is, what will be […]
Managing information security in the cloud – on sense and sensibility
Managing information security in the cloud – on sense and sensibility. Data governance is a necessary requirement for protecting data when moving to cloud computing. Setting a data governance policy is of particular importance in the cloud computing working model, which is based on supplying services paid for per unit of consumption, in contrast to the traditional information systems model based on installation, systems integration and operating products. Along with the supply […]
Attacking the network via Rich Internet Applications
Vulnerabilities in rich Web 2.0 applications are definitely a problem when you start deploying more of your business to the cloud. Here is a good article from a Norwegian developer and security researcher – Erlend Oftedal on exploiting crossdomain.xml and clientaccesspolicy.xml in RIAs (rich internet applications). Unrestricted crossdomain.xml and clientaccesspolicy.xml files can be abused by […]
Practical advice for SME to use ISO 27001
ISO 27001 certifications are growing rapidly because of compliance regulation and increased awareness of information security risk. The ISO organization recently (October 2010) took measures to make ISO more accessible by “providing practical advice for small and medium-sized enterprises (SMEs) on how to achieve the benefits of implementing an information security management system (ISMS) […]
Why data security is like sex
We all think about sex – men (most of the time), women (some of the time) and teenagers (all the time). Sex – despite the huge volume of content in the digital and print media, is one of those phenomena that demonstrate an inverse relationship between substance and talk. The more talk, chances are, the […]