Better physical security with more eyeballs
Big companies have lobbies and receptionists. They may have many visitors during the day not to mention messengers from FedEx, DHL, TNT, Poczta etc. A DHL courier recently visited the offices of a client to pick up a package. He walked in, picked up 5 expensive mobile computers and notebooks, put them in the pouch […]
2009 CWE/SANS Top 25 Most Dangerous Programming Errors
I’ve been telling customers for years that most security exploits are caused by a small number of software defects (you can download my white paper on Software Security and see how to mitigate enterprise software vulnerabilities systematically using Business threat modeling). Still, it’s amazing how the trade press are gushing on this – must have […]
Why Israel is losing the war against terror
It is crucial to ask how we can adopt and execute a sustainable long-term strategy to combat and win the war against Islamic terror. I’m an Israeli and we have seen a series of Israeli governments attempt to combat terror. In most cases, the strategy to combat Palestinian terror centers on worrying what the US […]
The Israeli Supreme Court is a security vulnerability
I got this from my sister-in-law Judith Bedichi this morning – it was written by Dr. Guy Bechor and describes an escalation of security threats to the Jewish State of Israel. The Israeli Supreme Court is highly regarded yet clearly preferential to Israeli Arabs, with liberal rulings allowing operations of radical Islamic groups in the […]
70 years after Kristallnacht
It’s sad that on the 70th anniversary of Kristallnacht, Ehud Olmert and Tzipi Livni felt compelled to mitigate their political vulnerabilities with offers of appeasement to Palestinian terrorists. Political spin is not a sound replacement for national pride. Translated literally into English as the Night of Broken Glass, Kristallnacht was a pogrom in Nazi […]
Data loss by cellphone
Is your 50-something IT manager the last one to know about the company getting acquired? An extremely obvious yet perhaps unpleasant observation for over-40 IT managers is that under-30 employees know a lot more about technology and ways to bypass the company security safeguards than they do. A young, hip, mobile and technology-facile workforce […]
The danger of losing your digital assets in a down market
Any information security professional will tell you that security countermeasures consist of people, processes and technology. The only problem is that good security depends on stable people, processes and technology. A stable organization undergoing rapid and violent change is an oxymoron. People countermeasures are a mix of security awareness training, background checks (at a […]
Automated hacking of Joomla Web sites
A lot has been written about Google-aided automation of hacking. There is little I can add to this topic besides some personal and practical advice. If you’re running Joomla 1.5 you may have noticed queries of the sort “powered by joomla .domain_name_extension” in your Apache access.log file. It’s almost certain you’ll find a few of […]
The physics of risk assessment
Quantity or quality – that is the question! There is a great deal of debate between the supporters of quantitative risk assessment and the supporters of qualitative risk assessment in the security and compliance business. The qualitative people say that since it is impossible to estimate risk as an absolute number such as “87 percent […]
Credit card security franchise available
Just saw a post from a month ago by Jeremiah Grossman from White Hat Security on his blog, “PCI-DSS references the outdated OWASP Top Ten”. There are actually a number of more serious technical issues with PCI DSS 1.1 than using the OWASP Top 10 from 4 years ago. Note the definition of vulnerability management […]