Why less log data is better
Been a couple weeks since I blogged – have my head down on a few medical device projects and a big PCI DSS audit where I’m helping the client improve his IT infrastructure and balance the demands of the PCI auditors. Last year I gave a talk on quantitative methods for estimating operational risk of […]
Small business data security
Here are 7 steps to protecting your small business’s data and and intellectual property in 2011 in the era of the Obama Presidency and rising government regulation. Some of these steps are about not drinking consultant coolade (like Step # 1- Do not be tempted into an expensive business process mapping project) and others are adopting best practices […]
Data availability and integrity – the Apple/Microsoft version
I have over 2,300 contacts on my iPhone and like any reasonable person, I wanted to backup my contacts. I figure my iPhone wont last forever. Like a fool, I thought it might be a good idea to test the restore process also. The Ubunutu One service based on Funambol doesn’t really work so that […]
I want data loss reasons, not numbers
Media reporting of data breach events like the UK NHS, Heartland, Hannaford and Bank of America has overwhelming focussed on the raw numbers of customer data records that were breached. Little information is available regarding the root causes – how attackers exploited the system and people vulnerabilities to get the data. Although US legislation requires […]
Is security a washing machine?
Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It’s always a 4 step cycle, like Symantec’s DLP “Discover, Monitor, Protect and Manage” and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line. It’s like a washing machine cycle that never […]
Data discovery for data loss prevention
A few years ago I did some work for an Israeli startup called nLayers that did applications, servers and devices discovery. They were later acquired by EMC. I thought it was a brilliant idea at the time, since large IT organizations don’t really know what assets they have in their IT portfolio. Therefore, it should […]
The role of DLP in IP protection
A common conversation I have with my technology clients touches on patent protection as a security countermeasure against abuse of intellectual property. The short answer is that if you’re not DuPont or Roche, then patent protection is not going to help you very much. If you develop software , you are probably infringing someone’s patents […]
Data loss prevention for SME
Is a SME like the old German expression – Kleine Kinder kleine Sorgen, große Kinder große Sorgen? “Small children, small problems, big children, big problems”? I wanted to call this post “The need to understand operational risk of information security” – but I realised that op risk is a concept used by big banks and […]
Choosing a data loss prevention solution
Data security is not one-size fits all. For example, if the threat scenario is an attack on your customer self-service Web application – obfuscating or encrypting fields in database tables is not an effective security countermeasure; you need a network DLP solution to prevent leaks of clear text data and a software security assessment that […]
Reducing risk of major data loss events
Martin Hellman (of Diffie Hellman) fame maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled Soaring, cryptography and nuclear weapons Hellman proposes that we need a third state scenario (instead current state – > nuclear war) where the risk of nuclear holocaust has been […]
