Paying the price for peace

An exceptional post by Lilac Sigan “To bad it doesn’t pay to be a nice guy” suggests that Israel may be better off in the long term with its relations with Turkey by demanding a quid-pro-quo (The Turks are demanding reparations and an official apology from Israel for boarding the now infamous Gaza flotilla boat […]

How to assess risk – Part II: Use attack modeling to collect data

In my article – “How to assess risk – Part I: Asking the right questions”, I talked about using attack modeling as a tool to collect data instead of using self-assessment check lists. In this article, I’ll drill down into some of the details and provide some guidelines on how to actually use attack modeling […]

How to assess risk – Part I: Asking the right questions

It seems to me that self-assessment of risk is a difficult process to understand and execute, primarily because the employees who are asked to assess the risk in their business process, a) don’t really understand the notion of risk and b) don’t really care. Let’s face it – risk is difficult to understand, since it […]

Run security like you run the business

Is there any conceivable reason why you should not run your security operation like you run your core business? The sales people in your firm have sales quotas and are measured by gross profit margin and collections. The people who run manufacturing and distribution have quotas for manufacturing throughput and inventory cycle times. So why shouldn’t your […]

The psychology of data security

Over 6 years after the introduction of the first data loss prevention products, DLP technology has not mainstreamed into general acceptance like firewalls. The cultural phenomenon of companies getting hit by data breaches but not adopting technology countermeasures to mitigate the threat requires deeper investigation but today, I’d like to examine the psychology of data security […]

Counter cyber terrorism with social networks

The topic of offensive strategies against hackers comes up frequently and I am surprised and dismayed by the US strategies on combating cyber terror. The Americans are still thinking in a conventional warfare paradigm – in “Defending a New Domain”, William Lynn writes: It must also recognize that traditional Cold War deterrence models of assured […]

Stuxnet targeting specific SCADA configurations

The debate on whether or not the Israelis wrote the Stuxnet malware rages on – but it seems pretty clear from the research from ESET and Siemens’ own findings – here – that the virus is apparently only activated in plants with a specific configuration. To be exact – the target is not the SCADA system […]

Are we glorifying the attackers and prosecuting the victims?

With all the media noise about Stuxnet, cyber war and cyber terror, I proposed taking a closer look at how we relate to the players. Whether uber hackers or PLO terrorists; are we glorifying the attackers at the expense of prosecuting the victims? In data security I don’t subscribe to utilitarian ethics (which attempts to […]

Open Source Security Testing

Pete Herzog, Founder of ISECOM, will be discussing the revised Open Source Security Testing Methodology Manual (OSSTMM v3) and how it applies to web application security today (10-13-2010) in Raleigh, NC. I’m not sure exactly if this project really qualifies as Open Source – since the license is not specified. As a methodology and not […]

Why software patents are a bad idea

In “Bilski and software patents”, Rob Tiller (vice president and assistant general counsel for Red Hat) attempts to make a case against software patents by claiming that they are abstract and therefore not patentable: In view of this serious problem, Red Hat submits that the Interim Guidance should be revised to recognize that software patents will ordinarily […]