Protecting your data in the cloud
Several factors combine to make data security in the cloud a challenge. Web applications have fundamental vulnerabilities. HTTP is the cloud protocol of choice for everything from file backup in the cloud to Sales force management in the cloud. HTTP and HTML evolved from a protocol for static file delivery to a protocol for 2 […]
The security of open source software
A conversation with a client this morning revolved around software development tool alternatives in an environment of Web Socket. Why not use Flash on the client and AMF on the server side?, the client asked. I hesitated for a moment and answered – because Adobe is proprietary and closed source and the only developers looking […]
How to assess risk – Part II: Use attack modeling to collect data
In my article – “How to assess risk – Part I: Asking the right questions”, I talked about using attack modeling as a tool to collect data instead of using self-assessment check lists. In this article, I’ll drill down into some of the details and provide some guidelines on how to actually use attack modeling […]
Operational risk management – what we really need
Operational risk management has been the buzz word du-jour in recent years, due to the Basel II initiative in the banking industry and Solvency II in the insurance industry. The Basel II definition of operational risk is “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.” […]
The problem of security information sharing
In a previous post Sharing security information I suggested that fragmentation of knowledge is a root cause of security breaches. I was thinking about the problem of sharing data loss information this past week and I realized that we are saturated with solutions, technologies, policies, security frameworks and security standards – COBIT, ISO27001 etc.. The […]
Cutting through the marketing b/s of security products
I think FUD is not going to cut it anymore. There is currently no standard, vendor-neutral methodology tp quantify information security risk and justify technology purchases. Maybe during the GFC as budgets dwindle down and threats ratchet up – security analysts will finally get some real work done. In order for a company to decide […]
The financial impact of cyber threats
Kudos to ANSI for publishing a free guide to calculating cyber risk. Better late than never – thousands of security professionals in the world use the Microsoft Threat Modeling Tool and the popular free threat modeling software PTA, to calculate risk in financial terms – not to mention the thousands of other users of risk […]
