RSA Conference 2010 - Ghost of Conference Past
I was talking with my buddy Ben Rothke tonight about the security graveyard - companies that are no longer with us (he's been a part of a number of them, but I'm not making any connections ;-). He also challenged me to find an old list of companies exhibiting at RSA. Herewith is a list ...
More Breach Costs “per record”
Ponemon Institute has issued its annual report on the cost of data breaches. I wrote last year about using per record costs for data breaches. An excerpt:
It is common when estimating costs of data breaches to quote costs "per record". Most recently, Ponemon Institute released a study that asserted a cost of $202 per record ...
Addressing the Advanced Persistent Threat (APT)
In the past few weeks, the Advanced Persistent Threat (APT) has been all the rage in the infosec world. Security professionals everywhere are taking sides about whether APT is new or not, despite (or perhaps due to) the lack of a clear and consistent definition.
It started with Google suggesting (but not explicitly stating) that the ...
What does “Aurora” mean in Chinese?
George Kurtz of McAfee is providing some details about the hack attack against Google et al. purportedly originating in China. One of his comments:
I am sure you are wondering about the name “Aurora.” Based on our analysis, “Aurora” was part of the filepath on the attacker’s machine that was included in two of the malware binaries ...
Meet my friend Micromort - he’s one in a million!
No, it's not some sort of mini-Mortman! It's micromort, or in other words, a one-in-a-million chance of death. How can you add (or is that subtract?) a micromort to your... err.. life? Here are some options (from Wikipedia):
- smoking 1.4 cigarettes (cancer, heart disease)
- drinking 0.5 liter of wine (cirrhosis of the liver)
- spending 1 hour in ...
Quick and Dirty Risk Calculations - CSI Survey Edition
The Computer Security Institute recently released its 2009 survey results (must register). One of the charts in the executive summary lists the frequency of occurrence in the survey population. Without any other information more pertinent or specific to your organization, you can use this information for quick and dirty risk calculations. Let me illustrate.
The frequency ...
Notes on the Heartland breach
The Heartland saga continues and it appears that things are going its way. Not only has the company been on a campaign to make lemons out of lemonade by selling the equipment ("end-to-end" encryption) to their customers (and, presumably others), but at least one shareholder lawsuit was dismissed.
The class-action suit had some interesting information: First, ...
Should we change passwords every 90 days?
[I was unsuccessful trying to post this as a comment on the Securosis blog so figured I'd post it here instead.]
David Mortman at Securosis recently posted with the following challenge:
Show me any reasonable evidence that changing all your users' passwords every 90 days reduces your risk of being exploited. No wonder they don't always listen ...