Another story about false positives and what they really teach us. The traditional story is of a boy who is given the responsibility to guard the village herd of sheep. He is supposed to scream for help to notify the villagers when the sheep are threatened. He decides he wants company and screams “wolf” so … Continue reading
Category Archives: Cybersecurity
A change is gonna come
This will start with the first law of thermodynamics and end up with change management. All the while, we will keep information security in focus. So, simply put, the first law of thermodynamics says that the amount of energy in a closed system cannot be increased or decreased. If we substitute “effectiveness of security controls” … Continue reading
The 4th e-state of denial
Corporate web sites getting hacked is news. Corporate news sites getting hacked is news. News sites getting not hacked but going down anyway is…? When NYTIMES.com went down this week for a couple of hours, they felt they needed to provide the proper context for their downtime. The headline of the article they published read … Continue reading
Where Chicken Little Went Wrong
This is about the fundamental formula for assessing risk. I saw a post on a LinkedIn Group the other day, a group where myself and about 39,000 of my closest colleagues (more on them later) exchange ideas around IT Governance and related issues, and I made a comment which led to a discussion which brought … Continue reading
When is a breach notification not a breach notification?
In Memoriam Barnaby Jack.(1) When it’s an indictment, a settlement or an ethical hack. It is interesting to note the difference between a breach notification press release (these are required by law, for example, for breaches of health care data affecting over 500 individuals) and the subsequent coverage and reports of indictments, settlements and ethical … Continue reading
One hand washing the other
Can the HIPAA Security Rule learn something from the HIPAA Privacy Rule? When it comes to encryption at the application security level: yes. First, one of my particular soapboxes: in a world where medical records are increasingly found in digital form, the HIPAA Security Rule and the HIPAA Privacy rule cannot be minded by two … Continue reading
Why isn’t this blog more technical
I am getting a fair amount of questions (which is blogger speak for the more introspective “I keep asking myself”): why isn’t this blog more technical? Why aren’t I persistently advancing threads about advanced persistent threats? Am I intentionally filtering out packet filter discussions? (note to self: do not turn into cyber security’s answer to … Continue reading
The Winter of our discontent
Can information security professionals be satisfied? Ever? Yes. But should they be? Ever wonder if Advanced Persistent Threats came into the world in part because the information security profession became more and more predictable? Or worse: commoditized, as I will discuss below. Lately, as corporate web sites from multiple industries in virtually every continent are … Continue reading
Honest, Mom, lots of kids failed that test
The media are certainly becoming more sophisticated at reporting on data breaches and web site hacks. And as that happens, corporate communications departments are freer to craft ever more sophisticated messages about a breach/hack involving their organization. The new goal is to attempt to describe the organization as just the latest victim of an on-going attack … Continue reading
Raising the stakes by lowering them
The HIPAA Security Rule’s most significant flaw was on display recently. Hospice of Northern Idaho (HONI) has settled with the Federal Government for $50,000 to close out the case of a stolen unencrypted laptop that had the electronic protected health information of 441 patients on it. Media attention focused on the fact that this was the … Continue reading
{Cyber Security} 