Breach announcements / Cybersecurity

When is a breach notification not a breach notification (revisited)?

When it’s a customer service announcement.   At least that’s what one in-flight internet on demand service provider claimed. So, the first thing to understand is that there is no reason to believe that customer information was actually compromised.  On the other hand, as Bruce Schneier points out in Liars and Outliers, society runs on trust … Continue reading

Being an InfoSec Professional / Cybersecurity

I’m certain that too much certainty is certain failure

I’ve extolled the virtues of false positives before.  Talking about the Boy Who Cried Wolf, I’ve pointed out that the villagers who chose to ignore his false alarms rather than correct his behavior or replace him were taking an unnecessary risk.  The story and a pack of wolves bear me out on this. I still … Continue reading

Being an InfoSec Professional / Cybersecurity / Privacy

Security and Privacy walk into a bar…

There can be no question that Security and Privacy are strongly related.  It would be easier if they were the same thing.  But they’re not, of course; there are differences.   This blog has never shied away from stating the obvious. This post tries to enumerate the significant differences between privacy and security: I.                    They come … Continue reading

Being an InfoSec Professional / Cybersecurity

The other shoe drops: NIST issues version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity

It’s ironic that the new publication from NIST does not have an 800 series numeric designation.   Not that it needs to, but here we all are using those numbers as shorthand (e.g., “I took an 800-30 July 2002 approach because revision 1 from 2012 just seemed too complex for the environment”, “We are looking to … Continue reading