My latest article in Security Current, No Book to Be By, mentions that when it comes to security, there’s no such thing as “by the book”. But I don’t go into it in that article. There I am writing about how a task-based CISO (i.e., a PM promoted to the role) might be the worst … Continue reading
Tag Archives: David Sheidlower
When “it” talks back
Of the thousands of pages in the Harry Potter books, only one sentence ever really seemed to relate to the on-line world. One of the smarter parents in the series admonishes his daughter: ”Never trust anything that can think for itself if you can’t see where it keeps its brain” And, sure enough, then comes … Continue reading
When is a breach notification not a breach notification (revisited)?
When it’s a customer service announcement. At least that’s what one in-flight internet on demand service provider claimed. So, the first thing to understand is that there is no reason to believe that customer information was actually compromised. On the other hand, as Bruce Schneier points out in Liars and Outliers, society runs on trust … Continue reading
Aggregation is biased towards anonymity
Did the EU Court of Justice’s compromise on the right to be forgotten get its inspiration from a US law’s attempt at solving a logistical problem? I’ve written about the bias of aggregation towards anonymity in Anti-Viral, published by SecurityCurrent. In that piece, I show how the EU’s decision reinforces the idea that aggregation, the … Continue reading
I’m certain that too much certainty is certain failure
I’ve extolled the virtues of false positives before. Talking about the Boy Who Cried Wolf, I’ve pointed out that the villagers who chose to ignore his false alarms rather than correct his behavior or replace him were taking an unnecessary risk. The story and a pack of wolves bear me out on this. I still … Continue reading
Security and Privacy walk into a bar…
There can be no question that Security and Privacy are strongly related. It would be easier if they were the same thing. But they’re not, of course; there are differences. This blog has never shied away from stating the obvious. This post tries to enumerate the significant differences between privacy and security: I. They come … Continue reading
In Defense of Compliance
We read it everywhere: “compliance is not enough”. “Security must be more than compliance.” Granted. When the phrase “checking the box” only means working from a compliance checklist and never looking at how your servers are configured, you are vulnerable. When security professionals point this out, they are responding to the well intentioned attitude of … Continue reading
How to lie with risk analyses
How to lie with statistics was written by Yale Professor Darrel Huff in 1954. Now, 60 years later, many things he described as misuse of statistics are common place. He considered it ridiculous, for example, to take the combined years of work experience of the people at a company and add them together and say that the … Continue reading
A new role in data privacy: the searcher
The EU’s efforts to define a right to be forgotten and the recent U.S. Supreme Court decision about how privacy is protected on cell phones go hand in hand. They remind us that the medium is still the message and that there is a new role in discussing data access and control. Why connect these … Continue reading
Best…Practices…Ever
Just like common sense isn’t always common, best practices aren’t always. The best. This matters when describing security controls. And since it seems to be a professional trade secret, I want to come clean about it. There are at least three qualitative ways to describe a security control: How much it complies with something How … Continue reading
{Cyber Security} 