Security professionals feel no great joy in being right about patching. The past two months have been a period of “I told you so” moments for anyone who has ever had to have the conversation with a sysadmin about the importance of patching (it’s been a long time for me but the memory lingers). …
Tag Archives: Information Security
Awareness training always has an attitude
A lot depends on why you think you’re training people. That motivation comes through in the attitude. And that attitude has a lot to do with how successful the training is. By my estimate, there are any number of nuanced attitudes but they more or less gravitate to one of three motives: We’re training you …
Depends what you mean by “guest” and other musings about WiFi
This is not primarily about the security of attaching to a wireless access point (WAP). But since communication is a two-way affair, let’s start with the endpoints and get them out of the way: You are more likely to have your purse snatched at a train station than in your living room. And the …
The internet is not a highway, but security is like driving a car
I think it is safe to say that the internet is not an information superhighway anymore. Maybe it was once, but now the interstates are threatening to become toll roads, the blue highways have sponsors and so many things are on the internet that if you do make a wrong turn you could literally end …
The “Big” Risk Transfer
There is time between those risk management milestones. During that time, risk is in limbo. During that limbo, it’s the CISO that owns the risk. Orchestrating the transfer of risk to the appropriate risk owner is one of the most underappreciated things that a CISO does. Here’s a hypothetical example: let’s say that there …
Big Data and the Paleolithic
Inference is the core technique for determining what happened for which you have little or no data. Lewis Mumford was dissatisfied with the stone tools that had been found all over the world and dated back hundreds of thousands of years. Not because he did not consider them telling of the state of technology employed …
Hooked on hacks
To distort a phrase from media criticism: if it HEARTBLEEDS, it leads. I have no proof of this, but I am guessing that the number of journalists that now have experience writing about cybersecurity events has increased dramatically in the past year. Big breaches have always been news, but with a cluster of them occurring …
When is a breach notification not a breach notification (revisited)?
When it’s a customer service announcement. At least that’s what one in-flight internet-on-demand service provider claimed. So, the first thing to understand is that there is no reason to believe that customer information was actually compromised. On the other hand, as Bruce Schneier points out in Liars and Outliers, society runs on trust …
Aggregation is biased towards anonymity
Did the EU Court of Justice’s compromise on the right to be forgotten get its inspiration from a US law’s attempt at solving a logistical problem? I’ve written about the bias of aggregation towards anonymity in Anti-Viral, published by SecurityCurrent. In that piece, I show how the EU’s decision reinforces the idea that aggregation, the …
Security and Privacy walk into a bar…
There can be no question that Security and Privacy are strongly related. It would be easier if they were the same thing. But they’re not, of course; there are differences. This blog has never shied away from stating the obvious. This post tries to enumerate the significant differences between privacy and security: I. They come …