Verizon data breach investigations report, Part 2: Outsider attacks 07/03/08 The Verizon Business RISK Team recently published a valuable analysis of four years of data on security breaches among their
clients. The team said, 'In a finding that may be surprising to some, most data breaches investigated were caused by external
sources.' Today I want to explore the implications of that finding.
Verizon data breach investigations report, Part 1 07/01/08 The Verizon Business RISK Team recently published a valuable analysis of four years of data on security breaches among their
clients entitled "2008 Data Breach Investigations Report." Today I want to draw readers' attention to the methodology of this
landmark study.
Improved security raises threat to the unimproved 06/26/08 Reports on the Mississippi River flooding of recent weeks got me thinking about an issue that should concern organizations
that have fallen behind the industry's recently improved standards of security.
Extreme weather and business continuity 06/24/08 Does climate change have any relevance for information assurance and business continuity? My friend and colleague John Orlando,
program director of the Master of Science in Business Continuity Management (MSBC) program at Norwich University, thinks so.
Keep pace with vulnerabilities 06/19/08 Keeping track of the changing threat and vulnerability picture is a challenge for any security or network administration team.
Threats change because of the constant efforts of bad actors who actively seek to exploit known vulnerabilities and to discover
new ones. Vulnerabilities change because of changes in software versions, installation of new hardware or new firmware, installation
of new software patches, and changes in network topology.
Infowar resources 06/17/08 I found some resources in infrastructure protection and information warfare that might interest some readers. This column
will be a bit of a collage of neat infowar stuff that you may have overlooked but that bears attention and even rereading.
LBB2E: Joel Dubin updates his pocket guide 06/12/08 Joel Dubin has just sent me the update of his useful guide to computer security, The Little Black Book of Computer Security.
In October 2005, I published a review of the first edition. I liked the book so much I ordered it for the assigned readings
in one of the seminars in the MSIA program.
Master of Science in Business Continuity Management 06/10/08 Organizations both large and small are implementing BCM systems. Once relegated to the margins of corporate practice as an
aspect of information technology or corporate security, BCM has become recognized as a fundamental aspect of sound business
practice.
10 tips for moving e-discovery into the enterprise 06/05/08 StoredIQ writes: If you work for a mid- to large-sized company - say, one with more than $500 million in revenue - you are
probably familiar with the problems of e-discovery. Your enterprise may routinely face five or more litigation matters each
year, and you have terabytes of unstructured information that you need to sort through in order to find relevant information
and place it on litigation hold. Here are 10 tips for choosing an e-discovery solution that can get up and running quickly,
solve the problems you need it to, and pay for itself within months.
Useful guides to e-mail archiving 06/03/08 Organizations must balance the need for e-mail archives with the costs of storage, including the increasing difficulties that
users face in finding their own messages when they leave their e-mail in undifferentiated electronic piles of ordure. Although
e-mail indexing solutions such as Google Desktop may help users locate messages in years of unstructured archives, they don't
solve the problem of random deletions that may have legal implications if the organization is served with subpoenas for all
documents produced or received in specific date ranges.
Workshop on Economics of Information Security 05/29/08 One of the most difficult problems information-assurance managers face is integrating IA into the financial management architecture
underlying modern organizations. Because of the lack of centralized, verifiable reporting on information security breaches
and their costs, it is impossible to emulate the actuarial statistics common to other forms of loss avoidance such as insurance,
preventive maintenance, and healthcare.
Bordering on insanity 05/27/08 In my last column, I introduced the issue of crossing U.S. borders with encrypted data and advised corporate users to think
carefully about whether to do so. Today I want to discuss the implications of the way U.S. Customs and Border Protection
is demanding decryption keys from travelers and seizing portable electronic devices.
Crossing borders with corporate data 05/22/08 How should organizations handle devices that might cross national borders? One approach is to segregate confidential information
to encrypted external disk drives. The rule could then be that the portable computer can leave the country but that the encrypted
disk drive cannot.
Expanding roles for the CISO 05/20/08 In this series of three columns, I'm reviewing and commenting on ideas in 'A Seat at the Table for CEOs and CSOs: Driving
Profits, Corporate Performance and Business Agility' by Jackie Bassett and Daniel Rothman and edited by Raquel Filipek. Today
I'll finish with a brief summary of the rest of the book.
The CISO as strategic resource 05/15/08 There are five key reasons for CEOs to include CISOs in what I would call strategic planning - thinking about long-term, mission-critical
goals and global processes.
Building a bridge from the CISO to the CEO 05/13/08 Chief information security officers (CISOs), security consultants and other security personnel constantly face the difficulty
of reaching across a cultural divide to communicate our concerns to business leaders such as CEOs and their C-level and board
colleagues. Here are some resources that can help us do that.
Identity Finder helps prevent identity theft 05/08/08 I recently received a well-crafted press release from Identity Finder. CEO Todd Feinman prepared these tips, which you may
find useful for your own internal security newsletters.
Central Ohio InfoSec Summit coming up soon 05/06/08 The Central Ohio ISSA, the Central Ohio ISACA, and the Central Ohio InfraGard chapters have joined together to promote the
first annual Central Ohio InfoSec Summit in Columbus on May 13.
Zapping 'zappers' 05/01/08 In cases of suspected embezzlement via software, I think we have to seize the working system, not only make bitwise copies
of the data but also create a clone of the entire system using hardware that's as close to the original as possible, and then
exercise the clone under tight observation using known inputs as if we were conducting a thoroughgoing software quality assurance
inspection.
Zap! You're under arrest 04/29/08 Richard T. Ainsworth, a lecturer at the Boston University School of Law, has written a fascinating report on the use of 'zappers'
- programs which divert funds for systematic embezzlement of tax obligations. The paper is 'Zappers: Tax Fraud, Technology
and Terrorist Funding.'
Scan ScanSafe's annual report for heuristic experience 04/24/08 Recently, ScanSafe released its 25-page 'Annual Global Threat Report: Trends for January 2007-December 2007.' The report was
written by Senior Security Researcher Mary Landesman. Here are some of the highlights of the report.
Comprehensive security needed to prevent printer hacking 04/22/08 Inadequate authentication and insufficient print activity records can compromise security. In general, there is little or
no control over the IT infrastructure responsible for printing.
Your printer: An open door for hackers? 04/17/08 It turns out that the old problem of misdirected faxes has a new twist: networked printers raise the possibility of misdirected
printouts, and of printer hacking as well.
Managing CSIRT burnout and turnover: a case study, Part 3 04/15/08 We finish MSIA graduate Timothy Dzierzek's case study analysis of burnout and turnover in help-desk and computer security
incident response teams (CSIRTs). This last part of three discusses how his case-study organization ("Smith & Smith" is a pseudonym)
addressed the problems of turnover and finishes with recommendations for readers.
Managing CSIRT burnout and turnover: a case study, Part 2 04/10/08 We continue with MSIA graduate Timothy Dzierzek's case study analysis of burnout and turnover in help-desk and incident-response
teams. This second part of three discusses the problems of turnover at "Smith & Smith" (a pseudonym).