Blog

Risk Management: Set Your Domain Experts Free

By Rich
The blogosphere is kind of funny sometimes as we all run around referencing each other constantly, so you’ll have to excuse the “my sister’s best friend’s 2nd cousin twice removed’s boyfriend’s bookie” path for this post. (Actually, I really dig all our cross referencing, I think it creates a cool community of experts). Everything started with Alex Hutton’s What Risk Management Isn’t post, to which Mike Rothman replied, to which Arthur at Emergent Chaos replied. Follow that? Me neither, so here’s most of Arthur’s post (hopefully he doesn’t mind I lifted

The Three Types of Best Practices

By Rich
Jim over at DCS Security (a great new blog) just finished his last in a series of good posts on security layers. He brings up a favorite subject of mine, best practices: Essentially best practices is a bunch of smart (hopefully) guys sitting around in Gartner, Forrester, D&T, PWC, E&Y, SANS, and other groups coming to a consensus on which controls cover the closest to 100% for a given threat they are looking at and which are the best controls to put in place. I hate to dash his hopes, but it turns out that’s not really how

How I Know There Are Very Few

By Rich
Anton Chuvakin eviscerates me here for claiming there are very few 0days (what Shimel is starting to call Less than Zero Days). Come on, Rich? How do YOU know? Given that we know (and you yourself state) that there are very few ways to prevent, block or even detect it … What might be more true is that an average security-sloppy enterprise has more to fear and more to lose from “stale” attacks; however, it is NOT the same as to say that there are few 0days out there. I am stunned when folks make those claims. BTW, check out this list

My Last Pitch for Defining

By Rich
Alan Shimel is reviving the zero day debate and coins a term “less than zero day” for vulnerabilities that are unknown to the public at large. Check out his series starting here, then here, and finally here. Rothman mostly agrees here, but (like me) isn’t enamored of the name. As I stated in my initial support for Alan’s position, I think he’s mostly nailed it. There is a distinct difference between an unknown vulnerability, an unknown vulnerability for which there’s an active exploit, a new vulnerability that’s not patched (what most people call a 0 day),

This is not the Mac security you’re looking for.

By Rich
Arthur over at Emergent Chaos posted an amusing story on an organization’s reason for switching to Macs. It’s security. Just not necessarily what we mean when we say Macs are more secure. Yes, this company installed Windows on Intel Macs since Macs are more secure. We’re not talking virtualization or anything, but wiping OS X and installing Windows XP. I really never thought of that. (Updated: direct link to the original story at deadbeat cafe)

It’s Time to Turn Off WiFi and Bluetooth When Not In Use (Mac or PC)

By Rich
A little birdie pointed me to the latest post over at the Metasploit blog. For those of you who don’t know, Metasploit is the best thing to hit penetration testing since sliced bread. To oversimplify, it’s a framework for connecting vulnerability exploits to payloads. Before Metasploit it was a real pain to convert a new vulnerability into an actual exploit. You had to figure out how to trigger the vulnerability, figure out what you could actually do once you took advantage of it, and inject the right code into the remote system to actually do something. It

Apple, Security, and Trust

By Rich
Before I delve into this topic I’d like to remind readers that I’m a Mac user and Apple fan. We are a 2 person, 2 Mac, 3 iPod, 2 Airport Express household, with another Mac in the plans this spring. By the same token I don’t think Microsoft is evil and consider some of their products to be quite good. That said I prefer OS X and have no plans to switch to Vista, although I’ll probably run it in a virtual machine on my Mac. What I’m about to say is in the nature of protecting, not attacking,

Are Phishers Getting Lazy?

By Rich
I’ve noticed a marked decrease in the customer service from my phishers. Lately spam messages have been originating from “On-line Bank” and other generic addresses. Spelling mistakes are returning, and links no longer even pretend to go to a real bank’s site. Where’s the customer service, guys? What’s wrong, is my business no longer important to you? Can’t you even make the effort to personalize your fraudulent messages and entice me with your ever-so-mangled, yet poetic, use of English? Phishing must be big business these days because, like other big businesses, they no longer seem

Data Protection- it’s More than A + B + C

By Rich
Stiennon covered the McAfee/Onigma deal over at Threat Chaos this weekend. Although I knew about the deal, I try to avoid vendor/industry coverage here at Securosis, and, to be honest, it really isn’t worth covering. (Onigma is tiny and agent based, not really the direction the market is heading, and by the time McAfee integrates the tech they’ll be WAY behind the ball). But Richard does make an interesting statement, defining data protection as leak prevention + encryption + device management. It’s a reasonable start, but far too narrow. For the past 5 years I’ve covered data