Blog

Top Five Steps to Prevent Data Loss and Information Leaks

By Rich
One of the great things about the Internet is that it allows isolated assholes to connect and communicate like never before. Thus Rothman and I, mere professional acquaintances and friendly faces at a few industry events, can engage in deeper dialog, dragging any of our loyal readers down with us. (Mike and I are the assholes, not you guys. Except maybe for Will). I like it when smart guys like Mike push me; it makes for better analysis. I published a little on data security a few weeks ago, and Mike calls for a simpler approach. I thought about it

Evilsquirrel Enterprises Announces North American Expansion

By Rich
Evilsquirrel Enterprises Announces North American Expansion. Leaders in world domination to expand geographic services. Undisclosed HQ, USA, Oct. 31, 2006 – Evilsquirrel Enterprises, the leading provider of world domination services, announced today that they are leveraging their best-in-class international infrastructure to expand into the North American market. As the preeminent world domination specialists, enterprises now have a truly global provider offering unmatched services and support. “Our success at Evilsquirrel is that we listen to our customers,” said Squirrelzilla, CEO of Evilsquirrel Enterprises. “Their screams of agony feed our

If You Think Boarding Passes and IDs Improve Security, You Shouldn’t Be In Security

By Rich
There’s been a lot of hubbub the past couple of days over Christopher Soghoian posting a tool to let anyone print their own boarding pass. While I’m all for publicizing security silliness, I personally try to avoid things that might invite 2 a.m. non-social visits from the FBI. The thing is, anyone who thinks ID checks and boarding passes provide any security at all to planes (or any public area) shouldn’t be working in security. I spent a lot of time providing security for large crowds and public spaces. IDs and boarding passes are a weak

Security = Compliance, Compliance Rarely = Security

By Rich
Good security will almost always make you compliant (or pretty darn close, not counting all the documentation). Compliance alone will pretty much never make you secure. ‘Nuff said. (Inspired by this from Rothman, who I swear isn’t giving me kickbacks)

Risk Management: Set Your Domain Experts Free

By Rich
The blogosphere is kind of funny sometimes as we all run around referencing each other constantly, so you’ll have to excuse the “my sister’s best friend’s 2nd cousin twice removed’s boyfriend’s bookie” path for this post. (Actually, I really dig all our cross-referencing; I think it creates a cool community of experts). Everything started with Alex Hutton’s What Risk Management Isn’t post, to which Mike Rothman replied, to which Arthur at Emergent Chaos replied. Follow that? Me neither, so here’s most of Arthur’s post (hopefully he doesn’t mind I lifted

The Three Types of Best Practices

By Rich
Jim over at DCS Security (a great new blog) just finished his last in a series of good posts on security layers. He brings up a favorite subject of mine, best practices: Essentially best practices is a bunch of smart (hopefully) guys sitting around in Gartner, Forrester, D&T, PWC, E&Y, SANS, and other groups coming to a consensus on which controls cover the closest to 100% for a given threat they are looking at and which are the best controls to put in place. I hate to dash his hopes, but it turns out that’s not really how

How I Know There Are Very Few

By Rich
Anton Chuvakin eviscerates me here for claiming there are very few 0days (what Shimel is starting to call Less than Zero Days). Come on, Rich? How do YOU know? Given that we know (and you yourself state) that there are very few ways to prevent, block or even detect it … What might be more true is that an average security-sloppy enterprise has more to fear and more to lose from “stale” attacks; however, it is NOT the same as to say that there are few 0days out there. I am stunned when folks make those claims. BTW, check out this list

My Last Pitch for Defining

By Rich
Alan Shimel is reviving the zero day debate and coins a term “less than zero day” for vulnerabilities that are unknown to the public at large. Check out his series starting here, then here, and finally here. Rothman mostly agrees here, but (like me) isn’t enamored of the name. As I stated in my initial support for Alan’s position, I think he’s mostly nailed it. There is a distinct difference between an unknown vulnerability, an unknown vulnerability for which there’s an active exploit, a new vulnerability that’s not patched (what most people call a 0 day),

This is not the Mac security you’re looking for.

By Rich
Arthur over at Emergent Chaos posted an amusing story on an organization’s reason for switching to Macs. It’s security. Just not necessarily what we mean when we say Macs are more secure. Yes, this company installed Windows on Intel Macs since Macs are more secure. We’re not talking virtualization or anything, but taking off OS X and installing Windows XP. I really never thought of that. (updated: direct link to the original story at deadbeat cafe)