- Email Scams - Will It Ever End?
How Dumb Do You Really Think We Are?
- The Missing Cheney Email
Email - Just Like a Virus it both Spreads and Lingers
- The Perils of Metadata
The Monk Moment - or is it Perry Mason?
- Probing YouTube for Solid Risk Info - What Did I Find? Risk Management Chalk Talks - Masters of the Tellestrator
YouTube for Security and Risk Education
- GIGO Me This (or Is It Just Plain KIBO?)
Garbage In Gospel Out!
- Insurance? Cost of Doing Business? Risk Management Gets the Job Done
Going to the board with a testament from 20 other CISOs on what to do will not move them to opening their wallets. Using your own experience is great but without solid metrics (and they do exist) to support it, your qualitative opinion will only get you so far.
- Like Taking Candy from a Stranger
Last week I crawled out of bed and made my way to my office. When I booted my Windows XP virtual machine I was greeted with the familiar iTunes software update screen informing me of yet another upgrade, patch, or fix for iTunes, or so I thought.
- Truth, Lies, and Data Tapes: The Politics of Dishonesty in IT
You've done it. I've done it. I'm sure we've all done it at some point, but why? I'm not talking about drugs or smoking, but misrepresenting the truth.
- Back to the future ... or at least the recent past
Leopard's Time Machine makes the backup process transparent
- Confessions of a Security Optimist
I used to be a cynic. I wore the black geek t-shirts and firmly believed that the worst would always happen. I used to say things such as "Users are dumb." So what happened?
- Have we all become "Patch Crazy?"
I've heard "Oh, I just can't wait until the next Service Pack" all too often from those loyal users who stand by their software no matter what. Most recently, I've heard it from early adopters of OS X Leopard, but it's the battle cry of Vista users the world over. Have software vendors given up on releasing good software the first time? Are they relying on patches and Service Packs to deliver software that's just decent?
- When DDoS Attacks Become Personal
Two semi-recent events have hit home for many people, introducing them to the Distributed Denial of Service attack, or DDoS. These events have shaken you to the core if you have children or if you are a baseball fan. The events: Hannah Montana and The Rockies trying to sell their tickets to online users only.
- The Identity Holy Grail
Martin Kuppinger has a post up that brings us back to one of the very earlies
- Sizing the Identity Management Market
It is not too often that a press release actually catches my eye.
- Moving identity past "security"
Bruce Schneier has posted an interesting prediction wherein he thinks that the RSA Conference "will shrink like a
- SQL Server : The Real Security Story
SQL Server has come a long way in the past 5 years, though the history seems to linger. Let's look at the recent history and see what the story is with database vulnerabilities.
- Windows Server 2008 Launch Security Highlights
Building upon the progress made in Windows Server 2003, SQL Server 2005 and Visual Studio 2005, Microsoft today launched the new generation of each of these products.
- Jesper Johannsen Does Some Windows Vista Analysis
Okay, so you had some further questions after reading my Windows Vista One Year Vulnerability Analysis. So did Jesper Johannson, but he decided to do the analysis and find some answers. Read here to see what questions he asked ... and then go look at the findings.
- Hannaford spending in RIGHT place?
Recently, Hannaford's CEO announced that his company would "spend millions" to improve their security posture and prevent further data breaches.
- Software Security Serious Sh*t
Recently, my company's Marketing Director pointed everyone to a good article on software security. It talks about the biggest problem with insecure software being lack
- Security Smackdown - part 2
Building on the Security Smackdown blog entry posted earlier this week, here are the 15 topics I asked Mary Ann Davidson o
- Contractors and Laptops
When businesses entrust highly sensitive information (e.g., non-public information of a consumer or valuable trade secret information) to their consultants, a best practice is to preclude the consultant from storing any of the information on its laptop computers. The risk is simply too great: a compromise of the laptop will lead to the business being featured in yet another front page story involving data loss.
- Laptops Gone Wild
Sadly, this is not the title of a new spring break video. Rather, it reflects the continuing growth industry that is lost and stolen laptops. As the number of laptops going missing grows at an ever more alarming rate, many businesses have adopted policies regarding laptop security, tried to better educate their users regarding the security risks associated with this problem, and implemented stronger user authentication and even encryption on laptops containing sensitive information. Proactive businesses are now taking a further step in deploying "phone home" software in their laptops or installing applications that can be triggered remotely to irretrievably erase or encrypt data on a missing laptop. Clearly, these are all steps in the right direction. There are, however, some risks associated with implementing remote erasure software that should be addressed in your contract with the vendor.
- More Thoughts on System Availability
Following up on my comments last week on the need for service level agreements (SLAs) to ensure data availability in hosted environments (e.g., ASPs, SaaS, cloud environments, and other online services), this week brings some further suggestions and considerations for SLAs:
- Red Flag Rules - a scramble among creditors
CSOs subject to the Red Flag Rules of FACTA are scrambling to get compliant before the looming deadline.
- Notes from ISC West
I dropped in on the ISC West show this week in Las Vegas to see what's up in the physical security marketplace.
- eDiscovery: Watch out for FRCP changes!
Changes to the Federal Rules of Civil Procedure are creating a small storm as businesses begin to understand the new rules governing eDiscovery and realize that many of them aren't remotely prepared. Have you spoken with your general counsel today?
- Crews to Port of Houston; Weatherford to California
Recent security leadership changes
- Recent Moves: Prudential, Rackspace, Broadridge Name Security Leaders
Joseph Billy, Jr., former Assistant Director for Counterintelligence, Federal Bureau of Investigation (FBI), has been named Vice President of Global Security, Prudential Financial.
- New CSO Wanted job board is up and running
Movers and Shakers returns to its original commission of tracking job changes among security leaders.