Risk-based security? Hogwash!

Nothing gets my goat as badly as the “risk-based security” talk that has been suffocating discussions lately. It is so pervasive and so obnoxiously delivered that you end up wondering whether the people using the term realise how poorly they understand information security, risk management, and the organisation they support. The Dunning-Kruger effect in action if there ever was one.

Decisions, decisions

To explain what I mean, let’s look at it from the top down: 1. Everything starts with objectives. The things you want to achieve, the stuff you want to do.

Wassenaar Arrangement and dual-use computer code

The Wassenaar Arrangement is frequently mentioned in information security (and in vulnerability research in particular) since the inclusion of computer code as a dual-use good. The Arrangement does not clearly specify what is and isn’t considered a controlled good subject to export controls, which leaves a number of security researchers and long-term thinkers rightfully concerned about the future of security research. The section on dual-use technology that is relevant to software (not crypto) says:

>‘4. A. 5. Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software”.

Smart CISOs know when not to pay attention to the "wisdom of the crowds"

If Apple had followed the ‘wisdom of the crowds’ in 2006-2007 they would never have made an iPhone. If smart CISOs paid too much attention to the Information Risk Leadership Council’s latest article they would be in as much trouble as they purportedly are right now. There is a lot wrong with CISOs who put all their hope and budget into prevention, but the word itself is definitely not the problem. Nor is the solution that CEB IRLC (the Corporate Executive Board’s Information Risk Leadership Council) advocated - although there they just followed NIST’s lead.

Why the cyber debate needs retired admirals and generals to stay out

OK, so the title may be a bit insensitive. A bit. But only until you read, yet again, what some of the best and brightest military minds have to say about cyber security:

>In the early 1980s cyber fiction film, “WarGames,” a young hacker played by Matthew Broderick almost managed to start World War III when he accidentally nearly launched nuclear strikes against the Soviet Union. It seemed unlikely in those relatively primitive days before the widespread use of the Internet, but it foreshadowed the emerging era of the profound intersection of national security and the cyber world.

Australian Attorney-General is his own biggest enemy

I promise not to go through the whole “it’s not identity theft, it’s identity fraud” discussion here. The article misses that point, but that’s to be expected. What really got my goat, though, is the following. McClelland tells us that […] “The survey also revealed that the majority of identity theft or misuse occurred […] through the loss of a credit or debit card (30 percent). Stolen identity information was primarily used to purchase goods or services (55 percent) […]”

Cyber Europe 2010: the same lessons as Cyber Storm II and Cyber Storm III

Fresh from the press comes ENISA’s final report & video clip on ‘Cyber Europe 2010’, the first pan-European cyber security exercise. The report underlines a need for:

• more cyber security exercises in the future,
• increased collaboration between the Member States,
• the private sector’s involvement in ensuring security.

These are largely the same findings as those of Cyber Storm II (2008) and Cyber Storm III (2010). There is always a lot of talk about increased sharing of information, but the reality remains that in the current environment you cannot share information without signing a different non-disclosure agreement for each task force, each special interest group, and each trusted information sharing committee and group.

What We Learned from Anonymous: DDoS is now 3DoS

What this means is that organizations need to think of security as spanning all attack vectors at the same time. It is imperative that organizations protect critical applications against traditional network-layer attack vectors as well as application-layer attacks disguised as legitimate requests. Organizations need to evaluate their security posture and ensure that every infrastructure component through which a request flows can handle the load in the event of a massive “3DoS”. It is not enough to ensure that there is capacity in the application infrastructure if an upstream network component may buckle under the load.