SECTOR Sniffing: It Smells, as does the Response

by adam on October 15, 2009

Apparently, at the SecTor security conference, someone tapped into the network and posted passwords to a Wall of Sheep. At the SecTor speakers dinner, several attendees were approached by colleagues and informed that their credentials appeared on the “Wall of (…)

Read the rest of this entry »

New Best Practice: Think

by adam on October 14, 2009

Since anyone can declare anything a best practice in information security, I’d like to add my favorite to your list. Think. Thank you.

Visual Complexity Web Site

by Russell on October 10, 2009

VisualComplexity.com intends to be a unified resource space for anyone interested in the visualization of complex networks. While it may not contain any examples specific to information security, there may be some methods and ideas that can be adapted to InfoSec.

The Cost of a Near-Miss Data Breach

by Russell on October 6, 2009

Near misses are very valuable signals regarding future losses. If we ignore them in our cost metrics, we might make some very poor decisions. This example shows that there is a qualitative difference between “ground truth data” (in this case, historical cash flow for data breach events) and overall security metrics, which need to reflect our estimates about the future, a.k.a. risk.

Botnet Research

by David Mortman on October 6, 2009

Rob Lemos has a new article up on the MIT Technology Review, about some researchers from UC Santa Barbara who spent several months studying the Mebroot Botnet. They found some fascinating stuff and I’m looking forward to reading the paper (…)

Read the rest of this entry »

Changing Expectations around Breach Notice

by adam on October 5, 2009

Earlier this month, the Department of Health and Human Services imposed a “risk of harm” standard on health care providers who lose control of your medical records. See, for example, “Health IT Data Breaches: No Harm, No Foul:” According to (…)

Read the rest of this entry »