According to Kim Zetter at Wired, in Senate testimony, Richard Schaeffer, the information assurance director at NSA, claimed that “If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented.” I’m trying to find if that’s the FDCC (Federal Desktop Core Configuration), [...]
Filed under: Reports and Data by adam on Wednesday, November 18, 2009
In the book, Andrew and I wrote about trading data for credibility. If Verizon’s enthusiasm for sharing their learning is any indication, the approach seems to be paying off in spades. At the Verizon Business blog, Wade Baker writes: Today ICSA Labs (an independent division of Verizon Business) released a report based on testing results [...]
Filed under: Reports and Data by adam on Tuesday, November 17, 2009
You can’t tell the good guys from the bad guys without knowing the color of their hat. I wish there were some sort of map of the Black Hat ecosystem because it’s hard for non-specialists to tell. Case in point: Virscan.org. Looks like a nice, simple service that scans uploaded files using multiple AV products with the latest signatures. But it seems *much* more useful to bad guys (malware writers and distributors) than to good guys. Who does it serve?
Filed under: Uncategorized by Russell on Monday, November 16, 2009
Our friend Rich Mogull has an interesting post up on his blog called “Always Assume“. In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions. And he offers a simple, pragmatic process for assumptions which is mainly scenario development, justification, and action. [...]
Filed under: Science of Risk Management by alex on Friday, November 13, 2009
Someone sent me a link to “How to Audit-Proof Your Tax Return: Don’t e-File,” by Paul Caron. In it he quotes a plausible theory that “you are giving the IRS easy electronic access to information it would otherwise have to enter, enabling the agency to examine your return and mine the data more easily than [...]
Filed under: best practice, Uncategorized by adam on Thursday, November 12, 2009
The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science.
Filed under: Conferences by Russell on Wednesday, November 11, 2009
In comments yesterday, both Kyle Maxwell and Nicko suggested that “standard” is a better adjective than “proven”: I like Kyle’s “standard” practice, since it makes it clear that you are just following the flock for safety by sticking to them. Perhaps we should call them “flocking standard practice.” I do think there’s an important difference, [...]
Filed under: best practice, Uncategorized by adam on Wednesday, November 11, 2009
After I posted the new Best Practice: Think, Dennis Fisher tweeted “Never catch on. Nothing for vendors (or Gartner) to sell.” Which is true, but that’s not the point. The point is to be able to ju-jitsu your best-practice cargo-culter into submission. For example: Cargo-culter: We don’t need a review, this project complied with all [...]
Filed under: best practice, Uncategorized by adam on Tuesday, November 10, 2009
I spent yesterday in a workshop learning about and practicing scenario planning. It’s a really great tool for planning for (as opposed to predicting) the future. It feels like it’s a great addition to the risk assessment/management process. Check it out.
Filed under: Uncategorized by David Mortman on Tuesday, November 10, 2009
Margret Ann Hutton: Congratulations to Alex & Ms. Alex!
Filed under: Uncategorized by adam on Saturday, November 7, 2009