Questions about Schaeffer’s 80% improvement

by adam on November 18, 2009

According to Kim Zetter at Wired, in Senate testimony, Richard Schaeffer, the information assurance director at NSA, claimed that “If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks (…)

ICSA Labs report

by adam on November 17, 2009

In the book, Andrew and I wrote about trading data for credibility. If Verizon’s enthusiasm for sharing their learning is any indication, the approach seems to be paying off in spades. At the Verizon Business blog, Wade Baker writes: Today (…)

Can’t tell the players without a program

by Russell on November 16, 2009

You can’t tell the good guys from the bad guys without knowing the color of their hat. I wish there were some sort of map of the Black Hat ecosystem because it’s hard for non-specialists to tell. Case in point: Virscan.org. Looks like a nice, simple service that scans uploaded files using multiple AV engines with the latest signatures. But it seems *much* more useful to bad guys (malware writers and distributors) than to good guys. Who does it serve?

Rich Mogull’s Divine Assumptions

by alex on November 13, 2009

Our friend Rich Mogull has an interesting post up on his blog called “Always Assume”. In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions. And he (…)

Best Practices in Tax Management

by adam on November 12, 2009

Someone sent me a link to “How to Audit-Proof Your Tax Return: Don’t e-File,” by Paul Caron. In it he quotes a plausible theory that “you are giving the IRS easy electronic access to information it would otherwise have to (…)

CFP: 9th Workshop on the Economics of Information Security (WEIS)

by Russell on November 11, 2009

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science.

Practices: Proven vs. Standard?

by adam on November 11, 2009

In comments yesterday, both Kyle Maxwell and Nicko suggested that “standard” is a better adjective than “proven:” I like Kyle’s “standard” practice, since it makes it clear that you are just following the flock for safety by sticking to them. (…)

How to Use the “Think” Best Practice

by adam on November 10, 2009

After I posted the new Best Practice: Think, Dennis Fisher tweeted “Never catch on. Nothing for vendors (or Gartner) to sell.” Which is true, but that’s not the point. The point is to be able to ju-jitsu your best-practice cargo-culter (…)

Quick Thought: Scenario Planning

by David Mortman on November 10, 2009

I spent yesterday in a workshop learning about and practicing scenario planning. It’s a really great tool for planning for (as opposed to predicting) the future. It feels like it’s a great addition to the risk assessment/management process. Check it (…)

Welcoming A New Addition

by adam on November 7, 2009

Margret Ann Hutton: Congratulations to Alex & Ms. Alex!