Gershwin & Stats…

by alex on October 29, 2010

I’m a nerd, yes.

TSA: Let us Take Nekkid Pics of You Or You Get “Bad Touch”

by alex on October 29, 2010

Apparently, the TSA is now protecting us so well that they make women cry by touching them inappropriately. According to (CNN Employee Rosemary) Fitzpatrick, a female screener ran her hands around her breasts, over her stomach, buttocks and her inner (…)

Read the rest of this entry »

A Letter from Sid CRISC – ious

by alex on October 25, 2010

In the comments to “Why I Don’t Like CRISC” where I challenge ISACA to show us in valid scale and in publicly available models, the risk reduction of COBIT adoption, reader Sid starts to get it, but then kinda devolves (…)

Read the rest of this entry »

Seriously? Are We Still Doing this Crap? (RANT MODE = 1)

by alex on October 20, 2010

These days I’m giving a DBIR presentation that highlights the fact that SQLi is 10 years old, and yet is still one of the favorite vectors for data breaches. And while CISO’s love it when I bring this fact up (…)

Read the rest of this entry »

Re-architecting the internet?

by adam on October 19, 2010

Information Security.com reports that: [Richard Clarke] controversially declared “that spending more money on technology like anti-virus and IPS is not going to stop us losing cyber-command. Instead, we need to re-architect our networks to create a fortress. Let’s spend money (…)

Read the rest of this entry »

Call for Questions: 451 & Verizon DBIR Webinar

by alex on October 13, 2010

Hey everyone. I wanted to mention that Josh Corman of the 451 Group has graciously decided to make a webinar with me on the Data Breach Investigations Report , and has even made the webinar open to the public. So (…)

Read the rest of this entry »

Java Security & Criminals

by adam on October 12, 2010

Brian Krebs has an interesting article on “Java: A Gift to Exploit Pack Makers.” What makes it interesting is that since information security professionals share data so well, Brian was able to go to the top IDS makers and get (…)

Read the rest of this entry »

Society Of Information Risk Analysts (SIRA) Meeting Thursday!

by alex on October 12, 2010

HEY! SIRA Meeting on Thursday – click here for a calendar invite/reminder thingy/.ics file -> http://bit.ly/b5RKl9 In long format: Topic: SIRA RISK OCT – SANS! Date: Thursday, October 14, 2010 Time: 10:30 am, Eastern Daylight Time (New York, GMT-04:00) Meeting (…)

Read the rest of this entry »

Lessons from HHS Breach Data

by adam on October 11, 2010

PHIPrivacy asks “do the HHS breach reports offer any surprises?” It’s now been a full year since the new breach reporting requirements went into effect for HIPAA-covered entities. Although I’ve regularly updated this blog with new incidents revealed on HHS’s (…)

Read the rest of this entry »

Fines or Reporting?

by adam on October 1, 2010

Over at the Office of Inadequate Security, Dissent does excellent work digging into several perspectives on Discover Card breaches: Discover’s reports, and the (apparent) silence of breached entities. I’m concerned that for many of the breaches they report, we have (…)

Read the rest of this entry »