Comments for The New School of Information Security

Comment on Why I Don’t Like CRISC by IT AUDIT

IT AUDIT — Wed, 16 May 2012 16:05:54 +0000

I know an IT Auditor who was just given the CRISC Cert because he is a member of ISACA, when they introduced the cert so he was grandfathered the CERT. and this guy knows nothing of IT, has no IT background, and from working with him I think he makes stuff up that he thinks is validate his existence here. I think he is a member of ISACA, and now a Chapter leader to have something to account for him of nothing at all.

Comment on Why Sharing Raw Data is Important by hrbrmstr

hrbrmstr — Fri, 11 May 2012 20:47:54 +0000

Thx for the kind words! I’m glad there’s an upward trend in information sharing in general and am optimistic that we will indeed start seeing more raw data sources being published alongside reports such as this.

With the increasing number of free services (Google Drive/Apps, Dropbox, etc) there is little-to-no cost for organizations and our particular community has extremely talented and creative individuals (I think particularly of some of the recent pusblished analysis by @jayjacobs) who really can do very creative and useful analytics and visualizations that original authors might not have looked at, not to mention the potential for normalization and aggregation across sources.

Comment on Why Sharing Raw Data is Important by Chris

Chris — Fri, 11 May 2012 19:04:59 +0000

Absolutely.

With respect to breach reports in particular, access to the reporting forms and other information provided to the government is also highly desirable. One thus has the same tangible sources, and can therefore take the analysis in a direction about which the original report preparer (or dataset creator was not intetrested.

This is one reason some of us are enthusiastic about FOIA as a research tool.

Comment on How to mess up your breach disclosure by Maureen Robinson

Maureen Robinson — Wed, 02 May 2012 13:35:11 +0000

Hello,
Even though the responsibility for the data breach belonged to the security vendor, we believe it was the affected companies responsibility, Visa and MasterCard, to announce the data breach to their customers, since they were directly prejudiced. Once the rumors got out of control, the 2 companies looked guilty in the eye of the public opinion. Please find here some considerations in regards to where to responsibility lies and how to train people to counter malicious acts: http://blog.securityinnovation.com/blog/2011/07/to-err-is-human-to-hack-is-well-human-too.html

Comment on Checklists and Information Security by atorm

atorm — Sat, 28 Apr 2012 19:59:01 +0000

I’ve started writing about the future of security compliance, would be nice to hear your thoughts: http://wp.me/p2mKzA-5

Comment on Doctors Make Mistakes. Can we talk about that? by Data Driven Security Presentation

Data Driven Security Presentation — Tue, 17 Apr 2012 14:00:38 +0000

[...] Ted Talk – Doctors Make Mistakes, Can We Talk About That? [...]

Comment on Why I Don’t Like CRISC, Day Two by Bill Clancy

Bill Clancy — Fri, 13 Apr 2012 16:30:38 +0000

I think risk is often talked about, but seldom undrestood. (Myself included). I’m as guilty of collecting certs as the next guy, but I figure if industry likes a string of letters after my name, I’ll play… especially if work is willing to finance my effort.
As far as the CRISC itself is concerned, I’m glad someone is paying attention to the science of risk. Places I work (DOD installations) always talk about risk, but are mostly clueless when actually trying to quantify it. Time will tell if the CRISC can mature past it’s current infant state.

Comment on Checklists and Information Security by Cliff Barbier

Cliff Barbier — Thu, 12 Apr 2012 19:16:50 +0000

I’d like to expand the items on your checklist slightly, simply because I find compound checklist items more difficult to grok.

1. Have you addressed the immediate concerns?
a. Have you addressed the breach?
b. Have you gotten the attackers out?
2. Have you notified all appropriate parties?
a. Have you notified management?
b. Have you notified regulators?
c. Have you notified shareholders?
d. Have you notified customers?
e. Have you notified all other stakeholders not already mentioned?

Et cetera, et cetera.

Comment on Checklists and Information Security by Jared

Jared — Tue, 10 Apr 2012 17:35:11 +0000

Excellent post. I add the following to your alpha:
- Did the failed controls have a metric?
If yes, was the target appropriate?
If no, should you periodically measure performance and what is the initial target value?

Honest question: Why don’t checklists include performance measurement beyond periodic audits?

I think it’s because the checklist stakeholders believe measurement is too expensive. Until they have an incident, they’re correct. Perhaps we need another question on the checklist:
Has management made the explicit decision to wait for an incident before investing in control performance measurement?

Comment on Dear FBI, Who Lost $1Billion? by Timmay

Timmay — Mon, 09 Apr 2012 14:13:04 +0000

Or Clarke is just *still* full of shit. Occam’s Razor. http://stickyboy.livejournal.com/497466.html