At the RSA Conference today, I attended an excellent panel discussion titled Y U NO HAZ METRICS? The speakers were David Mortman, Jack Jones, Alex Hutton, and Caroline Wong, and the panel was was moderated by John Johnson. The panel discussed risk management more than they discussed specific metrics, which was slightly different than what I expected. However, the panel surpassed my expectations. A commenter towards the end of the session made an analogy which I thought was a good one. He said that risk management is like risotto. It has three basic ingredients, and you put them together and adjust the balance until it tastes good to you. In other words, no two risottos (or risk management programs) will[…]
Category: risk management
Vavada - это онлайн-казино, предоставляющее широкий выбор азартных игр, включая слоты, рулетку, блэкджек и другие. Vavada привлекает игроков разнообразными бонусами и акциями.
The term “black swan event” was introduced by Nassim Nicholas Taleb in the book Fooled By Randomness. Black swan events have three major characteristics: they are rare, they cause a significant or extreme impact, and upon retrospection, they are actually predictable. As described very well in this Wired article, “getting hacked” is a black swan event. While “getting hacked” can mean many different things, let’s take the example as used in the Wired article of having your identity stolen by hackers. It is rare enough that many of us will probably never experience it. Some cases have an extreme impact such as having your identity stolen, losing funds from your bank account, or having your computer or mobile devices wiped. And as this blog and any number of[…]
We are working with a security policy that treats two passwords of equivalent strength: 8 character password with two character sets represented (pick two of upper/lower/number/symbol) 6 character password with three character sets represented (pick three of upper/lower/number/symbol) The question arises, how equivalent (or not) are they? Well, it’s time to do some math. Total Possible Passwords One way to measure password strength is in the total number of passwords that one might be able to generate that meet that criteria. More would be better. There are 26 uppercase, 26 lowercase, 10 digit, and 33 ASCII-printable symbols available on the average keyboard (totaling 95 options). If we simply asked how many possible 6 character passwords are there, you can multiply 95 for[…]
During security assessments, I always make sure they’re performing security testing as part of their development process. This is why: “Apple security blunder exposes Lion login passwords in clear text” No need to go into details as to what happened here; it’s well-researched in the linked article. However, this is exactly the scenario that development security testing is meant to avoid. A seemingly innocent patch disables or circumvents an important security feature. The results are predictable. It could be worse, though. Here’s the worst case: the problem isn’t detected. Because the security was included in the original version, and because nobody checked, it is assumed that the security is in place, and successive updates are made, with the security feature[…]
I’ve had some interesting experiences with two companies recently that I’d like to share. We all do business with companies online: we buy from them, we schedule appointments, we put in support requests, and so on. Today, I very seldom use the mail, and don’t shop in person very often. How these businesses treat customer security is interesting. Some places are very technically savvy and have robust, secure online transactions. Being realistic, though, I know that my dentist’s office does not employ a full-time sysadmin. They buy an off-the-shelf customer care solution and hire someone to install it on their website. Sometimes that’s good, sometimes that’s bad… First was with my mechanic. I like my mechanic – they’ve saved me[…]
A service provider shall not be liable for monetary relief, or, except as provided in subsection (j), for injunctive or other equitable relief, for infringement of copyright by reason of the provider’s transmitting, routing, or providing connections for, material through a system or network controlled or operated by or for the service provider, or by reason of the intermediate and transient storage of that material in the course of such transmitting, routing, or providing connections – 17 USC § 512, from the Cornell University Law School No business is an island. There’s no company that does not, to some extent, rely on other businesses. Business models assume that vendors will be able to assure a steady flow of goods, that[…]