newschoolsecurity.com
Threat Modeling Crypto Back Doors « The New School of Information Security
http://newschoolsecurity.com/2015/05/threat-modeling-crypto-back-doors
Threat Modeling Crypto Back Doors. By adam on May 19, 2015. Today, the Open Technology Institute released an open letter to the President of the United States from a broad set of organizations and experts, and I’m pleased to be a signer, and agree wholeheartedly with the text of the letter. I did want to pile on with an excerpt from chapter 9 of Threat Modeling: Designing for Security. It’s possible to assess the technical security implications of adding such mechanisms.)” Blogs from Ross Anderson.
Why I Don’t Like CRISC « The New School of Information Security
http://newschoolsecurity.com/2010/01/proving-crisc-is-stupid
Why I Don’t Like CRISC. By alex on January 19, 2010. Recently, ISACA announced the CRISC certification. There are many reasons I don’t like this, but to avoid ranting and in the interest of getting to the point, I’ll start with the main reason I’m uneasy about the CRISC certification: we’re not mature enough for a certification in risk management. Don’t believe me? Good for you, I like critical thinkers. So let me offer up a little challenge in using ISACA’s own religion as my proof. Jack Jones and disc...
Checklists and Information Security « The New School of Information Security
http://newschoolsecurity.com/2012/04/checklists-and-information-security
Checklists and Information Security. By adam on April 10, 2012. I’ve never been a fan of checklists. Too often, checklists replace thinking and consideration. In the book, Andrew and I wrote: CardSystems had the required security certification, but its security was compromised, so where did things go wrong? So it took a while and a lot of recommendations for me to get around to reading “The Checklist Manifesto”. So it’s important to understand that checklists don’t replace professional judg... So while ...
The New Cyber Agency Will Likely Cyber Fail « The New School of Information Security
http://newschoolsecurity.com/2015/02/the-new-cyber-agency-will-likely-cyber-fail
The New Cyber Agency Will Likely Cyber Fail. By adam on February 10, 2015. The Washington Post reports that there will be a “New agency to sniff out threats in cyberspace.” This is my first analysis of what’s been made public. Details are not fully released, but there are some obvious problems, which include: “The quality of the threat analysis will depend on a steady stream of data from the private sector” which continues to not want to send data to the Feds. Who was behind it? Monaco called ...
Security 101: Show Your List! « The New School of Information Security
http://newschoolsecurity.com/2015/01/security-101-show-your-list
Security 101: Show Your List! By adam on January 5, 2015. Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords. That’s security 101!” So I’m going to make three requests for 2015: If you’re a reporter and someone tells you “X is security 101” please ask them for their list. Stay up to date–get most of your machines on the latest revisions of softw...
Fear, Information Security, and a TED Talk « The New School of Information Security
http://newschoolsecurity.com/2011/03/fear-information-security-and-a-ted-talk
Fear, Information Security, and a TED Talk. By adam on March 7, 2011. In watching this TEDMed talk by Thomas Goetz, I was struck by what a great lesson it holds for information security. You should watch at least the first 7 minutes or so. (The next 9 minutes are interesting, but less instructive for information security.) Does Brand X firewall work better than Brand Y? And absent knowing, why invest? We’re going to need to move away from fear and to evidence of efficacy. Doing so is going to ... The iss...
Seeking a technical leader for my new company « The New School of Information Security
http://newschoolsecurity.com/2015/07/seeking-a-technical-leader-for-my-new-company
Seeking a technical leader for my new company. By adam on July 30, 2015. We have a new way to measure security effectiveness, and want someone who’ll drive to delivering the technology to customers, while building a great place for developers to ship and deploy important technology. We are very early in the building of the company. The right person will understand such a “green field” represents both opportunity and that we’ll have to build infrastructure as we grow. Tech hiring aligned with budget.
breach reports « The New School of Information Security
http://newschoolsecurity.com/tag/breach-reports
Posts Tagged “breach reports”. A Curmudgeon is a Little Confused by the 2009 DBIR. By Brooke on April 16, 2009. I’ve given Vz’s DBIR a quick perusal. The data are interesting indeed and the recommendations are obvious. There is little new here in the way of recommendations – I guess nobody is listening or the controls are ineffective (or a (…) Read the rest of this entry ». • Tagged as: breach reports. Microsoft Security Intelligence Report. By alex on April 9, 2009. • Tagged as: Add new tag.
PCI & the 166816 password « The New School of Information Security
http://newschoolsecurity.com/2015/06/pci-the-166816-password
PCI & the 166816 password. By adam on June 22, 2015. This was a story back around RSA, but I missed it until RSnake brought it up. On Twitter: “[A default password] can hack nearly every credit card machine in the country.” The simple version is that Charles Henderson of Trustwave found that “90% of the terminals of this brand we test for the first time still have this code.” (Slide 30 of RSA deck.) Now, I’m not a fan of the “ha-ha in hindsight” or “that’s security 101!” Of the standard says: This i...
risk management « The New School of Information Security
http://newschoolsecurity.com/tag/risk-management
Posts Tagged “risk management”. Dear CloudTards: “Securing” The Cloud isn’t the problem…. By alex on September 14, 2010. GeorgeResse pointed out this article http://www.infoworld.com/d/cloud-computing/five-facts-every-cloud-computing-pro-should-know-174 from @DavidLinthicum today. And from a Cloud advocate point of view I like four of the assertions. But his point about Cloud Security is off: “While many are pushing back on cloud computing due (…) Read the rest of this entry ». • Tagged as: Cloud.