I realized that one of the things I didn’t mention in my Security Awareness blog post was that if you’re trying to raise awareness, you should also strive to entertain people (hence the video I recommended). If you can make people laugh, they will be more willing to continue listening or reading. I know [...]
I read yesterday that Google unveiled their Chromebook. If you haven’t been following the news, this is supposed to be a revolutionary way of approaching Personal Computing. Only, it isn’t. ChromeOS is a stripped down version of Linux with security modifications. Google contends on their Security Overview page that “Chrome OS has been [...]
IDS is one of the oldest and most reliable security technologies available. But like any technology, IDS can have shortcomings if the deployment isn’t planned. I’ll briefly talk about three of my favorite misconceptions and how they can be addressed:
IDS sees all – patently false. It only has visibility into what we feed it based [...]
I have split the original post into three parts: introduction, analysis, conclusion.
Analysis
We find out about the vulnerability. Hopefully the researcher contacted us and gave us time to address the issue before going public. We open a defect ticket and our engineers work to reproduce the vulnerability. We then get one of our [...]
I have split the original post into three parts: introduction, analysis, conclusion.
Conclusion
Albert Einstein said that insanity is “doing the same thing over and over again and expecting different results”. Stop the cycle of fire-fighting vulnerabilities in production code. First of all, the impact of a vulnerability can be much more significant than most defects. [...]
I read on Bruce Schneier’s blog that he is writing a new book that links concepts of sociology with information security called “The Dishonest Minority”. He posted his thesis which I think is a very interesting read. He builds his argument by first introducing a discussion on the evolution of morals and reputation [...]
In my experience people generally do the right thing. People also tend to focus on their role which may not include security. I recently drew parallels between infosec and the Militia in “War!”. I talked about evangelism, security awareness training, and accountability. In this post, I will give recommendations for building security awareness.
There’s [...]
The following is a continuation of my personal views on what makes PCI DSS good, bad, and even ugly depending on your perspective. I have split the original post into three parts: introduction and the good, the bad, the ugly and conclusions.
The ugly
The SAQ and compliance for the level 4 merchants. You can see [...]
The following is a continuation of my personal views on what makes PCI good, bad, and even ugly depending on your perspective. I have split the original post into three parts: introduction and the good, the bad, the ugly and conclusions.
The bad
PCI’s most singular strength is that it is prescriptive. Yet, that is also its [...]
This is a 5 part review of using OSSEC for File Integrity Monitor (FIM): introduction to OSSEC, platforms and pre-deployment, deployment, post deployment, conclusions.
Conclusions
I thought that OSSEC was easy to understand, install, and configure but it (like anything worthwhile doing in life) did take an investment of time to figure it [...]