The InfoSec Blog

Audit Frequency

Anton Aylward — Sat, 20 Jun 2009 11:59:30 +0000

In one of the forums I subscribe to the question came up “How often should one carry out an internal audit?” There were variations on this to do with external audits as well. Lets suppose you aren’t one of the relicrant types that take the attitude that audits aren’t necessary or that an audit [...]

Technology does not fix process

Anton Aylward — Sat, 20 Jun 2009 11:49:18 +0000

A number of people outside InfoSec have pointed this out to me and I thought I’d pass it along with a couple of observations. The first is of course the (ISC)2’s motto “Security Transcends Technology” and the second is Marcus Ranum’s comment: “If you think that technology can solve your problems then you don’t understand technology and you [...]

Does the Certified Ethical Hacker add value to a CISSP

Anton Aylward — Fri, 19 Jun 2009 11:53:17 +0000

A young colleague asked about the value of the CEH certification. Would it “Add Value” to his existing CISSP? The syllabus looked interesting to him and he wondered how prospective employers would view this. This was my reply: There are TEN domains to the CISSP’s CBK. People come to security from many walks of life [...]

The U.S. has 18 percent of its machines controlled by botnets

Anton Aylward — Tue, 05 May 2009 16:07:30 +0000

http://blogs.zdnet.com/BTL/?p=17459&tag=nl.e589 A short while ago I read an article that tried to present both sides of the issue of whether companies should shut down their desktop machines at night. The ‘pro’ was of course the saving of electricity - all good and “Green“. The ‘con’ was that this saving would be offset by the cost in time as [...]

Famous Last Words

antonaylward — Thu, 02 Apr 2009 12:33:22 +0000

My favourite ‘famous last words‘ are “I wonder what this button is for” Mind you, one job I had that worked the graveyard shift, we had a TV tuned to the late night Axe murder horror movie channel. They get to look funny after a while ‘cos they are so hackneyed. Scenes such as walking backwards though the [...]

Vulnerability Management - The Next Fad?

Anton Aylward — Mon, 16 Mar 2009 13:22:57 +0000

The article is at http://securitywatch.eweek.com/flaws/vulnerability_management_payoff_requires_roadmap.html but I find it ominous. Vulnerability management may be the next big thing in terms of IT security strategy, but deriving the maximum value out of your efforts requires hard work and a comprehensive plan, industry insiders recognize. Well at least the author admits its not the next “Silver Bullet“! Speaking at the SOURCE Boston conference this week, [...]

Couldn’t happen to a nicer buncha guys …

antonaylward — Thu, 05 Mar 2009 13:01:28 +0000

An independent security consultant describes how vulnerabilities in unpatched releases of the Zeus crimeware kit are being exploited by hackers in order to steal resources from their fellow criminals. The security researcher has come across an interesting posting made by a botnet runner, who asks for help to secure his infrastructure after being compromised several times by other hackers. http://news.softpedia.com/news/Cyber-criminals-Target-Their-Own-Kind-105728.shtml

Yes! It’s the cardboard PC!

antonaylward — Thu, 05 Feb 2009 14:30:23 +0000

I would hate to have to do a risk analysis on the use of these! Oh, and then there’s Bamboo! http://www.reghardware.co.uk/2008/12/02/asus_bamboo_laptop/ What’s next? Soy? Hemp? Related articles by Zemanta Carry Your Laptop and Still Be Eco-Friendly (geeksugar.com)

Network Segmentation is Common Sense

Anton Aylward — Mon, 26 Jan 2009 14:41:31 +0000

On one of the professional forums I subscribe to there was a request for “references” to justify the separation of development and production networks and facilities. It seems some managers “don’t get it” when it comes to things like change control and undocumented and unplanned changes. Many guidelines discuss this, but its seems that some [...]

This should go down really well in homes for the deaf

Anton Aylward — Mon, 19 Jan 2009 14:24:41 +0000

http://www.reghardware.co.uk/2009/01/17/ces_video_hitachi_gesture_tv/ Every casual comment will make the TV do something (probably undesired). Not every security flaw is an opportunity for hackers!

The IDE of Choice: VI

antonaylward — Wed, 17 Dec 2008 14:24:48 +0000

I do a bit of work on the fringe of the Ruby community, and the Mac is popular there along with an IDE or two. However I’m beginning to see a few articles to the effect that the IDE is getting in the way after a point and that reverting to your favourite text [...]

Stolen laptop leads to drug bust

Anton Aylward — Mon, 01 Dec 2008 13:06:17 +0000

So when I see a laptop valued at $9,000 I get to wonder. If this hadn't been recovered and the owner tried to claim that amount on his insurance policy I wonder what the reaction of the insurance company would have been.

People under extreme stress may behave unpredictably and have limited capacity for rational thought

Anton Aylward — Thu, 27 Nov 2008 14:10:16 +0000

"People under extreme stress may behave unpredictably and have limited capacity for rational thought"

Going Rogue

Anton Aylward — Tue, 11 Nov 2008 16:02:24 +0000

In this article at TechRepublic, Tom Olzak tries to address the issue of insider threat by talking about why your employees might ‘go rogue’. I think he completely misses the point by discussing the motivation for spies and convicted traitors. This is a different class of people from toss that commit financial fraud [...]

Internet addiction defined

Anton Aylward — Mon, 10 Nov 2008 14:52:10 +0000

http://www.engadget.com/2008/11/10/internet-addiction-defined-in-china-entire-engadget-staff-now-o/ Is a “dependency” the same as an “addiction“? Many businesses and business processes, to say nothing of Government, are now _dependent_ on the Internet. Its a key part of our economy, not just our lifestyle. The world could possibly give up cell-phones but I doubt it could give up the ‘Net and continue without [...]

Cyber-terrorism will be punishable by death

Anton Aylward — Mon, 10 Nov 2008 12:53:39 +0000

http://www.dailytimes.com.pk/default.asp?page=2008\117\story_7-11-2008_pg1_8 Only in Pakistan? Shame! The penalty is limited to an offence that ‘causes death of any person’, according to the ordinance that will be considered effective from September 29. And, thinking of the “for want of a nail” poem, how indirect does this causality have to be? OK, I can see zapping someone’s pacemaker, but how about [...]

New Words

Anton Aylward — Mon, 20 Oct 2008 14:14:54 +0000

A non-native English speaker I was in correspondence with thanked me for helping expand his vocabulary. It occurs to me that understanding English grammar and the use of prefixes and suffixes cn also help expnad your vocabulary. Here are some words not often found IN dictionaries. (Of course this is British English spelling, American English [...]

All I Need To Know About Project Management I Learnt From My Cats

Anton Aylward — Fri, 22 Aug 2008 14:29:24 +0000

The most interesting, creative, fun and innovative people don’t run with the pack. You’re a leader because your team believes you are worth following, not because you are appointed leader. You don’t lead by giving orders, you lead by motivation. Don’t expect to generate consensus easily, and be very suspicious when it occurs other than spontaneously. ‘Who’s to blame’ is the [...]

Are Mission Statements High Entropy?

Anton Aylward — Fri, 22 Aug 2008 14:08:35 +0000

My friend and fellow security droid Gary Hinson asked why so many corporate mission statements end up being utter gibberish, with more meanings than bits. Hmm. A ‘bit’ being, according to /usr/share/units.dat, a measure of entropy. No Gary, I think that corporate mission statements, like political party policies, are high entropy. and with a high negative correlation with [...]

Billion and Billions.

Anton Aylward — Fri, 22 Aug 2008 14:00:24 +0000

No, not a Google its a Sagan! I’m sure that like me you get mails that read something like From:Mr.John Lewis Phone No: 44-702 409 9061 This is to inform you that your funds of US$15 Million has been approved for immediate delivery to you. For the purpose of clarification,you are advised to reconfirm your Full Names,Direct Telephone Numbers,Physical Address with Zip Code [...]