The InfoSec Blog

Why Info Sec Positions Go Unfilled

Anton Aylward — Fri, 25 May 2012 14:19:48 +0000

http://www.infosecleaders.com/2012/05/career-advice-tuesday-why-info-sec-position-go-unfilled/ There are many holes in this, but I think they miss some important points. First is setting IT HR to look for Infosec. That is because many people think InfoSec is a IT function as opposed to an organizational function. This goes in cycles: 20 years ago there was the debate: “Should Infosec report [...]

How to get a job in security

Anton Aylward — Thu, 17 May 2012 11:06:08 +0000

http://www.wired.com/threatlevel/2012/05/airport-security-id-theft/ I often get hit on by wannabes who want to – as they put it – “break into security” and get a job as a security consultant. Perhaps the media has something to do with it, making it look glamorous when in fact it is tedious and requires a lot of study and self-discipline. [...]

If Customers Ask for More Choice, Don’t Listen

Anton Aylward — Tue, 15 May 2012 15:26:33 +0000

http://blogs.hbr.org/cs/2012/05/customers_arent_as_savvy_as_yo.html Perhaps the reason that Apple is ahead with the iPod, iPhone and iPad is that the competitors are offering too much choice. That being said, ‘competitive advantage’ can lead to paralysis. In the auto world, each badge, each product line has an ‘advantage’. But what many customers want is a blend. Suppose you had [...]

An OP-ED by Richard Clarke on China

Anton Aylward — Thu, 05 Apr 2012 12:24:03 +0000

http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html This is better written than most ‘chicken little’ pieces, but please can we have ‘history’ of how most nations, including the USA, have engages in ‘industrial espionage‘. I recall a presentation by CSIS that was making the point that Canada’s greatest threat on the Industrial Espionage scene was France, and France had been practising [...]

Managing Software

Anton Aylward — Sun, 01 Apr 2012 12:33:05 +0000

Last month, this question came up in a discussion forum I’m involved with: Another challenge to which i want to get an answer to is, do developers always need Admin rights to perform their testing? Is there not a way to give them privilege access and yet have them get their work done. I am [...]

Surely compliance is binary?

Anton Aylward — Sat, 24 Mar 2012 15:05:09 +0000

Call me a dinosaur (that’s OK, since its the weekend and dressed down to work in the garden) but … Surely COMPLIANCE is a binary measure, not a “level of” issue. You are either in compliance or you are not. As in you are either deal or alive. Now it may be that some “standard” [...]

Social Engineering and sufficency of awareness training

Anton Aylward — Fri, 23 Mar 2012 11:10:02 +0000

Someone asked: If you have a good information security awareness amongst the employees then it should not a problem what kind of attempts are made by the social engineers and to glean information from your employees. Yes but as RSA demonstrated, it is a moving target. You need to have it as a continuous process, [...]

Orwell: a quarter of a century late

Anton Aylward — Fri, 23 Mar 2012 01:34:28 +0000

http://hdguru.com/is-your-new-hdtv-watching-you/7643/ well 28 years actually … So, the two-way tv sets of Orwell’s novel have arrived, over a quarter of a century late! It just goes to show. Science fiction things like the Star Trek communicator (Motorola flip phones) or the tricorder (some of the enhanced versions of the Newton) or the data Pad (the [...]

About ISO 27001 Risk Statement and Controls

Anton Aylward — Sun, 18 Mar 2012 18:36:33 +0000

On the ISO27000 Forum list, someone asked: I’m looking for Risk statement for each ISO 27k control; meaning “what is the risk of not implementing a control”. That’s a very ingenious way of looking at it! One way of formulating the risk statement is from the control objective mentioned in the standard. Is there any [...]

The 19 most maddening security questions | Security – InfoWorld

Anton Aylward — Wed, 07 Mar 2012 12:46:30 +0000

http://www.infoworld.com/d/security/the-19-most-maddening-security-questions-187983 An interesting list, since it covers issues of public structural security. I recall reading that the greatest contribution to the health of individuals came about from good public sanitation and clean water, that is civic changes (presumably enabled by legislation) that affected the public in a structural manner. What would be on your list? [...]

Naval War College uses Russian software for iPad course material

antonaylward — Tue, 06 Mar 2012 13:38:17 +0000

http://www.nextgov.com/nextgov/ng_20120305_6368.php The Navy’s premier institution for developing senior strategic and operational leaders started issuing students Apple iPad tablet computers equipped with GoodReader software in August 2010, unaware that the mobile app was developed and maintained by a Russian company, Good.iWare, until Nextgov reported it in February. OK so its not news and OK I’ve posted [...]

Please Realize That Piracy is a Service Problem.

Anton Aylward — Fri, 10 Feb 2012 13:50:26 +0000

http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/ The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at “service” when it came to view tapes and DVDs, how they objected even those turned out to be immensely profitable. We all know that and we all know that despite the opportunity for profits that [...]

Upside and downside: How I hate Journalists

Anton Aylward — Wed, 08 Feb 2012 23:30:28 +0000

http://compliancesearch.com/compliancex/insider-trading/senate-votes-to-ban-insider-trading-by-its-members/ And this doesn’t actually stop them form making use of ‘insider information’ they just have to declare it within 30 days. No, wait, sorry … you mean that the legislators are saying that legislators shouldn’t do something that is illegal anyway? Or that, if they do something that is already illegal, it is OK [...]

“Cybercrime” is still Crime and “Cyberfraud” is still Fraud

Anton Aylward — Wed, 25 Jan 2012 13:14:51 +0000

http://www.techsecuritytoday.com/index.php/our-contributors/michael-vizard/entry/lifting-the-veil-on-cybercrime This says it all: At the end of the day, cybercriminal activity is not all that different from more traditional forms of organized crime. Obviously, the way the crime is perpetrated is new, but the ways in which cybercriminals operate is not all that different from anything that has gone on before. Heck, once [...]

The Death of Antivirus Software

Anton Aylward — Tue, 24 Jan 2012 15:27:09 +0000

http://www.infosecisland.com/blogview/19386-The-Death-of-Antivirus-Software.html The real issue here isn’t Ubuntu, or any other form of Linux. Its that AV software doesn’t work. PERIOD. There are over 50,000 new piece of malware developed and released daily. The very nature of the AV software models that John McAfee foisted on the industry simply can’t cope. This isn’t news. Signature-based (and [...]

”My dog knows you don’t look like me”

Anton Aylward — Thu, 19 Jan 2012 12:49:14 +0000

http://www.zdnet.com/blog/identity/darpa-authentication-project-focuses-on-humans-as-secrets/157 So do my cats. But so what? Does this mean that DARPA/USGov will finance the supply of advanced biometrics with every PC from Microsoft or Apples and every Tablet and smartphone? Perhaps eyeball recognition like in “Minority Report“. And I’m sure there are _other_ ways to hack that than the one mentioned in the [...]

How to decide on what DVD backup software to use

antonaylward — Tue, 17 Jan 2012 14:24:57 +0000

You do do backups don’t you? Backups to DVD is easy, but what software to use? Why not simply k3b ? But if it some down to it, there’s a decision tree you can and should work though. Do you want the DVD backup ‘mountable’? If it is then you can see each file and [...]

Doubts about “Defense in Depth”

Anton Aylward — Wed, 30 Nov 2011 15:02:13 +0000

So to have great (subjective) protection your layered protection and controls have to be “bubbled” as opposed to linear (to slow down or impede a direct attack). I have doubts about “defence in depth” analogies with the military that many people in InfoSec use. Read what they are really talking about in those military examples: [...]

On the HP Printer Hack

antonaylward — Wed, 30 Nov 2011 12:45:36 +0000

The hack to make the HP printers burn was interesting, but lets face it, a printer today is a special purpose computer and a computer almost always has a flaw which can be exploited. In his book on UI design “The Inmates are Running the Asylum”, Alan Cooper makes the point that just about everything [...]

Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA …

Anton Aylward — Sun, 13 Nov 2011 16:37:57 +0000

What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I’m asking about a true risk assessment framework not merely a checklist. Yes, this is a bit of a META-Question. But then its Sunday, a day for contemplation… When does something like these stop being [...]