BlogInfoSec.com

Will the Real Sam DeKay Stand Up?

C. Warren Axelrod — Mon, 13 Jul 2009 10:00:45 +0000

Dr. Sam DeKay sent me an open letter via this very blog medium on June 1, 2009. But how do I know the letter is from the same Sam whom I know and admire, and not from some wily interloper who had hacked into the site and was masquerading as Sam? Well, I was able to verify that it was indeed a valid post, since I talked to Sam in person at a NY Metro ISSA meeting on June 10th and he admitted to having actually written the column.

(...)
Read the rest of Will the Real Sam DeKay Stand Up? (490 words)

© C. Warren Axelrod for BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: authentication, Bing, Google, identity theft, mistaken identity, spotlight

Feed enhanced by Better Feed from Ozh

Singular Security

C. Warren Axelrod — Mon, 06 Jul 2009 10:00:20 +0000

As infosec professionals continue to struggle mightily trying keep up with the security and privacy vulnerabilities introduced by new technologies and IT environments, such as Web 2.0, Web 3.0 and Cloud Computing, there is a new game in town … singularity. As I will describe, singularity represents a quantum leap ahead in technology.

(...)
Read the rest of Singular Security (557 words)

© C. Warren Axelrod for BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: artificial intelligence, botnets, Google, grid computing, NASA, Privacy, Singularity Univesity, spotlight

Feed enhanced by Better Feed from Ozh

Cyberspace Policy Review … Motivating the Private Sector

C. Warren Axelrod — Mon, 29 Jun 2009 10:00:28 +0000

You probably know the expression: “Those who ignore history are bound to repeat it.” This is apparently a misquotation of philosopher George Santayana’s opinion that “Those who cannot remember the past are condemned to repeat it.” Santayana published this around 1905-1906. However, the eighteenth-century British statesman and philosopher Edmund Burke is credited with perhaps originating the statement in the form “Those who don’t know history are destined to repeat it.” Whether the history was forgotten or never known, and whether the person doing the ignoring or forgetting is bound, condemned or destined to repeat the past, it is the basic concept that is critical, as has been proven time and time again. Despite our ready access over the Web to all manner of historical information, we still don’t appear capable of doing the necessary due diligence. to know what hasn’t worked in the past and is unlikely to work in the future.

(...)
Read the rest of Cyberspace Policy Review … Motivating the Private Sector (695 words)

Feed enhanced by Better Feed from Ozh

The Power of the Second Derivative

C. Warren Axelrod — Tue, 23 Jun 2009 10:00:44 +0000

We may recall from our calculus courses that the first derivative is the rate of change and the second derivative is the rate of rate of change, so, for example, if we consider distance traveled, then the first derivative is speed and the second derivative is acceleration or deceleration (if negative).

If some statistic, such as the weekly unemployment figure, is accelerating, that is unquestionably bad, but if it is decelerating, that’s considered good, even if the rate is still very high. Of course, it isn’t really good until the rate is low … but you need to decelerate to get there.

So where do we stand with security breaches? Unfortunately, we still appear to be in acceleration mode. Known vulnerabilities and the impact of exploits against them are not just increasing, they are both still accelerating. And there is no end in sight for these trends.

(...)
Read the rest of The Power of the Second Derivative (449 words)

Feed enhanced by Better Feed from Ozh

Here We Go Again … Demoted Security

C. Warren Axelrod — Mon, 15 Jun 2009 11:00:36 +0000

It’s happened again. The security folks present an agenda and it is immediately demoted to a low priority. There’s always some excuse … another higher priority has come on the scene, there is concern that putting resources on security could hamper economic progress, military activities, etc. Time and time again, information security folks have neither the authority nor the will to stand up to detractors. There are those who believe that it is what it is, and that infosec is merely getting the attention that it warrants, based on the priorities of others. It is just such an attitude that has put us into the mess that we are in.

(...)
Read the rest of Here We Go Again … Demoted Security (582 words)

© C. Warren Axelrod for BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: Cybersecurity Review, Larry Summers, Melissa Hathaway, National Security Council, NSC, Obama Administration, Scott Borg, Siobhan Gorman, spotlight, U.S. Cyber Consequences Unit

Feed enhanced by Better Feed from Ozh

We Are Secure and Compliant – You Can Go Now! A Story of a Disturbing Trend

William Sieglein — Mon, 08 Jun 2009 11:00:22 +0000

In the past 2 months several members of my CSO Breakfast Club have been let go from their positions as senior level information security bosses. One was let go from a top 20 law firm, another from an international Fortune 1000 company, and the other from a spinoff of a large, international manufacturing organization. While I realize that 3 people does not make an epidemic, it does signal a trend that is very concerning to me, and hopefully to you.

(...)
Read the rest of We Are Secure and Compliant – You Can Go Now! A Story of a Disturbing Trend (277 words)

© wsieglein for BlogInfoSec.com, 2009. | Permalink | One comment | Add to del.icio.us
Post tags: CISO, cost cutting, fired downsizing, governance, information security governance, IT governance, lost job, spotlight

Feed enhanced by Better Feed from Ozh

An Open Letter to Warren Axelrod: Yes, InfoSec, You’re a Heck of a Job

Sam Dekay — Mon, 01 Jun 2009 11:00:35 +0000

Warren,

I was delighted-although also somewhat surprised-to read your column of April 27, “Infosec, You’re Doing a Heck of a Job!” The article depicted (I think accurately) the existence of a considerable chasm between claims espoused by the information security research industry (as exemplified by the RSA Conference) and the considerably less sanguine assessments of the capabilities of practitioners to prevent exploits and breaches (as reported in The Wall Street Journal and other media). I was surprised, though, by your bleak assessment: “…information security is in the worst state that it has ever been.”

I would like to raise issues concerning your summary of the current state of information security, explore some of the likely reasons for the research chasm, and speculate on possible relationships between the two.

(...)
Read the rest of An Open Letter to Warren Axelrod: Yes, InfoSec, You’re a Heck of a Job (1,067 words)

© sdekay for BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: history of Information Security, management theory, organizational behavior, research and development, RSA, spotlight, Wall Street Journal, Warren Axelrod

Feed enhanced by Better Feed from Ozh

BSIMM – Top Ten Surprises

C. Warren Axelrod — Tue, 26 May 2009 11:00:17 +0000

In a prior column, I described the results of a survey conducted by Gary McGraw, Sammy Migues and Brian Chess published in the BSIMM (Build Security In Maturity Model) report available at http://bsi-mm.com/

Most of the results are intuitively obvious … after the fact, that is. But some of what they found was not. These unusual “surprise” findings are described in an article “Software [In]security: Software Security Top 10 Surprises” available at http://www.informit.com/articles/article.aspx?p=1315431

(...)
Read the rest of BSIMM – Top Ten Surprises (606 words)

© C. Warren Axelrod for BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: application security, Audit, BSIMM, fuzz testing, information security metrics, QA, SDLC, secure development, spotlight

Feed enhanced by Better Feed from Ozh

BSIMM – A Giant Step for Application Security

C. Warren Axelrod — Mon, 18 May 2009 11:00:54 +0000

There’s a new acronym in town – BSIMM. It’s not BSIMM the rapper out of Louisville, Kentucky. But it is BSI-MM, which is how it is depicted in the website from which you can download the 50-page report, namely http://bsi-mm.com/

(...)
Read the rest of BSIMM – A Giant Step for Application Security (501 words)

© C. Warren Axelrod for BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: application security, BSIMM, Building Security in Maturity Model, practices, Software Security Framwork, spotlight, SSF

Feed enhanced by Better Feed from Ozh

Dangers in Solutions Past

C. Warren Axelrod — Mon, 11 May 2009 11:00:52 +0000

In the March 2, 2009 edition of the Wall Street Journal, in the “Theory & Practice” section, Phred (sic.) Dvorak writes an article with the long title: “Dangers Can Lurk in Clinging to Solutions of the Past – Overconfidence, Bad Assumptions Can Cause Management Veterans to Underperform Less-Experienced Colleagues.” Coincidentally it is on page B4.

With such an explicit title, it isn’t even necessary to read the article to get the point. However, the article relates how Rohit Girdhar, who had managed software programmers at GE and product developers at Teradyne for eight years, failed miserably when his project management skills were tested using a computer-simulated exercise.

(...)
Read the rest of Dangers in Solutions Past (524 words)

© C. Warren Axelrod for BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: Enterpise Information Security and Privacy, FSSCC, management, R&D, research and development, spotllight

Feed enhanced by Better Feed from Ozh