Security Thoughts - comments feed
Blog author: Allen Baranov (http://www.blogger.com/profile/15266570478283454532)
Feed updated: 2023-08-21T12:05:31.383+02:00
Comments: 29 in total, 25 shown in this page of the feed. Several comment bodies are cut off where the feed summary ends.

2022-11-19T05:58:36.964+02:00 - Chimney Cleaning Cary (https://www.chimney-cleaning-repairs.com/us/chimney-repair-north-carolina/chimney-cleaning-cary.shtml)
Loved reading this, thank you.

2022-06-14T23:37:24.999+02:00 - Zoey (https://www.zoehanson.com/)
Loved reading this, thanks.

2009-09-03T05:03:53.340+02:00 - Anonymous
GPL rules... god, people can earn more success with GPL. You're thinking that GPL will lose people money. But with GPL, you can let people find bugs in your program and fix it. It's so simple, so why do you say GPL sucks!? Hmmmm...

2009-01-15T15:20:00.000+02:00 - Anonymous (https://www.blogger.com/profile/03852785044280265442)
Hah! A typical comment from the Chuvakin.

The answer is, in this case, the issue will be so big that the company will know when their competitor(s) start acting in a way that hints at them having access to the compromised company's information.

They may have logs and may have some log program, but the company will probably not have much of an information security plan in place.

2009-01-13T19:59:00.000+02:00 - Anton Chuvakin (https://www.blogger.com/profile/12740087457147758558)
But how will they KNOW that they lost it?

2008-12-01T15:07:00.000+02:00 - Anonymous (https://www.blogger.com/profile/03852785044280265442)
This comment has been removed by the author.

2008-09-05T12:21:00.000+02:00 - Anonymous
I am Paul Fleischer-Djoleto, Ghanaian analyst/programmer with 13 years' experience in the said domain. I will be sitting for the CISSP exams this October. I have been confused by the fact that I saw that the CISSP was not about specific vendor products. So I was always thinking of taking the CCNA after passing the CISSP to complement the CISSP.

After reading "CISSP is here to stay!

2008-07-17T16:27:00.000+02:00 - Anonymous
How about a link to the research that was the impetus for this post? Specifically the Symantec/Verizon research.
Throw me a link via email if you could (txs@donkeyonawffle.org).

2008-07-13T19:05:00.000+02:00 - Anonymous
"the challenge going forward will be for us to create an environment where it is possible to tie down exactly what every single person in the organisation does. Make sure that the technology supports this. Make sure that deviations are blocked.

And on top of that allow for agility.

This is not impossible but it won't be easy. But there won't be turn-key technology solutions to

2008-07-07T09:22:00.000+02:00 - Anonymous (https://www.blogger.com/profile/03852785044280265442)
Michael,

Thank you so much for your comment.

It is very well thought out.

However, your first 3 points are issues with server OS design which are being worked out. You won't get library conflicts on stable versions of Debian or Ubuntu. Perl libraries can be put into different directories, so you can have multiple copies of a Perl library on a server. Point taken though.

2008-07-03T15:47:00.000+02:00 - Michael Janke (https://www.blogger.com/profile/00357905802460949707)
I've seen servers (Unix and Windows) where 'all apps in one' was the sysadmin's preferred mode. They are not pretty. And not all of the reasons for one app per server are due to the poor design of modern operating systems (Unix and Windows).

Library conflicts. Yes, on all platforms, conflicting libraries make a mess out of the all-in-one strategy.
Running with multiple glib/

2008-06-23T15:48:00.000+02:00 - Anonymous
Alan,

Great post. My thoughts closely follow yours.

I was thinking about this issue this weekend. I strongly agree that there is a need for both specialists and "generalists." Another way I like to think of an InfoSec generalist is as a translator. Business people often need someone to help them understand what the technologists are saying, and the technologists often need

2008-06-20T17:14:00.000+02:00 - dre (https://www.blogger.com/profile/17414510788948258195)
"What he really argues is that a "generalist" Information Security position is no longer very important, specialisation is the only way to go."

I totally didn't say that. I said the opposite.

Thanks for the other insights, though.

And CISSP is not here to stay. It's going to be replaced by the OWASP people certification. Read some of the comments and feel free

2008-06-03T06:52:00.000+02:00 - Anonymous
The metrics are not lying, just the understanding of the quantitative methods used to determine them is lacking.

The methods and means of determining valid metrics are perception based and are not scientific.

There are many risk methodologies that are valid and which have been deployed in finance and operational engineering for decades.

Come on, even marketing is

2008-04-30T09:06:00.000+02:00 - Anonymous (https://www.blogger.com/profile/03852785044280265442)
This is just a simple example, and I'm sure a lot of InfoSec departments measure % of machines with up-to-date virus signatures.

The fact is that 90% is better than 80%, but 99% is not nearly as good as 100%.

2008-04-30T02:54:00.000+02:00 - Unknown (https://www.blogger.com/profile/13919644217461896016)
I look at this differently. To me, metrics are useful when the context is understood in a way that allows a story to be told.

In this case, the metrics seem to be flawed - but I would argue the wrong things are being measured. Stated differently, the challenge is knowing what to measure and how to find it.

2008-04-30T01:07:00.000+02:00 - Richard Catto (https://www.blogger.com/profile/03143030488851675036)
I have had this happen to me once before. I got a virus even though I have up-to-date anti-virus software installed on my PC.

I caught the virus via a web page with malware on it.

I had to discover how to rid my machine of the virus manually.
I found instructions online, but it took a while before I managed that feat.

The virus blocked my access to certain known

2008-04-29T17:15:00.000+02:00 - Unknown (https://www.blogger.com/profile/13259421662913673571)
Metrics don't lie, they're just interpreted badly.

2008-03-20T19:37:00.000+02:00 - rybolov (https://www.blogger.com/profile/09022232218670789122)
I thought you were reading my mind when I saw the title. I read this article by Malcolm Gladwell last night: "Wrong Turn: How the fight to make America's highways safer went off course" (http://www.gladwell.com/2001/2001_06_11_a_crash.htm).

2008-03-20T17:26:00.000+02:00 - Anonymous
Hey Allen, interesting article (esp. in context of recent breaches).

"I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about "self protection" laws like safety belt laws.
The thing is that the government is stepping in only because people are very bad at self regulation."

A couple of points -

PCI is about the

2008-03-20T16:13:00.000+02:00 - RU_Trustified (https://www.blogger.com/profile/05287332677529399371)
"Once we can define a process and what information is used in it, who does it and when it happens - bingo - we can secure the process from start to finish."

Allen, you will notice that your statement reflects the usual object-centric approach to data classification. The final step is to determine who you trust (in user roles) with the data.

We take a different approach. We

2008-01-28T21:38:00.000+02:00 - Anonymous
Looks like that may have already happened today!

2008-01-17T18:46:00.000+02:00 - Andy, ITGuy (https://www.blogger.com/profile/09237512546845510001)
Allen,
WOW! I'm very honored to be at the top of your list. I agree that we do have lots in common. Even though we are a long, long way apart, I hope that one day we get the opportunity to meet.

Keep up the good work on the blog and in protecting the data!

2007-08-17T09:25:00.000+02:00 - Anonymous (https://www.blogger.com/profile/03852785044280265442)
Andy, I thought the same, but I think that it should be a risk for all stores even if they do a good job of security.

But if they do a good job then the risk of them being hacked and having to pay out is less.

Your way leads to Bruce Schneier's security theater, where companies will work harder to look like they are doing the right thing so they can prove they weren't negligent

2007-08-16T18:56:00.000+02:00 - Andy, ITGuy (https://www.blogger.com/profile/09237512546845510001)
Allen, I like this law if they can prove that the retailer was really negligent in securing the data. If they have done a good job and still got owned, it's a different story. There are too many shops out there that just don't do security, and if they want to collect $ via CC then they need to play in the big leagues.