One of the biggest issues with security awareness is knowing what it is you are trying to achieve. It’s not enough to just run an awareness program – you have to be trying to drive an outcome. Over a period of time I have defined in my own head a kind of CMM for security […]
I was doing some reading on the distribute.it hack and stumbled onto a reference to a Risky Business podcast on probabilistic risk assessments. It’s a great argument as to why risk assessment does not work well in the information security space. The basic thesis is you can’t assign a probability to a serious attacker. […]
I read No pic, no fly plan for airports in The Age yesterday with a small amount of dismay. It’s always frustrating to see security measures that seem to be more about the appearance of security rather than the reality, and which will negatively impact the users (or travellers in this case). I’m really not […]
Very belatedly I’ve been looking into the Stuxnet worm. Interesting new world we find ourselves in. This thing was surgical – not only damaging the equipment but hiding its footsteps. The question you have to ask though is if this is the one we know about – how many are out there that we don’t?
Network World have an interesting article based on a Forrester research report on iPhone and iPad security, arguing it’s good enough for most cases.
It’s interesting to watch the changing attitude to patching on workstations. I’m probably a bit behind the eight ball on this stuff – patching has never been a favorite subject of mine (I get frustrated with the amount of time and effort patching can take up with no real visible value created). But what’s interesting […]
I was reminded this week about just how bad complexity is for security people. And the problem is complexity is getting worse in our networks. Virtual systems have a lot to answer for here I reckon. I firmly believe that the first question any person should ask when running up a virtual system should be […]