Blog
Insights for Reasonable Cyber Security and Compliance
What’s happening in the world of cybersecurity? How do you define 'reasonable' security controls? Which cyber threats can be prevented? What steps should you take to make your systems safer? Read our blog posts to gain new insights into cybersecurity news, security awareness, the latest threats and risks, penetration testing, compliance, regulations and so much more.
While Technological Security Risks Are a Possibility, Management Security Risks are a Certainty
Most of my information security focus these past few years has concentrated on managing risks and governance, but this was not always the case. I came into this profession as a technologist and manager who focused on team building, turnarounds and doing a lot with few resources. But as my career moved from technology operations to security, it also moved from technology to governance. I chose this path on purpose, and as I tell the few techies who have asked, I did it for one main reason: while technological security risks are always a possibility, management security risks are a certainty. (more…)
Next-Gen Malware Defense
‘Malware’ has come a long way to become next-gen malware: from mere nuisance applications coded by bored engineering students for notoriety, all the way to professionally developed stealth applications built for financial gain and for stealing state secrets. According to Verizon’s 2012 Data Breach Investigations Report, 69% of the breaches were attributed to malware infections. The business impact of such advanced malware runs to billions of dollars and a massive loss of intellectual property. The growing complexity of malware and the risks it poses to business assets are a universal concern of risk managers all over the world. (more…)
Password Facts & Tips for Secure Online Presences
Understand the importance of password safety. Every time Americans tune into the Nightly News and hear about the latest cyber attack, it sends millions of us to our computers to check and change our passwords. That’s because while most of us know we should use a unique username and password combination for each and every online account, we don’t. The reasons vary from sheer laziness to forgetfulness. After all, we’re only human, right? (more…)
Risk Acceptance Levels: Managing the Lower Limits of Security Costs
Last week I presented a topic here at Halock’s blog site on the Hand Rule, also known as the “Calculus of Negligence.” The basic message of the post was that we can use information risk assessments to help us keep our security costs to a reasonable level, but only by describing how we would arrive at the upper limits of a reasonable security cost. Be sure to read The Hand Rule: Managing the Upper Limits of Risk Management in order to understand the full point of this posting. (more…)
Has The OWASP Top 10 Been Effective For Web Applications?
Author: Todd Becker, PCI QSA, ISO 27001 Auditor
OWASP just released a new Top 10 for 2013, updating the list of key web application security weaknesses to reflect the evolution of the highest risk vulnerabilities. While everyone loves a good top 10 list, the fundamental question I wrestle with is, has the OWASP Top 10 been effective? (more…)
Insecurity – Et Tu Brute?
The death of Caesar at the hands of the senators. Painting by Vincenzo Camuccini, 1798. “Et tu, Brute?” meaning “Even you, Brutus?” is a Latin phrase often used poetically to represent the last words of Roman Dictator Julius Caesar to his friend Marcus Brutus who betrayed him at the moment of his assassination. (more…)
The Hand Rule: Managing the Upper Limits of Security Costs
While presenting a talk at CAMP IT last week I got into a number of conversations with attendees about the Hand Rule and security costs. At HALOCK Security Labs we talk about the Hand Rule a lot. Also known as the Calculus of Negligence, it is a way that an organization can mathematically estimate what a “reasonable” investment would be to prevent the risk of a threat. Briefly, the Hand Rule states that if the burden for reducing a risk is less than the likelihood of the risk times its impact, then the burden is reasonable. (more…)
Summary of the 2013 IP Commission Report
Last month the IP Commission Report was published by The National Bureau of Asian Research. This report chronicles the theft of American Intellectual Property and is a great read. The world of InfoSec tends to focus on vulnerabilities and infamous hacks. (more…)
We Need a Risk Management Tipping Point
While preparing for a keynote talk at CAMP IT that is rapidly coming up I was struggling to find the main point of my talk. I had been puzzling for several weeks, asking myself what single message I wanted to leave my audience with. I’ve been speaking for some time now about information security and information risk management and have always provided my audiences with a “how-to” talk. So my main point has always been easy to consider, “Now that you know you have to perform a risk assessment, here’s how to do it.” I often provide very detailed instructions for conducting risk assessments and tell a few good stories about valuable insights and transformations that have happened with some of my clients when they actually follow through with these assessments. But this time it’s different. (more…)
Are iPads HIPAA Compliant?
I hear this question very often. It is similar to the question, “Is email HIPAA compliant?” or “Are texts HIPAA compliant?” And while my gut often kicks in and I want to easily say, “No!” that is often a bad answer. Here is why. We don’t know whether something is compliant or not if we have not assessed the risk it poses. For example, is using iPads or email creating an intolerable risk? If so, what safeguards can you put in place to reduce those risks to a reasonable and appropriate level? If your risks are at a reasonable and appropriate level while using iPads, email and texts along with those safeguards, then yes, they are HIPAA compliant. (more…)