Schneier on Security: Hacking Cars Through Wireless Tire-Pressure
http://www.schneier.com/blog/archives/2010/08/hacking_cars_th.html A few alarming things here. More nanny State : In other words, the nanny state is forcing upon us expensive and insecure systems that...
Your Asset is my Consumable
We've had the 'what is an asset' debate a few times in Gary Hinson's ISO27001 forum on Googlegroups, but I'd like to re-iterate that an asset is not necessarily (or even) a material object such as a...
The real reasons for documentation – and how much
The documentation required and/or needed by ISO-2700x is a perennial source of dispute in the various forums I subscribe to. Of course management has to define matters such as scope and applicability and...
Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA …
What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I'm asking about a true risk assessment framework, not merely a checklist. Yes,...
On the HP Printer Hack
The hack to make the HP printers burn was interesting, but let's face it, a printer today is a special purpose computer and a computer almost always has a flaw which can be exploited. In his book on UI...
Doubts about “Defense in Depth”
So to have great (subjective) protection your layered protection and controls have to be "bubbled" as opposed to linear (to slow down or impede a direct attack). I have doubts about "defence in...
How to decide on what DVD backup software to use
You do do backups, don't you? Backing up to DVD is easy, but what software to use? - How are you managing the backup archives? Do you need a specific dated version of a file or directory? Would a VCS be...
Naval War College uses Russian software for iPad course material
http://www.nextgov.com/nextgov/ng_20120305_6368.php The Navy's premier institution for developing senior strategic and operational leaders started issuing students Apple iPad tablet computers equipped...
About ISO 27001 Risk Statement and Controls
On the ISO27000 Forum list, someone asked: I'm looking for a Risk statement for each ISO 27k control; meaning "what is the risk of not implementing a control". That's a very ingenious way of looking at...
Social Engineering and sufficiency of awareness training
Someone asked: If you have good information security awareness amongst the employees then it should not be a problem what kind of attempts are made by the social engineers to glean information from...
Surely compliance is binary?
Call me a dinosaur (that's OK, since it's the weekend and I'm dressed down to work in the garden) but ... Surely COMPLIANCE is a binary measure, not a "level of" issue. You are either in compliance or you...
Help on ISO-27000 SoA
This kind of question keeps coming up; many people are unclear about the Statement of Applicability in ISO-27000. The SoA should outline the measures to be taken in order to reduce risks such as those...
Managing Software
Last month, this question came up in a discussion forum I'm involved with: Another challenge to which I want to get an answer is, do developers always need Admin rights to perform their testing? Is...
An OP-ED by Richard Clarke on China
http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html This is better written than most 'chicken little' pieces, but please can we have a 'history' of how most nations, including the...
How much Risk Assessment is needed?
In many of the InfoSec forums I subscribe to, people regularly ask the "How long is a piece of string" question: How extensive a risk assessment is required? It's a perfectly valid question we all have...
Does ISO 27001 compliance need a data leakage prevention policy?
On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the criteria for choosing a Data Loss Prevention mechanism. I get criticised...
The Truth About Best Practices
An article on LinkedIn entitled 'The Truth about Practices' started a discussion thread with some of my colleagues. The most pertinent comment came from Alan Rocker: I'm not sure whether to quote "Up the...
OpenBSD forks, prunes, fixes OpenSSL
http://www.zdnet.com/openbsd-forks-prunes-fixes-openssl-7000028613/#ftag=RSS86a1aa4 Interesting, eh? At the very least, this will apply 'many eyes' to some of the SSL code and so long as the ssh...
This is not the IoT you want.
http://www.cnet.com/products/quirky-outlink/ If I plug in an IDE drive or a SATA drive or a USB drive or device, my mobo or system recognizes what it is. The connection protocol tells the mobo or system....
Should all applicable controls be mentioned in documenting an ISMS?
In my very first job we were told, repeatedly told, to document everything and keep our personal journals up to date. Not just with what we did but the reasoning behind those decisions. This was so...