What we're reading, week of 9/29

From Network Security Blog… Be compliant through security
Martin McKeay suggests that it is possible to be compliant and yet still insecure, and points us to an article from CSO Online that outlines the steps toward compliance through security.

From TaoSecurity… Security vs IT at Computerworld
Richard Bejtlich discusses the sometimes contentious, sibling-like relationship that can exist between corporate security and IT departments. In the comments section, readers share their tales of conflict and suggest solutions.

From Emergent Chaos… Blaming the Victim, Yet Again
Mordaxus points us to a study that examines users' habitual ignorance of the context of pop-up dialogue boxes. "My opinion is that this is blaming the victim. Users are presented with such a variety of elements that it's hard to know what's real and what's not. Worse, there are so many worthless dialogs that pop up during normal operation that we're all trained to play whack-a-mole with...

What we're reading, week of 9/22

Security bloggers are all over the story of VP nominee Sarah Palin's hacked email account this week. Some of the best coverage:

From Zero Day… Attacker: Hacking Sarah Palin's email was easy
Dancho Danchev describes, step by step, exactly how Palin's email was hacked. The key point of interest here is that none of the steps taken by the infiltrator required any advanced technical knowledge.

Later, from Zero Day… Webmail and traditional e-mail face different threats
Adam O'Donnell discusses the different threat models to consider when using web-hosted email versus desktop-based email. He argues that in order to decide which option is more secure, a user must also take into consideration reliability and the risk of data loss.

Still later, from Zero Day… Webmail providers can fix Palin hack-style problems
Finally, what can providers do to avoid this? Adam O'Donnell calls upon webmail providers to implement additional software and more secure processes to manage the password reset process.

And from Errata Security… How Sarah got her hack on
Robert Graham describes what can be done from a user perspective, and how high-profile, public persons need to employ a more thorough standard of personal IT...

What we're reading, week of 9/15

Last week, we pointed to a post from Andy, IT Guy, about the concept of "Failure of Investment" (FOI) as a measure of security initiatives. As this idea has taken root and inspired some discussion among other bloggers, this week we'll explore the reaction to Andy's idea.

From Uncommon Sense Security… FOI, Failure of Investment
Jack Daniel supports Andy's FOI theory and offers some supporting evidence from his work with a variety of small to mid-sized companies.

From Security Provoked… Failure-on-Investment a More Accurate Measure of Security?
Sara Peters, meanwhile, is a bit more skeptical. She argues that at some companies, stakeholders care about more than the technical success or failure of a security investment, such as the savings that come from meeting regulatory standards.

From Andy, IT Guy… FOI in depth
Andy responds to the ongoing discussion and Sara's challenges by reiterating that measures other than FOI are beside the point. Compliance is not its own reward, after all; it's a means to an end, the end being actual protection of data. "Security for the sake of security is no security at all," he...