Many security practitioners (and others) struggle to understand the environment they are working in and find it difficult to prioritise what needs to be done.  To help, I’m going to share a series of articles that demonstrate an approach to completing A Simple Security Risk Assessment, an approach that takes into consideration both technical and business risk.  The series comprises:

1. Evaluating Industry Standard Risk Methodologies
2. Categorising Threats by Information Asset attributes
3. Assessing Technical Risk
4. Assessing Business Risk
5. Calculating Overall Risk

Top 10 Blog Posts

January 13, 2009

I no longer post regularly as I find the time is better spent on my own security research and with my family and friends.  The existing content will remain available and, to help readers focus on it, I have provided a list of the Top 10 Blog Posts.

1. A Simple Scorecard for Information Security
2. The Dirt on Information Security: Metrics
3. Web 2.0 is big on Feeds
4. Technical Vulnerability Management
5. Phishing Online — Don’t take the bait…
6. Security Event Management (SEM)
7. Role Based Access Control (RBAC)
8. Information Security versus IT Security
9. Identity Management (IDM)
10. The 3 Dimensions of eCommerce Security

Enjoy.

As we start 2009 it is prudent to think about what we may need to plan for in the year ahead.  Many organisations will pursue existing projects and (hopefully) continue to mature their security capabilities.  It is also necessary to be mindful of the current business environment and technology trends.

DarkReading offers a somewhat fearsome contribution, Four Threats, and vnunet.com five more likely threats in its look at The Year Ahead.  Emerging security threats such as virtual malware will be the focus of high-end attackers, and we should expect many new variations of already known methods of exploitation.

In a recent article on the politics of an Australian Internet filter, I shared some of the concerns being raised about the proposed legislation.  One of those concerns was that the filter would be unable to handle the ever-changing IP addresses used by peer-to-peer networks and dynamic websites (see DynDNS and Fast Flux).

Having said that, I went on to say that it would be worth investing in police resources to track down those accessing or distributing illegal content.  Two weeks after that post, the AFP has been successful in doing exactly that.  The success seems to substantiate further investment.  The filter, on the other hand, could never keep up.

There are many legitimate reasons to be working from home, especially as Australian cities get busier, the roads become more congested, and we try to be more conscious of the environment.  If you’ve ever been curious to know how work-from-home scams work, the Australian government’s SCAMwatch can fill you in.

And if you are already working from home, the things to consider are: protecting printed information, encrypting portable media, connecting to the office through a Virtual Private Network (VPN), and disabling split tunneling, which would otherwise allow a user to connect to an insecure network at the same time as the work network.
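The split tunneling point is easy to state and easy to get wrong in practice: a VPN client can be "connected" while the default route still leaves via the home Wi-Fi, so only the corporate subnet is protected. The following is an added example (not code from the original post) of a check an administrator could run against a Linux routing table to confirm that the VPN really carries all traffic. It assumes the `ip route show` output format, that the VPN appears as an interface whose name starts with `tun`, `tap` or `wg`, and that a single host route to the VPN server over the physical interface is legitimate; the two routing tables and the function names are constructed for illustration.

```python
"""Detect split tunneling from a Linux routing table (added example, not from the original post).

Assumptions: Linux `ip route show` output, VPN interfaces named tun*/tap*/wg*.
Both sample routing tables below are constructed for illustration.
"""
import re

# Constructed sample: full tunnel. The default route leaves via tun0, and the
# only non-VPN routes are the directly connected home LAN and a host route to
# the VPN server itself (a full-tunnel client adds that so the tunnel can reach it).
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed sample: split tunnel. Only the corporate range goes via the VPN;
# the default route and an extra subnet stay on the home Wi-Fi router.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
198.51.100.0/24 via 192.168.1.1 dev wlan0
"""

# destination, optional "via <gateway>", then "dev <interface>"; the rest of the
# line (proto, scope, src) is kept raw for the "scope link" test below.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<gw>\S+))?\s+dev\s+(?P<dev>\S+)")

VPN_PREFIXES = ("tun", "tap", "wg")  # assumption: how the VPN interface is named


def parse_routes(text):
    """Return a list of dicts {dst, gw, dev, raw} for each parsable route line."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        m = ROUTE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["raw"] = line
            routes.append(entry)
    return routes


def is_vpn_interface(dev):
    return dev.startswith(VPN_PREFIXES)


def split_tunnel_report(text, vpn_server=None):
    """Classify a routing table.

    full_tunnel   : True when the default route leaves via a VPN interface.
    bypass_routes : destinations reachable without the VPN, excluding the
                    directly connected link subnet(s) and the host route to
                    the VPN server (if its address is given).
    """
    routes = parse_routes(text)
    default = next((r for r in routes if r["dst"] == "default"), None)
    default_dev = default["dev"] if default else None
    full_tunnel = default is not None and is_vpn_interface(default_dev)

    bypass = []
    for r in routes:
        if r["dst"] == "default" or is_vpn_interface(r["dev"]):
            continue
        if "scope link" in r["raw"]:
            continue  # directly connected LAN, needed to reach the local router
        if vpn_server is not None and r["dst"] == vpn_server:
            continue  # host route to the VPN endpoint over the physical NIC
        bypass.append(r["dst"])

    return {"default_dev": default_dev, "full_tunnel": full_tunnel, "bypass_routes": bypass}


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, split_tunnel_report(table, vpn_server="203.0.113.10"))
```

On a real machine, feed the function the output of `ip route show` and treat `full_tunnel == False` or a non-empty `bypass_routes` as a policy violation worth alerting on; the `vpn_server` parameter exists so the one host route a full-tunnel client legitimately needs is not reported as a bypass.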

Equally important to setting a home worker up is helping them work from home without growing isolated.  Unified Communications (VoIP and a webcam) along with Web 2.0 technologies such as corporate wikis and blogs allow the home worker to communicate with the office and, of course, with other home workers.

Industry standards help to define common operational practices for information security management.  As part of a competent information security program, penetration testing is often relied upon to identify technical weaknesses in applications.  However, information security must take this approach into the third dimension by engaging the business, thoroughly understanding the application, and preventing non-technical weaknesses that abuse allowable parameters: fraud.  This article will describe a few ways to protect an eCommerce system, including a list of controls that may help reduce fraud.
