Posts

Showing posts from December, 2012

Infosec Professional 2012 Review

This is the 2012 Infosec Professional review, containing all the articles and interviews from the past 12 months.  It's been a fascinating year from an information security perspective, with some eye-watering data breaches, great conferences and innovative new products coming to market.  A thank you to all who spent some time being interviewed and giving their comments on the industry - some great chats and thought provoking comments. 
Interviews
The Future of Cloud Based Identity?
Interview Series - David Emm Snr Researcher at Kaspersky
Interview Series - Mourad Ben Lakhoua at SecTechno
Interview Series - Jo Stewart-Rattray VP of ISACA
Interview Series - Barry Hodge CEO SecurLinx Corp
Interview Series - Javvad Malik

Conferences
Infosec Europe 2012 Review
Infocrime Summit 2012 - London Keynote Review
RSA 2012 San Francisco - Keynote Review

Cyber Security
Cyber Security Part V - Critical Infrastructure
Cyber Security Part IV - Consumer Protection
Cyber Security Part III - Enterprise Protection
Cyb…

The Obligatory 2013 Infosec Predictions Post

2012.  Been and gone pretty much, in the blink of an eye.  Well, it's lasted pretty much as long as 2011, give or take, but one thing's for sure: it seems information security became more of a big deal.  In my eyes, it always has been a big deal.  Security is a default in my opinion, both in my personal and professional life.  I fail safe when it comes to processes or technical changes.  I believe security is essential, not only at the level of an individual team, system, person or organisation, but also from an industry and society perspective.

The Year That's Been

The biggest takeaway for me seemed to be that non-security people started to take security seriously.  Governments got involved with information security in a big way.  The US had several issues with SOPA, the Stop Online Piracy Act, and then turned its attention to cyber war, with several policy discussions and a hardening of attitude towards the likes of China and Iran from a cyber security standpoint.  October saw t…

Do Better Technical Controls Increase People Focused Attacks?

Technical controls are often the default security response for many organisations.  When I refer to technical controls, there is obviously a people element to that, from a design and implementation perspective, but ultimately the control is focused on a piece of hardware or software.  For example, cryptographic algorithms have continued to evolve over the last 40 years, to levels which allow them to be computationally secure and to be used on a wide scale without major concern.  PKI and other crypto infrastructures are often too focused on the algorithms, hardware security module usage and technical touch points, rather than on, for example, the people-related processes and awareness.  It is all very well having an industry standard algorithm, but that becomes less useful if a user doesn't protect the unencrypted payload when it’s at rest, or allows it to be stored in temporary memory, for example.
Casually thinking of the default security controls for many organisations and many are in fact s…

Information Security: Why Bother?

I have heard this sentiment, perhaps not put quite as bluntly as that, on several occasions over the last few years when working with clients and engineers on security related projects. My role would have been to help embed a particular piece of security software, or to introduce a piece of consultancy or business process which would help improve the organisation's security posture.

The question, often raised as a bargaining tool, usually boils down to: ‘well, I understand what you propose and I know it will increase the security of scenario X, but why should I do it?’. In honesty, it is a good question. Organisations have finite budgets which must cover all of IT and related services, and it is fair to have to show and prove, either via tangible or intangible RoI, that a piece of software or consultancy will have a beneficial impact on the organisation as a whole.

Justification and SRoI

Return on Investments, or Security Return on Investments, are clearly a useful tool for p…