By David Sheidlower
For security professionals, the most familiar qualitative scale is the CRITICAL-HIGH-MEDIUM-LOW scale that is used for risk assessments.
With a nod towards Politifact, I’d like to propose a different scale that we can use to rate statements about how effective controls are.
I’m taking this from the kid’s game where you tell someone how close they are getting by indicating temperature: “you’re getting warmer” for when you are getting close and “you’re getting colder” for when you are moving away from it.
See what controls got a rating of "Absolute Zero"?
This week David Rosenberg of New York City asks:
Q: “How concerned should we be about Regin malware?”
Well, Mr. Rosenberg, I'll give you a few thoughts specifically on Regin in a bit. Let me first give you some pushback.
Each week I’m sure your local newspaper has a list of robberies in your area, as well as articles containing the names of burglars and bank robbers that were arrested or convicted in your area.
Each week, do you wonder if you should be concerned about your house being broken into? I hope you wouldn’t look for different strategies for burglar A one week, Peeping Tom B the next and car thief C after that, etc.
By Farhaad Nero
It is more important than ever to safeguard your business.
The battlefield is no longer contained and the battle is daily. One fact remains constant: there are those inside and outside of your organization who are looking for ways to pilfer and use your data.
A true information security leader knows who and what they need to protect and has the corresponding strategy, mindset, vision and allies, as well as the right tools, to survive. But with the field changing almost daily, how do you measure true leadership?
If you are an information security leader, or looking to be one, or need to interview a potential one, then I have created a simple (far from perfect) methodology that you can use to test or rank yourself or a candidate. It is a quick yet effective assessment. Give it a shot.
By Ben Rothke
For those contemplating using Amazon Web Services (AWS), their compliance page is quite assuring.
With a who’s who of compliance standards, from SSAE-16, ISO 27001 and PCI DSS to CSA, MPAA, FedRAMP, FIPS 140-2, HIPAA and more, it’s more than enough to give an auditor a warm and fuzzy feeling.
While this article focuses on Amazon, the approach is the same for any cloud service, be it from Microsoft, Rackspace, Terremark and the rest.
There is a shortage of security professionals, with approximately 100,000 open positions seeking technically qualified people.
Supporting education in STEM (science, technology, engineering and mathematics), sourcing ex-military and promoting people from the ranks of general information technology are some of the ways the market is working to fill the gap.
securitycurrent's Vic Wheatman speaks with John Pescatore, securitycurrent's Ask Mr. Security Answer Person and the SANS Institute Director of Emerging Security Trends, about the pressing nature of the problem.
How I learned to love a data exfiltration service
And the Breach Level Index Finds...
By David Sheidlower
People prefer to choose the groups they are in. Even before social media exploited that, there were fan clubs, fraternities, sororities, and many different kinds of groups that people associated themselves with.
There are also the groups that people don’t choose but through birth, prejudice, unforeseen circumstances and/or unwanted diagnoses, they find themselves in nonetheless. Those groups are generally more difficult to leave.
There is a different kind of group that can encompass any of these but does not have to. These groups overlay a different relationship between the group and the individual and the cohort.
By Mark Rasch
FBI Director Comey recently complained about the problem of people “going dark” in a speech before the Brookings Institution.
He explained, “the law hasn’t kept pace with technology, and this disconnect has created a significant public safety problem.
We call it 'Going Dark,' and what it means is this: Those charged with protecting our people aren’t always able to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority.
We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so.”