Welcome to Collaborative Strategy Guild Where insights are transformed into actions at the intersection of collaboration, information management, security, and business strategy.
I have a post over at the Verizon Business blog (Considering Vulnerability Disclosure in the Realm of SCADA Systems) about how vulnerability discovery and disclosure impacts risk. Although it provides a basic risk model that can be applied to any situation, it focuses on the recent SCADA disclosures by Digital Bond and Rapid7. These are some of the smartest people in our field and yet they insist (by implication) on increasing risk to make a point. I sincerely hope they reconsider their actions in the future, before any serious damage is done.
Continue reading: Vulnerability Research in the age of Embedded Systems (SCADA)
iang over at Financial Cryptography has a thought-provoking discussion of liability (ht @alexhutton) and its corresponding risks. I think I added a comment (but can’t be sure) that said this:
Culture and consciousness are all a distraction and very malleable. What really matters at the end of the day is the relative number of vulns in the software.
Also, worth noting that “secure software” is a derivative goal of less risk – that is, fewer incidents. We often opt for the former in the face of the latter, which is counterproductive.
Liability is a horrible idea. Here are some reasons why:
- It’s unenforceable.
- It will destroy innovation.
- It will destroy open-source.
- It will create an Xbox Internet.
- It will double prices.
- It will force lock-in.
- And, finally —…
Continue reading: Liability and Secure Software
“Last month, our IT and information assets generated $20 million in revenue in support of 15,000 people using 350 applications. To accomplish this feat, over 32 million connections were attempted across our systems and we applied specific control measures an average of 2.4 times per connection to ensure the completeness and accuracy of our transactions. As a result, over 4 million connections were blocked instantly for not meeting our basic requirements (with 99.75 percent success rate) and we identified 1,700 suspect connections that required further analysis. We ultimately determined that five of those 1,700 were attempted intrusions which we subsequently acted upon according to established procedures. There were no losses associated with the incidents.”
“Last month’s activity has brought to light… Continue reading: My Dream Metrics Status Report
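The quoted report is a funnel: connections attempted, controls applied per connection, connections blocked outright, connections flagged for analysis, and the few confirmed intrusions, with losses stated last. As an added illustration (not code from the original post), the script below rolls a constructed connection-event log up into exactly that shape. The log format (timestamp, source, application, controls applied, outcome, loss in dollars), the outcome vocabulary and every sample value are assumptions made for the example.

```python
"""Roll connection-level events up into the kind of status report quoted above.

Added example, not code from the original post. It assumes a constructed
CSV-style event log with the fields
timestamp,src,app,controls_applied,outcome,loss_usd, where outcome is one of
allowed, blocked, suspect or intrusion (an intrusion is a suspect connection
that analysis later confirmed). Field names and values are assumptions.
"""
from dataclasses import dataclass
from typing import Iterator

# Constructed sample log: twelve connection attempts from one reporting period.
LOG = """\
2011-03-01T00:00:01Z,10.0.0.5,app-17,3,allowed,0
2011-03-01T00:00:02Z,198.51.100.9,app-03,1,blocked,0
2011-03-01T00:00:03Z,10.0.0.8,app-17,4,allowed,0
2011-03-01T00:00:04Z,203.0.113.4,app-21,3,suspect,0
2011-03-01T00:00:05Z,10.0.0.5,app-02,3,allowed,0
2011-03-01T00:00:06Z,203.0.113.7,app-21,4,intrusion,0
2011-03-01T00:00:07Z,10.0.0.9,app-17,2,allowed,0
2011-03-01T00:00:08Z,198.51.100.2,app-03,1,blocked,0
2011-03-01T00:00:09Z,10.0.0.5,app-02,2,allowed,0
2011-03-01T00:00:10Z,10.0.0.6,app-17,3,allowed,0
2011-03-01T00:00:11Z,10.0.0.7,app-21,3,allowed,0
2011-03-01T00:00:12Z,198.51.100.5,app-03,1,blocked,0
"""

VALID_OUTCOMES = {"allowed", "blocked", "suspect", "intrusion"}


@dataclass(frozen=True)
class Event:
    timestamp: str
    src: str
    app: str
    controls_applied: int
    outcome: str
    loss_usd: int


@dataclass(frozen=True)
class Report:
    attempted: int
    apps: int
    avg_controls: float
    blocked: int
    blocked_share: float
    suspect: int
    intrusions: int
    losses_usd: int


def parse_events(log: str) -> Iterator[Event]:
    """Parse the constructed log, rejecting malformed lines and unknown outcomes."""
    for lineno, line in enumerate(log.strip().splitlines(), 1):
        fields = line.split(",")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        ts, src, app, controls, outcome, loss = fields
        if outcome not in VALID_OUTCOMES:
            raise ValueError(f"line {lineno}: unknown outcome {outcome!r}")
        yield Event(ts, src, app, int(controls), outcome, int(loss))


def build_report(log: str) -> Report:
    """Roll events up into the funnel the status report describes."""
    events = list(parse_events(log))
    attempted = len(events)
    if attempted == 0:
        raise ValueError("no events in reporting period")
    blocked = sum(e.outcome == "blocked" for e in events)
    # Intrusions start life as suspect connections, so they count in both buckets.
    suspect = sum(e.outcome in ("suspect", "intrusion") for e in events)
    intrusions = sum(e.outcome == "intrusion" for e in events)
    return Report(
        attempted=attempted,
        apps=len({e.app for e in events}),
        avg_controls=sum(e.controls_applied for e in events) / attempted,
        blocked=blocked,
        blocked_share=blocked / attempted,
        suspect=suspect,
        intrusions=intrusions,
        losses_usd=sum(e.loss_usd for e in events),
    )


def render(r: Report) -> str:
    """Render the funnel as one sentence in the style of the quoted report."""
    return (
        f"{r.attempted} connections were attempted across {r.apps} applications; "
        f"controls were applied an average of {r.avg_controls:.1f} times per connection; "
        f"{r.blocked} ({r.blocked_share:.1%}) were blocked outright; "
        f"{r.suspect} required further analysis, of which {r.intrusions} were confirmed "
        f"intrusions; losses: ${r.losses_usd}."
    )


if __name__ == "__main__":
    print(render(build_report(LOG)))
```

The point of keeping "suspect" and "intrusion" as separate outcomes is that the report counts intrusions as a subset of the connections sent for analysis, not as a parallel bucket; collapsing them would overstate the analyst workload or understate it, depending on which way you collapse. The parser also refuses unknown outcomes rather than silently dropping them, since a metric that quietly ignores events it cannot classify is the kind of number that looks good on a status report and means nothing.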
The recent RSA hack has once again (after Google and Aurora made a big splash a little over a year ago) brought to the surface this notion of an “advanced persistent threat.” There is great emotion on all sides of the debate about what it is and whether it matters. As I listened to Uri Rivner of RSA describe the nature of the attack on Friday, for some reason I couldn’t stop thinking about The Cuckoo’s Egg, Clifford Stoll’s fascinating account of how he tracked down an industrial espionage ring back in the early-to-mid 80s, over 25 years ago.
Of course, the attackers didn’t use spear-phishing then, but the idea of the “APT” as an adversary was… Continue reading: Thinking about APTs and the RSA Hack
It is no surprise that EMC has acquired Netwitness. Looks like they are serious about this security stuff.
Here is a list of EMC / RSA acquisitions through the years, for your historical enjoyment:
- July 2001: RSA Security acquires Securant
- March 2006: EMC acquires Authentica
- April 2006: RSA Security acquires PassMark
- June 2006: EMC acquires RSA Security
- September 2006: EMC acquires Network Intelligence
- February 2007: EMC acquires Valyd
- June 2007: EMC acquires Verid
- August 2007: RSA Security acquires Tablus
- May 2009: EMC acquires ConfigureSoft
- January 2010: EMC acquires Archer Technologies
- April 2011: EMC acquires Netwitness
Continue reading: EMC (RSA) Acquires Netwitness