Welcome to Collaborative Strategy Guild

Where insights are transformed into actions at the intersection of collaboration, information management, security, and business strategy.

Vulnerability Research in the age of Embedded Systems (SCADA)

I have a post over at the Verizon Business blog (Considering Vulnerability Disclosure in the Realm of SCADA Systems) about how vulnerability discovery and disclosure impacts risk. Although it provides a basic risk model that can be applied to any situation, it focuses on the recent SCADA disclosures by Digital Bond and Rapid7. These are some of the smartest people in our field and yet they insist (by implication) on increasing risk to make a point. I sincerely hope they reconsider their actions in the future, before any serious damage is done.

Continue reading: Vulnerability Research in the age of Embedded Systems (SCADA)

Evaluating the Oracle Security Manifesto

The cool thing about Mary Ann Davidson is she doesn’t mince her words; you know where she stands on every issue and she is willing to own it in the security world. So when I started hearing some buzz about her latest blog post – Those Who Can’t Do, Audit – I expected some sizzle. And got it.

It turns out the target this time is “SASO,” a company that must be making headway in driving legislation towards third party code reviews.

“I’ve opined in previous blogs on the importance of defining what problem you want to solve, specifying what “it” is that you want to legislate, understanding costs – especially those pertaining to unintended consequences – and so on.”

… Continue reading: Evaluating the Oracle Security Manifesto

Liability and Secure Software

iang over at Financial Cryptography has a thought-provoking discussion of liability (ht @alexhutton) and its corresponding risks. I think I added a comment (but can’t be sure) that said this:

Culture and consciousness are all a distraction and very malleable. What really matters at the end of the day is the relative number of vulns in the software.

Also, worth noting that “secure software” is a derivative goal of less risk – that is, fewer incidents. We often opt for the former in the face of the latter, which is counterproductive.

Liability is a horrible idea. Here are some reasons why:

  1. It’s unenforceable.
  2. It will destroy innovation.
  3. It will destroy open-source.
  4. It will create an Xbox Internet.
  5. It will double prices.
  6. It will force lock-in.
  7. And, finally —… Continue reading: Liability and Secure Software

My Dream Metrics Status Report

“Last month, our IT and information assets generated $20 million in revenue in support of 15,000 people using 350 applications. To accomplish this feat, over 32 million connections were attempted across our systems and we applied specific control measures an average of 2.4 times per connection to ensure the completeness and accuracy of our transactions. As a result, over 4 million connections were blocked instantly for not meeting our basic requirements (with 99.75 percent success rate) and we identified 1,700 suspect connections that required further analysis. We ultimately determined that five of those 1,700 were attempted intrusions which we subsequently acted upon according to established procedures. There were no losses associated with the incidents.”

“Last month’s activity has brought to light… Continue reading: My Dream Metrics Status Report

Dr. Laura as Information Security Officer

[One of my first Trend Watch essays circa 2000 or whenever Dr. Laura - the queen of saying "no" - was popular]

Dr. Laura: “Hello Kate, you’re on the air”

Kate: “Hi, Dr. Laura, thanks for taking my call. My security dilemma is that I would like to open a port in our firewall…”

Dr. Laura: “No. Absolutely not.”

Kate: “But let me explain… If we make this connection to our business partner, we can save $1.2 million in the first 6 months!”

Dr. Laura: “You can make excuses all you want, Kate, but what you are asking is reprehensible, not to mention against policy. [click]. Hello, Nick, you’re on the air.”

Nick: “Hi, Dr. Laura, my security… Continue reading: Dr. Laura as Information Security Officer