Welcome to Collaborative Strategy Guild Where insights are transformed into actions at the intersection of collaboration, information management, security, and business strategy.
The cool thing about Mary Ann Davidson is she doesn’t mince her words; you know where she stands on every issue and she is willing to own it in the security world. So when I started hearing some buzz about her latest blog post – Those Who Can’t Do, Audit – I expected some sizzle. And got it.
It turns out the target this time is “SASO,” a company that must be making headway in driving legislation towards third party code reviews.
“I’ve opined in previous blogs on the importance of defining what problem you want to solve, specifying what “it” is that you want to legislate, understanding costs – especially those pertaining to unintended consequences – and so on.”
… Continue reading: Evaluating the Oracle Security Manifesto
“Last month, our IT and information assets generated $20 million in revenue in support of 15,000 people using 350 applications. To accomplish this feat, over 32 million connections were attempted across our systems and we applied specific control measures an average of 2.4 times per connection to ensure the completeness and accuracy of our transactions. As a result, over 4 million connections were blocked instantly for not meeting our basic requirements (with 99.75 percent success rate) and we identified 1,700 suspect connections that required further analysis. We ultimately determined that five of those 1,700 were attempted intrusions which we subsequently acted upon according to established procedures. There were no losses associated with the incidents.”
“Last month’s activity has brought to light… Continue reading: My Dream Metrics Status Report
Mike Rothman of Securosis stirs things up a bit with his “Risk Metrics are Crap” post. This type of exercise forces participants to make public commitments. In itself, this is not a huge deal since many positions of those in our space are relatively well documented already, however, anyone familiar with Cialdini knows that commitment serves to reinforce positions and not promote compromise or learning. Not surprisingly, nobody changed sides. In fact, nobody moved an inch (or maybe that’s a “teeny-tiny bit” for those quant-averse participants).
More importantly, nobody is budging because there is nothing new here. Mike simply took semi-random potshots at risk quantification, used a lot of potty language and then sat back. Perhaps the most… Continue reading: Attention InfoSec Pros: measuring risk is in your future
(is that title the proper English spelling of two kids disagreeing? who knows…)
Andrew Gelman’s enlightening blog points to a great example how scientific research helps us get smarter. He excerpts:
Three articles published [by Brett Pelham et al.] have shown that a disproportionate share of people choose spouses, places to live, and occupations with names similar to their own. These findings, interpreted as evidence of implicit egotism, are included in most modern social psychology textbooks and many university courses. The current article successfully replicates the original findings but shows that they are most likely caused by a combination of cohort, geographic, and ethnic confounds as well as reverse causality.
[Unfortunately, the entire original appears to be behind a paywall.]
The studies… Continue reading: Nuh, uh; Yuh, huh
Michael Janke at Last In, First Out is rightly concerned about the relative rates at which new vulnerabilities are created and at which we manage to fix existing ones individually. He asks the question “Are we creating new vulnerabilities faster than we are fixing old ones?” after providing a list of publicly disclosed vulnerabilities from various time periods.
I am not clear whether this list of disclosed vulnerabilities is intended to represent vulnerabilities created or fixed (it is neither), but it certainly does its job in highlighting the problem. It is worth first understanding that vulnerabilities can exist in various states after creation – undiscovered/discovered; undisclosed/disclosed (publicly); and unfixed/fixed, giving us 8 different possible state combinations (though 2 are… Continue reading: Vulnerability Creation vs. Discovery vs. Fix