Lately I’ve been immersed in metrics for my day job at Tripwire. It’s been enlightening, to say the least. I thought that, for sure, we’d have a solid set of metrics to look at for this industry, but I think I’m wrong. Metrics are much harder than they may seem on the surface, and I’ve been learning a lot. Along the way, I’ve come across a model for security metrics published by ISO/IEC – ISO 27004 (Information technology – Security techniques – Information security management – measurement), published back in 2009.
We all know passwords suck. We’re reminded of this fact often, and most recently due to the Evernote breach disclosure (more at WSJ). There are efforts underway in the Internet Engineering Task Force (IETF) to obviate the need for passwords in the first place, but in the meantime we need better operational security. This is what I recommend.
Earlier today Bruce Schneier posted about another post by David Lacey over at Computer Weekly. Mr. Lacey makes some awesome statements regarding our (the security and compliance industry’s) lack of technical control exploitation. Mr. Lacey claims, rightly, that “such a landscape can no longer be policed by humans and procedures,” and “the Golden Triangle of people, process and technology needs to be rebalanced in favour of automation.” I couldn’t agree more, and it seems that Mr. Schneier feels similarly:
I watched an awesome documentary last night, Jiro Dreams of Sushi. Jiro is (at least was at the time of filming) an 85-year-old Japanese sushi maker. He has spent the past 75 years of his life perfecting his trade. What does this have to do with Information Security?
I think this happened about a month ago, but it’s been bothering me ever since. Names have been changed to protect the other party. As a professional I subscribe to a variety of mailing lists and/or belong to a lot of groups. I use a variety of tools to carry out my tasks, and I was experiencing an issue with a trial of the next version.
It’s the New Year for many of us, but not yet for those who follow the Chinese Zodiac. But, February 10 ushers in the Year of the Snake, which makes for a good post. Why? Because this particular Year of the Snake is, more specifically, the Year of the Water Snake. The “Water” part of Water Snake is symbolic of the end of a thing or matter (this according to Wikipedia, anyway).
The New Year is upon us (I wonder how many bloggers have written that sentence today). Last week I authored a post on Tripwire’s State of Security blog on the first of twenty critical security controls according to CSIS. The last post of the year for the State of Security turned out to be the first in a long, long series (I post there once every other week, so covering 20 controls will take a while). I welcome your comments there, by the way.
I’ve been busy lately. So busy that I’ve not really posted anything here since July. That’s far too long – I’m sure I have more to say. Still, it’s difficult to find the time. The thing is that life and everything in it flows and changes with time. Some days are better than others, and some days are downright terrible.
Nevertheless, I’m going to try to post here more frequently as I continue exploring the nuances of security and compliance and risk management. I think there’s a lot yet to learn for us. Stay tuned, and I’m sure there will be an increase in posts yet to come.
It’s been a long time since I’ve posted anything here. I hope to post more frequently, but can’t promise much. I do have a new post over at Tripwire’s blog, State of Security. It’s a book review of Bruce Schneier’s Liars and Outliers, which is both a great read and something you should consider sharing with others within your sphere of influence. You can reach the full review here.
My employer (@TripwireInc) has sent me to OSCON 2012, where I’m learning quite a lot. Getting back into the swing of software architecture has been rough after a decade-long diversion into operations and compliance. But, it has been amazingly fun! The best thing about it is that I’ve come to realize that it’s the soft skills that matter more than anything else, and this extends right into fostering communities.