While preparing for the imminent release of Windows 8.1 and Windows Server 2012 R2, I thought I’d set up a quick domain. I didn’t really want to do this on my MacBook Pro, though, but these images weren’t available on Amazon Web Services. So, I set out to import an image from Fusion to AWS. It wasn’t straightforward – at first.
It turns out that August is the most important month in 2013. No, it’s not because my birthday falls in August. It’s because the Security Automation and Continuous Monitoring (SACM) working group is presently accepting, compiling, and refining use cases associated with:
1. Standardizing assessment of endpoint security posture, and
2. Standardizing interacting with repositories of content related to such assessment.
Whether you’re a security tool vendor or end-user organization this is your opportunity to influence the outcome of SACM in a meaningful way – to ensure that we get it right for present and anticipated future needs.
Now that I have a new gig with the Center for Internet Security (CIS), I’m working from home. It’s been a real challenge to get into a proper rhythm after going to an office for, well, ever… There’s a security story to tell with remote workers, but it’s not really about “security” as you might think about it. Maybe it’s more of an Operational Risk Management story.
Lately I’ve been immersed in metrics for my day job at Tripwire. It’s been enlightening, to say the least. I thought that, for sure, we’d have a solid set of metrics to look at for this industry, but I think I’m wrong. Metrics are much harder than they may seem on the surface, and I’ve been learning a lot. Along the way, I’ve come across a model for security metrics published by ISO/IEC – ISO 27004 (Information technology – Security techniques – Information security management – measurement), published back in 2009.
We all know passwords suck. We’re reminded of this fact often, and most recently due to the Evernote breach disclosure (more at WSJ). There are efforts underway in the Internet Engineering Task Force (IETF) to obviate the need for passwords in the first place, but in the meantime we need better operational security. This is what I recommend.
Earlier today Bruce Schneier posted about another post by David Lacey over at Computer Weekly. Mr. Lacey makes some awesome statements regarding our (the security and compliance industry) lack of technical control exploitation. Mr. Lacey claims, rightly, that “such a landscape can no longer be policed by humans and procedures,” and “the Golden Triangle of people, process and technology needs to be rebalanced in favour of automation.” I couldn’t agree more, and it seems that Mr. Schneier feels similarly:
I watched an awesome documentary last night, Jiro Dreams of Sushi. Jiro is (at least was at the time of filming) an 85 year old Japanese sushi maker. He has spent the past 75 years of his life perfecting his trade. What does this have to do with Information Security?
I think this happened about a month ago, but it’s been bothering me ever since. Names have been changed to protect the other party. As a professional I subscribe to a variety of mailing lists and/or belong to a lot of groups. I use a variety of tools to carry out my tasks, and I was experiencing an issue with a trial of the next version.
It’s the New Year for many of us, but not yet for those who follow the Chinese Zodiac. But, February 10 ushers in the Year of the Snake, which makes for a good post. Why? Because this particular Year of the Snake is, more specifically, the Year of the Water Snake. The “Water” part of Water Snake is symbolic of the end of a thing or matter (this according to Wikipedia, anyway).
The New Year is upon us (I wonder how many bloggers have written that sentence today). Last week I authored a post on Tripwire’s State of Security blog on the first of twenty critical security controls according to CSIS. The last post of the year for the State of Security turned out to be the first in a long, long series (I post there once every other week, so covering 20 controls will take a while). I welcome your comments there, by the way.