Roger Halbheer on Security
It is not the first time I am talking about Zero Trust here. And often it is absolutely clear to the customers that the next perimeter is the identity and not necessarily the network to the same extent anymore. Read this article: More Than 99% of Cyberattacks Need Victims’ Help – the network protection will…
This is not fundamentally new but the figure is really high…
So, why are you still using username/password?
Interesting how the title turned out: Microsoft welcomes scrutiny of tech industry that has roiled its competition this year, says CEO Nadella. Easy for him to say. Kind of true as Microsoft was not in the focus of all the troubles this year but on the other hand, one could say that we learned our…
I was just reading an article called Does Facebook even need a CSO? – initially my reaction was (as most of yours I guess): “What a stupid question, for sure we need a CSO”. However, is this true? Do we really need a CSO? Are there other models which would work as well? What is…
A lot of people just throw away their boarding pass after a flight. I mean, what information do you find on it? Name, seat, date and flight. So what? You can find this information for a lot of people on social media anyway, right? Well, not really. There is other information on it as well…
Unfortunately, we do not see too many women in security – even though there are huge opportunities irrespective of the gender. Over the years, I had the pleasure to work with great women in this business. We will run an event on Thursday, April 28, 2016 at 6.30pm at the Accenture Office in Zurich with…
Dear CEOs, I know that you feel that security is important – something which was not always the case in all the years I am working in the industry. But you changed your mind and this is great. But I know as well that you rarely feel comfortable, when it comes to working with your…
Quite a while ago, I provocatively asked the question, whether Anti-Malware Technology is dead. Back then it caused quite some reaction. Honestly, I still see little value to be added by classical anti-malware products if we would finally be willing, able and ready to use the technology, which is built in today’s operating system. Unfortunately,…
When I look at the recent events and data exfiltration cases, it really looks like we are at the losing end of a battle. It seems to be fairly simple to compromise a network and exfiltrate data nowadays. Now you may claim that you deployed all kinds of cool technology like hardened clients, data loss…
Measuring security is a problem – and not something new. When I look at what we did at Swisscom, we are severely challenged in this area. A lot of companies measure things like incidents etc., metrics which are a complete failure in my opinion. Let’s look at the incident metric for a second. You could…
I am a fan of simple and easy to read policies. I do not think that policies consisting of several thousand documents to any good nor will they be followed.
In this context I found a noteworthy blog post: 5 Tips on Writing Security Policies
Roger
Managers often do not understand the engineers – and engineers do not understand what drives a manager. A typical conflict, which gets worse when we enter the world of agile development methods. Control and processes lose importance, speed and therefore “gut feelings” need more focus. Günter Dück, former CTO of IBM Germany had a very…
One of the key challenges in the every day’s world of a CSO is reporting. How and especially what do we report to the board and how do we make it relevant to the people there? We all know that finance has a fairly clear and standardized reporting scheme as the subject matured over time…
This is kind of interesting: IDC reports endpoint security market is booming, but isn’t antivirus dead? I am still deeply convinced that Anti-Virus by itself does not add a lot of value. You can use better technology to protect against malware (see Is Anti-Virus Technology Dead?). If I see that this market is still predicted…
When I look at the way security is treated in a lot of companies, I see two fundamental challenges: Security is seen as a compliance function only. In other words, security people tend to hide behind policies. This is fairly simple for us, isn’t it? We can take the policy and tell somebody to follow…
Let’s assume for a second, that the content of this article is correct: Google’s backward step on Android app privacy. Then it shows – once more – that Google is a very innovative company with a very limited view on user’s privacy and security. When you look at the new security user experience in the…
A lot has been written about the European court decision and the right to be forgotten. It seems that about 12’000 people now asked Google to get something deleted. There are different aspects now, when we look into this: I guess it would cause a wrong sense of security – well better privacy – if…
To start with the way I look at the answer of the question above: Yes, I think so. Basically, when you talk with people knowing the industry, the classical signature-based approach never even worked. It was able to detect a certain number of viruses, which typically is a just small percentage of what the technology…
It is obvious: Less admin privileges reduces the risk of successful attacks. This is not really news, isn’t it? That this reduces the attack surface dramatically, well, not new either: Time to drop unnecessary admin privileges What I am really wondering: We are all talking about Bring Your Own Device scenarios, where it is to…
I came across this article this morning: 5 Ways Event Log Management Makes You More Secure. The claim there is, that adding 5 additional tasks will make you more secure: Centralized logging makes it possible to review all the logs SIEM is French for “locked down” Event correlation helps you find bad things Search and…
