Roger Halbheer on Security
In my last blog post I claimed that I have not seen a good security metrics system working so far and asked whether it is a failure. On different channels I got some reactions, which I would like to share here. One claim is that – as risk management is at the heart of security…
DetailsMeasuring security is a problem – and not something new. When I look at what we did at Swisscom, we are severely challenged in this area. A lot of companies measure things like incidents etc., metrics which are a complete failure in my opinion. Let’s look at the incident metric for a second. You could…
DetailsThere is a jewel in a security professional’s toolbox, which – in my opinion – is highly underused. At least this is true in infrastructures I know. Since years, Microsoft offers a free tool called EMET (Enhanced Mitigation Experience Toolkit). EMET helps you to leverage the security technology built into Windows. To quote the above…
DetailsThe insider threat is a real threat – nothing new here, this is something we know since quite a long time. Protecting data against misuse by insider (accidentally or criminal) is a key challenge for security organizations as you have to protect data against abuse by people who need to have access to the same…
DetailsThis was interesting to me: I am used to receive these scam mails, promising me millions of dollars. Nothing new there and if I would have gotten rich if I just got 1% of the promised sums across all these years. Now, this week I actually got a letter, real paper with interesting content –…
DetailsI am guilty as charged: There was a time, where I was convinced that companies will never ever outsource their security functions. It seems that I was wrong. It even seems that for some companies the country, where the service is really delivered starts to get less relevant as long as quality fits. And the…
DetailsI am a fan of simple and easy to read policies. I do not think that policies consisting of several thousand documents to any good nor will they be followed.
In this context I found a noteworthy blog post: 5 Tips on Writing Security Policies
Roger
No, I am not offering you any consulting. In the US, a new platform just opened trying to close the gap between freelancers and businesses. It will be interesting to see, how they do:
Startup ‘Stealth Worker’ Matches Businesses With Security Talent
Stealthworker
Roger
I blogged about the work of Jonathan Lusthaus already in the past. To me, he does really interesting work in the area of the underground and how social links and norms impact the underground market. It seems that the Ukrainian war had significant impact on the Russian underground scene. Read yourself: All’s Fair in Love…
DetailsThe US government seemed to have initiated a 30-day security sprint to fix the most important vulnerabilities in their network (US Federal Agencies Launches “30-Day Cybersecurity Sprint” Program). I guess it is a good approach to generate attention and fix the immediate issues. What I do not get is how they are able to address…
DetailsThe typical discussion when it comes to the public cloud is the location of the data. To me, the underlying question is the question about jurisdiction. Who is responsible (legally) if you need support or want to go after the criminals? ZDNet seems to look at it as a question from the past: If you…
DetailsWhen I was working at Microsoft I was sometimes asked, what keeps me up at night. The answer was (and still is) fairly clear: If an attacker would be able to infect a security update, he/she would be able to infect millions of PCs at once. Blackhat is always the time, when such nightmare scenarios…
DetailsIn my opinion, this is an interesting problem: We are very used to today’s asymmetric crypto algorithms, which all base on the problem that it is unbelievably hard to factor a very large number into primes. A hard mathematical problem and security of the Internet is based on it. Now, with quantum computing, this mathematical…
DetailsIf I would have to speculate, I would guess that security in the internet of things will keep appearing in my blog continuously in the future… Looking at the last few weeks, there are different vulnerabilities and incidents which took place showing that the “things” connected to the Internet are more vulnerable than we would…
DetailsThe Dutch TV broadcaster VPRO made a great video (about 50 minutes) about zero-days and security leaks for sales.
It raises really good social questions about the role of governments and citizens. Really worth looking at.
Roger
It is really scary to me: We get discussions again about backdoors in crypto-algorithms, export control for encryption etc. etc. The list is endless. When I started in security just before the change of the millennium, we already had these discussions and I thought that it was agreed that this is a bad thing. Backdoors…
DetailsManagers often do not understand the engineers – and engineers do not understand what drives a manager. A typical conflict, which gets worse when we enter the world of agile development methods. Control and processes lose importance, speed and therefore “gut feelings” need more focus. Günter Dück, former CTO of IBM Germany had a very…
DetailsIn IT security we talk about the limited impact perimeter security has since a long time. The firewalls do not play the roles anymore they used to as the business got too complex and the term “perimeter” has a completely different notion today. So we try to find new ways to defend: We focus more…
DetailsNow for something completely different: I guess that the link between business and security is one of the big challenges of today. How can we make security more relevant for the business or coming from the other side, how can we enable the business to understand, what we do in security? A few months ago,…
DetailsOne of the key challenges in the every day’s world of a CSO is reporting. How and especially what do we report to the board and how do we make it relevant to the people there? We all know that finance has a fairly clear and standardized reporting scheme as the subject matured over time…
Details