Roger Halbheer on Security
You might have seen that I changed the design of my blog – I did this each time I changed job. So it is time to do it again….
If you see anything which does not work, please let me know: webmaster@halbheer.ch
Thank you
Roger
When you do risk management, one of the key questions is always, how a possible incident impacts the trust and then the customer base. Do you really lose customers when incidents happen? Well, the VW group learns this the hard way currently but how does online trust really impact the business? Ponemon published an interesting…
DetailsI had to smile, when I read that: My Government Doesn’t Understand How Encryption and Cyber Security Work. I hate to say it but “I told you so” (Thoughts on Responsible Disclosure and Wasenaar) – but why shall they. Government elites and politicians are typically lawyers or have a degree in business administration. And then…
DetailsOutsourcing IT Security : A Recipe for Success or Disaster?
Good question but looking at the resources companies can (and want to) invest in security, most probably a recipe for success
One thing I was always worried about when we talked about biometry: What do you do if the database which stores your credentials gets compromised? Well, it happened: Stolen OPM Fingerprints: What’s the Risk? I am not aware of any successful and active attack so far as I guess nobody tried to replay the…
DetailsWhen I look at the recent events and data exfiltration cases, it really looks like we are at the losing end of a battle. It seems to be fairly simple to compromise a network and exfiltrate data nowadays. Now you may claim that you deployed all kinds of cool technology like hardened clients, data loss…
DetailsIt seems that the whole Ashley Madison case is used in a lot of areas as a learning exercise. We all were surprised (at least I hope) that people were stupid enough to use their business mail addresses to register – well, you cannot use your private one, can you? We – once again –…
DetailsIn the two years as a Chief Security Officer at Swisscom, I had the privilege to work with a really outstanding team to prove what I said since years: Security has to be a business enabler – even in one of the most critical infrastructures of a country. Together we removed the dust from the…
DetailsThis seems to be a discussion since I am in security – and this is quite a while. How and when shall vulnerabilities be disclosed? Shall be paid? Is it legal or illegal? Etc. I try to put a few experiences and thoughts “on paper” here. Before we go into details a disclosure: This is…
DetailsIs there still somebody saying that the police is not innovative? Clever idea (if you know the MAC address of your stolen phone): Police develop MAC-sniffing software to track stolen devices Roger Related articles US policeman goes war-driving to find stolen kit by MAC address (go.theregister.com) Cops Wardriving To Find MACs Of Stolen Gear (packetstormsecurity.com)…
DetailsAs criminals get access to better technology and as the underground markets get more active, it is not surprising that targeted attacks become more mainstream. This is something we have seen over the last 6-8 months as well as extortion threats grew in parallel. There is another trend I see talking to other organizations: Midsize…
DetailsJust read this post by Martijn Grooten ‘Why I fell victim to a LinkedIn scam – and why I would do so again tomorrow’. It is basically about when you accept connection requests on LinkedIn, Xing, Facebook etc. I agree with Martjin that I treat stuff I write on these platforms as public but still,…
DetailsIn my last blog post I claimed that I have not seen a good security metrics system working so far and asked whether it is a failure. On different channels I got some reactions, which I would like to share here. One claim is that – as risk management is at the heart of security…
DetailsMeasuring security is a problem – and not something new. When I look at what we did at Swisscom, we are severely challenged in this area. A lot of companies measure things like incidents etc., metrics which are a complete failure in my opinion. Let’s look at the incident metric for a second. You could…
DetailsThere is a jewel in a security professional’s toolbox, which – in my opinion – is highly underused. At least this is true in infrastructures I know. Since years, Microsoft offers a free tool called EMET (Enhanced Mitigation Experience Toolkit). EMET helps you to leverage the security technology built into Windows. To quote the above…
DetailsThe insider threat is a real threat – nothing new here, this is something we know since quite a long time. Protecting data against misuse by insider (accidentally or criminal) is a key challenge for security organizations as you have to protect data against abuse by people who need to have access to the same…
DetailsThis was interesting to me: I am used to receive these scam mails, promising me millions of dollars. Nothing new there and if I would have gotten rich if I just got 1% of the promised sums across all these years. Now, this week I actually got a letter, real paper with interesting content –…
DetailsI am guilty as charged: There was a time, where I was convinced that companies will never ever outsource their security functions. It seems that I was wrong. It even seems that for some companies the country, where the service is really delivered starts to get less relevant as long as quality fits. And the…
DetailsI am a fan of simple and easy to read policies. I do not think that policies consisting of several thousand documents to any good nor will they be followed.
In this context I found a noteworthy blog post: 5 Tips on Writing Security Policies
Roger
