Category: Internal security

  • Ethics and data loss prevention

    Are we loving  the attackers and prosecuting the victims? In data security – I don’t subscribe to utilitarian ethics (which attempts to balance the benefit versus the damage of an act) and can lead to the ends justifying the means. For data security and compliance – I personally implement the “Ten commandments” approach – if […]

  • Imperfect knowledge security

    Keeping the organization robust in a highly dynamic threat environment Our capacity to predict will be confined to . . . general characteristics of the events to be expected and not include the capacity for predicting particular individual events. . .Yet the danger of which I want to warn is precisely the belief that in […]

  • Scientific New York Post

    I recently saw a great piece of pseudo-science courtesy of Websense describing  the cost of data loss and amazing ROI for the Websense Data Security solution. (a friend who studied physics with me used to call this sort of writing “Scientific New York Post”)  See  Websense white paper ROI of DLP Bruce Schneier correctly notes […]

  • Designing a data security system

    User-Driven Design versus User-Centered design Alan Cooper, in his book The Inmates are Running the Asylum, draws a distinction between user-centered design and user-driven design. User-driven design is about collecting, prioritizing and implementing a system to the user requirements – we’ve all been seen software development projects where the requirements spiraled out of control and […]

  • The role of user accountability and training in data security

    In this article I will show that DLP technology such as Fidelis XPS, Mcafee DLP, Verdasys Digital Guardian, Websense Data Security Suite and Symantec Data Loss Prevention 9 – is a necessary but not sufficient condition for effective data security. I submit that effective data security is a three-legged stool of: Monitoring – using DLP […]

  • Turning the tables on data theft

    The State of Virginia is offering a very substantial reward for information that leads to the arrest of a malicious attacker who stole 8 million data records. Tell your friends and colleagues about us. Thanks!Share this Follow

  • Entrapment – a solution for insider threats?

    Not sweet, not a solution and not for insider threats.  Roger Grimes on Infoworld is trying to promote the idea that entrapment tactics with a honeypot can be a cheap, easy, and effective warning system against the trusted insider gone bad. Of course, I don’t blame Roger for trying to game the search engines with […]

  • Imperfect knowledge security

    A few months ago I wrote about The Black Swan of Security – how major data loss events have 3 common characteristics – 1) A major data loss event appears as a complete surprise to the company . 2) Data loss has a major impact to the point of maiming or destroying the institution (note […]

  • Open Access publishing

    The GM of a prospect recently asked me how to control disclosure of internal research documents prior to publication.  It had come as a revelation to him that anyone can post on a blog without permission from a central secretariat.  I asked him how they control face-to-face information exchange with colleagues or competitors outside the […]

  • Data security case study

    A lot of companies do V/A (vulnerability assessments) with scanners like Beyond Security or Nessus.  We took a hybrid approach for an internal security assessment using a Fidelis Security Systems network DLP appliance for detecting data loss vulnerabilities and structured human interviews to identify assets and analyze business threats such as competitors who might steal […]