Category: Risk Assessment

  • US companies had no plan for the downturn?

    Alistair Milne, a professor at the City University of London’s Cass Business School deserves gets my nomination for Cassandra of the year award. I saw a report on BNET this morning that “1/3 of US companies had no plan for the downturn”. In Israel it’s more like 99% of companies and 100% of the government […]

  • The danger of losing your digital assets in a down market

    Any information security professional will tell you that security countermeasures are comprised of people, processes and technology.  The only problem is that good security depends on stable people, processes and technology. A stable organization undergoing rapid and violent change is an oxymoron. People countermeasures are a mix of security awareness training, background checks (at a […]

  • Business threat modeling

    These are dangerous times for a business. Every day brings another threat. The sub-prime crisis, the crash of world financial markets, the price of oil (going way up and now going down again), an impending crash of the US sub-prime credit card market (like how long can you charge 35% over the top interest rates?), […]

  • 7 tips to improve security in a tough economy

    Are you waiting for the next Gartner Security Report, making plans to evaluate some technology your CEO might not approve after she slashes your funding and maybe your job? As a security professional, you can blame hackers, buggy software and the economy – or you can do something different. “Life is what happens to you […]

  • To write secure code, you do have to think like an attacker

    A security checklist for a developer might make it look like writing secure code is kids stuff, but even kids think like attackers sometimes. Microsoft are doing some interesting work on SDL – Secure Development Lifecycle. I’m just not sure I agree with dumbing it all down to a checklist and letting developers work without […]

  • Automated hacking of Joomla Web sites

    A lot has been written about Google-aided automation of hacking. There is little I can add to this topic besides some personal and practical advice. If you’re running Joomla 1.5 you may have noticed queries of the sort  “powered by joomla .domain_name_extension” in your Apache access.log file. It’s almost certain you’ll find a few of […]

  • Operational risk is not a bad business decision

    I was looking at the CSI 2008 security survey recently and noticed that the top three loss categories are fraud (number 1), viruses (number 2) and data loss (number 3). I’m a little dubious about viruses landing up in the number 2 slot.  We haven’t even installed anti-virus software on our office workstations in the […]

  • The physics of risk assessment

    Quantity or quality –  that is the question! There is a great deal of debate between the supporters of quantitative risk assessment and the supporters of qualitative risk assessment in the security and compliance business. The qualitative people say that since it is impossible to estimate risk as an absolute number such as  “87 percent […]

  • How to classify assets in a risk assessment

    One of the more difficult tasks in any fraud, revenue assurance, security or compliance risk assessment is classifying assets and tagging them with a financial value.  Here are a few tips on asset classification and valuation. There are 5 fundamental types of assets: physical assets (like a building or a data center), digital assets (like […]

  • Risk Assessment is a threat to vendors

    I took a couple hours out from work today to pop over to Infosec 2008 in Airport CIty. I don’t normally go to these events unless I’m invited to speak – but it is a good networking opportunity and chance to reconnect with old friends and colleagues. Whenever I go somewhere – I’m always looking […]