Are you waiting for the next Gartner Security Report, making plans to evaluate some technology your CEO might not approve after she slashes your funding and maybe your job? As a security professional, you can blame hackers, buggy software and the economy – or you can do something different. “Life is what happens to you …
A security checklist for a developer might make it look like writing secure code is kids' stuff, but even kids think like attackers sometimes. Microsoft are doing some interesting work on SDL – Secure Development Lifecycle. I’m just not sure I agree with dumbing it all down to a checklist and letting developers work without …
A lot has been written about Google-aided automation of hacking. There is little I can add to this topic besides some personal and practical advice. If you’re running Joomla 1.5 you may have noticed queries of the sort “powered by joomla .domain_name_extension” in your Apache access.log file. It’s almost certain you’ll find a few of …
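The access.log observation above, as an added example that is not part of the original post: a small Python scanner over Apache combined-format log lines that pulls the search query out of search-engine referers and flags the ones carrying dork markers such as "powered by joomla" or inurl:. The log lines, IP addresses, paths and the marker list are constructed for this example; a real deployment would tune the markers to its own platform and treat a flagged referer as a reason to look at what that IP did next, not as an attack by itself.

```python
"""
Added example (not from the original blog post): flag requests that arrive
from search-engine result pages whose query looks like a hacking "dork".

All log lines below are constructed for this example.
"""
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed lists for this example; extend to taste.
SEARCH_HOSTS = ("google.", "bing.com", "yahoo.com")
DORK_MARKERS = ("powered by joomla", "inurl:", "intitle:", "intext:", "filetype:")


def search_query(referer):
    """Return the lower-cased search query if the referer is a search-engine
    result page, otherwise None. "-" is Apache's placeholder for no referer."""
    if not referer or referer == "-":
        return None
    u = urlparse(referer)
    host = u.netloc.lower()
    if not any(h in host for h in SEARCH_HOSTS):
        return None
    qs = parse_qs(u.query)  # decodes %XX and '+' for us
    for key in ("q", "p", "query"):  # google/bing use q, yahoo uses p
        if key in qs:
            return qs[key][0].lower()
    return None


def is_dork(query):
    """True when the query contains one of the dork markers."""
    return query is not None and any(m in query for m in DORK_MARKERS)


def find_dork_hits(lines):
    """Parse each log line and return (ip, path, query) for dork-driven requests.
    Lines that do not match the combined format are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        q = search_query(m.group("referer"))
        if is_dork(q):
            hits.append((m.group("ip"), m.group("path"), q))
    return hits


def hits_by_ip(hits):
    """Count flagged requests per source IP, so repeat scanners stand out."""
    counts = {}
    for ip, _path, _q in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log: two dork-driven requests, one normal visitor, one
# request with no referer.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2008:10:14:02 +0200] "GET /index.php?option=com_content HTTP/1.1" 200 5123 '
    '"http://www.google.com/search?q=%22powered+by+joomla%22+.co.il" "Mozilla/5.0"',
    '198.51.100.23 - - [12/May/2008:10:15:40 +0200] "GET /about HTTP/1.1" 200 2210 '
    '"http://www.google.com/search?q=software+security+blog" "Mozilla/5.0"',
    '192.0.2.9 - - [12/May/2008:10:16:11 +0200] "GET /administrator/ HTTP/1.1" 200 1800 '
    '"http://www.google.co.uk/search?hl=en&q=inurl%3Aadministrator+%22joomla+1.5%22" "Mozilla/5.0"',
    '192.0.2.9 - - [12/May/2008:10:16:12 +0200] "GET /components/ HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_dork_hits(SAMPLE_LOG)
    for ip, path, q in hits:
        print(f"{ip} requested {path} via search query: {q!r}")
    print(hits_by_ip(hits))
```

Running it against the sample flags the first and third requests (the "powered by joomla" query and the inurl: query) and ignores the ordinary visitor and the referer-less 404. On a real server you would feed it the access.log lines and then pivot on the flagged IPs to see what else they requested.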
I was looking at the CSI 2008 security survey recently and noticed that the top three loss categories are fraud (number 1), viruses (number 2) and data loss (number 3). I’m a little dubious about viruses landing up in the number 2 slot. We haven’t even installed anti-virus software on our office workstations in the …
Quantity or quality – that is the question! There is a great deal of debate between the supporters of quantitative risk assessment and the supporters of qualitative risk assessment in the security and compliance business. The qualitative people say that since it is impossible to estimate risk as an absolute number such as “87 percent …
One of the more difficult tasks in any fraud, revenue assurance, security or compliance risk assessment is classifying assets and tagging them with a financial value. Here are a few tips on asset classification and valuation. There are 5 fundamental types of assets: physical assets (like a building or a data center), digital assets (like …
I took a couple of hours out from work today to pop over to Infosec 2008 in Airport City. I don’t normally go to these events unless I’m invited to speak – but it is a good networking opportunity and a chance to reconnect with old friends and colleagues. Whenever I go somewhere – I’m always looking …