Any information security professional will tell you that security countermeasures are composed of people, processes and technology. The only problem is that good security depends on stable people, processes and technology. A stable organization undergoing rapid and violent change is an oxymoron. People countermeasures are a mix of security awareness training, background checks (at a …
A lot has been written about Google-aided automation of hacking. There is little I can add to this topic besides some personal and practical advice. If you’re running Joomla 1.5 you may have noticed queries of the sort “powered by joomla .domain_name_extension” in your Apache access.log file. It’s almost certain you’ll find a few of …
Quantity or quality - that is the question! There is a great deal of debate between the supporters of quantitative risk assessment and the supporters of qualitative risk assessment in the security and compliance business. The qualitative people say that since it is impossible to estimate risk as an absolute number such as “87 percent …
Just saw a post from a month ago by Jeremiah Grossman from White Hat Security on his blog, “PCI-DSS references the outdated OWASP Top Ten”. There are actually a number of more serious technical issues with PCI DSS 1.1 than using the OWASP Top 10 from 4 years ago. Note the definition of vulnerability management …
I was working on an article on a holistic approach to data leakage, fraud and revenue leakage today. Spent most of my Sunday reading and trying to summarize some of the work we’ve done with our telecom service provider customers in Israel and Poland. I came across a thread entitled What is the acceptable percentage …
One of the more difficult tasks in any fraud, revenue assurance, security or compliance risk assessment is classifying assets and tagging them with a financial value. Here are a few tips on asset classification and valuation. There are 5 fundamental types of assets: physical assets (like a building or a data center), digital assets (like …