Information security | Software Associates.

Debugging security

Posted in: Risk management, Risk mitigation|Tags: DLP, Information security, internal audit, Security engineering, security management|By: Danny Lieberman|February 8, 2012No Comments

There is an interesting analogy between between debugging software and debugging the security of your systems. As Brian W. Kernighan and Rob Pike wrote in “The Practice of Programming“ As personal choice, we tend not to use debuggers beyond getting a stack trace or the value of a variable or two. One reason is that it is …

Build your security portfolio on attack scenarios

Posted in: Information security|Tags: credit cards, health care, HIPAA, Information security, medical devices, PCI DSS 2.0|By: Danny Lieberman|January 21, 20121 Comment

In our experience, building a security portfolio on attack scenarios has 2 clear benefits; A robust, cost-effective security portfolio based on attack analysis results in robust compliance over time. Executives related well to the concepts of threat modeling / attack analysis. Competing, understanding the value of their assets, taking risks and protecting themselves from attackers …

Problems in current Electronic Health Record systems

Posted in: Compliance|Tags: EMR, health, health care, Healthy living, HIPAA, Information security|By: Danny Lieberman|December 7, 20111 Comment

Software Associates specializes in helping medical device and healthcare technology vendors achieve HIPAA compliance and improve the data and software security of their products in hospital and mobile environments. As I noted here and here, the security and compliance industry is no different from other industries in having fashion and trends. Two years ago, PHR (Personal …

Security sturm und drang – selling fear.

Posted in: Anti-Fraud, Compliance, Information security|Tags: cybersecurity, Information security|By: Danny Lieberman|November 29, 2011No Comments

Sturm und Drang is associated with literature or music aiming to frighten the audience or imbue them with extremes of emotion”. The Symantec Internet Security Threat Report is a good example of sturm und drung marketing endemic in the information security industry. Vendors like Symantec sell fear, not security products, when they report on “Rises on Data …

The effectiveness of access controls

Posted in: Information security|Tags: Data classification, data governance, data security, Information assurance, Information security, IT Governance, Microsoft, Sharepoint, Varonis|By: Danny Lieberman|March 11, 2010No Comments

With all due respect to Varonis and access controls in general (Just the area of Sharepoint is a fertile market for data security), the problem of internally-launched attacks is that they are all done by the “right” people and / or by software agents who have the “right” access rights. There are 3 general classes …

Risk in IT

Posted in: Compliance, Information security|Tags: Information security, IT Governance, Security leadership|By: Danny Lieberman|October 20, 2009No Comments

Dissonance between IT and security management. Mark Brewer wrote a thoughtful post on Risk in IT – I liked his use of the term “resilient organizations”, although I have been using the term “robust organizations”. The semantic difference between robustness and resilience may be related to the difference between IT and security management world-views. “Risk …

The physics of risk assessment

Posted in: Compliance, PCI DSS, Risk Assessment, Risk mitigation, Threat modeling|Tags: high school physics, Information security|By: Danny Lieberman|August 12, 20081 Comment

Quantity or quality - that is the question! There is a great deal of debate between the supporters of quantitative risk assessment and the supporters of qualitative risk assessment in the security and compliance business. The qualitative people say that since it is impossible to estimate risk as an absolute number such as “87 percent …

Archives