Tag Archives: Training skills

Dissonance is bad for business

In music, dissonance is a sound quality that seems “unstable” and has an aural “need” to “resolve” to a “stable” consonance.

Leading up to the Al Qaeda attack on the US on 9/11, the FBI investigated and the CIA analyzed, but no one bothered to discuss the significance of Saudis learning to fly but not to land airplanes.

Dissonance in organizations is often resolved by building separate silos of roles and responsibilities.

However, it is impossible to take wise decisions on risk management in the business when the risk intelligence is in separate silos.

Resolving dissonance in your business is key to getting actionable intelligence in order to reduce risk and improve compliance.

Why should I care? After all, for this we have security, risk and compliance specialists.

According to the Verizon Business Report, 285 million records were breached in 2008; 32% of the cases implicated business partners.

Information assurance of third parties that have access to your business assets is crucial for contract due diligence, complying with best practices, internal and external audit and regulation.

Due diligence of third parties that work with your business requires actionable intelligence.

Remember Madoff?

Actionable risk and compliance intelligence requires breaking down silos and recycling commonalities instead of fragmenting activities and duplicating resources.

Learn how to make that happen at our next online workshop on security management, coming this Thursday, October 29, 2009, at 10:00 Eastern, 14:00 GMT, 16:00 in Israel and Central Europe, 17:00 MT.

Go green by recycling policies and controls.

Don’t make any of the 10 data security mistakes

Register today for this free online workshop.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data. Data security is a war – when the attackers win, you lose. We will help you win more.

We help protect customer data and intellectual property from fraud and breaches of confidentiality. We’re always looking for interesting projects – call or text me at +972 54 447 1114 at any time.

Tell your friends and colleagues about us. Thanks!

Information security best practices workshops

Information Security Best Practices

Every Thursday at 14:00 GMT we host a best practice security workshop online for business professionals, vendors and consultants. There is a short high-quality presentation and we share knowledge gained in the trenches. It’s 20 minutes, it’s free and it’s always a lot of fun.

Register here; you will receive a confirmation email with a link to the webinar.


Research shows that software defects are a key factor in data theft

A recent article on Internet Evolution, written by Gideon Lenkey, quotes the SANS Institute: “application software is a major vulnerability for enterprises”. The root cause of application security vulnerabilities is bugs (usually design bugs but often implementation defects).

A research study performed in 2007 analyzed over 180 data theft events. The empirical data shows that software bugs accounted for over 55% of the vulnerabilities contributing to the events (see the Business Threat Modeling study), but 100% of the data theft events were carried out by people who were able to exploit application software vulnerabilities, usually in a rather simple-minded way. For example, by typing the account number of a banking customer into the query string of a home banking Web application, it was possible to discover information about other bank customers. All of the software security vulnerabilities were in the SANS Top 10.
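The home-banking flaw described above is a missing authorization check on an object identifier taken from the URL. The following is an added example, not code from the original post or from the study it cites: a vulnerable lookup handler beside a hardened one, with an audit trail so denied lookups are visible to operations. The account table, the `AUDIT_LOG` list, the `bank.example` URLs and every function name are constructed for this illustration.

```python
"""Added example (not from the original post): a query-string account
lookup with a missing ownership check, beside its hardened form.
All names, the in-memory account table and the sample requests are
constructed for this illustration."""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: account number -> (owner user id, balance).
ACCOUNTS = {
    "1001": ("alice", 2500.00),
    "1002": ("bob", 180.50),
    "1003": ("carol", 99999.00),
}

# Constructed audit trail: the hardened handler records every denial here.
AUDIT_LOG = []


def _account_from_query(url: str) -> Optional[str]:
    """Pull the 'account' parameter out of the request URL's query string."""
    params = parse_qs(urlparse(url).query)
    values = params.get("account")
    return values[0] if values else None


def vulnerable_lookup(url: str, session_user: str) -> dict:
    """Vulnerable: trusts the account number in the query string.

    The caller's identity (session_user) is never compared with the account
    owner, so any authenticated user can read any account by changing the
    number. This is the defect the study's example describes."""
    account = _account_from_query(url)
    if account not in ACCOUNTS:
        return {"status": 404, "error": "no such account"}
    owner, balance = ACCOUNTS[account]
    return {"status": 200, "account": account, "owner": owner, "balance": balance}


def hardened_lookup(url: str, session_user: str) -> dict:
    """Hardened: the account number in the URL is untrusted input.

    Access is granted only when the authenticated session owns the account.
    Everything else gets one uniform denial (so the reply does not reveal
    which account numbers exist) and an audit record, so repeated probing
    by one user is visible to operations."""
    account = _account_from_query(url)
    owner, balance = ACCOUNTS.get(account, (None, None))
    if owner is None or owner != session_user:
        AUDIT_LOG.append({"user": session_user, "account": account, "denied": True})
        return {"status": 403, "error": "access denied"}
    return {"status": 200, "account": account, "owner": owner, "balance": balance}


def count_denials_for(user: str) -> int:
    """Detection helper: number of denied account lookups a user generated.
    A burst of denials from one session is the signal to alert on."""
    return sum(1 for e in AUDIT_LOG if e["user"] == user and e["denied"])


if __name__ == "__main__":
    # Bob is logged in and requests a number that is not his own.
    probe = "https://bank.example/balance?account=1001"
    print("vulnerable:", vulnerable_lookup(probe, "bob"))   # alice's data is returned
    print("hardened:  ", hardened_lookup(probe, "bob"))     # 403 and an audit record
    print("own account:", hardened_lookup("https://bank.example/balance?account=1002", "bob"))
    print("denials by bob:", count_denials_for("bob"))
```

The fix is not input validation on the account number (it is a perfectly valid number) but an ownership check tied to the authenticated session; the uniform 403 and the audit record are what turn a silent leak into something a security team can detect.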

Less than 5% of the data theft events involved social engineering but almost all of the data theft events involved a trusted insider colluding with a malicious outsider.

The study considered why organizations don’t do more to improve their production software quality.

  • Users are conditioned to accept unreliable software on their desktop, and development managers are inclined to accept faulty software as a tradeoff for meeting a development schedule.
  • Executives, while committed to the quality of their own products and services, do not find security breaches sufficient reason to become security leaders with their enterprise systems because:
    1. They usually receive conflicting proposals for new information security initiatives with weak or missing financial justifications.
    2. The recommended security initiatives often disrupt the business. (“Top-down Security”, Alan Paller, SANS Institute)

The one vulnerability that is politically correct to mitigate is the trusted insider – employees and contractors. An advantage of working at the human level is that responsibility and action can be shared by IT with HR and contracts management. Ethical behavior for employees can be reinforced using cheap and simple methods such as a 1-2 page AUP (acceptable usage policy). The hinge factor for an AUP is monitoring and enforcement: when monitored and enforced, an AUP is a highly cost-effective security countermeasure against the vulnerabilities contributing to a data breach. More on acceptable usage policies in this article – Writing an Internet Acceptable Usage Policy
