Archive for September, 2008

What we’re reading, week of 9/29

Posted: September 29, 2008 in Highlights

From Network Security Blog…
Be compliant through security
Martin McKeay suggests that it is possible to be compliant and yet still insecure, and points us to an article from CSO Online that outlines the steps toward compliance through security.

From TaoSecurity…
Security vs IT at Computerworld
Richard Bejtlich discusses the sometimes contentious and sibling-like relationship that can exist between corporate security and IT departments. In the comments section, readers share their tales of conflict, and suggest solutions.

From Emergent Chaos…
Blaming the Victim, Yet Again
Mordaxus points us to a study that examines users’ habitual ignorance of the context of pop-up dialogue boxes. “My opinion is that this is blaming the victim. Users are presented with such a variety of elements that it’s hard to know what’s real and what’s not. Worse, there are so many worthless dialogs that pop up during normal operation that we’re all trained to play whack-a-mole with them.”

What we’re reading, week of 9/22

Posted: September 22, 2008 in Highlights

Security bloggers are all over the story of VP nominee Sarah Palin’s hacked email account this week. Some of the best coverage:

From Zero Day…
Attacker: Hacking Sarah Palin’s email was easy
Dancho Danchev describes, step-by-step, exactly how Palin’s email was hacked. The key point of interest here is that none of the steps taken by the infiltrator required any advanced technical knowledge.

Later, from Zero Day…
Webmail and traditional e-mail face different threats
Adam O’Donnell discusses the different threat models to consider when using web-hosted email versus desktop-based email. He argues that in order to decide which option is more secure, a user must also take into consideration reliability and the risk of data loss.

Still later, from Zero Day…
Webmail providers can fix Palin hack-style problems
Finally, what can providers do to avoid this? Adam O’Donnell calls upon webmail providers to implement additional software and more secure processes to manage the password reset process.

And from Errata Security…
How Sarah got her hack on
Robert Graham describes what can be done from a user perspective – and how high-profile, public persons need to employ a more thorough standard of personal IT security.

What we’re reading, week of 9/15

Posted: September 15, 2008 in Highlights

Last week, we pointed to a post from Andy, IT Guy, about the concept of “Failure of Investment” to measure security initiatives. As this idea has taken root and inspired some discussion among other bloggers, this week we’ll explore the reaction to Andy’s idea.

From Uncommon Sense Security…
FOI, Failure of Investment
Jack Daniel supports Andy’s FOI theory and offers some supporting evidence from his work with a variety of small to mid-sized companies.

From Security Provoked…
Failure-on-Investment a More Accurate Measure of Security?
Sara Peters, meanwhile, is a bit more skeptical. She argues that for some companies, stakeholders care about factors beyond the technical success or failure of a security investment – savings from meeting regulatory standards, for instance.

From Andy, IT Guy…
FOI in depth
Andy responds to the ongoing discussion and Sara’s challenges by reiterating that measures other than FOI are beside the point. Compliance is not its own reward, after all; it’s a means to an end – the end being actual protection of data. “Security for the sake of security is no security at all,” he says.

What we’re reading, week of 9/8

Posted: September 8, 2008 in Highlights

From 360 Degree Security…
No surprise – we have more Apple iPhone security flaws
Andrew Storms highlights what he calls “a fundamental design deficiency with the iPhone”: users’ ability to access iPhone functionality through the Emergency Call option, even when the phone is locked.

From Zero Day…
How to: Securing iPhone
Meanwhile, Ryan Naraine points us to a Wired how-to for implementing iPhone security best practices.

From Schneier on Security…
Security ROI
Bruce Schneier discusses the failings of ROI as a measurement in security, and instead suggests we evaluate security measures in terms of ALE (annualized loss expectancy). The problem with ALE, of course, is that it requires companies to analyze probability data that may never realistically be gathered – so its usefulness as a measure of ROI is theoretical at best.

From Andy, IT Guy…
Security ROI – The debate continues
Andy argues that there is only one meaningful way to analyze the cost/benefit of security, and that is “Failure of Investment,” or FOI. “When it comes to buying, implementing, or doing anything in regards to security the value of the investment is determined by success or failure. Not how much it cost vs. saved. Not how easy it is to deploy or manage. Not how much time it saves, etc…. The real measure is made when it protects or fails to protect.”