Entries Categorized as 'security'
by Jay Heiser | March 28, 2013 | Comments Off
We’ve riffed for years on the distinction between “Dr. No” and “Mr/Ms Yes”, but many enterprises continue to back the security professional into the awkward far corner of the Business Prevention Department. If the risk assessor is going to be blamed for security failures, then that person is always going to be motivated to make [...]
Category: Cloud, IT Governance, risk management, security Tags: risk assessment, risk management
by Jay Heiser | March 20, 2013 | 1 Comment
It would be the rare soul indeed, who, after spending hours or even days cleaning up from a hack, didn’t feel the strong red rage of revengeful urges. And how many PC owners or site managers, still recovering lost data, time, and pride, if presented an opportunity to strike back at their attacker, to make [...]
Category: Policy, risk management, security Tags: hack back, hackback, hacking, law, retaliation
by Jay Heiser | November 28, 2012 | 1 Comment
Anyone with a stake in the overall success of cloud computing should take a few minutes to read the recent NYT interview with Peter G. Neumann, a highly respected computer security researcher who, now entering his 9th decade, continues to do groundbreaking work on digital reliability. Commercial cloud computing creates new levels of urgency for [...]
Category: BCP/DR, Cloud, risk management, security Tags: complexity, Peter G. Neumann, security, security history
by Jay Heiser | August 10, 2012 | 2 Comments
The process in which the buyer asks a random list of questions that might have some minor relevance to some aspect of a provider’s security posture, and the potential provider pretends to answer them.
Category: Cloud, risk management, security Tags: cloud computing risk, cloud security standards, risk assessment, security
by Jay Heiser | August 8, 2012 | Comments Off
I was recently forced to change my password on a UK pension system, and my first 4 password offerings were unacceptable. I was baffled as to what part of the password didn’t meet the requirements. Today, I needed to log in and review a pay stub, had to reset my password, and the exact same thing [...]
Category: Cloud, security Tags: authentication, password complexity, password reuse, password slurping, passwords
by Jay Heiser | August 1, 2012 | 1 Comment
I spent a frustrating 5 minutes this weekend enduring a forced password change on a retirement account containing $400. I was sure that the randomly generated and completely unmemorizable string my password utility came up with exceeded 7 characters, contained upper and lower case letters, at least 1 number, and a special character. It finally [...]
Category: security Tags: authentication, Dropbox, hacking, password slurping, passwords, SaaS security, security
by Jay Heiser | July 4, 2012 | 3 Comments
I managed to miss the excitement of yet another weather-related disaster by being in Japan during the derecho incident that knocked out power to approximately 3 million customers, including my parents in Ohio and our house in Virginia, 400 miles away. Another disaster that I just missed took place here in Japan, a major [...]
Category: Cloud, risk management, security Tags: data loss, failure, quality, resilience, software, upgrades
by Jay Heiser | April 26, 2012 | Comments Off
When you buy SaaS, you get what is written on the box. Well, you get what is written on the virtual box. That text may consist of page after page of dense legalese that puts a higher level of emphasis on what you do NOT get than what you DO get. Consumer-oriented agreements often amount [...]
Category: Cloud, IT Governance, Policy, risk management, security, Vendor Contracts Tags: Cloud, contracts, lawyers, legalese, SaaS, SLA, SLAs
by Jay Heiser | April 19, 2012 | 1 Comment
I frequently see end user policies that contain the following two elements: passwords must be so complex that they cannot be guessed; passwords may not be written down. This is almost a model case of perfectly secure and perfectly unusable. I say almost, because the unfortunate fact of the matter is that strong passwords only [...]
Category: Policy, security Tags: malware, password slurping, passwords, policy, slurping attack
by Jay Heiser | March 20, 2012 | Comments Off
It is not an exaggeration to say that virtually all IT security specialists owe the late Hal Tipton a debt of gratitude for helping set the stage for their careers.
Category: security Tags: Hal Tipton, ISC(2), ISSA