Entries Tagged as 'malware'
by Jay Heiser | August 13, 2012 | 2 Comments
Has anyone ever created a web-based application that wasn’t flaky and prone to data loss? Every time Facebook comes out with some new functionality, the entire service gets slower, and harder to use. I’m not sure that there could be a more efficient way to lose text as it is entered than by trying to [...]
Category: Applications Tags: client server, HTML5, malware, reliability, www
by Jay Heiser | April 19, 2012 | 1 Comment
I frequently see end user policies that contain the following two elements: (1) Passwords must be so complex that they cannot be guessed; (2) Passwords may not be written down. This is almost a model case of perfectly secure and perfectly unusable. I say almost, because the unfortunate fact of the matter is that strong passwords only [...]
Category: Policy security Tags: malware, password slurping, passwords, policy, slurping attack
by Jay Heiser | July 5, 2011 | 1 Comment
I get a never-ending stream of questions that usually amounts to something like “What control tasks do I need to do to be sure that this SaaS service we are going to use will be adequately secure?” Unfortunately, at this point in time, SaaS providers offer relatively little support for enterprise control over anything. Assuming that the [...]
Category: Applications, Cloud, IAM, IT Governance, risk management, security, Vendor Contracts Tags: backups, BCP/DR, Cloud, cloud security, continuity, disaster recovery, information security, malware, phishing, Trojan horse, vendor risk
by Jay Heiser | May 13, 2011 | Comments Off
How much mental anguish is the result of ignorant accounting grads working for Big 4s, struggling to find SOX-relevancy, totally oblivious to the huge amount of HCI research that has been done on the topic of passwords, so ignorant of the history of computer security that they don’t recognize they are demanding the use of pre-network, pre-malware controls that were developed by mathematicians who were completely ignoring human factors.
Category: risk management, security Tags: authentication, malware, passwords, security, Security-Summit-NA, slurping, sniffing attack, standards
by Jay Heiser | October 1, 2010 | Comments Off
Whatever the source of Stuxnet, it would be naïve not to expect that the knowledge that such a thing is possible and existent has already begun stimulating the minds of the politically-motivated malware makers.
Category: security Tags: critical infrastructure, history, malware, security, Stuxnet
by Jay Heiser | May 3, 2010 | 1 Comment
I was cleaning up some old notebooks (paper, not digital) this weekend, and found this diagram from a 1997 PowerPoint presentation (if you look carefully, you can see my ‘Excite’ starting page): Even before the generic term ‘firewall’ was consistently applied to network perimeter security devices (which happened after 1994), military researchers had [...]
Category: security Tags: firewall, history of infosec, infosec, malware, phishing, security
by Jay Heiser | March 19, 2010 | Comments Off
I’ve recently become aware of several incidents of client data being lost because their service provider administrators had managed to infect their administrative workstations with malware. If your service provider were to suffer an embarrassing failure like that, would they tell you? Before allowing an outsider to have privileged access to any of your systems, [...]
Category: risk management, security Tags: administrative privilege, administrator risks, infection, malware, notification, outsourcing, security, service provider risks
by Jay Heiser | January 27, 2010 | Comments Off
Google’s January 12 blog post about their apparently falling victim to a cyberattack of Chinese origin, a cyberonslaught which also targeted several dozen other commercial and defense corporations, has been thoroughly reported on, blogged, and discussed. There will undoubtedly be a lot of valuable lessons, if we ever learn what actually happened. Hopefully, this will increase the [...]
Category: Cloud security Tags: cybercrime, espionage, malware, mobile code, PDF, spyware, targeted attack, Trojan horse