Welcome to the SecAware blog
31 Jan 2010
* Not so, of course, it was purely a coincidence.
21 Jan 2010
I'm currently reviewing the second Committee Draft of ISO/IEC 27034-1 "Information technology — Security techniques — Application Security — Part 1: Overview and concepts" which lays out the basic concepts and principles for other parts of 27034 to elaborate upon.
Despite this overview section being around 78 pages in length, part 1 states explicitly that 27034 is not a software application development standard, an application project management standard, nor a software development cycle standard. Its purpose is to provide general guidance that will be supported, in turn, by more detailed methods and standards in those areas.
The standard explicitly takes a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. For instance, it defines application security not as the state of security of an application system but as "a process an organization can perform for applying controls and measurements to its applications in order to manage the risk of using them".
The draft standard draws on concepts such as auditing and certification of application systems, similar in style to the Common Criteria and similar schemes primarily used for government and military systems. It tends to emphasize deliberate threats arising from external adversaries over those from insiders and, perhaps more importantly in many situations, over accidental threats, and hence over the need for integrity and availability controls.
The standard is not projected to be released until 2012 - such is the glacially slow pace of ISO/IEC. The upside, though, is that the final product will - we hope - be well worth the wait.
17 Jan 2010
Just in case you missed the rather obvious signs of a 419 scam such as the rotten grammar and spelling and other inconsistencies, there's a completely unnecessary request for personal information to cap it all off.
HELP HAITI LONDON
13 Liverpool Road,
On Tuesday, a catastrophic earthquake struck near Port-au-Prince almost the whole of Haiti. The full extent of the damage is still being assessed, but the death toll -- already in the thousands -- is climbing fast.
This is the worst earthquake to hit the area in more than 200 years. Entire communities have been ripped apart and as many as 3 million people have been directly affected, including tens of thousands of American citizens who are in Haiti.
Haiti is racing to confront the enormous devastation -- and the OFA community can help.
Footage is pouring in of homes collapsing, Haitians carrying injured family members, and hospitals being overrun in what was already the poorest nation in the Western Hemisphere.
we have directed this means of contact individuals to respond with a swift, coordinated, and aggressive effort to save lives. Personnel from the United States and our partners in the international community are on the ground in damaged areas right now, working side by side with the Haitian people. They're providing food, water, and sanitation supplies, saving lives and helping Haitians,please your help is also needed
Despite the fact that we are experiencing tough financial times now we encourage those who can to reach out and help. It's in times like these that we must show the kind of compassion and humanity that has defined the best of our national character for generations.
PLEASE FOR NOW YOU CAN SEND YOUR DONATIONS BY WESTERN UNION TO OUR HELP HAITI LONDON CORDINATIOR ANN BROWN WITH THE BELOW INFORMATION,NO AMOUNT ITS TOO SMALL HELP AND GOD WILL BLESS YOU!!
send her all related information or call john on +447031842276
Please if you make any donation send us the following informations for reference .
1) Your full name:
5) Mobile / Telephone Number:
As this story continues to unfold, I hope you will continue to keep the people of Haiti in your thoughts and prayers, as well as the many Haitian-Americans who have done so much to enrich our country and who are worried about friends and loved ones in this time of need.
11 Jan 2010
So, less than 60% of organizations surveyed spend at least 1% of their 'security budget' (whatever that means) on 'awareness training' (whatever that means also). I can't say I'm surprised by that but I'd like to know more and check the original source for details.
"But respondents also expressed even greater concern over a perceived lack of proper security awareness training for users at endpoints. A whopping 43.4 percent of them said that less than 1 percent of their security budget was allocated to awareness training, and 55 percent said current investments in this area were inadequate.
"I think that's too bad it is that way, but consider that you could cut half of the losses simply by taking care of that problem," Richardson said.
Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well."
The GovTech report didn't include a link to the survey, merely a link to the CSI website. There's an obvious link to the survey on CSI's home page, but Houston, we have a problem: it seems the only way to obtain the survey is either to purchase membership of CSI, for over US$200, or to obtain a 'free preview' of the report, which requires me to enter a bunch of personal information.
If, as the GovTech article suggests, there really is a problem with security awareness, it seems rather ironic that the CSI report is not freely available to all without invading our privacy. The report sounds like it might be useful from an awareness perspective, but not at that price.
Similar surveys are freely available from many other organizations. Guess I can live without CSI's.
5 Jan 2010
From a non-US perspective, the very idea that privacy and security are "opposite sides of the same coin" seems a little weird. For most of the rest of the world, privacy has long been acknowledged as a subset of information security, being essentially the confidentiality of information about specific individuals. But, as host Julia Allen mentions in the podcast, the US is still shifting from the idea that it's perfectly OK to collect all sorts of personal information from people and use it as you wish.
One of the interesting approaches discussed in the podcast is that personal information needed purely for aggregation or statistical purposes should be collected and held only temporarily, then deleted as soon as possible. Personal information in server logs, for example, may be parsed out, analyzed and deleted by a regular process. While this would make post-hoc validation of the data difficult, this slight drawback is outweighed by the privacy advantages for those who supply their information.
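The aggregate-then-delete approach described above, as an added example that is not part of the original post or the CERT podcast. It assumes a web server access log in Common Log Format (the sample lines are constructed, using documentation address ranges) and treats the client IP address as the personal information: the IP is used only to compute per-hour request and unique-client counts, and the only copy of the raw log that is retained has the IP replaced with a placeholder.

```python
"""Aggregate-then-delete handling of personal data in web server logs.

Added example, not code from the original post or the CERT podcast.
Assumes Common Log Format and treats the client IP as personal data.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jan/2010:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [05/Jan/2010:10:15:07 +0000] "GET /about.html HTTP/1.1" 200 2048
198.51.100.7 - - [05/Jan/2010:10:16:30 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [05/Jan/2010:11:02:11 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [05/Jan/2010:11:02:15 +0000] "POST /login HTTP/1.1" 200 640
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def aggregate(lines):
    """Compute per-hour aggregates, then drop the identifiers.

    Returns {hour: {"requests": n, "unique_clients": n, "by_path": Counter}}.
    The set of IPs per hour exists only for the duration of this call; the
    returned structure contains counts, never addresses.
    """
    clients_per_hour = {}
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than guessing
        hour = rec["ts"].strftime("%Y-%m-%dT%H")
        bucket = stats.setdefault(hour, {"requests": 0, "by_path": Counter()})
        bucket["requests"] += 1
        bucket["by_path"][rec["path"]] += 1
        clients_per_hour.setdefault(hour, set()).add(rec["ip"])
    for hour, ips in clients_per_hour.items():
        stats[hour]["unique_clients"] = len(ips)
    # clients_per_hour is discarded on return; only the counts survive
    return stats


def scrub_line(line):
    """Replace the leading client IP of a CLF line with a placeholder.

    Used for the copy of the log that is kept after aggregation, so the
    retained record carries no personal identifier.
    """
    return re.sub(r'^\S+', '-', line, count=1)


def process(log_text):
    """Run one aggregation pass: return (stats, scrubbed_lines)."""
    lines = log_text.splitlines()
    stats = aggregate(lines)
    retained = [scrub_line(line) for line in lines]
    return stats, retained


if __name__ == "__main__":
    stats, retained = process(SAMPLE_LOG)
    for hour in sorted(stats):
        print(hour, stats[hour]["requests"], "requests,",
              stats[hour]["unique_clients"], "unique clients")
    print("\n".join(retained))
```

The trade-off the post mentions shows up directly: once the run finishes, the unique-client figures cannot be re-derived or audited against the scrubbed lines, because the addresses they were computed from no longer exist anywhere.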
The podcast is one of the excellent Security for business leaders series by CERT at Carnegie Mellon University. An impressive range of podcasts is available to download.