Inside Social Engineering
Part 1 (of 4) – Understanding Threats
I come across a number of social engineering scenarios and typically find that people underestimate the process and overestimate the effectiveness of the results when using oversimplified methods. As you might expect, I have a perspective. And that perspective is based squarely on what exactly you are testing and the relationship of that test to some very fundamental security concepts that everyone accepts, but does not incorporate in the formation of security activities.
The Encryption Apocalypse
My theory on the distant intersection of evolutionary encryption with revolutionary advances in technology
In the first week of September this year the IEEE Spectrum published a news report titled, “Quantum Chip Helps Crack Code”, which highlighted that researchers at the University of Bristol, in England, report the first factoring using Shor’s algorithm on a quantum chip. In short, what they did was to successfully factor the number 15. This seemingly benign event, using a computer to do what any small child could accomplish in about as much time, masks a much, much larger development. If we don’t acknowledge this event, it has the potential to cast us back a millennium.
Risk Appetite
Counting security calories won’t help
Anyone who knows me or has subjected themselves to my writings knows I have some uneasiness with today’s role of risk. It’s not the process, but more how there is so much focus on risk as if it were a science, and it’s not. Not even close. Risk management is, of course, extraordinarily important to a security program, but I regularly see it being positioned as “the” security program, with all things stemming from risk measurements as if they were absolute. One of the things I hear a lot is “risk appetite”, and I’ve even used this phrase many, many times. But what is it?
Having to Opt-In Security
Cloud Security should be called Cloud Trust
In a blog post last week, a Google employee, “Marie”, commented that they will be allowing Google Docs to be searchable in google.com and other search engines in a few weeks. For the millions of people and groups using Google Docs as a platform for managing documents this may be disturbing, especially if they made the mistake of assuming their information was private. Nevertheless, Google has provided a “stop publishing” option so that your documents won’t get crawled.
Almost, But Not Quite There
Guidance of ISPs in dealing with Botnets
I’m not one to shoulder ISPs with the responsibility of policing the Internet. There are very good arguments for ensuring ISPs provide wide open, unfettered access to the Internet. This is analogous to buyer beware from the user’s perspective. However, ISPs are in a unique position to help sanitize the Internet of its obvious, undesirable dark side. This is not about perfectly cleaning the Internet, but one can’t deny that, as a community, they could potentially wipe out some of the most damaging threats, like botnets.
HITECH Privacy and Security
Part 2
In early August I wrote a short piece on the HITECH Act that is part of the American Recovery and Reinvestment Act (ARRA) of 2009. Granted, it was a bit tongue-in-cheek, so I wanted to write something that really boils the act down into salient points that will actually help people within the realm of information security.
Whitehat Gone Too Far
Some say it's ok, not sure I'm one of them
First of all... HEY! I’m back! Well, at least the one or two of you out there may have noticed I wasn’t writing for the last week or so. My previous web host was r-e-a-l-l-y slow, so I decided to switch… and it was actually more economical anyway. This one is a bit better. I think some of my performance issues are actually due to the code I use to generate this site. Anywho… nothing ventured, nothing gained. Through the transition the site was always up, but it was very complicated to keep content flowing, so I just took a break. Nevertheless, what’s up with all those CDs getting shipped out from whitehat MicroSolved out of Ohio?