General Security

Jun 23rd, 2008

Avoiding controls which are “designed to fail”

One of the great problems and frustrations of working in security is when those darned users don’t follow the nice policies that people have spent so much time working on. But here’s the thing: security professionals actually indoctrinate users not to follow policies! How do they do this? Well, people like following patterns, and so […]

May 4th, 2008

Are we Secure yet? (Part 1)

One of the questions that an Information Security person dreads most is someone from the business asking “Are we secure?”. You can be torn between the urge to explain in detail why that question can’t be easily answered and the details of the controls in place and residual risks (and sending them to sleep) or […]

Apr 8th, 2008

Security Shorthand problems

I was thinking about a story I saw recently about the recent update to the British banking code. There’s a lot of discussion about Internet banking users potentially being liable for fraud if their PCs aren’t “secure”, as a result of this update. The code says “Keep your PC secure. Use up-to-date anti-virus and spyware […]

Apr 7th, 2008

Some More UK Data Loss

http://news.bbc.co.uk/1/hi/business/7334249.stm

This time HSBC have lost 370,000 sets of personal details from insurance customers. One thing that puzzles me in the reporting of this story is the statement that although the data on the disc was protected by a password, it had not been encrypted. How do you password-protect something without encrypting it?! […]

Mar 8th, 2008

Infosec Scotland

There’s a new portal over at www.infosec-scotland.com that’s been started up to provide information about upcoming security events in Scotland (and the wider UK). There’s a calendar of events available and some links to relevant sites. If you’ve got any events you’d like to get added to the calendar, just send an email over to […]

Mar 8th, 2008

February OWASP meeting

The February meeting of the Scottish OWASP chapter went pretty well on the 28th. We had Steve Moyle doing a presentation on Database security (slides can be found here). I picked up some interesting ideas from his presentation. Firstly, the idea that relational databases have a fundamental flaw when it comes to security, which […]

Oct 6th, 2007

Risk Assessed Password Policies – Account Lockout

The last piece of the puzzle when it comes to password policies is the account lockout. This is also another area where a tighter policy doesn’t necessarily lead to improved security. A lot of companies go for 3 incorrect attempts, and this does lead to a lot of lockouts on Monday mornings and consequently […]

Sep 27th, 2007

Risk Assessed Password Policies – Password Strength

The next stop in my trip through password policies and some of the mistakes that are made is password strength (length and complexity). It seems that for a lot of IT and IT Security people, there’s one inevitable truth about password strength, which is that you can’t have too strong passwords. Unfortunately, not true. Like any […]

Aug 22nd, 2007

Some great insight on thinking about security

TaoSecurity: Marcus Ranum Highlights from USENIX Class. There are some very good points here in TaoSecurity’s summary of a Marcus Ranum session at USENIX. I’ve not seen the original talk but the summary makes me wish I’d been there. The point on the perimeter being a complexity management tool is very well made in reference to […]