Since at least a couple people find these posts helpful and/or interesting (thanks Zach and Kees), they will continue.
Dean De Beer posts about the increasing complexity of scams our users are seeing. One wonders how long until it will be virtually impossible for the average user to determine if an email is legitimate or not.
Andy Willingham has penned a missive that discusses something every information security professional has to come to terms with at one time or another. He calls it audit-driven programs.
Our last entry today comes from Alex Hutton. He posits that under certain circumstances checklists are not for dummies, but they sure are dumb. As he says, checklists have their place, but are completely inadequate and often misleading when used for some purposes.
Have a great day.
Kevin
Technorati Tags: scams, complexity, audit, security program, checklists
Monday thru Friday, when not on vacation or traveling or such, I post my Interesting Information Security Bits posts. I have two questions regarding these posts:
1) Are they of value to you or are they just noise?
2) If they are of value, are my comments helpful or would you just as soon just get the links?
I would much appreciate everybody's feedback. Leave it in the comments.
Kevin
Good afternoon everyone or at least those who share my timezone. We have a good bunch of interesting things to look at that were posted over the weekend. So here we go!
Mike Rothman posted some thoughts on the rapidly evolving Managed Security Services space. He likens it to the process banking went through. It's an interesting read.
Jennifer Jabbusch shares a really good analogy with us regarding Logging, Correlation and IT Search. Very helpful for those times when you are trying to get across an inherently technical topic to a group of non-technical people.
Via Xavier at /dev/random, a free and nifty-looking tool.
HijackThis™ is a free utility which quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan.
Security4all points us towards a video that gives us an introduction to XSS using WebGoat. The video is hosted at securitydistro.com.
By way of John M Willis, a pointer to an article on Network World, 20 great Windows open source projects you should get to know.
Richard Bejtlich shares his experience attending an Edward Tufte class on Presenting Data and Information. I have not read Edward's stuff, but it is on my list to check out.
Jeff Lowder has an article up on BlogInfoSec.com about Agility and Risk Compensation. He has some interesting points about perceived risk and the actions that people take in light of their understanding of risk as it pertains to agility in business. He also points to a good article on Wikipedia about Risk Compensation Theory. Both are worth a gander.
Well that's it for now.
Have a good day.
Kevin
Technorati Tags: mss, logging, correlation, search, hijackthis, xss, webgoat, open source, powerpoint, presentation, risk compensation
by kriggins on June 6, 2008
in General
So, I just got back from our vacation, and while I noticed many occasions where security was definitely not priority one, the most egregious was in pretty much every place we stayed. Most of the places we stayed have a policy where you return your room key to the front desk whenever you leave the hotel.
The epic fail comes in when we would return to the hotel from gallivanting about in exotic locations.
You walk up to the desk and say your room number, and the helpful individual there hands you your key and off you go. No identity verification of any kind. Oops.
Now, if it is a small hotel with limited staff, the argument can be made that they recognize you and no further controls need to exist. Not really buying it, but there it is. The real problem I noticed was in the last hotel we stayed at. Pretty much every day there was someone new behind the counter, and over the course of four days I was asked for my name exactly once! To give credit to that individual, she even checked the register to ensure that I was the one staying in the room I asked for.
Second problem, the keys were located in plain view. This means it was easy to see which rooms were empty, i.e. key present, and which weren't, i.e. key gone.
So what's my point? I have an observation and a question.
1) Don't leave stuff you want to keep in your hotel room, even if the hotel says it's safe, unless you can secure it somehow.
2) When you see things like this do you/should you bring it to the attention of those responsible?
-Kevin
by kriggins on June 2, 2008
in General
Howdy folks.
I am back from vacation. Unfortunately, that means there are quite a few items in the old inbox to be read, RSS feeds to catch up on, messenger pigeons to respond to, etc...
I plan to start back up with Interesting Information Security Bits posts tomorrow or Wednesday at the latest, however I will not be posting a backlog from my time away.
Have a great day.
Kevin