Wednesday, January 20, 2010
Coping With IE Until 'Aurora' Fix
DarkReading suggests 7 steps to protect your organization from 'Aurora' style attacks on Internet Explorer until Microsoft releases a patch. To review, versions of IE from 6 and up are vulnerable and were exploited to obtain proprietary information in a targeted attack on Google. The actual attack was on IE 6, although versions subsequent are also believed to be vulnerable. Microsoft is scheduled to release a patch tomorrow, January 21st. That's probably faster than you can switch your users to Firefox.
Saturday, January 16, 2010
How Hackers Are Taking Advantage Of The Haitian Earthquake
SecurityOrb has a good review of the ways in which the bad guys are taking advantage of the situation in Haiti. It's worth a read, especially as a warning to unaware acquaintances who might be duped.
How Can A Security Professional Help In Haiti?
I trust we all have the same feeling of hopelessness when we pause to think about the situation in Haiti. We can help though.
1) Cash. If you are an employed security professional, you probably have some of this. Send it to your relief organization of choice yesterday. I like Mercy Corps.
2) Technical Expertise. There are a few groups trying to volunteer technical expertise in support of restoring the communication infrastructure. Crisis Commons looks interesting, and there are others.
3) Prayer. 'Nuff said.
1) Cash. If you are an employed security professional, you probably have some of this. Send it to your relief organization of choice yesterday. I like Mercy Corps.
2) Technical Expertise. There are a few groups trying to volunteer technical expertise in support of restoring the communication infrastructure. Crisis Commons looks interesting, and there are others.
3) Prayer. 'Nuff said.
Book Review - "Security Metrics"
I'm just about done with Andrew Jaquith's book, "Security Metrics: Replacing Fear, Uncertainty, and Doubt". Measuring the success of an infosec program is a challenge in any organization. Specific tools (AV, etc) might come with their own metrics packages, but often times don't get to the heart of a measurement that management can identify with. Jacquith does a really nice job of divide-and-conquer in this book. For each area of a security program, he asks 'What problem are we really trying to solve?" and then proceeds to drill down to the data that actually measures progress against that problem. There are myriad examples of specific things to measure and even some suggestions for how to get at the data points. The last couple chapters get away from specific areas of measurement and focus on statistical analysis and presentation. If you're struggling to demonstrate to management (or yourself) that your security program is making progress, then this book should be on your desk.
Subscribe to:
Posts (Atom)