Jon's Network » around the web girl

RSA Conference 2012

Jon — Mon, 05 Mar 2012 16:34:43 +0000

RSA 2012 was my first RSA. I used a vendor code to get an expo-only pass. I’ll be attending again since it’s a good chance to visit vendors, customers, prospects and online buddies in a short amount of time.

I had the chance to speak briefly to Richard Bejtlich, whose NSM principles we borrow from at our company when giving advice to customers. I recently revived my interest in metrics so I asked about metrics. He said to track two metrics: incidents per unit time and elapsed time to resolution per incident. An incident is whatever your organization thinks it is.

I was as a breakfast on Wednesday morning with a panel of about 8 CISOs from large corporations. Afterward I asked a couple of them which KPIs they use or have developed. I know the sample size is small, but it appears that they all develop their own indicators and don’t share with other CISOs or are in the process of developing them. The reason for this is no company wants anyone to see how much money they spend on security or risk they tolerate compared to their peers. Seems to me that they wouldn’t be giving their peers any advantage but perhaps there is a social stigma to sharing this stuff – like admitting you have herpes.

During the breakfast, a few of the CISOs also mentioned that security ROI is a waste of time and just to look at TCO. I’m of the opinion that you can’t avoid at least a gut ROI calculation. If you calculate the TCO, then decide it is worth purchasing, you just calculated the ROI right? My need to call it something else since it isn’t an investment per se. Paying for security is usually trying to avoid a probable loss. Like paying extra for a car with airbags

These same CISOs also said quantitative risk management is a waste of time and unnecessary. I don’t think you can escape at least a gut risk calculation and that the quantitative and qualitative are just different ends of a spectrum rather than binary options.

Find Files with No User or Group

Jon — Sat, 20 Aug 2011 23:21:30 +0000

This command can yield some interesting information:

find / -nouser -o -nogroup

Learned about it while playing with NeXpose today.

Mobile Security Webcast

Jon — Sat, 16 Jul 2011 05:29:14 +0000

Here is a recorded webcast by Daniel Miessler:

http://t.co/Zf5GhL8

Bank Robbery Analysis

Jon — Thu, 14 Jul 2011 06:31:08 +0000

Interesting article that applies the OSSTMM to a famous diamond heist.

http://www.isecom.org/Bank_Robbery_Analysis_OSSTMM3.pdf

Internet sales tax: Online retailers to start collecting sales taxes in California

Jon — Thu, 30 Jun 2011 23:24:23 +0000

Well, this just sucks.

http://www.latimes.com/business/la-fi-amazon-tax-20110630,0,4344787.story

$1 Billion That Nobody Wants

Jon — Thu, 30 Jun 2011 03:35:56 +0000

http://n.pr/ilLcLO

No one wants to use the dollar coins the government is minting and they are piling up in a warehouse. They keep minting them though because of congressional mandate.

Phone Marketing Blacklist

Jon — Tue, 28 Jun 2011 20:35:51 +0000

I have been getting calls at my work number from an 800 number where the caller is a recording. Usually it is at night or on the weekend so I just get a voice message of the recording. Today I picked up and out of habit hit ’3′ since that is delete on my voicemail service. The call transferred to the blacklist service where I received instructions on how to remove my number from their list. Just had to hit ’2′. I guess I got lucky.

DEF CON® 19 Hacking Conference

Jon — Thu, 09 Jun 2011 05:44:16 +0000

I think I will go this year.

https://www.defcon.org/html/defcon-19/dc-19-index.html

Why Zombies Love PCI Video

Jon — Thu, 09 Jun 2011 05:41:37 +0000

Josh Corman of the 451 Group. The gist is that compliance regulations are too static and set the bar too low to protect us against attackers. http://www.youtube.com/watch?v=JQEBYxp_vKs

Why to use the cloud

Jon — Tue, 07 Jun 2011 07:43:19 +0000

http://www.singlenameserver.com/1142/is-it-time-to-abandon-cloud-computing

According to this healthcare CIO, the chief benefit is saving you time. Don’t expect less downtime or cost.