Category Archives: Auditing

BSIMM – Top Ten Surprises

May 26, 2009 – 6:00 am – In a prior column, I described the results of a survey conducted by Gary McGraw, Sammy Migues and Brian Chess published in the BSIMM (Build Security In Maturity Model) report available at http://bsi-mm.com/   Most of the results are intuitively obvious … after the fact, that is. But some…
By | Also posted in General, Security Metrics | Tagged , , , , , , , , | Comments (0)

Security and Audit – BFFLs? Maybe not, but…

November 21, 2008 – 6:00 am – …we may have lots of reasons to work together more closely. Maybe it is just the luck of the draw that at almost every employer for the last 15 years, I have been the one to manage our audit relationships, but I am certainly suspicious my good fortune is other than divinely inspired. …
By | Tagged , , , , , , | Comments (2)

Slashdot Post On Security Ethics Demonstrates Professional Naiveness

April 18, 2008 – 6:00 am – Over at Slashdot, an anonymous reader was quoted as follows (in entirety): “I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I…
By | Also posted in Compliance and Laws, CSO/CISO Perspectives, Cybercrime, Privacy, Risk Analysis | Tagged | Comments (4)

The Misleading Nature of Schneier’s Security Mindset

April 10, 2008 – 6:00 am – Recently Bruce Schneier wrote an essay on the Security Mindset. In it he wrote: Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They…
By | Also posted in CSO/CISO Perspectives, Risk Analysis, Security in Popular Culture | Tagged , , | Comments (6)

Reflections on Passwords: Cracking and Log Analysis

August 22, 2007 – 6:00 am – This post on Emergent Chaos caused me to reminisce a bit. Back in the day, one of my responsibilities was password auditing (cracking). Unlike many other password auditors, I was internal to the company, not an external auditor. I knew the people who’s passwords I was cracking. In addition,…
By | Tagged | Comments (0)