tagged 
compliance, risk, security in Writing
compliance, risk, security in Writing Entries in risk (7)
Data, Data, Everywhere
Saturday, February 20, 2010 at 10:42PM Suppose your security system chooses 10,000 controls (vulnerability checks, scripts, signatures, etc -- pick your preferred terminology) that can be applied to some example asset (a server, executive laptop, or whatever). That number could be smaller or it could be larger depending on the system but let’s say that 10,000 is the count after filtering out those controls that don’t apply (e.g., there’s no Apache server on that Windows 7 laptop).
Now, suppose that each control returns 100 characters of evidence data. That means you have 1,000,000 characters of data for one full assessment of one system. You are going to store those data in Unicode format because our company is international and hence so are our evidence data. That turns our 1,000,000 characters into 2,000,000 bytes of data.
The original story was on the M2GRC blog: http://m2grc.com/2010/01/18/data-data-everywhere/
The full article can also be found here. :)
CIS Consensus Information Security Metrics - Converting Uncertainty into Risk
Sunday, January 31, 2010 at 3:19PM Full Disclosure
In my day job I am Solutions Architect for the McAfee Risk and Compliance Business Unit. Our products cover compliance management, risk management, IT security risk analysis, and a range of application and change control technologies.[3/2/2010 note: when I wrote this article I worked for McAfee. I do, however, no longer. :)]
In a former life I evaluated complex, multidimensional data sets using models and metrics - I was a scientist performing quantitative analysis of noisy data. The result is that I've spent many years and a lot of energy thinking about and using models, metrics, and measurement. That background gives me certain views, opinions, and expectations.
Now that you know where I'm coming from let's talk about risk, measurements, metrics, and uncertainty. ;)
tagged metrics, risk, security, vulnerability in Writing
metrics, risk, security, vulnerability in Writing Predatory Encryption and Risk Management
Saturday, December 19, 2009 at 10:09AM We learned some things this week about the US Predator drone program that has some people appalled and indignant - it is the kind of story that makes news.
A Predator drone is an unmanned aerial vehicle (UAV) used by the United States Air Force both for reconnaissance and for offensive operations. It seems that the video downlink from these drones has never been encrypted and it has been possible for those under surveillance to intercept and view the video feed.
This is the kind of news that makes great headlines. People read about it and slap their foreheads, proclaiming in a righteous voice, "What were they thinking? Head's should roll!" Stuff like that.
Here is an alternative viewpoint: this whole situation could just be a result of acceptable RISK MANAGEMENT practices.
tagged UAV, cryptography, military, news, risk in Writing, risk, risk management
UAV, cryptography, military, news, risk in Writing, risk, risk management Risk Is Better Than Uncertainty
Sunday, December 6, 2009 at 3:28PM The IT GRC field is in transition. Today we are dealing with UNCERTAINTY when we really, really want to be working with RISK because the management tools are so much better. However, there is a light at the end of the tunnel. The electronic medium that caused the situation should also help us solve the problem. We just need to keep collecting data, tracking the improvements produced through compliance, and creating new models and metrics.
tagged compliance, metrics, models, risk in philosophy, risk
compliance, metrics, models, risk in philosophy, risk Risk, Metrics, and Models
Saturday, November 28, 2009 at 2:17PM It is widely agreed that managing IT security risk requires security metrics. This seems to be where widespread agreement stops, however. If we are going to work through this phase of the maturing of IT security we must speak a common language derived from common conceptual frameworks.
Are Vulnerability Metrics and Risk Metrics Different?
Sunday, September 20, 2009 at 10:41AM The Common Vulnerability Scoring System (CVSS) was constructed as a Vulnerability Metric. However, there is no structural difference between CVSS and a generalized Risk Metric model. The types of information that go into both are the same and the behavior of CVSS is consistent with the model.
tagged metrics, philosophy, risk, vulnerability in metrics, philosophy, risk
metrics, philosophy, risk, vulnerability in metrics, philosophy, risk Risk? What Do You Mean?
Sunday, September 13, 2009 at 5:28PM The products that my employer develops are all about buzzwords like Vulnerability, Compliance, and Risk. You will find these words and phrases all over the computer security field along with others, like Buffer Overflow, Malware, PUPS (potentially unwanted programs, meaning, stuff you probably don't want but if someone called it Malware someone could get sued), Data Loss Prevention, Host Intrusion Prevention System, SPAM, and Antivirus. Most folks are only really aware of one, Antivirus, and may think it means all of the above. :)
tagged compliance, metrics, philosophy, risk, security, vulnerability in metrics, philosophy, risk
compliance, metrics, philosophy, risk, security, vulnerability in metrics, philosophy, risk