February 2010

CUISPA 2010 - Top Threats Forum Slides

The following slide deck was presented during the CUISPA 2010 security conference. The talk included a broad overview of information security trends for this year, both from the perspective of threats as well as regulation. This session included significant audience participation, especially around e-mail archiving and eDiscovery.

CUISPA 2010 - Virtualization Workshop Slides

This is the slide deck that I used for the virtualization workshop. The actual discussion was much more open-ended in terms of audience participation. The slides are good references for a few of the things that were talked about. Other topics included the benefits of virtualizing a 'one-off', where the ratio is one hypervisor to one guest. We also went over the order in which to virtualize systems, both from a production support and a security standpoint.

Social Media Privacy

I shared the following text with my organization recently for security awareness purposes. I thought it was worth posting as well.

There's a fairly new website called Foursquare. It is a free site that allows people to publish their physical location via Twitter. The idea is that you can tell the world you are at the movies and perhaps catch up with friends who are also in the area. Do you see where this is going yet?

Economic Incentives and Security

As I write this, there is a massive recall and public outcry against Toyota for a faulty accelerator that could cause unintended acceleration. This presents a risk of accident or death in a number of cases and has been taken very seriously by the government, public, and media. My first reaction was this: they should put their CIO/CISO in charge of the recall because they deal with ‘recalls’ multiple times a week in the form of vulnerable software.

Are software vulnerabilities any less risky than a faulty accelerator? Does software not control every major facet of our critical infrastructure, transportation, finances, and personal health and well-being? Imagine the highway was filled with cars that have the same number of ‘severity 5’ defects that our software and applications have. How safe would you feel driving home? Would you be willing to take your car in monthly on “Recall Tuesday” to have it fixed?

If we have established that software defects and vulnerabilities (which could be misconfigurations, programming errors, and the like) are critical to our well-being and economic viability, why do we continue to make choices to purchase new software and develop new applications that are not secured to the level of risk we wish to accept? It seems that we would want to consider security and reliability as cornerstones of our decision-making process, yet we rarely do.

My personal conclusion to that question is because we have the economics wrong. The risk reduction incentives of safer software aren’t aligned with the business decisions when choices are being made. This includes choice of what vendor to work with, what software to purchase, how to develop your own application, how to configure your server, and all of the other factors that contribute to our technical vulnerabilities.

It doesn’t have to be this way. There are models that have been effective in realigning choice and incentives to achieve a goal. Let’s take one specific example as a case study in redefining the incentives to realize a desired outcome.