Keeping up with the latest threats and vulnerabilities is a daunting task for security professionals. There are many excellent resources for both threats (for example, Symantec DeepSight data feeds) and vulnerabilities (DHS National Cyber Security Division/US-CERT). But it still takes skilled human effort to work out which assets in an organization are affected by a given threat, and to interpret the vulnerability information to judge how likely that threat is to harm the business, given the controls already in place. As I’ve discussed …
Healthcare sector investments in information security make good business sense
While companies in the healthcare sector focus on HITECH Act compliance and meaningful use, and healthcare reform dominates the headlines, it is worthwhile to consider some of the business reasons for investing in a strong information security program. Modernization of the healthcare payments system is one big area where the potential for cost savings is dramatic. Both providers and health plans stand to benefit. For health plans the benefits include easier reconciliation of payments and remittances as well as better …
More Cyber Criminal Activity
This morning the Washington Post once again reported a widespread and ongoing set of attacks sponsored by a cybercriminal organization based in Eastern Europe. Amit Yoran of Netwitness was quoted as saying, “The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats. The things that we — industry — have been doing for the past 20 years are ineffective with attacks like this. That’s the story.” I have …
IT Risk Management
In my last few posts I mentioned using risk management as an effective mechanism for combating cyber crime. A number of readers from the LinkedIn Information Security Group asked about recommendations for improving their risk management processes: “In my corporation risk management is mostly controlled by finance. We can’t seem to get a discussion of IT risk, particularly cyber crime, on the executive staff agenda. Do you have any ideas to improve our situation?” “We invested in the COSO framework …
Advanced persistent threats – how organizations can keep pace with the growing sophistication of cyber crime
Threats posed by cyber crime have increased dramatically in the past year. Yesterday the Washington Post reported that Google has enlisted the help of the NSA to combat cyber crime attacks directed at it and other U.S. corporations. While this is sure to raise privacy concerns in the user community, it is more importantly a visible indicator that cooperation is one of the most important factors in combating cyber crime. In fact, in the last 6-12 months there has been …
Dealing with cyber crime
CSO magazine recently released the 2010 Cyber Security Watch survey of over 500 respondents from both the public and private sectors. In reading through the answers I was not surprised to find several results that give cause for alarm. Of course it’s always difficult to draw conclusions from survey results, and I am not attempting a rigorous analysis of the survey data here. Rather, it’s simply a vehicle for discussing a significant shift …
Network Security Data Considerations
Earlier this month Google discussed the nature of the cyber attacks it has been facing from China. The targets included not only politically motivated email accounts, but also the corporate infrastructure itself, resulting in theft of intellectual property. During its investigations, Google also found evidence of ongoing attacks on major U.S. corporations including Dow Chemical, Goldman Sachs, and Juniper Networks, with intellectual property as the target. One outcome of this chain of events for any enterprise organization should …
ROI, NPV and a few other words about predicting the financial performance of information security projects
Over the course of many years in the information security profession, I have heard claims that the return on investment associated with security projects cannot be calculated. Most often the perspective is that security is a cost center and should be treated as such. I do not share that opinion. The following discussion summarizes Redspin’s work with one of its healthcare customers to calculate return on investment (ROI) and net present value (NPV) in order to justify and manage an …