Comments for Art of Information Security

Comment on AoIS Interviews Lee Kushner, Part 2 by Art of Information Security » AoIS Interviews Lee Kushner, Part 1

Art of Information Security » AoIS Interviews Lee Kushner, Part 1 — Tue, 12 May 2009 03:27:39 +0000

[...] Stay Tuned for Part 2 (link) [...]

Comment on AoIS Interviews Lee Kushner, Part 1 by Art of Information Security » AoIS Interviews Lee Kushner, Part 2

Art of Information Security » AoIS Interviews Lee Kushner, Part 2 — Tue, 12 May 2009 03:26:30 +0000

[...] the final part of our interview series with Lee Kushner (part 1), Information Security recruiter and career coach, we will jump right in with a discussion of [...]

Comment on AoIS Interviews Heather Deem, Part 1 by Art of Information Security » AoIS Interviews Heather Deem, Part 2

Art of Information Security » AoIS Interviews Heather Deem, Part 2 — Tue, 12 May 2009 03:00:44 +0000

[...] of Information Security’s interview with seasoned Information Security marketer Heather Deem (part 1 link). In the first part Heather discussed the importance of having reasonable time and resource [...]

Comment on AoIS Interviews Lee Kushner, Part 2 by Interesting Information Security Bits for 05/11/2009 | Infosec Ramblings

Interesting Information Security Bits for 05/11/2009 | Infosec Ramblings — Mon, 11 May 2009 20:32:25 +0000

[...] Lee and Mike Murray’s career talk and the ensuing question period at Defcon 15. Good stuff. Art of Information Security >> AoIS Interviews Lee Kushner, Part 2 Tags: ( career [...]

Comment on Secure Your Linux Host – Part 3: Why A Host Firewall ? by Interesting Information Security Bits for 02/25/2009 | Infosec Ramblings

Interesting Information Security Bits for 02/25/2009 | Infosec Ramblings — Wed, 25 Feb 2009 21:43:16 +0000

[...] has part 3 of his securing Linux series up. Art of Information Security >> Secure Your Linux Host – Part 3: Why A Host Firewall ? Tags: ( linux [...]

Comment on Lie Detector Libel by Erik

Erik — Sat, 31 Jan 2009 02:36:24 +0000

Thanks for the comment.

Yes, I should have been clearer about the fact that the article in question was focused on Voice Stress as the “lie detection” feature.

None the less, as far as I am aware there has never been a double-blind study of any lie detection technology. The danger in pseudo-science isn’t that lie detection technology X works, but that it doesn’t work but is used as a basis for significant decisions.

Cheers, Erik

Comment on Lie Detector Libel by FoolsGold

FoolsGold — Fri, 30 Jan 2009 23:17:32 +0000

The article deals with Voice Stress Analyzers and was published by a firm financially unable to afford lawyers in a UK court where libel laws are generous. The authors in failing to first contact the manufacturers involved appear to have been lacking in journalism ethics though I am sure such a contact would have been futile anyway.

Comment on Secure Your Linux Host – Part 2: Secure SSH by Interesting Information Security Bits for 01/26/2009 | Infosec Ramblings

Interesting Information Security Bits for 01/26/2009 | Infosec Ramblings — Mon, 26 Jan 2009 19:40:32 +0000

[...] 2 of Erik’s series on Security Your Linux Host is available. Art of Information Security >> Secure Your Linux Host – Part 2: Secure SSH Tags: ( linux securing [...]

Comment on Are You in Central Ohio Wednesday January 21st, 2009 ? by Alex

Alex — Tue, 20 Jan 2009 13:01:29 +0000

Yep! See you there.

Comment on Secure Your Linux Host – Part 1: Foundations… by Interesting Information Security Bits for 01/06/2009 at Infosec Ramblings

Interesting Information Security Bits for 01/06/2009 at Infosec Ramblings — Tue, 06 Jan 2009 20:15:41 +0000

[...] has part 1 of a series that will address securing our Linux hosts. Art of Information Security >> Secure Your Linux Host – Part 1: Foundations… Tags: ( linux securing [...]

Comment on CISSPs… Lend me your ears… by Dan Houser, CISSP-ISSAP, CISM, etc.

Dan Houser, CISSP-ISSAP, CISM, etc. — Fri, 12 Dec 2008 22:42:14 +0000

Erik,

Thank you for the kind endorsement, and your assistance at getting out the vote. The word is now out, and I was successful elected to the Board of the (ISC)². Thanks to all who cared enough to vote, regardless of who you voted for!

I look forward to this challenge, and serving the constituency and the profession in this new way.

Dan Houser, CISSP-ISSAP, CISM, etc.

Comment on Congratulations Rebecca ! by Rebecca

Rebecca — Mon, 08 Dec 2008 01:08:41 +0000

Thank you very much, Erik; I appreciate your warm words!

Rebecca

Comment on Coming Soon to a Movie Plot Near You… by Mike Brown

Mike Brown — Tue, 07 Oct 2008 11:13:12 +0000

I like it!
Building on Kevin’s thoughts, what about a fan attachment which would blow the balloon around.
The blades on such a fan could be sharpened to deter physical interference with the fan. . .

Comment on Coming Soon to a Movie Plot Near You… by Mark Long

Mark Long — Thu, 11 Sep 2008 09:37:03 +0000

If I wanted to disable a security camera, a paintball marker would be my first choice. It isn’t that loud, has a good range, is easily available and leaves no useful forensics in case of a failure.

You would need to get near to use a balloon.

Mark Long, Digital Looking Glass.

Comment on CISA and CISSP Preparation by pass

pass — Sun, 24 Aug 2008 05:03:09 +0000

good article.

Comment on Coming Soon to a Movie Plot Near You… by Kevin Frey

Kevin Frey — Fri, 01 Aug 2008 01:26:07 +0000

Interesting stuff Erik! It’s been an incredibly LONG time since I talked to you, so I figured why not comment on a post to start off the conversation ;0). The balloon hack is a great one. They need to build a little arm that comes out of the camera and punches impediments as to clear the line of sight. That would be an even better hack. Then of course the other side invents the balloon that responds to the arm punch. And then….well you get the idea. Its always so hard to stay ahead of those clever criminals.

Good stuff though.

Comment on Blended Attacks and “The Tiger Team” by Dan Houser, CISSP-ISSAP

Dan Houser, CISSP-ISSAP — Thu, 03 Jul 2008 12:28:10 +0000

in addition to being very impressed with themselves”…. classic!!

Comment on Got Entropy ? by Dave S.

Dave S. — Thu, 08 May 2008 17:29:38 +0000

Why not just use a dedicated hardware RNG which uses radioactive decay, generated white noise, or quantum events to generate randomness, if your application is important? There are numerous devices now which have drivers for all OS’es.

Comment on Risk ROI for –Some– Provisioning Solutions… by Erik

Erik — Tue, 22 Apr 2008 01:06:54 +0000

Matt -

I think we are closing in on violent agreement

Reconciliation can add tremendous value to the provision solution, if tight management of “privilege drift” is risk appropriate. And of course, the trust one can have in any control system is limited by the trust inspired by the integrity controls for the platform those controls run on.

- Erik

Comment on Risk ROI for –Some– Provisioning Solutions… by Matt Flynn

Matt Flynn — Mon, 21 Apr 2008 13:34:26 +0000

I’m not claiming that one system can do 100% of anything. But, we can get closer to 100% by adding on to what provisioning already does for us. All I’m saying is that I believe there are holes in what provisioning systems can do alone. They weren’t designed for today’s expanded requirements for audit and risk management. And no, audit is not the ultimate goal, but it is a reality for many companies.

AD, for example, generally takes 15 minutes to replicate. So, even if the provisioning system sync’s every 2 minutes to a DC, there may be a 15 minute window where an account could be created, used and deleted — and then the logs cleared. That’s just an example. Another is that provisioning system logs can’t tell you WHO created a rogue account in one of the connected systems or that a DBA opened a table to review identity data in Oracle.

My point is that we should look at extending the reach of the overall systems to protect against additional attack vectors – encrypt the database, monitor the database for local changes, record who makes those changes, etc.. It provides additional security, audit ability and deterence.

Dan – logging isn’t bad by itself, but we need logs of what’s happening at the connected stores in addition to logs of what the provisioning systems are doing.

Am I way off base here? Are you saying that there are no holes or that there’s no need to fill them? I thought I heard a little of both of those arguments. I know you both by reputation and appreciate your input.