Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - December 14, 2006

By Mike Rothman
Created 2006-12-14 09:56
Today's Daily Incite

December 14, 2006 - #172

Good Morning:
First, I want to thank everyone who sent a note of encouragement as I begin my path to getting back into physical shape. My physical assessment yielded the expected results - I have a lot of work to do and that work started yesterday. But I know this is a security blog, so I'm done boring you with the trials and tribulations of my soon-to-be contracting waistline.

In security-land there was a decent flow to today's stories. First let's look at what the US Department of Energy is doing from a security standpoint (here [0]), the organizational model is pretty interesting. Then let's riff on the insider threat a bit (here [0]), discuss some logging (here [0]) which can help to detect an insider attack, and finally let's see what Roger Duronio (the convicted UBS insider) will have under his tree in the big house this year (here [0]).

In blog land, I pick on some ideas about incentive programs for security folks (here [0]) because I think once again the risk is in incenting the wrong behavior, and when there is money involved that potential damage magnifies exponentially. Then I poke at Jon Oltsik's contention that some enterprises should just upgrade to Vista (here [0]), as opposed to buying standalone full disk encryption. If someone is going to go whole hog with Vista, then that's fine - BitLocker will get it done. But to force a widespread panic, I mean migration, to Vista just to encrypt the disk doesn't make a lot of sense to me. 

Have a great day.


The Pragmatic CSO [2]
Coming January 2, 2007

Top Security News

http://www.gcn.com/print/25_34/42704-1.html?topic=security [3]

http://www.informationweek.com/showArticle.jhtml?articleID=196602853 [4]

http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1234029,00.html [5]

http://www.informationweek.com/showArticle.jhtml?articleID=196603888 [6]

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1233873,00.html [7]

Top Blog Postings

Emergent Chaos [8]). I can see the underlying thought process, but I have a fundamental issue with the idea of capping information security expenses at about 1/3 of the expected loss. Now I haven't read Gordon & Loeb's book, so maybe there is a reason it's 37% and not 50%. Obviously you need to show a "return" on the security investment, so it isn't going to be 100% - but whatever. Then basically you figure out a bonus pool based upon the delta between the expense cap and the actual budget. And the costs to clean up any breaches come out of the bonus pool, to keep folks incented to do their job. I think Mordaxus on the Emergent Chaos blog has it right. We may want to spend more than 37% (which would eliminate the bonus pool), but the plan also sets up an incentive for security folks to bury problems, because admitting a problem will cost them money. I'm not sure what the answer is to building a comp plan that incents the right behavior from security professionals, but this one seems Wikid wrong. As Mordaxus says, "Always, always beware when you set up incentives. People will act according to the incentive."
http://www.wikidsystems.com/WiKIDBlog/incentive-plan-for-an-information-security-team [9]
http://www.emergentchaos.com/archives/2006/12/costbenefits_incentives_a.html [10]

http://news.com.com/2061-11203_3-6143577.html [11]

http://www.stillsecureafteralltheseyears.com/ashimmy/2006/12/vulnerability_a.html [12]

http://siblog.mcafee.com/?p=41 [13]

http://securityincite.com/blog/mike-rothman/searchsmbs-top-10-tips-in-2006 [13]



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-december-14-2006