Cyber Cyber Cyber

The industrialisation of cyberwar and cyberespionage using techniques developed in the last decade of massive expansion in cybercrime has presented a serious challenge to the security industry.

The myriad breaches, whether at the lulz end of the scale or at the national security end of the scale, have highlighted the fact that while we as an industry may have been doing the component parts of information security for a long time, we haven’t done it very well.

Cyberwar, what is it good for? Absolutely nothing?

Cybersecurity is a very hot topic right now, for example:

· A contact in the UK government agency responsible for government information security has reported anecdotally that they have had more ministerial visits in the last 12 months asking about cyber than in the last 10 years for any purpose.

· A friend who is an audit partner in a Big4 accountancy firm in the UK has spent many years trying to get boards to consider information security; in the last six months he has seen an unprecedented groundswell of interest from board members asking about cyber. It’s one of their hot topic items right now and every board is asking him his opinion.

Zones of Trust

The key security design decision is the balance to be taken at every step of a system design between trust and inconvenience.

For every system-to-system, subsystem-to-subsystem and component-to-component connection, a decision must be made as to whether either side of the connection will trust the other, and to what degree. Trust is in some ways analogous to coupling: the higher the level of trust, the more likely that a compromise of one side of the connection will lead to the compromise of the other.

How to develop a security test strategy, part three

This is the third in a series of posts describing how to put together a security testing strategy and the associated test plans. Part one is here and part two is here.

This is what I want to see covered in security test plans. Whenever I ask the supplier to specify or carry out the security tests, I ensure I get to review and approve the test plans and the test outputs as part of the formal project deliverable process. I also try to make sure that the inputs to the test plan are made available to the actual security testers completing the test, so they get a better feel for the context of their test results.

How to develop a security test strategy, part two

This is the second in a series of posts describing how to put together a security testing strategy and the associated test plans. Part one is here and part three is here.

What do you need to write a security test plan?

The following documents comprise the list of what I would expect as inputs to the creation of the individual security test plans. This is a good point to go and review your overall security delivery plan. Does it include these documents as deliverables? Does the supplier have any of these as standard off-the-shelf products?