Friday, May 21, 2010

The Facebook pile-on is in full swing: Will they survive?

As a former Facebook user, I was sad to see the direction and risk that the company was taking on when it began partnering with web sites to integrate their tool. Of course, Facebook has a long history of setting its own course and has suffered minor setbacks in the past as a result.

With the media hype coming down from the iPad, it appears from my vantage point that Facebook will continue its death spiral at a more rapid pace. The questions will be coming from all angles in the media, but I think there is more to learn from the Facebook model than "violating trust is bad." Social networking as we know it has some very real benefits and constraints, and there are certainly some ethical boundaries that need to be addressed so that the data that exists on these sites is used only for its intended purpose.

Essentially, Facebook is the worst example of our best social networking community. As is the case in research and scholarly writing, we must continue to evolve, let the market forces play themselves out, and not only question, but apply the lessons learned to advance the technology.

For now, the question is simply... will Facebook survive?

Tuesday, May 4, 2010

New Research Project

I am beginning a research project today that will attempt to explore how humans can possibly use the kinetic energy that is transmitted through the body to charge and power Implantable Cardioverter Defibrillators (ICDs). With an average lifespan of 7 to 10 years, and the earlier onset of obesity that causes Chronic Heart Disease, these devices will need to be changed more frequently, with each surgery (however minor) resulting in independent game theory outcomes.

I am finding the convergence of biology and technology very fascinating, and while researchers like Kevin Fu are squarely focused on the security of these devices against malicious wireless transmissions, I am becoming particularly interested in the business applications of biotechnology.

Thursday, April 8, 2010

Is Lock Picking a Lost Art?

By now, most of the people in the security field have become aware of near-foolproof means of bypassing pin tumbler locks and the like using a special key and a hammer. My naive thought was that once the new method came to light, the art of lock picking would soon fall by the wayside.

Furthermore, particularly in information security circles, people mostly lose sight of the need to address physical security as a means of ethically penetrating a client's infrastructure. To this end, I encourage information security practitioners to expose themselves to lock picking as a means of increasing concentration and solving puzzles. Whether it be a door to a server room or a lock protecting a rack of servers, having a basic understanding of how locks work and some general techniques to defeat them can make all the difference in the world.

Tuesday, April 6, 2010

Data Disclosure and Compensation

I was recently thinking about the data disclosure breach of 3.3 million from ECMC, and as I read the article, I became increasingly disturbed about the lengths that companies that sustain a data breach are taking to compensate the victim. It seems as though it is customary to send a letter to the victim and offer one year of credit monitoring services. This is garbage in my opinion, as many of the victims are already under a credit monitoring service from some other company and its own data breach.

We are quickly heading towards two unique tipping points:

1) Credit monitoring service is not retributive justice for the violation of one's private, personal data. Sure, it stings the company's bottom line, but chances are this is in a cash account just waiting for the day it may need to be used. The real victims are the ones whose data is stolen, kicked around, and ends up who knows where. So we give the victim the equivalent of a carnival prize. "Thanks for playing."

2) It appears that the information security community places a high value on private (PII) information. We spend trillions of dollars protecting 9-digit SSNs because they can easily be paired with a name as the basis of identity theft. What if we devalued this information, instead of throwing everything but the kitchen sink at it to keep it secret? Maybe it is biometrics, or maybe it is some form of smart card. I don't claim to know the answer; however, we should consider all options to protect the identity of the victims and potential victims, not the random bits and bytes that identify us.

I would be interested in hearing others' perspectives on these points.

Monday, September 7, 2009

It has been a while... My apologies.

I know, I know... it has been a long time since I posted to this blog. It is truly unfortunate that there are not 25 or 26 hours in a day. Truth be told, things are heating up substantially at work. This, coupled with my doctoral coursework and being a dad and a husband, makes time to decompress pretty valuable for me. However, no excuses. I will get back into the swing of things and find some time to post to this blog.

With that, I may as well check in with how I am seeing the information security profession and the things I am coming into contact with (or avoiding intentionally).

1) Data Loss Prevention is a much bigger problem than most companies realize. While this may not come as a newsflash to some, peers and organizations that I have come into contact with are starving for justifications, yet are probably grossly underestimating the time, budget, and strategy needed to effectively manage data before it leaves the cloud.

2) Is anyone else waiting for the next big virus to stem from the shortening of URLs à la Twitter and Facebook?

3) It should be interesting to see the adoption of Windows 7 in the corporate world. A colleague of mine recently made the statement that Microsoft may be in financial trouble if Windows 7 does not succeed. To a certain extent, I think he is correct. We are 3-5 years removed from anything truly innovative, and from the sidelines, it does appear that Microsoft is too busy regaining footing in the web browser and desktop operating systems space. Maybe they should think about...

4) Varonis. In working with the Data Loss Prevention suite directly, what Varonis is bringing to the market is truly innovative. In my humble opinion, I am not convinced that they scale to the enterprise level, but they are getting there.

5) Finally (for tonight at least), I think the security industry is still lacking a fundamental strategy for its customers. With the economy being in such a tumultuous state, every move should be calculated, justified, and brought into the wider context for our business partners. I still, to this day, believe that metrics are such a fundamental construct for justification of efforts and setting the vision. Yet I am completely surprised that organizations are still overcommitting and under-delivering on metrics that would allow the executives with the money to make a common sense call to arms.

Saturday, December 20, 2008

Security Metrics as a Process

Recently, I was presented with an interesting challenge within my organization. Quite honestly, the challenge is not anything new or specific to this organization; it is a systematic problem within the Information Security function. The concept of Information Security metrics is, in my opinion, largely based on snake oil sales. Unfortunately, it perpetuates as a nebulous science, complicated further by inconsistency and contention on resources that fail to see the value of the art.

If you had to read that last sentence multiple times to catch the meaning, well then you are on the same wavelength that our decision makers are on when it comes to the metrics that we define as a horizontal function. The statement is based on opinion, contains fancy words, and yet somehow does not address the challenge in quantitative terms.

This is the crux of my challenge, and one that I hope can translate into my dissertation in organizational management. Metrics can be defined by nearly everyone; effective metrics cannot. The practice of arriving at effective security metrics will take many resources: human, financial, temporal, and technological.

Like the Information Security function itself, effective metrics are a process, not a product. Borrowing from Andrew Jaquith's book Security Metrics: Replacing Fear, Uncertainty, and Doubt, I believe he is correct when he defines the criteria for an effective metric:

  • Consistently Measured
  • Cheap to Gather
  • Expressed as a Cardinal Number or Percentage
  • Expressed using at least One Unit of Measure
  • Contextually Specific

Surprising to me at this point is the noticeable lack of material on the subject of Information Security Metrics. Outside of Andrew Jaquith's book and ISO 27004, which has yet to be published, I have yet to find good material on the topic.
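As an added example (not from the original post), here is what a metric meeting those five criteria looks like in practice: vulnerability remediation figures computed per business unit from constructed scanner records. The sample records, the SLA targets, the cutoff date and the field names are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

@dataclass(frozen=True)
class Metric:
    name: str        # what is measured
    value: float     # cardinal number or percentage (Jaquith)
    unit: str        # at least one unit of measure
    context: str     # contextually specific: here, a business unit

# Constructed sample records as a vulnerability scanner might export them:
# (business unit, severity, date found, date fixed or None if still open).
# "Cheap to gather" because this export already exists; no new tooling.
FINDINGS = [
    ("payments", "critical", date(2008, 11, 1), date(2008, 11, 10)),
    ("payments", "critical", date(2008, 11, 3), None),
    ("payments", "high",     date(2008, 11, 5), date(2008, 12, 10)),
    ("hr",       "critical", date(2008, 11, 2), date(2008, 11, 30)),
    ("hr",       "critical", date(2008, 11, 9), date(2008, 11, 12)),
]
SLA_DAYS = {"critical": 14, "high": 30}  # constructed remediation targets
AS_OF = date(2008, 12, 14)               # fixed cutoff so periods are comparable

def remediation_metrics(findings, unit_name, as_of=AS_OF):
    """Consistently measured: same rule, same cutoff, every reporting period."""
    rows = [f for f in findings if f[0] == unit_name]
    # Open findings age until the cutoff; closed ones until their fix date.
    ages = [((fixed or as_of) - found).days for _, _, found, fixed in rows]
    within = sum(age <= SLA_DAYS[sev] for age, (_, sev, _, _) in zip(ages, rows))
    pct = 100.0 * within / len(rows) if rows else 0.0
    open_crit = sum(1 for _, sev, _, fixed in rows if sev == "critical" and fixed is None)
    return [
        Metric("findings_within_sla", round(pct, 1), "percent", unit_name),
        Metric("median_days_to_remediate", float(median(ages or [0])), "days", unit_name),
        Metric("open_critical_findings", float(open_crit), "findings", unit_name),
    ]

def meets_criteria(m):
    """Structural check: numeric value, a unit of measure, and a context."""
    return isinstance(m.value, (int, float)) and bool(m.unit) and bool(m.context)

if __name__ == "__main__":
    for unit in ("payments", "hr"):
        for m in remediation_metrics(FINDINGS, unit):
            print(f"{m.context:9} {m.name:26} {m.value:>6} {m.unit}  ok={meets_criteria(m)}")
```

Because each Metric carries its unit and context, two business units (or two quarters) can be compared side by side instead of arguing about what the number meant.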

What I would be interested to see is what practitioners in the field use to measure their effectiveness in Information Security as a process.

Sunday, December 14, 2008

First Stripe

Thursday marked an important day in my Brazilian jiu-jitsu training. Along with a handful of other students, I received my first promotion in the gentle art. As many of you have heard or read, I felt I had plateaued in my training and was struggling for answers. In the ceremony, Luis "Sucuri" Togno explained how this was natural for students, and further went on to explain how proud he was of all of his students.

The interesting thing about Team Alliance from my vantage point is that, unlike many schools, Luis is very interested in the students advancing through strict adherence to the details of each technique. He does not promote in order to run a profitable business and maintain student tuition. This is extremely important for the real-world defense of the art and the skills of the practitioner. Too often we read about students at other schools being promoted to blue after 6 months or so. However, in many cases, these students do not understand the roots of the art, the accomplished fighters, or the reasons why details are so important.

I am proud to have received my bar and stripe this week, and sincerely look forward to the day I can look back on this and provide that new student, struggling in his or her own training, with the motivation to continue on, regardless of how difficult it may seem.

Check out Alliance of Charlotte and reach out to Luis "Sucuri" Togno for more information about the academy.

Good night!