There’s been a bit of a debate on some blogs about the merit of blocking Skype on corporate networks. One blogger argued that the decision to block Skype at his company was a very easy one, in part because it offered little benefit to the company. He arrived at this conclusion by calculating the potential [...]
- 4 Comments | Posted in CSO / Risk Management
Recently, the Seattle Post-Intelligencer had a depressing article about a victim of identity theft whose experience has been far worse than most. Several times he has come close to losing his disability benefits because of identity mix-ups, and one time he even wound up in jail due to a mistake by law enforcement. The man’s [...]
- 2 Comments | Posted in Data Protection
In a post at Security Park, a business continuity consultant looks into the crises that businesses prepare for. He notes the case of Victor Litvinenko — a Russian man with some spy connections who was apparently poisoned with radiation and died — in the UK, and how it has resulted in more interest among his [...]
- No Comments | Posted in CSO / Risk Management
With so many stories lately about laptop thefts, it’s good to see people beginning to think more seriously about the impact of “mobile data” on security. The simple fact is that with more data “on the go” on laptops and mobile phones, the old beliefs about keeping things secure within the network may not apply [...]
- 1 Comment | Posted in Data Protection
Best practices can often be dangerous. They lead to complacency and a tendency to ignore changes in the environment and new risks. Over at RiskAnalys.is, they’ve put up a good blog post that graphically demonstrates how non-IT risk management works. Rather than simply putting in place the one “standard” way of doing things, you perform [...]
- No Comments | Posted in CSO / Risk Management
Jeremiah Grossman is having a bit of fun pointing out the quite accurate “5 stages of grief” in the context of security:
- Denial: “We have firewalls, IDS, and SSL. We are Secure.”
- Anger: “How the heck did this get so bad?!?!?”
- Bargaining: “We can solve this with frameworks, developer education and some scanners.”
- Depression: “We have so many websites and the code is [...]
- No Comments | Posted in Network Security
On Friday, we announced the winners of “Build and Defend your Digital Fortress,” McAfee’s third annual computer security competition at the Rochester Institute of Technology (RIT) in upstate New York. Seven teams with four students each participated in this two-day event, locally called “McAfee Day”, wherein they each used McAfee security products (HIPS, Firewall, VirusScan [...]
- 4 Comments | Posted in CSO / Risk Management
The “security by obscurity” concept is well known, but we may have a winner on a related, but equally problematic security method: Security by Self-Delusion. Jim C explains it quite well:
Organizations that are very good at “Security by Self-Delusion” may not even have problems with external audit (though internal audit often knows [or at least [...]
- No Comments | Posted in CSO / Risk Management
A very interesting blog post over at the 360 degree security blog raises some interesting questions. It’s pretty common in the security industry to debate “disclosure” issues. That is, when a vulnerability is discovered, should the discovering party disclose the vulnerability publicly, or alert the company quietly to give them time to fix it? [...]
- No Comments | Posted in CSO / Risk Management
The Security Catalyst and Alex Barkman both have written interesting blog posts lately with something of a seasonal reminder that security and compliance aren’t seasonal. It’s easy to think of any kind of security efforts as something that you should review every so often (6 weeks? 6 months? 6 years?), but that’s not the way [...]
- No Comments | Posted in Risk Compliance