Posts by Frederick Scholl
Background Checks May Not Be Enough
The NY Times reported on 2/15/2012 the amazing story of Edward Maher, the suspect in a $1.5M 1993 armored car heist in the UK. Recently apprehended, for almost 20 years he had been on the run in the US. He had a number of regular jobs including, including eight years at Nielsen, the television ratings…
Read MorePERFECT SECURITY STORM FOR LAW FIRMS?
Marc Russinovich’s recent book Zero Day: A Novel tells an action-packed tale of international hackers; the action passes through a NYC law firm and brings the entire firm down. Great story, but it seemed a little farfetched when I read it. In the book, the entire fictional law firm grinds to a halt as a result of…
Read MoreHow Not To Be a Cyber Janitor
A recent blog post by Jeff Bardin (“The Proliferation of Cyber Janitors”) really resonated with me. He points out how much of the security industry is focused on incident response and breach notification. This started with CA 1386 in 2003 and more recently has become a requirement for breaches of health information (HIPAA/HITECH). While I don’t have…
Read MoreSECURITY MEMO: IT CAN’T HAPPEN HERE, CAN IT?
I have always been a big believer in background checks for new employees. While many companies do this prior to hiring someone, some still do not and pretty much everyone relies on outsource firms to do the background check. Yesterday, January 30, 2012, the NY Times reported the case of a church worker within the Archdiocese of…
Read MoreDon’t Forget Cloud Availability
Most assessments of cloud security risks highlight data integrity and confidentiality issues. But the business bottom line is service availability. With many of today’s cloud services being offered without warranty, users need to be cautioned before relying on that service. It is too easy to ignore the digital supply line that is behind the convenient…
Read MoreCompliance v. Security
An essay in a recent Wall Street Journal (December 3, 2011) caught my attention on the subject of compliance v. security. The article, “Starting Over With Regulation” by Philip K. Howard (also available at www.commongood.org), makes the case that government regulation in general is too complex to work. Recent failures by Congress to simplify Sarbox 404…
Read MoreGAO Report on Information Security in Federal Government
Do you think your information is secure within the federal government? You can make your own decision by reading the recent Information Security assessment by the Government Accountability Office (GAO). Some observations by GAO are expected, others are disturbing. Here are some statements that caught my attention: 1. Growth in reported incidents from 2006 to 2010…
Read MoreLean Security
Earlier this year I published an ISSA Journal article (ISSA Journal, May 2011) advocating the use of lean management techniques to manage security. This is just an observation that security needs to use business management methods to tie together people, process, technology and partners. Recently in the Harvard Business Review of October 2011 a good article appeared…
Read MoreMitigate Your Social Engineering Vulnerabilities
Security managers spend significant amounts of time analyzing software vulnerabilities and patching the same. I just looked at the Common Vulnerability and Exposure database (CVE) and see that it now has 47,555 vulnerabilities. But how many security managers have analyzed or cataloged the social engineering vulnerabililties faced by their organizations? I suspect few. Virtually all security managers…
Read MoreHIPAA Security. Are We Making Progress?
The recent breach of 20,000 medical records at Stanford Hospital has me concerned. The institution is part of Stanford University Medical Center and is a top rated health care provider. Are we making progress on HIPAA security? Are things getting better? If this institution cannot effectively protect patient data, who can? I analyzed the data…
Read More