Machine Learning, Society and Cybersecurity

Machine Learning (ML) appears to have made great strides in many areas, including machine translation, autonomous vehicle control, image classification, enabling games on Xbox, PlayStation, Nintendo, and Steam. This has made Artificial Intelligence popular and securing the information in it is challenging. Let’s take a look at an industry that many of us use. We… Continue reading Machine Learning, Society and Cybersecurity

Information Security Risk Analysis (ISRA)

The ISRA methodology is used by a system designer, manager, or security analyst to identify security concerns, develop an action plan, analyze costs, and assign responsibilities. The process allows a facilitator to perform a subjective risk assessment on a particular system, application, or other corporate assets. The ISRA involves the system users from the very… Continue reading Information Security Risk Analysis (ISRA)

Facilitated Risk Analysis and Assessment Process (FRAAP)

FRAAP is a structured approach to an accelerated assessment of each component of a system within a short timeframe. It is consistent with the National Institute of Standards and Technology October 2001 Special Publication “Risk Management Guide of Information Technology Systems” and the FFIEC December 2002 “Information Security Risk Assessment.” The approach allows us to… Continue reading Facilitated Risk Analysis and Assessment Process (FRAAP)

Security in Agile Methodology

Many large organizations are moving towards the Agile software development lifecycle (SDLC) methodology. Agile methodology is a combination of iterative and incremental process models with a focus on process adaptability and customer satisfaction by rapid delivery of working software product. The general characteristics of any Agile methodology are: Prioritizing feedback. Agile teams rely heavily on the… Continue reading Security in Agile Methodology

Best of Breed or Best Suite of Products

Should organizations implement layered defenses from different vendors? Should we rely upon a single vendor for an organization’s overall security? According to a Gartner research paper, “Two firewall platforms are not better than one. We believe there is a higher risk associated with configuring and managing firewalls from multiple vendors than from a single vendor.… Continue reading Best of Breed or Best Suite of Products

Acknowledging Non-Applicable Threats

Is it important to account for or acknowledge risks that may not apply to an organization or system? What if you identified a risk that you would typically consider for but would not use due because of the context. Say, for example, your organization is not in a floodplain however it is usual to consider… Continue reading Acknowledging Non-Applicable Threats

Roles of Management and Technology in InfoSec

Information security is both a management issue and a technology issue. The management of an institution could be the owner or custodian of the data that their information security program is trying to protect. They need to ensure that the systems they employ execute all the functions on the data as they are supposed to… Continue reading Roles of Management and Technology in InfoSec

Who doesn’t need to be concerned about InfoSec?

Would there be any person or group within an organization that does not need to be concerned with information security? The only person who need not worry about information security is the one who has no value bearing data. Unfortunately, in this day and age, every single person who is connected to modern world has… Continue reading Who doesn’t need to be concerned about InfoSec?

Risk Based Authentication

The technique that uses both contextual and historical user information along with data supplied during an internet transaction to assess the probability of whether a user interaction is authentic or not is called risk based authentication. Traditional username and password along with information such as who the user is, from where the user is logging… Continue reading Risk Based Authentication

Security Must Haves in a SaaS Provider

The past year was a learning curve on Cloud Computing, especially on SaaS providers. More and more ASPs are coming back rebranded as SaaS provider. As a security practitioner, it would be good to have a must have check list that we need to use to assess them. I prepared the following must have check… Continue reading Security Must Haves in a SaaS Provider