Speaker: Jennifer Bayuk. Based on work for Stevens Institute of Technology. How do professional systems engineers work? History: mainframe physical security (punch cards); cables to terminals; network to workstations (some data moves there & on floppies); *spike in misuse & abuse; modems and dedicated links to external providers/partners added; midrange servers (including e-mail) added; dial-back…
Metricon: Measuring Metrics Programs (Why Aren’t We?)
Speaker: Jared Pfost (@JaredPfost). Framing: IT security metrics in an enterprise. If metrics are valuable, why aren’t we measuring them? Virtually no research on them. The Chase: measuring metric program maturity would be easy, but not valuable; metric programs aren’t a priority for enough CISOs for a benchmark to matter. Additional proof needed:…
Metricon: Software Security’s Futures Plural
UPDATE – 2011-02-26: Alfonso has posted his slides and BeeWise is open! Speaker: Alfonso De Gregorio. How do we build a future in software security? /me: the slides that will be posted have a ton of detail that Alfonso sped through; you’ll get a very good feel from them. Metrics are the servants of…
Metricon: Name Server Log Data
Speakers: Fruhwirth, Proschinger, Lendl, Savola, “On the use of name server log data as input for security measurements”. CERT.at coordinates security efforts & incident response for IT security problems on a national level in Austria; constituted of IT company security teams and local CERTs. Why name server data? CERT.at is mandated to…
Metricon: Automated Incident Reporting
Speaker: Juhaniu Eronen, “The Autoreporter Project”. Background. Goal: make Finland mostly harmless to the rest of the internet (that’s actually in the law: Protection of Privacy in Electronic Communications/Finland). /me: I’ll need to put some verbiage around this tonight to give you a good picture of what Juhaniu was conveying… really good description…
Metricon: Critical Consumption Of Infosec Statistics
Speaker: Chris Eng / Veracode. Every major infosec company publishes quarterly/yearly summary reports, some based on surveys, some based on real captured data. Recognizing the Narrative: every fancy-looking infosec metrics report is a marketing vehicle; each has a different perspective; no consistency, but you can figure out the framing by looking at the exec summary…
Metricon: Evidence Based Risk Management
Better management through better measurement. Speakers: Wade Baker, Alex Hutton and Chris Porter. State of the industry: are we a science or a pseudoscience? Random fact gathering; a morass of interesting, trivial, irrelevant observations; a variety of theories that provide little guidance to data gathering. Sources of knowledge under “risk” aggregate: asset landscape, impact landscape, threat landscape…
AwesomeChartJS Meets Microsoft Security Bulletins
I wanted to play with the AwesomeChartJS library and figured an interesting way to do that was to use it to track Microsoft Security Bulletins this year. While I was drawn in by just how simple it is to craft basic charts, that simplicity really only makes it useful for simple data sets. So, while…