Monday, August 9, 2010

Blog moved

I have moved this blog to WordPress.

Reflections On Security

Wednesday, December 24, 2008

Close call...
One of the goals I set for myself this year was to obtain the ISSMP certification in information security management. Between work and a family with two small children, there wasn't much time for study. I almost ran out of time, but it looks like fortune smiled upon me: today I received notification of successful completion of the certification exam and my new ISSMP status as of December 13, 2008. Phew! Just in time!

Monday, December 22, 2008

Book Review: Privacy and Health Care

Working for a health care organization, I must admit that I have at times wondered what all the hoopla regarding medical privacy was about. What is the harm in freely sharing patient information, and why is access to it so tightly regulated?

Privacy and Health Care is a collection of six essays on this difficult subject. Having been exposed to the different viewpoints and the reasoning behind them, I now have a much better understanding of the issues surrounding health care privacy. The most surprising revelation for me was the number of seemingly good reasons for allowing third-party access to patient medical records. The relatively rare instances of harm coming to individual patients as a result of inappropriate disclosure would, on the face of it, seem like a reasonable price to pay for the overwhelming benefits to medical research and other legitimate uses.

Yet for all the purported benefits and efficiencies of such free access, the primary purpose of the health care system is to help the patients get better. If they avoid seeking much needed treatment for fear of medical disclosure, or do not feel free to be fully honest with their doctor about their conditions, then the health care system will fail in its primary role. And that is why preserving patient privacy is so important.

Thursday, December 11, 2008

Book Review: Outsourcing Information Security

Whenever the topic of outsourcing comes up, many find it difficult to think rationally. Much of the time, the decision of whether (and what) to outsource hinges on factors that are too difficult to estimate, and the hidden agendas or preconceived notions of the decision makers come into play.

Such is the case with most information security risk management decisions as well: subjectivity reigns. Combine the two together, and what do you get? The world of information security consulting firms and managed security service providers.

Outsourcing Information Security by C. Warren Axelrod is a very high level overview of this world. While the discussion is too shallow and generic to be of much use in a practical sense, it does serve as an introduction to the risks and rewards of outsourcing information security.

Monday, November 17, 2008

Book Review: Security Engineering

For the past two months, I have been busy reading the 2008 Second Edition of Prof. Ross Anderson's Security Engineering: A Guide to Building Dependable Distributed Systems. It is, without a doubt, destined to become a classic and will influence my thinking on the subject for years to come. Although written at a level suited to non-specialists, the book has a lot of meat to it, and is packed with deep insight and wisdom gained from the author's years of real-world experience. I have been recommending the book to colleagues at work, and for those who are not willing to part with their hard-earned money, the first edition (2001) is freely available in electronic format from the author's web site.

Friday, September 12, 2008

Book Review: Against The Gods - The Remarkable Story Of Risk

To many practitioners, information security is a form of risk management. Since it is impossible to protect a complex system against all conceivable security threats, an approach based on the assessment of risk is employed to distinguish between the threats that are worth worrying about and those that aren't. But what exactly does the concept of risk represent? How does one measure (never mind control) risk? This is an age-old problem mankind has been struggling with for centuries.

Against the Gods: The Remarkable Story of Risk is a historical overview of the advances made in the struggle to measure and control uncertainty. While the author's viewpoint is primarily that of risk to investments made on the stock market, the lessons learned are of value to security professionals as well. Contrasted with the sophisticated methods employed by financial institutions to control their exposure to the unpredictable ups and downs of the global economy, the risk management methods currently available to security managers seem crude and laughable. If we are to make any headway in the battle against identity theft, data breaches, malware, and all the other information security woes that currently plague us, we need better risk management tools, so that our limited security budgets can be spent more effectively.

Tuesday, August 19, 2008

Book Review: Understanding UNIX/Linux Programming

I've posted a review of Understanding UNIX/LINUX Programming: A Guide to Theory and Practice by Bruce Molay on Amazon. While not a security topic per se, a solid grounding in systems programming is a prerequisite for vulnerability researchers and other technically oriented security professionals. Arguably, there is no better introduction to the subject than this book.