Categories
Articles

Information Sharing: Learning from Social Networks

Information sharing is something of a holy grail in computer security. The idea is simple enough: if we could only find out the sort of attacks our peers are experiencing, then we could use that information to protect ourselves. But, as Alexandre Sieira pointed out at the FIRST conference, this creates a trust paradox. Before […]

Categories
Presentations

Learning from Software Vulnerabilities

The slides from our Networkshop session on Learning from Software Vulnerabilities are now available. All three talks showed how managing the process of finding, reporting and fixing vulnerabilities can improve the quality of software and the security of our systems. Graham Rymer and Jon Warbrick presented a case study of discovering and fixing a bug […]

Categories
Articles

Information Security and the Data Protection Regulation

The new European Data Protection Regulation is relevant to many areas of our work. Yesterday I had the opportunity to look at its likely effect on information security at a Jisc Special Interest Group meeting. For now, we’re still working from the three draft texts published by the European Commission in 2012, the Parliament in […]

Categories
Articles

Vulnerability Coordination – a maturity model

Vulnerability handling – how organisations deal with reports of security weaknesses in their software and systems – is a field that has developed a lot in my time working for Janet. When I started most organisations received reports and fixed vulnerabilities on an ad hoc basis, if at all. Now we have guidelines on policies, […]

Categories
Articles

Phishing exercises?

Recently I had a thought-provoking discussion on Twitter (thanks to my guides) on the practice of setting your users phishing tests: sending them e-mails that tempt them to do unsafe things with their passwords, then providing feedback. I’ve always been deeply ambivalent about this. Identifying phishing messages is hard (see how you do on OpenDNS’s […]

Categories
Articles

Network Neutrality and Network Security

There’s a tension between network neutrality – essentially the principle that a network should be a dumb pipe that treats every packet alike – and network security, which may require some packets to be dropped to protect either the network or its users. Some current attacks simply can’t be dealt with by devices at the […]

Categories
Articles

ENISA – working out cloud security requirements

ENISA’s new report proposing a “Security Framework for Governmental Clouds” may be more widely useful than its title and explicit scope suggest. Chapter 3 of the report suggests something pretty close to a project plan that any organisation could use to assess which applications and data are appropriate to move to a cloud service, what […]

Categories
Articles

Thinking about Cyberinsurance

A couple of discussions at Networkshop this week have raised the question of cyber-insurance, and whether this might be useful to universities and colleges. To think about that I split the question into three: What sort of risks does insurance cover, and are they things that are high on your risk register? If an incident […]

Categories
Articles

Incorporating security into development processes

Tilmann Haak’s presentation at this week’s TF-CSIRT/FIRST meeting was on incorporating security requirements into software development processes using agile methods, but his key points seem relevant to any style of software or system development: Make sure security features are treated as first-class user requirement, of equal status with the functional requirements provided by others. We’ve […]

Categories
Presentations

BYOD: What’s the Difference?

I’ve done a couple of presentations this week, comparing the risks and benefits of Bring Your Own Device (BYOD) with those that research and education organisations already accept in the ways we use organisation-managed mobile devices. As the title of my talk in Dundee asked, “BYOD: What’s the Difference” Nowadays, most of the significant risks […]