Last week on Twitter, Jeremiah Grossman, Whitehat Security, asked if there was a simple way to perform asset valuation. Since then there have been posts from Russell Cameron Thomas, Andrew Jaquith, and Gunnar Peterson on the subject that have all been very interesting. The answers provided ranged from the simple to the complex.

Before we talk about asset value and Infosec, let’s first discuss some accounting concepts (I always like to get the unpleasantness out of the way as soon as possible).

To begin with, our IT assets usually are utilized in what we might think of as an object-oriented manner. That is, we can model them (from a risk standpoint) as parts of a greater process that generates revenue. Some can be seen as more directly contributing to revenue than others possibly, but they all operate as a whole. Think of an e-commerce order for example, and how many IT assets might be involved in taking that order. Now if we could value that whole process as an asset itself we might be able to break down contributions into sub categories and discuss value that way, but unfortunately, processes aren’t usually classified as *assets* in common accounting statements.
(more…)

The following is the executive summary paragraph to the weekly Intelligence Summary report Verizon Business Cybertrust Security’s Risk Team provides. The purpose is to capture in one paragraph the most risk-significant events, over the past week, from an enterprise perspective.

The most risk-significant event this week was Oracle’s quarterly release of a Critical Patch Update, but none of the vulnerabilities are the target of known attacks. Data breaches dominate the rest of the week’s events with news of medical records off-shored for transcription being sold on India’s information black-market. A NASA scientist was arrested for trying to sell classified information. A former Ford employee was arrested for copying 4,000 proprietary files to an external drive prior to leaving Ford to work for BIAC, the fifth largest automaker in the People’s Republic of China. Point of sale devices were suborned at McDonalds locations in Australia. A security team in Europe reported 1,045 incidents of a compromised ATM “trapping” cards for later criminal use and a payment processor in Belgium reported a breach and at least 1,000 victims with financial losses.

The following is the executive summary paragraph to the weekly Intelligence Summary report Verizon Business Cybertrust Security’s Risk Team provides. The purpose is to capture in one paragraph the most risk-significant events, over the past week, from an enterprise perspective.

Risk relevant events this week were dominated by security bulletins from Microsoft and Adobe. Infrastructure component vulnerabilities have also been announced, but without widespread reporting and discussion among security professionals. Availability failures disrupted service for T-Mobile Sidekick users, all of Sweden, OS X Snow Leopard users and customers of Google’s Postini mail service. While there was a surge in reports of several different Trojan horses, the malicious code risk environment has become more risky at roughly the same pace we’ve been experiencing over the last several months.

A couple of weeks ago, I wrote a post on how we in the security industry make decisions. After a bit of waxing philosophical, I proposed a list of decision “methods” I regularly see in use among organizations. I also created a small survey (that contained a few additional methods) to capture your experiences for comparison. The response was not overwhelming by any stretch but the results are below (click the image to make it bigger).

(more…)

The following is the executive summary paragraph to the weekly Intelligence Summary report Verizon Business Cybertrust Security’s Risk Team provides. The purpose is to capture in one paragraph the most risk-significant events, over the past week, from an enterprise perspective.

Microsoft made their pre-release announcement for October Black Tuesday and 13 bulletins, eight “critical” using their criteria. Patches for the SMB2 and IIS/FTP vulnerabilities are among those expected. Adobe’s advance notice for their quarterly security update to Adobe Acrobat and Reader includes a vulnerability they know is being used in limited, targeted attacks, other vulnerabilities will be patched too. The mass compromise of web mail passwords dominated this week’s news; we agree with ScanSafe’s assessment they were probably the result of malcode infections and not phishing. The scale of this infection/breach is more significant to enterprise security than the web e-mail accounts that were compromised. Reports the FBI director’s spouse refuses to allow on-line banking is a serious indictment of on-line trust and we will be tracking related reports of trust erosion, especially by high-profile individuals, groups and companies.

The URL for the main blog’s feed is at:
http://feeds.feedburner.com/verizonbusiness/tWvQ

The URL for the Comments feed is now at at:
http://feeds.feedburner.com/CommentsForVerizonBusinessSecurityBlog

Note:  you can now also get blog posts in email via Feedburner.

Finally, if you do have any difficulties, please let us know in the comments.  Thanks!

Hi, an administrative note to let you know that the URL for our RSS feed is changing to:

http://feeds.feedburner.com/verizonbusiness/tWvQ

If you encounter any difficulties, please let us know in the comments to this post.

Thank You!