Disqus - Latest Comments for Camayoc

Re: How to be a social professional – Microsoft buys LinkedIn

Colin Robbins — Wed, 22 Jun 2016 09:52:07 -0000

I think the Outlook integration could go a lot further.

One of the challenges in providing end-to-end secure communication is the need to access encryption keys. This challenge is often solved by a global directory. Until now, Microsoft has not had a real solution for a global address book, only address books at the enterprise level.
Linked gives them the opportunity to create an integrate business to
business capability enabling secure business-user to business-user communications.

Re: Juniper Network’s Hidden Backdoors Show the Risk of Government Backdoors

Colin Robbins — Wed, 13 Jan 2016 11:55:44 -0000

There is a debate here about how did the unauthorised code appear. We can speculate, but it’s not been
disclosed.

Is it: Lack of
configuration control process; Legitimate engineer not following correct
internal process; Insider attack, deliberately modifying the code; or External
attack, deliberately modifying the code.

The bigger question is can the software be trusted. For me this is about how Juniper reacted to
the finding, which seems responsible.

I discuss this more in my blog on the subject…

http://cybermatters.info/20...

Re: Intercede CIO: Winning back smart car trust with industry standards

Colin Robbins — Tue, 18 Aug 2015 07:34:23 -0000

Great article Nick. I think it is worth observing that the standards the article calls for are not only technical standards (which is what most people seem to think about), but also process standards around design, development, manufacture and in-service operation of these vehicles.

Re: IT leaders and security experts reject GCHQ call for firms to ban BYOD

Colin Robbins — Fri, 27 Mar 2015 05:05:17 -0000

I think this is recycling of old news, attributed to the 10-Steps document which was published in 2013.
Since then the GCHQ have published the platform guidance (https://www.gov.uk/governme... which helps organisations asses the risks that comes with each platform, and have published the Cyber Essentials standard that acknowledges the use of BYOD with suitable controls.

Re: Majority of U.K. Business Would Consider Hiring Hacker to Address Cyber Security Skills Gap: Survey

Colin Robbins — Wed, 19 Nov 2014 12:07:49 -0000

I think we have to be a bit careful here, about what the message says going back the other way.
"Can't get a job? Improve your employabilty - go and hack something".

Re: The one cyber security threat everyone misses

Colin Robbins — Tue, 14 Oct 2014 12:08:33 -0000

I find the comment "But smaller vendors who can't afford expensive security measures" very frustrating, as it is tarring all smaller suppliers with the same brush - but a view all large companies seem to have.
There are a number of smaller companies that take security very seriously, and see it as part of doing business in their chosen market place. If your smaller vendor claims security is too expensive, change to a different small vendor!

Re: Next Generation Firewall: Looking Back to See Ahead

Colin Robbins — Tue, 14 Oct 2014 03:12:00 -0000

Great article Scott. A core element of this advice is that by having multiple edges, closer to the assets that need protectng, you can also be far more precise in defining the business logic, and thus configure edge controls far more precisely. At the outer edge, typically a lot of data types and protocols are needed. But as you get close to the data centre, the informaiton exchange needs can be far more preceisely defined, and thus controlled.

Re: Cyber Essentials: benchmarking best practice

Colin Robbins — Wed, 03 Sep 2014 16:38:38 -0000

I think you have to remember the context of Cyber Essentials. We are coming from a World where many SMEs have paid little or no attention to cyber security. In many case they lack the skills to do so. So we need to take them on a journey, Cyber Essentials is the first rung on that journey that will improve things quite a bit.
For companies that really care about cyber security, then as pointed out, cyber essentials is only a small part of what is needed, but there are comprehensive standards that can be used for such situations already, such as 27001. This issue will not be solved overnight, and I fully anticipate that if a critical mass of companies get on the cyber essential ladder, then we can look at raising the bar. This is how PCI DSS has worked - each year the bar has risen a little more.

Re: Google Apps receives ISO 27001 security certification

Colin Robbins — Thu, 28 Aug 2014 14:14:15 -0000

It would be good to see the ISO27001 scope statement from Google. Does anyone know if this is published anywhere?

Re: Ensuring your developers love - or at least don't hate - security

Colin Robbins — Thu, 21 Aug 2014 16:55:28 -0000

Great article Maty.
Do you see value in standards like TickITPlus or PAS 754, that can be used to embded the SDLC into verifiable proceses?

Re: Microsoft Unveils New Threat Information Exchange Platform

Colin Robbins — Mon, 23 Jun 2014 15:10:27 -0000

Will be interesting to if this get integrated into existing information exchanges such as CISP. Having standards based APIs has to be a move in the right direction.

Re: TrueCrypt's abrupt demise 'puzzling, bizarre'

Colin Robbins — Sat, 31 May 2014 04:29:50 -0000

Before we throw away a good tool, l we should take a step back, and do some security basics, such as a simple threat analysis...
http://cybermatters.info/20...

Re: Government’s digital-friendly security classifications come into force

Colin Robbins — Tue, 08 Apr 2014 05:57:13 -0000

As an SME working in this space, I am not sure I agree with
Peter Groucutt that will further strengthen the SI hold.

We see the new classification scheme as an opportunity to be
more pragmatic in our handling of government data, leading to simplified
processes, and this cost. Thus enable SMEs better, and weak the SI grip.

This is not to say the scheme does not have it challenges –
I am on record discussing some of the issues:

http://cybermatters.info/20...

Re: Security Metrics - Why Should You Care?

Colin Robbins — Thu, 27 Feb 2014 13:44:35 -0000

Richard, I am not sure I agree. I think there are other important metrics you can collect, that give a measure of your security exposure, to enable a management decision.
For example, the number of client machines missing latest patches; the number of machines which have out of date AV... Sure, these should all be fixed - but that takes resource.
So for a management perspective, this starts to inform me; I can then decide do I need to deploy more resource to improve the metric and thus reduce risk, or am I happy to accept the risk.
The difficult part is chosing the right metric set for a specfic business.

Re: Cyber security: the solutions aren't working?

Colin Robbins — Tue, 18 Feb 2014 12:46:56 -0000

Pity the most important observation in the article is somewhat hidden...

‘In many cases, the breaches were due to poor management of the security technology, such as missing software and security patches, misconfigured security software, weak passwords, or security systems not being monitored to detect attacks,’

Re: UK companies left in the dust by Americans in cyber-awareness

Colin Robbins — Thu, 13 Feb 2014 15:14:01 -0000

While this is an interesting headline grabbing statistic For the UK to ponder, I am left wondering where the evidence is to show the effect of the lower awareness rates?
For example, is there evidence to show that the US and Brazil have achieved an ROI by having been victim to few attacks - and conversely UK companies have had to spend more in reactionary measures than pre-emptive measures?

Don't get me wrong, I am not a doubter, but think the solution lies in being able to put real hard facts onto the board table.

Re: Ubuntu 12.04 Tops GCHQ Operating System Security Report

Colin Robbins — Thu, 06 Feb 2014 15:02:02 -0000

While this report put Ubuntu in a really good light as a secure platform, is does also identify some areas of weakness, specifically “There is currently no secure boot mechanism in a standard Ubuntu platform.”

While this is true for an out of the box solution, At NEXOR, we have looked at this process and in short,
we used signatures held by the trusted platform module (TPM) to validate the
UEFI environment, then UEFI extensions to start the boot sequence, with the
integrity of each component loaded being checked at each step of the way, by
way of signature validation, using both kernel and application level signing.

So while we agree with the CESG report with a standard Ubuntu platform there is no secure boot
mechanism; we assert that with the appropriate knowhow this problem can be
overcome and a secure boot environment provided, using open source components.

For more details see: http://cybermatters.info/20...

Re: Is Facebook Destroying Email?

Colin Robbins — Wed, 05 Feb 2014 14:52:56 -0000

Email will remain - needed to reset your facebook password!

Re: The moral of the Twitter-GoDaddy breach: People are the easiest thing to hack

Colin Robbins — Mon, 03 Feb 2014 14:43:27 -0000

There is a crucial point here. The weak link maybe the human - BUT in hacking your account, the weak link is not (necessarily) you, but another human. This is critical, as many people take the "I am aware, it won't happen to me" view. But this user was very aware, but it did still happen to him - due to a human failing at the service provider end of the chain.

Re: Target hackers have more data than they can sell

Colin Robbins — Wed, 15 Jan 2014 03:01:44 -0000

Hackers suffering from the economic facts of supply and demand.
Steal too many passwords, and the market price drops..

Re: 5 Cyber Security Resolutions to Make for 2014

Colin Robbins — Fri, 03 Jan 2014 10:51:46 -0000

... and I'll spread the message. The trouble with these messages is they are circulating in communities of people with the knowhow. We need to find a way to break out and inform the wider community.

Re: Why security education is at the heart of smart security preparation

Colin Robbins — Fri, 03 Jan 2014 10:38:59 -0000

So we're basically saying we can't get the technology to work properly, so lets put the burden on the users?

Re: Top ten cyber security stories of 2013

Colin Robbins — Mon, 09 Dec 2013 13:24:23 -0000

#11, the rise of the cyber insurance industry?

Re: Adobe Flash, PDF and Oracle Java “most dangerous” file types

Colin Robbins — Mon, 09 Dec 2013 13:12:30 -0000

As suggested, running current AV and keeping on top of patching is good advice. It does surprise me however, that many home users run with admin rights as default. Running in restricted most will stop many of these content based attacks, but this advice seems to be rarely given.

Re: Even Disconnected Computers May Face Cyberthreats

Colin Robbins — Fri, 06 Dec 2013 12:53:09 -0000

In the 1980's we called it a modem, with acoustic coupler.