Browsing Archives of Author »Heiko Herrmann«

bother with logs

September 19, 2011


At most places ( that I came across so far) the sea of log files produced by usually talkative IT infrastructures was still used in just a rudimentary fashion (if at all) for diving into it and retrieving information intelligence to be used for InfoSec analysis and management. The problem The security management team is desperately looking for […]

Reality Check: Using Digital Signatures for Business Email

August 21, 2011


Communication is the lifeblood to do business – and email is still the lifeblood for communication. Out of the box email of even the newest software and systems is not digitally signed. When looking at  the advantages the use of digital email signatures theoretically has (sender authenticity, message integrity, communication transaction non-repudiation) one should think it should […]

Protect your Intellectual Property – with (cookie) cans

July 10, 2011


In the meeting rooms of Evonic Industries, a German company specialized in chemicals, one can nowadays always find empty cookie cans. Not because Evonic managers are particular affectionate about sweets, but because they are supposed to put their cell phones into the cans when discussing confidential matters. The measure is one of the many instructions […]

The Return Of The Thin (Cloud) Client

June 21, 2011


Is the arrival of the (Google) Chromebook  the arrival of a business class Thin-Client-for Cloud-Computing? Now, the Thin-Client concept is anything but new, and thin clients are actually an endpoint-security dream for the InfoSec Manager. Application as well as OS vulnerability based attack vectors against thin clients are minimal compared to those of a “fat” […]

Interesting: SIRv10 and the MMPC Thread Report

June 3, 2011


This May, Microsoft released some interesting reports: the Microsoft Security Intelligence Report Volume 10 (SIR v10) and the Microsoft Malware Protection Center (MMPC) Threat Report. The latter, a follow up to the 2010 special report on Battling Botnets, focuses on Qakbot, a rootkit based stealth-mode backdoor that steals sensitive user data from infected machines. SIRv10 […]

Tricky: The Scope of Compliance Certifications

May 14, 2011


Compliance The need to be compliant to this or that is one of the rare principles that are relatively easy to sell to the board. Confusion, however, usually kicks in as soon as the scope of the compliance has to be decided on.  By that, I do not mean the scope of the compliance criteria […]

Supervisors First

May 10, 2011


An important lesson learned from dealing with an organization-wide Information Security Awareness program: train the supervisor, or more precisely: train the supervisors first ! Let’s face it: if you are not Google, Amazon or a financial player, chances are high that your senior management has a rather vague idea of information security areas and what […]

New technologies, old questions – Canada’s efforts on privacy protection

May 8, 2011


The Privacy Commissioner of Canada recently published a report called Report on the 2010 Office of the Privacy Commissioner of Canada’s Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing. There are two laws in Canada dealing with privacy protection: The Privacy Act and PIPEDA, the Personal Information Protection and Electronic Documents Act. While the Privacy […]

How a Giant Manages a Giant Incident (watching Sony)

April 28, 2011


Now, it is a kind of a must to comment on the recent  Hacking of the Sony PlayStation Network (SPN). The scope and numbers are staggering. 77 million customer’s personal information got compromised, and we are talking about every detail a customer had to give away when registering with the Sony service (and Sony asked for a […]