Scott Wright’s Security Views

While trying to brush up on the state of Web Application security, I thought I’d follow a link to an article at White Hat Security on “Myth-Busting AJAX (In)Security“. I had recently had a comment from someone that they had heard “Java Applet use is declining in favour of technologies like AJAX”. However, in a recent CNET podcast, I also heard about how AJAX was being associated with a lot of new Cross-Site Scripting (XSS - I guess CSS was already too commonly used for Cascading Style Sheets…) attacks. So, this warranted some investigation to see what the real story is. Continue Reading »

Today, I am interviewing Goldy Gaind, an Ottawa-area IT Security Professional who has done many Threat and Risk Assessments (TRAs) for Government of Canada Departments. Hopefully, my questions and his answers will be helpful for GC managers and consultants who are trying to meet all their MITS compliance targets by yesterday (or at least Dec. 31, 2006). Continue Reading »

A term I heard software security guru Gary McGraw use when talking about how you can’t just do a static analysis of an application’s code and expect it to find all vulnerabilities.  That’s because vulnerabilities often creep into applications via poor architectures and designs.  Unless analysis is done from the architectural level on down through source code scans and penetration testing, there are only limited types of vulnerabilities that can be found.

In an IT News story called “The Truth About Software Security“, a spinoff of Symantec named Veracode is offering a static analysis service to analyze compiled software code.  They don’t analyze source code, just the machine code.  Continue Reading »

The recent announcement of a new debit machine fraud scheme shows that merchants need to take more physical security precautions. Store clerks were being distracted long enough for crooks to exchange the real machine with one wired to collect the card and PIN information. They come back a few days later and do the same thing to retrieve the machine.

If the store doesn’t physically secure the machine and have video surveillance, it can very easily miss this attack.

I have heard about the “USB Token Penetration Test Experiment” that is reported on the searchsecurity.techtarget.com site. It illustrates how risky USB tokens are, not just to enterprises, but to everyone.

Did you know that if a USB token has an “autorun” file on it, that file will execute automatically as soon as it is inserted. Continue Reading »

For a regular discussion on VOIP Security issues, check out the “Blue Box Podcast“, hosted by Dan York and Jonathan Zar.

Apparently, Canada is behind the curve on “breach notification” legislation. In the “Reality V2.0” blog, I came across this interesting note, which surprised me…

“The Canadian Internet Policy and Public Interest Clinic is requesting that changes be made to the Personal Information Protection and Electronic Documents Act (PIPEDA) to force businesses to inform those whose personal information may have been compromised as a result of a security breach. ”

Usually, Canadian laws tend to mirror US laws when it comes to security issues (passport laws aside). I would have thought we already had a law saying companies have to disclose to stakeholders when they have had a security breach. I guess I was wrong.

- Scott

The title above is the name of a book by Bruce Schneier, well known author and commentator on the field of security.

I just listened to a podcast of an interview with him on ITConversations.com which was quite interesting. Bruce has evolved from being a cryptography expert to a network security expert, now to a security generalist. He has some great insights and analogies for security problems. I haven’t read the book, but intend to.

- Scott

My name is Scott Wright, and I’m a Security consultant with a wide range of experience in Security Management and Information Technology Management issues. My plan for this blog is to provide a way of sharing practical (or sometimes theoretical) ideas about risk management and security for executives, managers and staff of all types of business organizations.

Whether you are interested in corporate governance , security awareness, application development, social engineering or insider threats, I have views that can help make your organization better managed for security. I can also find many ways to help you more actively through coaching, seminars, training, keynotes, organizational development, team building, risk assessments and other tools.

I want to make this an interesting and interactive blog. I will be asking questions, and will post ideas and links for things I find to be useful for my Clients, and hopefully you and your associates.

As a first post, I have been trying to come up with a meaningful first link. I could link to my consulting business’ Web site, but that would be shameful and blatant. Besides you can find that link in the About Scott Wright page.

Let’s start with something that we should all keep an eye on, the CERT web page (not an acronym for Computer Emergency Response Team, but the CERT/CC was the first Computer Incident Response Team). They have lots of news and information on that security status of the Internet.

So, I hope your readings here are interesting and add value to your business in some form. I also hope you will post comments and links to relevant sites. See you in the next post.

- Scott