Friday, June 26, 2009

What went wrong?

Another day, another breach notice in the mail. This one to my wife yesterday.

What I want to know is:
  • What merchant breached the data?
  • How many other cards were breached?
  • How long after the breach was this detected?
  • How was this detected?
  • How long before the lapse that allowed this breach is fixed?

What are the odds that calling the 1-800 number will give us these answers?

Tuesday, June 16, 2009

IT Infrastructure Threat Modeling Guide.

Russ McRee (now at Microsoft) has just released the official 1.0 version of the IT Infrastructure Threat Modeling Guide.

I contributed a teeny tiny little bit of reviewage to this when it was in beta, and I have to say, it looked real good. A nice first jab at the problem of looking at the whole of your infrastructure risk-wise. At the time, I was already using a similar model at work, but I'm definitely going to be adding this model to the mix.

It's worth a read.

PS: Russ is a great guy and totally open to feedback. If you've got something intelligent and useful to say about the model, please do speak up.