
September 10, 2010

Security Friday Fast Fact: Busting the VPN-Security Myth

By David Stern The Federal Reserve building in NYC is a fortress; literally. There are layers of physical security mechanisms inside and out to keep people away from where they aren’t supposed to be. If you ever go to a meeting there, you will find that you cannot wander too far before hitting a nicely [...]

A Not So ROSI Outlook

By David Stern I really dislike ROSI. Return on Security Investment is a cancerous outgrowth of ROI. Bean counters use this metric to determine the effectiveness of a security program. The logic follows this path: invest $100 in security technology, process, or procedure. If the organization cannot quantify more than $100 in savings, then the [...]

IT Security Five Minute Fast Fact: Network vs Application Protection

By David Stern The proliferation of web based applications has added a new element to perimeter protection. 99% of firewall functionality is geared towards allowing or blocking network packets. It is now just as critical to control the payload of those packets as well. 5 years ago, adversaries primarily attacked unprotected servers. Today, they are [...]

Disclosure Laws – The Unseen 1000lb Gorilla

By David Stern  It is 2006 and I still encounter organizations that would rather bury their heads in the sand or float down “de-nile” than acknowledge that information security is an enabler of business. More and more states are passing laws that require the disclosure of a breach that includes personally identifiable information. In this [...]

Risk Management – Making Effective Decisions (Part 2 of 2)

by David Stern, CISSP In the first part of this section, we introduced the need to consider a decision making framework. Now we’ll go through some real world examples to gain a better understanding of the process. What is the vulnerability? This question aims at gaining a broad situational awareness of the problem.  From Secunia [...]

Risk Management – Making Effective Decisions (Part 1 of 2)

by David Stern, CISSP In the last session we discussed the taxonomy and terminology of security vulnerability. Now that the language is not foreign, some of the FUD (fear, uncertainty, and doubt) should be gone. However, the daunting challenge of determining an appropriate response to a vulnerability alert or discovery still looms. Evaluating the real [...]

Understanding Vulnerability, Part Three – How do we protect ourselves?

Understanding Vulnerability By David E. Stern, CISSP This is part 3 of a 3 part series about truly understanding vulnerabilities and taking this knowledge to make a difference in the way you practice information security. How do we protect ourselves? By now, we should have cleared a lot of the FUD (fear, uncertainty, and doubt) [...]

Understanding Vulnerability, Part Two – How do adversaries launch attacks to exploit vulnerabilities?

Understanding Vulnerability By David E. Stern, CISSP This is part 2 of a 3 part series about truly understanding vulnerabilities and taking this knowledge to make a difference in the way you practice information security. How do adversaries launch attacks to exploit vulnerabilities? Like an explosive charge, an exploit needs to be delivered to its [...]

Understanding Vulnerability, Part One – What are Vulnerabilities?

This is part 1 of a 3 part series about truly understanding vulnerabilities and taking this knowledge to make a difference in the way you practice information security. Understanding Vulnerability By David E. Stern, CISSP Introduction Most IT practitioners today are familiar with Microsoft Patch Tuesday. On the second Tuesday of every month, Microsoft publishes [...]