TalkingTech
The view from the top of IT with TechWorld Editor Rohan Pearce
There has been a long history of attacks on the Domain Name System, ranging from brute-force denial-of-service attacks to targeted attacks requiring specialized software. In July 2008 a new DNS cache-poisoning attack was unveiled that is considered especially dangerous because it does not require substantial bandwidth or processor resources, nor does it require sophisticated techniques.
By Bob Halley | 21 October, 2008 09:30
The management of information risk has become a significant topic for all organizations, small and large alike. But for the large, multi-divisional organization, it poses the additional challenge of determining how to deploy an information security governance program among what are often disparate business units. Should the policies, procedures, and processes that define the program be developed and managed within a central, corporate body? Or perhaps responsibility would be better placed at the individual unit level? Is there a workable middle-ground?
By Audrey Agle | 05 September, 2008 10:15
Separation of duties is a key concept of internal controls and is the most difficult and sometimes the most costly one to achieve. This objective is achieved by disseminating the tasks and associated privileges for a specific security process among multiple people.
As companies embark on efforts to build loosely coupled service-oriented architectures they inevitably have to tackle the issue of securing their SOA service infrastructure, and many turn to XML security appliances to get the job done.
IT productivity is under increasing focus as businesses look for ways to reduce the cost of their daily business operations and increase profitability.
Remaining platform and technology agnostic in Information Security is a progressively more difficult task as people and companies develop the skills and abilities to form professional fee-based relationships with the vendors that they previously reported about.
I've had the pleasure of speaking at and attending this year's AusCERT 2008 security conference held in Gold Coast, Australia. If you've never been to Australia, you're missing some of the best that life has to offer, and I feel the same way about the conference. Although a bit smaller than most US security conferences, it's intentionally kept small (around 1,000 participants) and makes up in quality speaker presentations and vendor participation what it lacks in headcount. One of the great attributes of the typical Aussie is their aversion to marketing hype, along with their ability to "cut the fat off a chicken" (as my grandmother used to say) and pull out the salient points. If a vendor tries to push marketing fluff about their product too much, they are likely to get verbally assailed rugby-style. Here are some of my favorite notes and quotes from selected speakers:
Long-time readers know that I often rant about how insecure the Internet is, and how few solutions will do anything to change that equation during the next 5 to 10 years. I've also recommended a handful of solutions over the years, and accepted the resulting criticism that goes along with proposing big ideas.