CIA triad of security

The CIA triad of security has become controversial. I think this is due to a lack of understanding of what it means. The CIA triad remains a good fundamental model of why security exists and what it protects. Here’s what the CIA triad is all about, and what’s wrong with the trendy model some say should replace it.

The CIA triad refers to three things: the confidentiality, integrity, and availability of computer systems and data. Although it is an old model, it is also enduring.

Are password managers a good idea?

No matter what I say in response to this question, someone’s going to say I’m wrong. But I’ll bite. Are password managers a good idea? I’ll hedge and say they solve more problems than they cause. We need a better idea, but no one has found it yet.

The problem with password managers is there’s always the danger they’ll get breached. But the alternatives are people using weak passwords, reusing passwords, or both, and that’s worse.

Median vs mean vs mode

I do a lot of statistical analysis in my day job. Though my job title is no longer security analyst, I literally analyze computer security issues and make recommendations for a living. You couldn’t study information security when I was in college, because the field barely existed then. My formal training is in journalism. But my journalism degree means I have more formal training in statistics than most people I know. So let’s look at median vs mean vs mode, and when to use each of them.

Median, mean, and mode are three different approaches to trying to answer the same question. Out of all the numbers you collected, what is typical?

A Linux sudo bug

I had a busy day at work today, writing for my current employer about something my previous employer discovered. Qualys discovered a buffer overflow condition in sudo that, well, basically makes all your users root. I joked with one of my coworkers that Qualys could have used this to solve all its permissions problems when scanning Linux and Unix instead of disclosing this, but they did the right thing.

Most any Linux distro released between 2011 and 2020 has this flaw. So, run yum update or apt-get update to clean up those old sudos. Because we all know giving all your users root isn’t a good idea.

View headers in Gmail to see if that mail is real

For nearly 20 years, I was the guy people asked if an e-mail message they got was real. And if they were interested, I’d show them how I figured out if it was real. To do that, you have to look at the headers. Here’s how to view headers in Gmail.

Gmail doesn’t have an option called View Headers; the option is called Show Original. Choosing this obscure option lets you view the headers and investigate a message.

Qualys severity vs CVSS

I’ve spent a little more time than I would like studying severity models in vulnerability scanners. One question that comes up occasionally is Qualys severity vs CVSS, or any of its competitors, for that matter. Let’s take a look at how Qualys severity compares against the industry standard.

Qualys’ severity score predates CVSS, which is now the industry standard. The two have similarities but there are various reasons for choosing one over the other.
