25 Jun

Items of Interest Week of 6/22/2015

Here are some quick reads compiled by Shane and Christian for the week of June 22, 2015. If you have interesting links of your own, share them in the comments.

  • NSA Tracking: NSA Has Reverse-Engineered Popular Consumer Anti-Virus Software In Order To Track Users
  • Norman Marks on Risk Analysis: Popular GRC expert shares a few thoughts (and excerpts from his book) on risk analysis. Specifically, the need to consider all relevant information and outcomes when it comes to assessing risks.
  • Auditors – You’re Killing Security: Things auditors should consider from an IT security executive’s perspective.
  • Is Google Chrome listening in on your conversations?: A new update to Google Chrome might indicate eavesdropping (or at least the ability to eavesdrop) on your conversations. A new code snippet activates your computer’s microphone and transmits information back to Google servers.
  • How to hack fiber optic to steal sensitive data: A hacker shows how easy it is to tap into fiber optic networks and steal potentially sensitive information, further demonstrating the importance of physical and network-level security controls.

3 thoughts on “Items of Interest Week of 6/22/2015”

  1. Another great list – though the “You’re Killing Security” article did give me pause. There was a mention of standardized questionnaires for auditing. In my 18 years of auditing, I’ve never used a questionnaire or checklist. I always have a standard request list (and I’ve borrowed some ideas from your article), but the questionnaire struck me as odd. I’d rather ask my questions in person, gauge responses, and then tailor follow-up questions.

    I’m curious on your thoughts about questionnaires.

    Thanks

    • @AuditTechMate
      I’ve never used a questionnaire either and I suspect that if I were to go around passing them out, very few people would ever take the time to fill them out anyway.

      I have a hard enough time getting quality responses from people as it is!

  2. In the article, I think the author is talking about Vendor questionnaires. I’ve seen a lot of companies send out “Audit” questionnaires to each vendor to gain assurance they meet a minimum set of standards. The questionnaire might request recent attestation reports, vulnerability scans, policies, etc. That sort of thing sets a minimum bar when you are dealing with a vendor and probably makes sense. It is especially good to get a dialog going in respect to security.
