Comments on: The New School of Information Security

By: Iang

Iang — Tue, 11 Mar 2008 10:27:02 +0000

CJ calls it: Spam is used for phishing. If phishing is a threat, then spam must be part of that.
It is true that spam without meaningful content (noise) could be just modelled as a threat to governance of the organisation’s assets (time & attention & budget). It’s close, but only an estimation; to say that spam is only noise isn’t sustainable. Spam has been around since whenever, and its existence is proof of its success. That success means someone in your organisation might click on it. Quietly…
So, it’s a threat, but it might still be an acceptable risk.

By: jamsler

jamsler — Tue, 11 Mar 2008 09:33:36 +0000

Congratulations! Looking forward to your always original thinking on the security issue. Thanks for offering up some basic, practical ideas.

By: jayskew

jayskew — Mon, 10 Mar 2008 11:17:59 +0000

Arbitrary lines between job descriptions that permit some of them to ignore a problem like spam that has effects across all of them and has made many people completely abandon electronic mail seems to me part of the problem.

By: Adam

Adam — Mon, 10 Mar 2008 11:07:38 +0000

I don’t really want to rathole on the question of “is spam an issue,” but spam affects availability and integrity of email service, by overwhelming systems, and requiring filters, which are imperfect.

By: CJ

CJ — Mon, 10 Mar 2008 10:23:00 +0000

“In any field of the security arena, should something be considered an issue if it isn’t a threat? Aren’t the issues security is supposed to manage all threats?”
Surely it must. It lowers the bar for targeted phishing lures, which can enable all sorts of badness targeting your information, or in my case, critical infrastructure.
Dealing with the spam problem isn’t that hard – just politically damning in today’s environment. Case in point, walk into any bank with a ski mask and watch what happens.

By: Pedro

Pedro — Mon, 10 Mar 2008 09:50:17 +0000

I’m planning to buy the book, it should be a good read. This is one of only two or three ‘blogs’ I visit and I respect the authors.
It just irritates me when I read references to spam (and such like) in InfoSec publications when it hasn’t anything to do with InfoSec. I reckon we’d make much better progress towards ITSec and InfoSec if the IT/ITSec/InfoSec/CorpGov industires could sort our their nomenclature and focus on tackling problems within their remit.
In any field of the security arena, should something be considered an issue if it isn’t a threat? Aren’t the issues security is supposed to manage all threats?

By: janice

janice — Mon, 10 Mar 2008 09:35:49 +0000

Can’t wait for it to hit ‘available’ status at bookstores here in Canada. Congratulations, Adam!

By: rob sama

rob sama — Mon, 10 Mar 2008 08:54:13 +0000

Thank you for the clarification, Napoleon Dynamite’s friend.
Congratulations Adam (and Andrew)!

By: Perplexed

Perplexed — Mon, 10 Mar 2008 08:53:41 +0000

Pedro – it says “issue” not “threat”. Perhaps you should buy the book and see what it says before passing judgement :-)

By: Pedro

Pedro — Mon, 10 Mar 2008 06:37:57 +0000

“We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn’t just fixed them”
Spam doesn’t represent a threat to an organisation’s information assets – it’s merely an annoyance to the workforce and a drain on IT resources. Statements like this only perpetuate the muddled line of thinking that confuses Information security with IT Security (hint: they’re different!).