Thursday, October 15
Joanna and the crew over at Invisible Things have posted a tool to demonstrate how trivial it is to circumvent full-disk encryption products. Evil maid requires that you have access to the machine and can boot it using a usb-stick with the software installed. It then is able to transparently record the user's passphrase for the disk.
This is another example of how full-disk encryption products need to be architected carefully to ensure that problems like this can be considered and controls put in place to avoid them.
Thursday, October 1
NIST has published an excellent draft guide on the basics of information security without throwing the users over the deep end. It seems to address the "certainties" of security risks, and provide very basic methods of addressing them, without being too product focused.
It is likely, although it will depend on the organization, that SMB's will need to work through this to understand how their current practices compare to this guidance, and figure out the most effective ways to address any short falls.
I would encourage all security professionals to give the guide a read and provide Richard with comments on improvements to make this guide as helpful as possible. Just don't be like Gartner's Adam Hills and post a critique before the standard is published.