We serve security decision-makers, providing them with the content and tools they need to make and execute better security management decisions faster and more reliably. We do this by addressing the people and process issues as well as the technology issues at the business decision-making level.

Community content serves the community as a whole

Part of this service is our community content. It provides the global community with insight into what our analysis has produced over the years, in a series of short and easily readable essays. The best way to keep up to date on these issues is to join our monthly no-solicitation mailing list. To sign up, email to mailinglist at fredcohen.net.


Short Analysis Reports

  • 2014-11-B - Eat your own dog food
  • 2014-11 - What's the big deal about big data loss (actually theft)?
  • 2014-10 - Cyber (whatever that is) insurance yet again?
  • 2014-09 - 2-factor this into your thinking
  • 2014-08-B - A touch of the Ebola
  • 2014-08 - Aurora and why it doesn't really matter
  • 2014-07 - Encrypt it all!!!
  • 2014-06 - Is it secure?
  • 2014-05 - May Day - attack mechanisms revisited - were you surprised by the NSA's activities?
  • 2014-04 - The RSA: Science Fiction and Humor
  • 2014-03-B - The Snowden virus - disrupting the secret world by exploiting their policies
  • 2014-03 - The four tactical situations of cyber conflict
  • 2014-02 - Countering hardware storage device Trojans
  • 2014-01-B - After the Red Team
  • 2014-01 - Why we need better reporters to solve our security problems
  • 2013-12 - Return of the telnet return
  • 2013-11-B - Transparency - a different protection objective
  • 2013-11 - Demystifying control architecture
  • 2013-10-B - The "big deal" approach to risk management
  • 2013-10 - Trust and worthiness
  • 2013-09 - The surveillance society: pros, cons, alternatives, and my view
  • 2013-08 - Three words you should never use in security and risk management
  • 2013-07-B - How to justify (security) metrics and what to measure
  • 2013-07 - Mobility and industrial control systems
  • 2013-06 - Separation of Duties and RFPs
  • 2013-05-B - The harder problems
  • 2013-05 - Write lock the past, access control the present, anticipate the future
  • 2013-04-B - Actionable metrics (Guest Editor)
  • 2013-04 - Managing Oops
  • 2013-03-C - Limiting Insider Effects Through Micro-Zoning
  • 2013-03-B - Welcome to the Information Age - a 1-page primer
  • 2013-03 - Security Heroes
  • 2013-02-B - Stupid Security Winner for 2012
  • 2013-02 - Thinking more clearly
  • 2013-01 - Raising all boats - by improving the average
  • 2012-12 - Ten Bad Assumptions
  • 2012-11 - The Design Basis Threat
  • 2012-10 - Changing the leverage
  • 2012-09 - Eventually, you are going to make a mistake
  • 2012-08 - As the consequences rise, where is the risk management?
  • 2012-07-B - The Facebook debacle and what it says about the other providers
  • 2012-07 - Open CyberWar - Early Release
  • 2012-06 - Question everything
  • 2012-05 - The threat reduction approach - Point - Counterpoint
  • 2012-04 - Insiders turning
  • 2012-03 - Three emerging technologies
  • 2012-02 - Ethics in security research
  • 2012-01 - The security squeeze
  • 2011-12 - Can we attribute authorship or human characteristics by automated inspection?
  • 2011-11b - Saving SMBs from data leakage
  • 2011-11 - Webification and Authentication Insanity
  • 2011-09 - Consistency under deception implies integrity - ICSJWG version
  • 2011-10 - Security vs. Convenience - The Cloud - Mobile Devices - and Synchronization
  • 2011-09 - Consistency under deception implies integrity
  • 2011-09-11 - CIP version of "Progress and evolution of critical infrastructure protection over the last 10 years?"
  • 2011-08 - Progress and evolution of critical infrastructure protection over the last 10 years?
  • 2011-07 - The structure of risk and reward
  • 2011-06 - Security Metrics - A Matter of Type
  • 2011-05 - The R word
  • 2011-04 - Change your passwords how often?
  • 2011-03 - Any is not All
  • 2011-02 - Why are we so concerned about governments getting our data?
  • 2011-01B - The Bottom Ten List - Information Security Worst Practices - Getting Even Worse
  • 2011-01 - Risk aggregation - again and again and again...
  • 2011-00 - All.net has moved to the cloud!!!

    2010

  • 2010-12B - Book code cryptography may be nearly dead
  • 2010-12 - Changes to the Federal Rules of Evidence - Rule 26
  • 2010-11 - How do we measure "security"?
  • 2010-10 - Moving target defenses with and without cover deception
  • 2010-09 - User Platform Selection Revisited
  • 2010-08 - The DMCA Still Restricts Forensics
  • 2010-07 - Mediated Investigative Electronic Discovery
  • 2010-06 - The difference between responsibility and control
  • 2010-05 - The Virtualization Solution
  • 2010-04 - Attacks on information systems - a bedtime story
  • 2010-03 - The attacker only has to be right once - another information protection fallacy
  • 2010-02b - Another ridiculous cyber warfare game to scare deciders into action
  • 2010-02 - Developing the science of information protection
  • 2010-01 - The Bottom Ten List - Information Security Worst Practices

    2009

  • 2009-12b - COFEE and the state of digital forensics (Christmas special!!!)
  • 2009-12 - Using the right words
  • 2009-11 - Passwords again - why we can't leave well enough alone
  • 2009-10 - Partitioning and virtualization - a strategic approach
  • 2009-09 - Forensics: The limits of my tools, my techniques, and myself
  • 2009-08 - Virtualization and the cloud - Risks and Rewards
  • 2009-07 - The speed of light, it's easy to forge, email is always fast, and more
  • 2009-06 - Security Decisions: Deception - When and where to use it
  • 2009-05b - Culture clash: Cloud computing and digital forensics
  • 2009-05 - Protection testing: What protection testing should we do?
  • 2009-04b - Proposed Cyber-Security Law: What's the problem?
  • 2009-04 - Risk management: There are no black swans
  • 2009-03 - How spam vigilantes are wrecking email and encourage violations of law
  • 2009-02b - Digital forensics must come of age
  • 2009-02 - A structure for addressing digital forensics
  • 2009-01 - Change management: How should I handle it?

    2008

  • 2008-12-B - Short Note: Twittering away your privacy
  • 2008-12 - Digital Forensic Evidence: A Wave Starting to Break
  • 2008-11 - Security Decision: Zoning your network
  • 2008-10 - Social tension and separation of duties
  • 2008-09 - Default deny is best practice? Not anymore!
  • 2008-08 - Control architecture: Access controls
  • 2008-07 - Fault modeling, the scientific method, and thinking out of the box
  • 2008-06 - Inventory Revisited - How to reduce security losses by 70%?
  • 2008-05 - Control Requirements for Control Systems... Matching Surety to Risk
  • 2008-04 - The Botnets have come - The Botnets have come...
  • 2008-03 - Enterprise Information Protection - It's About the Business
  • 2008-02 - The Digital Forensics World
  • 2008-01 - Unintended Consequences

    2007

  • 2007-12 - Security, justice, and the future
  • 2007-11 - Security by Psychology
  • 2007-10 - Making compliance simple - not
  • 2007-09 - Identity Assurance and Risk Aggregation
  • 2007-08 - The ethical challenge
  • 2007-07 - Security Decision Support
  • 2007-06 - User platform selection
  • 2007-05 - Risk Management
  • 2007-04 - Security Ethics and the Professional Societies
  • 2007-03 - Emerging Risk Management Space
  • 2007-02 - Emerging Market Presence
  • 2007-01 - Market Maturity and Adoption Analysis Summary
  • 2007-00 - Analysis Framework

    "Get Smart" - our older monthly newsletter

    2008

  • 2008-02 - Who Should Do Your Digital Forensics?
  • 2008-01 - Accidental Security

    2007

  • 2007-12 - Security End-of-year
  • 2007-11 - Covert Awareness
  • 2007-10 - Measuring Compliance
  • 2007-09 - Identity Assurance
  • 2007-08 - Conflicts of Interest
  • 2007-07 - Making Better Security Decisions
  • 2007-06 - Which User Platform
  • 2007-05 - Managing Risks
  • 2007-04 - Information Content Inventory
  • 2007-03 - Sensible Security - You Wouldn't?
  • 2007-02 - Measuring Security
  • 2007-01 - Closing the Gap

    2006

  • 2006-12 - The Security Schedule
  • 2006-11 - The Holidays Bring the Fraudsters
  • 2006-10 - Physical/Logical Convergence??
  • 2006-09 - How can I Show I am Me in Email?
  • 2006-08 - Service Oriented Architecture Security Elements
  • 2006-07 - The Life Expectancy of Defenses
  • 2006-07 - BONUS ISSUE: The End of the World as we Know it
  • 2006-06 - Why the CISO should work for the CEO - Three Case Studies

    Managing Network Security

    2003

  • July, 2003 - Why?
  • June, 2003 - Background Checks
  • May, 2003 - Operations Security for the Rest of Us
  • April, 2003 - Documenting Security
  • March, 2003 - Novelty Detection
  • February, 2003 - Switching Your Infrastructure
  • January, 2003 - Security Programming

    2002

  • December, 2002 - Back Up a Minute
  • November, 2002 - Breaking In - to test security?
  • October, 2002 - Reworking Your Firewalls
  • September, 2002 - Deception Rising
  • August, 2002 - You're in a Bind!
  • July, 2002 - Is Open Source More or Less Secure?
  • BONUS ARTICLE - July, 2002 - Smashed Again by Stupid Security
  • June, 2002 - Academia's Vital Role in Information Protection
  • May, 2002 - Terrorism and Cyberspace
  • April, 2002 - Misimpressions We Need to Extinguish
  • March, 2002 - Embedded Security
  • February, 2002 - How to Get Around Your ISP
  • January, 2002 - The End of the Internet as we Know it

    2001

  • December, 2001 - The World Doesn't Want to be Fixed
  • November, 2001 - The Deception Defense
  • October, 2001 - The DMCA
  • September, 2001 Special Issue - The Balancing Act
  • September, 2001 - The Best Security Book Ever Written
  • August, 2001 - Bootable CDs
  • July, 2001 - A Matter of Power
  • June, 2001 - The Wireless Revolution
  • May, 2001 - The New Cyber Gang - A Real Threat Profile
  • April, 2001 - To Prosecute or Not to Prosecute
  • March, 2001 - Corporate Security Intelligence
  • February, 2001 - Testing Your Security by Breaking In - NOT
  • January, 2001 - Marketing Hyperbole at its Finest

    2000

  • December, 2000 - The Millennium Article - Yet Again! - The Bots are Coming!!! The Bots are Coming!!!
  • November, 2000 - Why Everything Keeps Failing
  • October, 2000 - The Threat
  • September, 2000 - Chipping
  • August, 2000 - Understanding Viruses Bio-logically
  • July, 2000 - What does it do behind your back?
  • June, 2000 - Why Can't We Do DNS Right?
  • May, 2000 - Eliminating IP Address Forgery - 5 Years Old and Going Strong
  • April, 2000 - Countering DCAs
  • March, 2000 - Collaborative Defense
  • February, 2000 - Worker Monitoring
  • January, 2000 - Digital Forensics

    1999

  • December, 1999 - Why it was done that way
  • BONUS ARTICLE - November, 1999 - So Much Evidence... So Little Time
  • November, 1999 - The Limits of Cryptography
  • October, 1999 - Security Education in the Information Age
  • September, 1999 - In Your Face Information Warfare
  • August, 1999 - What's Happening Out There
  • July, 1999 - Attack and Defense Strategies
  • June, 1999 - The Limits of Awareness
  • May, 1999 - Watching the World
  • April, 1999 - Simulating Network Security
  • Bonus Article: Incident at All.Net - 1999 Edition
  • March, 1999 - The Millisecond Fantasy
  • February, 1999 - Returning Fire
  • January, 1999 - Anatomy of a Successful Sophisticated Attack

    1998

  • December, 1998 - Balancing Risk
  • November, 1998 - The Real Y2K Issue?
  • October, 1998 - Time-Based Security?
  • September, 1998 - What Should I Report to Whom?
  • August, 1998 - Third Anniversary Article - The Seedy Side of Security
  • July, 1998 - How Does a Typical IT Audit Work?
  • June, 1998 - Technical Protection for the Joint Venture
  • May, 1998 - Risk Staging
  • April, 1998 - The Unpredictability Defense
  • March, 1998 - Red Teaming
  • February, 1998 - The Management of Fear
  • January, 1998 - Y2K – Alternative Solutions

    1997

  • December, 1997 - 50 Ways to Defeat Your Intrusion Detection System
  • November, 1997 - To Outsource or Not to Outsource - That is the Question.
  • October, 1997 - The Network Security Game
  • September, 1997 - Change Your Password – Do Si Do
  • August, 1997 - Penetration Testing?
  • July, 1997 -
  • June, 1997 - Relativistic Risk Analysis
  • May, 1997 - Prevent, Detect, and React
  • April, 1997 - Would You Like to Play a Game?
  • March, 1997 - Risk Management or Risk Analysis?
  • February, 1997 - Network Security as a Control Issue
  • January, 1997 - Integrity First - Usually

    1996

  • December, 1996 - Where Should We Concentrate Protection?
  • November, 1996 - How Good Do You Have to Be?
  • October, 1996 - Why Bother?


    Internet Holes

  • September, 1996 - The SYN Flood
  • August, 1996 - Internet Incident Response
  • July, 1996 - Internet Lightning Rods
  • June, 1996 - UDP Viruses
  • May, 1996 - Eliminating IP Address Forgery
  • April, 1996 - Spam
  • March, 1996 - Bonus: Incident at All.Net
  • March, 1996 - The Human Element
  • January, 1996 - Automated Attack and Defense

    1995

  • December, 1995 - 50 Ways to Attack Your World Wide Web Systems
  • November, 1995 - Network News Transfer Protocol
  • October, 1995 - The Sendmail Maelstrom
  • September, 1995 - Packet Fragmentation Attacks
  • August, 1995 - ICMP