Monthly Archives: March 2010

Another Security by Obscurity FAIL

I was doing some technical testing for a friend of mine the other day ((Sometimes security guys get tagged like other techies and we’re some guy’s best friend’s college roommate’s sister-in-law’s cousin, twice removed on her MOM’s side (that’s very important apparently), and we get to try and “hack our way” into someone’s online presence.)), let’s call him George, and came across yet another bad example (or a good one) of security by obscurity failing miserably. George just set up his first online service portal for his customer base. He’s running a Pro Shop for a small, independent country club, and is trying to cut back on costs. He decided to invest in a simple online tee-time reservation system, and ...


The Mistakes QSAs Make

Aside from a rather embarrassing moment last night with Keynote ((Note to self, make your FIRST and LAST slides different, and actually test MOVING slides before the room is filled with expectant eyes boring holes through my skull into the screen behind me.)), I spoke to a local group of PCI DSS enthusiasts about the mistakes that QSAs make, and how to deal with them. I came up with several, but would really like to see what YOU FOLKS out there think! Submit comments below anonymously or with your name, either way. This is open to anyone! QSAs, ASVs, acquirers, issuers, merchants, service providers, ISOs, security professionals, PCI HAY-TAHs, payment brands, Council members, Jim, forensic investigators, and other PCI experts. ...


More Advice when using Public WiFi

Scott Carmichael from the great travel blog Gadling published a post yesterday with tips on keeping your data safe when connecting to public wireless hotspots. There are some really good tips for everyone here, but I wanted to add to a few of the options. One of the recommendations is to get a 3G or 4G data card. In working for a Telco for a few weeks, I did learn a thing or two about these networks and how employees’ laptops can be locked down almost to the point of being unusable. This is definitely a fantastic recommendation but has two key drawbacks—cost and usability. While data cards can be obtained reasonably cheaply, and depending on how you connect to the internet ...


Sample Book Chapter posted!

Anyone know I didn’t write a book with Anton Chuvakin last year? If not, I’ll tell you ALL about it. OK, seriously, I know I’ve talked a lot about it here. If you have not bought it and are still skeptical, go check out the sample chapter we have posted on CSO Online. This chapter, entitled “The Art of the Compensating Control,” is an expansion of the article of the same name. There are some case studies at the end, and more details on compensating controls. If you are like most people dealing with PCI, you probably have lived the compensating control euphoria turned nightmare turned compromise. If you still have not bought one and want a chance to win ...


Securing your Social Networking Brand

This post originally appeared on Jennifer Leggio’s Social Business blog at ZDNet (now with more links!). Social networking sites as innocent as LinkedIn and as provocative as Twitter (have you seen my stream?) have now become a personal branding vehicle for many professionals. Some of us have had the unfortunate experience of losing a job we barely had thanks to social networking. Others have seen it as the boost to their career they have been wanting for years. Let’s talk about security in the context of the latter. When I moved my blog to a setup I administered, I made two commitments to myself. The first is that I would make frequent backups because there has yet to be a ...


Herding Cats March: The Business of Security

Have you checked out ISSA Connect yet? The next issue is up there with my column, The Business of Security. In it, I discuss the business side of security and the transition that has to happen for security leaders to be more effective and valuable to their corporations. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, go sign up!


The Social Security Office, an Identity Thief’s Heaven!

My wife is not into technology. Or security. Or UNIX. Basically she looks at her Macbook as a way to check email, buy shoes, organize photos and videos, and make checklists for the babysitter. So when she takes an interest in what I do, I REALLY perk up. She is very attentive to the things I do with our mail and sensitive information, only because she hears me talking about it all the time. She knows not to give out passwords or personally identifying information. She shreds expired cards and junk mail. She’s definitely more in tune with security than the average citizen. We recently noticed a reporting error from the Social Security Administration and the only way to clear ...
