Monthly Archives: January 2013

How Starbucks is Revolutionizing Mobile (micro) Payments

For those of you that have not been living under a rock for the last couple of years, you may have patronized a Starbucks and seen a customer scan their phone at the checkout and then somehow magically get coffee without ever paying. What is this wizardry that is going on? I mean, you’ve seen people pay with pretty looking cards that have a Starbucks logo, but that’s clearly a gift card, not some magical electronic thingie. This magical pay-by-phone is not only a convenience for regular customers, but it’s Starbucks’s way to push mobile payments forward while device manufacturers do their best Benny Hill trying to implement mobile payments. Enter the Starbucks app (and Passbook integration). Sure, techies love ...

Fun Research on Information Flows

I am doing some research on inference attacks in advance of one of my RSA Conference sessions and happened across this very interesting piece of research by Roya Ensafi, Mike Jacobi, and Jedidiah R. Crandall from the University of New Mexico’s Department of Computer Science entitled, “Students Who Don’t Understand Information Flow Should be Eaten: An Experience Paper.” Not only is it absolutely true (and frankly, this applies to practitioners too), but it’s another fascinating example of how games (and game theory) can teach us about real scenarios we face every day. One key element to understand in this paper is that this is a lab environment that is closely monitored with a tight feedback loop that allowed the game makers ...

Big Data Fuels Intelligence-Driven Security

On Tuesday, RSA released a new security brief entitled “Big Data Fuels Intelligence-Driven Security.” Indeed, one of the themes of this blog over the last year or so has been looking for the bad guys hiding in plain sight. Your standard controls won’t catch them—or at least won’t catch them in time. Instead, you will probably rely on poorly constructed logs and expensive forensics to try and piece together exactly what happened. The brief identifies two key shifts that are driving the need for behavior-based controls: dissolving network boundaries, whereby legitimate users are probably not doing all of their activity within the physical four walls of the building, and adversaries that are getting much more sophisticated and surgically attack organizations using ...

MasterCard Releases Mobile POS Best Practices

Mobile POS is becoming a hotter topic as more vendors create hardware designed to leverage smartphones and tablets. To this end, MasterCard released a fantastic document detailing the Best Practices for Mobile Point of Sale. I have written before about how to make a mobile payment application comply with PCI DSS, and this document really goes into the details of the payment stream, the acceptance types, and great detail into the challenges and solutions for mobile payment acceptance. This document isn’t just for people who are considering mobile payment acceptance; every merchant should read this, as someone in your organization is already thinking along these lines (and maybe even piloting equipment). This is a key reference for me and I ...

The Phoenix Project, a Novel for Today’s IT Professional

Today is a great day for aspiring (and perhaps current) IT leaders as The Phoenix Project by Gene Kim, Kevin Behr, and George Spafford is now finally available and shipping. If you are in any way connected to anything related to information technology, this book should be on your reading list for Q1 2013. I read the final manuscript in a matter of days and could not put it down. This book is modeled after the iconic manufacturing title, The Goal. But instead of an overweight scout causing an enlightening view into the theory of constraints (poor Herbie), it’s a failing IT department in a business outpaced by competitors. All of the classic themes of today’s IT issues are explored ...

Flick-through Friday!

Sorry, that was the closest thing to alliteration I could get to for this blog. It’s Friday! How’s everyone doing after their first full week back? Other than the circus of CES 2013, things at Oracle have to be a little tense with this newly discovered massive hole in Java. I do have a couple of reading suggestions for you today as you close out the week. What has two thumbs and finally updated his Herding Cats page? THIS GUY! Man, I’m sorry about being so slow with this. No excuses. But now every issue is available, including the ones from May to this January that are now live. Go see if you can find the title that made my ...

Deceit as a Defense

An information security professional’s job is becoming more like military defense every day. We are charged with battling on multiple fronts, typically without enough resources to do the job well. Yet, our creativity can serve us well in defeating any number of attackers before they steal our goods. Now we have another great example of a company taking military defense techniques to a new level and leveraging deception in their daily process. Keep in mind, deception of this level is much different from throwing a honeypot on your network and waiting for a low to mid-level hacker to stumble upon it. This is the kind of deception designed to confuse even the most sophisticated bad guys by using one of ...

The SBIC 2013 Trends Report

Today the Security for Business Innovation Council (SBIC) released their 2013 Trends Report, which is chock-full of great stuff for security professionals to consider as they begin to tackle the challenges this year will bring. While this report is not like anything the SBIC has released in the past, the four key findings are quite compelling and true to much of what my mission has been over the last several years. They are: Boost risk and business skills. Readers of my column (which has not been updated here in a while, but will be soon) know that the security professional who understands how the business works will be much more effective in adding value to his position ...
