Monthly Archives: February 2013

RSA Conference 2013, YOU READY!?

Seems like just yesterday I was gearing up for RSAC 2012 being all ninja like with my security persona. It’s a new year, and a new RSAC, and it promises to be one of the most exciting ones yet. I’m extremely excited to be a part of it. So, where can you find me at RSA Conference? Monday: Expo Pub Crawl! Tuesday: Available during the day to meet, will be attending Bob Griffin’s RSA session in the afternoon. Wednesday: BIG DAY! Speaking: Managing Daily Security Operations with Lean and Kanban, 9:20am, Room 309. Book signing at the book store. 11am. Security Bloggers Meetup! See you there! Thursday: Available during the day to meet. Will be at the Securosis Recovery Breakfast ...


Fixing the CAs, A New Approach

The last few years have been a bit rough for Certificate Authorities (CAs), as hackers have figured out how to obtain certificates in a manner that erodes trust in the system. Not only have they gone after the middle-men in the chain of certificates, but they have gone directly after major CAs, effectively compromising the entire system. There have been a few alternatives proposed, such as Notary, and now the Certificate Authority Security Council (CASC) has proposed a new model that leverages OCSP stapling, a technology designed to fix one major issue with the revocation process. Before OCSP and OCSP stapling, we had Certificate Revocation Lists (CRLs). This fail-safe is designed to allow for an issued certificate to be revoked, ...


PCI SSC Releases Cloud Guidance

It looks like it’s been a busy couple of weeks for the Council! We saw their release of the eCommerce guidelines, which had some good nuggets while missing the key point of understanding the contracting process for scoping. Now we have the release of the Cloud Guidance, the latest SIG to conclude and publish a report. Read this post, then check out StorefrontBacktalk’s post, then go download the document. First, let’s highlight the good stuff. There are some great charts that attempt to give examples on how responsibilities might be allocated depending on your setup. Go through these as a benchmark, but instead of taking their defaults as gospel, validate them with your CSP using Appendix C. They reference the ...


Want to learn more about the Research behind the Phoenix Project?

So The Phoenix Project has been out for about a month now (read an excerpt here), and it has been the talk of IT and IS professionals all over the place. I’ve been pestering Gene to release some of the underlying research that went into the book for people that want to learn more. The fable is a GREAT place to start, but when you go to implement the concepts in the book, it’s nice to have some of the underlying theory behind it when you go change your operations. So here’s the first installment of the core concepts in The Phoenix Project. If you are affiliated with a university (as a student or alumni) you may be able to ...


Roadmap to a Secure Organization

Last week I got an email from one of my favorite colleagues in Australia, Peter Baussman. We used to work together at VeriSign, both as an employee and contractor. His company, Foresight Consulting, developed a maturity guide for the top four items listed in the Defence Signals Directorate’s Top 35 Strategies to Mitigate Targeted Cyber Intrusions. Check this out (if for nothing else than the rockin’ little e-bee in the masthead!) and see how it maps to your expectations. Frankly, I think this document is absolutely fantastic as a baseline for any security organization. You may not elect to do every one of these things per your risk or operational models (for example, application whitelisting on laptops isn’t very practical ...


RSA Security Analytics Revolutionizes IS

Last week RSA launched their new Security Analytics product, which combines a number of capabilities required by today’s security operations professional into one platform. If you have not checked this out, go here to see Art Coviello’s video announcement and check out the virtual kickoff here. Once you see the demo, you will be THRILLED to see what the future of information security tools can be. But don’t just take their word for it; check out what these folks have to say! “The sophistication of advanced attacks and the associated malware is growing every day, testing the limitations of existing security analytics tools. The Big Data phenomenon could help address this situation for security professionals, making it important for organizations to rethink their choice ...


January 2013 Roundup

What was popular in January, a special Super Bowl Edition! The big game is over, and many of us are pouting until August because of the lack of NFL action. Or at least we’re watching reruns on the NFL Network on Sundays until we can flip over to NASCAR and root for crazy (but survivable) crashes. January was a busy month for security professionals! We saw new, game-changing products released, and we’re all gearing up for RSA Conference at the end of this month. Here are the five most popular posts from the last month: How Starbucks is Revolutionizing Mobile (Micro) Payments. You know how you see those crazy fools that pass their phone in front of some magical sensor ...


PCI Releases eCommerce Guidelines, READ THIS FIRST!

This week saw the release of the new PCI DSS 2.0 eCommerce Guidelines, one of the latest work products from a Special Interest Group in the PCI Community. Before you go clicking on the links above, there are a few things I wanted to outline for you here. First, remember that this is a GUIDANCE document, and is not an official extension of PCI DSS. That said, there are some valuable things in here to consider, as well as a few misleading statements that I wanted to comment on. Keep in mind, I am not an official mouthpiece of the Council, but I’ve been involved in the community for a long time. I have submitted my feedback to the Council ...
