Category Archives: Enterprise Security

Exploiting Human Trust and Complacency

I was speaking with an industry insider a few weeks ago and he started asking questions about supply-chain security. We kicked off a rather awkward discussion whereby I dipped into my SCM educational background and he tried to convey his actual meaning, which was much closer to informational supply chains, or better yet, the flow of trusted information. This led to a great hour of discussion about an attack vector that I call Exploiting Human Trust and Complacency. I’ve blogged about social engineering and the new perimeter (Sally in Accounting) in the past, and this expands upon that very notion. How do attackers take advantage of this attack surface, and how are they so successful? Before we delve into that, ...

Where is your Chaos Monkey?

Netflix has been in the news quite a bit lately. Regardless of the side you pick on this first-world problem, there is something really neat that they do that I wanted to share with a larger audience. If you read Harvard Business Review, you already know what I am talking about. Andrew McAfee published an article entitled “What Every CEO Needs to Know About the Cloud.” In this basic primer for business folks, McAfee describes something that Netflix created called the Chaos Monkey, a process largely credited for preparing the company to weather the Amazon ECC outage with minimal issues of their own while others, like Foursquare, experienced problems for days. McAfee talks about this in the section of ...

Transformational Security

It seems like the industry always says things like, “the traditional way of securing things simply doesn’t work anymore.” I’ve been doing security for many years now, and we’re always behind. Even today, in a landscape of targeted, advanced threats, we are too far behind the bad guys and are struggling to catch up. Those of you that have been reading my blog lately may have noticed that I finally made good on my promise to talk about more than just PCI DSS. Payment security is something that I am passionate about, but I love some of the new things I am being exposed to, and that means that I get to share them with you as well. It’s part of ...

To Win, you must Know Everything

I hate when people use the term “cyberwarfare” outside of its original context—a true war of nations trading bombs for bytes in the tubes. Sure, organizations are being attacked by nefarious groups that seem to be marching toward specific and fruitful goals, but is it really cyberwarfare? Regardless of what you want to call it, you still must act and react like someone is launching a digital missile campaign against your information. You can either sit and wait for someone else to tell you that you have been compromised, or you can take ownership of the problem and start up-leveling your intelligence gathering and analysis. It’s the Big Data problem of security. Your enemy is doing this, so why aren’t ...

Living in a State of Compromise

Imagine for a second that your boss came up to you and said, “We’ve been compromised. Assume trust doesn’t exist. Now define our new security organization and architecture!” Unfortunately, it may take events like that to change our perceptions or actions when approaching securing our organizations. Depending on who you talk to, we already are living in a state of compromise. I prefer removing the element of trust from my strategy as much as I can, and focusing on how I would secure a system, application, or network if I knew there were hostile elements in it. Changes your perspective a bit, doesn’t it? All of a sudden, those satellite locations start looking less like friends and more like foes. ...

Attack the Humans First

Information security professionals live in exciting times. It’s a constant battle of escalations between the new ways technology can be used to conduct business and the new ways the bad guys can incorporate technology in their overall strategy to steal information. But an interesting trend emerged this year that has always been around, but is now used in a much larger sense when going after data: human hacking. The nice way to say it is “social engineering.” How do I convince Sally in Accounting to give me information that I can then use for my own personal financial gain? It’s not a new concept, and frankly tamer versions are used daily by politicians, sales professionals, and children. The challenge for ...

Walls Aren’t Enough

The bad guys are getting smarter, more creative, and more persistent, so what are we doing in response? I can’t tell you how sad it is to hear things like this when I ask how companies are shifting their security programs in order to combat advanced threats: “We’re upping our patch schedules from one month to two weeks. We’re deploying anti-virus signatures faster. We’re consolidating all of our user laptop images to a gold master. We’re deploying outbound content filtering.” Sure, those things help. But individually they are largely ineffective in shifting the balance in your favor. Think about how IT evolves through bolted-on enhancements. What did day one of the business look like from an IT perspective? What does ...

Apparently You DO Need Assurance

I was going through some tweets last week and came across a tweet by @rybolov touting the most interesting blog post he will read all month about code scanning and regulatory capture. It’s from Mary Ann Davidson, the CSO of Oracle, and entitled “Those Who Can’t Do, Audit.” While I’m not an auditor (and never have been), I’ve performed many an assessment in my career, so I thought I’d take a look at the post with the re-purposed cliché for a title. The first thing you will notice is that the post really isn’t about auditors; it’s about static code analysis. If I can distill the meat of the post down (and cull the two-thirds that is fat and rant), her point is that certain groups have created ...

Herding Cats: Trust in the System (September 2011)

It’s September, and you know what that means! It’s time for another edition of Herding Cats! Last month’s, entitled “Walk that Walk,” is available here, and this month’s edition is titled Trust in the System. Regular readers might wonder why I am not talking about ISSA Connect and reading it over there. This month there was so much good stuff in the ISSA Journal that my column didn’t make the cut. But I spent time writing it, and I’m not breaking my streak! DO take the time to go check out the articles on ISSA Connect this month, though, as there are quite a few great ones to comment on. Also, if you are not a member, join ...

Last Word on the Visa TIP

The Visa Technology Innovation Program (TIP) is certainly stirring up all kinds of discussions in the technology community. I had an opportunity to get some clarification on exactly what these new changes from Visa mean for you, and wanted to summarize them here. Unlike the Compliance Acceleration Program (CAP), which used fines and interchange fees to motivate merchants, there is no true financial incentive to participate in the TIP… today. The closest resemblance to a financial incentive is the domestic and cross-border counterfeit liability shift: merchants that cannot accept an EMV or contactless card when presented one by a customer will bear the liability for a fraudulent transaction instead of the issuer after October 1, 2015. The TIP mandates that ...
