Categories ArchivesEnterprise Security

To Win, you must Know Everything standard

I hate when people use the term “cyberwarefare” outside of its original context—a true war of nations trading bombs for bytes in the tubes. Sure, organizations are being attacked by nefarious groups that seem to be marching toward specific and fruitful goals, but is it really cyberwarfare? Regardless of what you want to call it, you still must act and react like someone is launching a digital missile campaign against your information. You can either sit and wait for someone else to tell you that you have been compromised, or you can take ownership of the problem and start up-leveling your intelligence gathering and analysis. It’s the Big Data problem of security. Your enemy is doing this, so why aren’t ...

Continue Reading

Living in a State of Compromise standard

Imagine for a second that your boss came up to you and said, “We’ve been compromised. Assume trust doesn’t exist. Now define our new security organization and architecture!” Unfortunately, it may take events like that to change our perceptions or actions when approaching securing our organizations. Depending on who you talk to, we already are living in a state of compromise. I prefer removing the element of trust form my strategy as much as I can, and focus on how I would secure a system, application, or network if I knew there were hostile elements in it. Changes your perspective a bit, doesn’t it? All of the sudden, those satellite locations start looking less like friends and more like foes. ...

Continue Reading

Attack the Humans First standard

Information security professionals live in exciting times. It’s a constant battle of escalations between the new ways technology can be used to conduct business, and the new ways the bad guys can incorporate technology in their overall strategy to steal information. But an interesting trend emerged this year that has always been around, but now is used in a much larger sense when going after data: Human hacking. The nice way to say it is “social engineering.” How do I convince Sally in Accounting to give me information that i can then use for my own personal financial gain? It’s not a new concept, and frankly tamer versions are used daily by politicians, sales professionals, and children. The challenge for ...

Continue Reading

Walls Aren’t Enough standard

The bad guys are getting smarter, more creative, and more persistent, so what are we doing in response? I can’t tell you how sad it is to hear things like this when I ask how companies are shifting their security programs in order to combat advanced threats: We’re upping our patch schedules from one month to two weeks. We’re deploying anti-virus signatures faster. We’re consolidating all of our user laptop images to a gold master. We’re deploying outbound content filtering. Sure, those things help. But individually they are largely ineffective in shifting the balance in your favor. Think about how IT evolves through bolted-on enhancements. What did day one of the business look like from an IT perspective? What does ...

Continue Reading

Apparently You DO Need Assurance standard

I was going through some tweets last week and came across a tweet by @rybolov touting the most interesting blog post he will read all month about code scanning and regulatory capture. It’s from Mary Ann Davidson, the CSO of Oracle and entitled, “Those Who Can’t Do, Audit.” While I’m not an auditor (and never have been), I’ve performed many-an-assessment in my career so I thought I’d take a look at the re-purposed cliché titled post. The first thing you will notice is that the post really isn’t about auditors, it’s about static code analysis. If I can distill the meat of the post down (and cull the 2/3s that compose fat/rant), her point is that certain groups have created ...

Continue Reading

Herding Cats: Trust in the System (September 2011) standard

It’s September, and you know what that means! It’s time for another edition of Herding Cats! Last month’s, entitled “Walk that Walk,” is available here, and this month’s edition is titled Trust in the System. For regular readers, you might wonder why I am not talking about ISSA Connect and reading it over there. This month there was so much good stuff in the ISSA Journal, that my column didn’t make the cut. But I spent time writing it, and I’m not breaking my streak! DO take the time to go check out the articles on ISSA Connect this month, though, as there are quite a few great ones to comment about. Also, if you are not a member, join ...

Continue Reading

Last Word on the Visa TIP standard

The Visa Technology Innovation Program (TIP) is certainly stirring up all kinds of discussions in the technology community. I had an opportunity to get some clarification on exactly what these new changes from Visa mean for you, and wanted to summarize them here. Unlike the Compliance Acceleration Program (CAP) which used fines and interchange fees to motivate merchants, there is no true financial incentive to participate in the TIP… today. The closest resemblance to a financial incentive is the domestic and cross-border counterfeit liability shift. Merchants that cannot accept an EMV or contactless card when presented one by a customer will bear the liability of a fraudulent transaction instead of the issuer after October 1, 2015. The TIP mandates that ...

Continue Reading

More Problems with Averages standard

Math fascinates me—much more now than it did in school. I wish I had more interest in advanced math while I was in school because I feel like I would use it in my job. Part of the problem is the way that mathematics is taught, and for that I place part of the blame on my teachers during my formative years. Nobody cares about when a couple of trains would intersect. If the material was related to things that interested me at the time, I would definitely have enjoyed it more. I was reading an article from Harvard Business Review about the average cost overruns in large IT projects, and there was a figure thrown out about the average ...

Continue Reading

Is Visa Taking the Training Wheels Off of Security? standard

Step into the way-back machine with me and let’s turn the dial to 2000. What a glorious time that was! We were at the peak of what would soon be known as the DotCom Bust((Although poor corporate accounting practices had a hand in this one as well.)). Information security was this fledgling group in most companies that was called to clean up virus outbreaks. Then we weathered the storm. Markets crashed, IT budgets were slashed to the bone, and security professionals suffered too. We fought hard for every single dollar that came our way, yet we still were playing catch up. Now let’s forward to December 15, 2004, when the first release of the PCI DSS made its way into ...

Continue Reading

Why Visa’s TIP Doesn’t Matter standard

On Thursday, I posted about a memo released by Visa, Inc. last week discussing the acceleration of EMV adoption. There is much buzz going on right now as merchants now have a false sense of hope. PCI Assessments aren’t going anywhere any time soon. Why? One of the fundamental rules about PCI DSS is that you are dealing with five competing payment brands that handle their own enforcement. This means that as a merchant you can be a different level with a different payment brand, which may or may not affect how you validate compliance. A move by any one payment brand does not necessarily represent all five brands, nor does it guarantee that you will see the effects in ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!