Category Archives: Enterprise Security

Cloud Ain’t So Scary!

After the end of quarter madness calmed down on Friday afternoon, I had a few minutes to reflect on an interesting panel discussion I sat on (to which I was almost late). I was speaking with a group of underwriting and legal professionals about cloud computing and the security and compliance problems it presents. The fear in the room was nearly tangible. As with most issues relating to information security, it all comes back to the data. Cloud services are perfect for some applications, and downright frightening for others. It’s not to say that certain cloud types are inherently more insecure (although in some cases they are), but it’s more about the structure of the cloud services as it relates ...

How Desktop as a Service (DaaS) can Benefit You

Among all the fancy “as a service” cloud acronyms, one that is particularly interesting to me is Desktop as a Service (DaaS). It seems like most information workers have a personal device and internet connection for their intertube browsing needs—many of those personal devices easily outperforming their corporate-issued brethren. So why do corporations insist on issuing laptops to road warriors when many of us end up carrying multiple devices (even if one of those is an iPad)? One big reason why I see this being an issue is support. IT support centers cannot be expected to efficiently troubleshoot problems on machines where they are unfamiliar with the build (i.e., non-standard builds or non-gold builds). Anyone out there who ...

Do you know your IT?

This post is mostly going to apply to smaller companies, as I would HOPE (tongue in cheek a bit here) that larger merchants wouldn’t have this problem. Small- and medium-sized businesses (SMBs) have more advanced software tools available to them today than ever before. Cloud-based solutions allow multi-million dollar software packages to be available to SMBs at affordable monthly subscription prices. This level of business analytics, automation, and intelligence can make a big difference in how a business competes. What once would take dedicated headcount can now be automated and scaled. But with great power comes great responsibility. SMBs that entrust their business or data to these third parties must invest time and effort to understand not only what ...

What’s the Value?

If you were to give someone the task of protecting a room that holds anywhere from $10,000 to $100,000 in cash, the yearly spend to protect that room (in basic risk management theory) should not exceed the Annualized Loss Expectancy (ALE). ALE is a simple representation that contains an extremely complex portion of applied mathematics called probability. ALE = Impact of the event in dollars * Probability of that event occurring on an annualized basis ((Meaning if the event probability is once every three years, you would use 1/3 here.)) Why is this complex? How hard is it to multiply a couple of numbers together? Imagine if someone tried to explain the complex dynamics of football to you by saying, ...

Check me out on the Network Security Podcast!

I met up with Martin McKeay out at BlackHat this year, and we found what we thought was a quiet corner to chat about security. Go check out the Network Security Podcast here!

Why your QSA should not be your Security Partner

This one is link-laden, folks. Enjoy 🙂 It’s just mere weeks before we’ll see the FOURTH iteration of the PCI DSS, and companies inside the US seem to be getting better at it as we go. PCI continues to be a driving force in information security, and as the standard changes, your business environment will undoubtedly change as well. Many merchants and service providers mistakenly depend on their QSAs to find all security and PCI compliance issues. Considering the downward market pressure on assessment prices, many security professionals are discussing how QSAs are pressured to get a complete and compliant ROC in the cheapest way possible. QSA companies are motivated by three main things: Scope and price the deal in ...

2010 Verizon Business Data Breach Report Released

Verizon Business released their 2010 Data Breach report hours ago, and with the addition of Secret Service data to the 2010 report, there are a ton of interesting things in here. Here are a few of the highlights that I took from the report: Financial & Hospitality Beware: These two categories represent 56% of the groups involved in breaches ((Add in retail and you are up to 71%.)). Those of us in the industry know the ridiculously poor state of security in the hospitality sector. Now with the economy on its way to recovery, these businesses will once again see an uptick, and criminals will see an opportunity to capture valuable data. Medium-Sized Businesses are in the Crosshairs: The grouping ...

A Thought to Take You to the Weekend

It’s been a crazy week, and I’ve been busy gearing up for BlackHat on top of all the fun stuff my day job entails. To close out the week, I wanted to throw something at you that I thought about while discussing how to better approach compliance initiatives. It’s a simple one-liner that really describes why companies should invest in security instead of compliance: A good information security program makes compliance with any standard a tweak, not an overhaul. Compliance should not be the notion that drives security in your organization. Security, among other things, should support and drive compliance. Compare that to your approach. Does that fit with how you execute your security strategy? If not, why?

PCI Council, How About a Map?

When I started writing this post, I was trying to think of a metaphor for a map and a journey of some sort, but everything came out dripping with Cliché Cheese ((It’s somewhere between month-old shredded Cheddar cheese that you would toss on some chips and zap for “nachos,” and that orange substance you get on nachos at a high school football game.)) or would have made sense only to a limited audience (Shout out to the P1, between the devil and the deep blue sea, and kick the tires and light the fires… as it were). The point I was trying to make, however, was in light of PCI, we seem to be navigating a changing world with a ...

Herding Cats July: Back to Basics

Have you checked out ISSA Connect yet? The next issue is up there with my column, Back to Basics. This issue’s theme centered on the basics of information security, and what better time to take a step back and really evaluate what we’re doing? Are we actually accomplishing our goals? Or just treading water? And do you want to take away my man card after reading this one? If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!
