Category Archives: Enterprise Security

What Egress Filters Should I Use?

Another reader comes to the rescue!  This reader asks:

Like everyone else, I have been so involved doing ingress filtering that I have neglected egress filtering. To me, ingress filtering is easy: Block everything except what is absolutely necessary. Egress filtering is another animal. Everyone tells me I should do it, but no one tells me what I should be filtering for. Can you suggest a basic scheme for a small to medium business (SMB) to follow?

Great question!  And you are most definitely correct in that the majority of guidance on firewalls focuses on how to limit traffic from untrusted networks into trusted networks.  Outbound traffic tends to be much trickier for several reasons like: You have to do ...
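The author's answer is cut off above, so the following is an added example and not his scheme: one way to express a default-deny egress policy for a small network (DNS only through internal resolvers, web only through a proxy, SMTP only from the mail relay, NTP only from the time server, everything else dropped) and to check constructed outbound-flow records against it. The LAN subnet, the resolver, proxy, mail relay and NTP server addresses, and the log lines are all assumptions made for the demo.

```python
"""Default-deny egress policy checked against constructed outbound-flow records.

Added example, not the blog author's recommendation. Every address, host role
and log line below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed internal topology (assumptions, not from the post).
LAN = ip_network("10.0.0.0/24")
RESOLVERS = {ip_address("10.0.0.53")}   # only these may do DNS to the Internet
PROXY = ip_address("10.0.0.8")          # only this may do HTTP/HTTPS outbound
MAIL_RELAY = ip_address("10.0.0.25")    # only this may speak SMTP outbound
NTP_SERVERS = {ip_address("10.0.0.123")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def egress_verdict(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow under the default-deny scheme."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in LAN:
        return "deny", "source not in LAN (spoofed or misrouted)"
    if dst in LAN:
        return "allow", "internal traffic, not egress"
    # 1. DNS: workstations must use the internal resolvers; resolvers recurse.
    if flow.dport == 53 and flow.proto in ("udp", "tcp"):
        if src in RESOLVERS:
            return "allow", "resolver performing recursion"
        return "deny", "client DNS must go via internal resolver"
    # 2. Web: only the proxy talks to the Internet on 80/443.
    if flow.dport in (80, 443) and flow.proto == "tcp":
        if src == PROXY:
            return "allow", "proxy egress"
        return "deny", "web must go via proxy"
    # 3. SMTP: only the relay; blocks spam bots and mail-based exfiltration.
    if flow.dport in (25, 465, 587) and flow.proto == "tcp":
        if src == MAIL_RELAY:
            return "allow", "mail relay"
        return "deny", "direct SMTP from a non-relay host"
    # 4. NTP: only the designated time server.
    if flow.dport == 123 and flow.proto == "udp":
        if src in NTP_SERVERS:
            return "allow", "NTP server sync"
        return "deny", "NTP must go via internal time server"
    return "deny", "no matching allow rule (default deny)"


# Constructed flow records in a simple key=value form (not real firewall logs).
SAMPLE_LOG = """\
src=10.0.0.15 dst=203.0.113.10 proto=tcp dport=443
src=10.0.0.8 dst=203.0.113.10 proto=tcp dport=443
src=10.0.0.15 dst=198.51.100.1 proto=udp dport=53
src=10.0.0.53 dst=198.51.100.1 proto=udp dport=53
src=10.0.0.15 dst=198.51.100.1 proto=tcp dport=25
src=10.0.0.15 dst=198.51.100.1 proto=tcp dport=4444
"""


def parse_flow(line: str) -> Flow:
    kv = dict(part.split("=", 1) for part in line.split())
    return Flow(kv["src"], kv["dst"], kv["proto"], int(kv["dport"]))


def audit(log: str) -> list[tuple[Flow, str]]:
    """Return the flows the policy would drop, with the reason for each.

    Running this over a day of existing flow records before enabling the
    policy shows what will break (and what was quietly leaving already).
    """
    denied = []
    for line in log.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict, reason = egress_verdict(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

The point of `audit` is the order of operations: run the intended rules against recorded flows first, fix the legitimate hosts that turn up as denied (usually a forgotten update server or a workstation configured with an external resolver), and only then enforce. The reverse order is how egress filtering gets switched off again after the first helpdesk call.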

Pushing Virtualization to the Store

One of the key areas that stands to benefit from wide adoption of virtualization is the retail store front.   It’s an expensive road to get there, but would be a long-term benefit to retail. Why is it expensive?  For one, you have the problem of scale.  It’s difficult to stomach an investment that requires touching all of your stores.  The long term benefits can be substantial depending on how you approach it. If you touch all of your stores ONCE with an upgraded, beefy machine that can run a hypervisor, you can continue to stand up and offer new services for quite some time without physically touching your stores.  This can be a huge benefit for companies looking to roll ...

Views on Application Security

I had an interesting conversation with a client the other day, and while shocking at first, it made a ton of sense long term when looking at how to apply security controls to assets based on risk.  I’ve blogged and written about things like this in the past, but the concept was interwoven as a theme to a different concept, or all together buried under links to YouTube. The conversation was with a customer that wanted to put out a small informational site in support of a minor product feature, but also wanted to have the ability to dynamically update content through a web browser from anywhere in the world as he and some of his less technical staff thought ...

Avoid Looking Like a Rookie

In my recent presentation, “The Mistakes QSAs Make,” one of the mistakes I highlighted is that QSAs will often send the F’ing New Guy (FNG) to perform your assessment.  Now before we go bagging on junior consultants, I want to be clear that (most) of these guys are both capable and qualified.  Starting this year, new QSAs have to take a closed book exam which should cause the amount of late night partying and drinking to decrease during training, and push the fail rate up (which is not necessarily a bad thing). Let’s say that you are the FNG.  Step Zero to avoiding looking like a rookie is to admit to yourself that you are the FNG.  Once you admit ...

Getting Support for PCI DSS

For the record, I LOVE it when people send in emails requesting a specific blog topic.  I can’t get to them all, but it sure helps set the direction.  The part of the writing process that is sometimes hardest for me is finding a starting point. Thank you for this one (I’ll keep this person anonymous as their email bounced)! In the book we discuss how to manage a project to completion (Chapter 10), and one of the key steps is getting buy in from senior management. A reader emailed me this week asking about how to go about getting this support. Specifically (paraphrased for brevity): How do I make executive management (C-level) aware of the necessity for, and importance ...

Herding Cats April: Spread the Disease

Have you checked out ISSA Connect yet? The next issue is up there with my column, Spread the Disease. This issue’s theme was the Psychology of Security, and I decided to compare the thought process behind security to a psychosis.  It’s fun! If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, go sign up!

Key Logger Attacks on the Rise (this is no joke!)

Visa released a report yesterday on their website (dated March 17) warning merchants about the rising threat of key logger and screen capture attacks.  I went back looking through my archives to see if I’ve written about this danger before, but I think my examples are ones that I typically talk about.  But don’t worry, I’ll put one for you here! This particular alert from Visa targets software keystroke loggers and screen-capture tools.  At the bottom of page two, Visa puts some MD5 sums for various malware, probably obtained while investigating merchant breaches.  They also provide eight mitigation strategies to be used as preventative measures for areas that are likely to be targeted for malware installation. My real world example ...
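The post mentions that Visa published MD5 sums of the malware it found. As an added example (not from the post, and not using Visa's published hashes, which are not reproduced here), this is the kind of sweep a merchant would run with such a list: hash every regular file under a root and report matches. The sample tree, the file names and the "known-bad" hash are constructed by the script itself for the demo.

```python
"""Sweep a directory tree for files whose MD5 matches a known-bad list.

Added example, not from the post or from Visa's alert. The indicator list is
constructed inside demo() from a made-up sample, not Visa's published values.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def md5_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through MD5 so large binaries do not land in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, bad_md5: set[str]) -> list[tuple[str, str]]:
    """Return (path relative to root, md5) for every regular file in bad_md5.

    Symlinks are skipped so a planted link cannot drag the sweep outside root
    or make one file show up twice.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digest = md5_of(p)
            if digest in bad_md5:
                hits.append((str(p.relative_to(root)), digest))
    return sorted(hits)


def demo() -> list[tuple[str, str]]:
    """Build a constructed tree with one 'sample', one benign file, one variant."""
    root = Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    sample = b"constructed keylogger sample body\n"   # stands in for a binary
    (root / "Windows").mkdir()
    (root / "Windows" / "svch0st.exe").write_bytes(sample)
    (root / "notes.txt").write_bytes(b"benign text\n")
    # The same 'malware' with a single byte appended: a trivial repack or
    # recompile changes the hash, so this copy will NOT be reported.
    (root / "Windows" / "svch0st2.exe").write_bytes(sample + b"\x00")
    iocs = {hashlib.md5(sample).hexdigest()}   # constructed indicator list
    return sweep(root, iocs)


if __name__ == "__main__":
    for rel, digest in demo():
        print(f"MATCH {rel} {digest}")
```

The variant file in `demo` is the caveat a practitioner needs: published hashes catch the exact samples an investigator already recovered and nothing else, so a hash sweep is a quick triage step, not a control. The eight mitigation strategies the alert lists (restricting who can install software, and so on) are what actually keep the next repacked build off the point-of-sale system.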

Another Security by Obscurity FAIL

I was doing some technical testing for a friend of mine the other day (sometimes security guys get tagged like other techies and we’re some guy’s best friend’s college roommate’s sister-in-law’s cousin, twice removed on her MOM’s side (that’s very important apparently), and we get to try and “hack our way” into someone’s online presence), let’s call him George, and came across yet another bad example (or a good one) of security by obscurity failing miserably. George just set up his first online service portal for his customer base.  He’s running a Pro Shop for a small, independent country club, and is trying to cut back on costs.  He decided to invest in a simple online tee-time reservation system, and ...

Healthcare Letter Follow Up

Frequent readers may remember that I sent a letter to a healthcare provider (who is anonymously referred to as Dr. Leo Spaceman) because he used a four digit, numeric PIN to access all of my medical records (assuming that he would also be using that same one for ANY patient).  Well, Dr. Spaceman responded. OK, I’m sure his admin responded, not personally him. But the response is a classic example of someone who has been asked a question like this before and had a pre-canned answer prepped.  I don’t think I’m the only person to observe Dr. Spaceman doing this. Dear Resident (no, he didn’t say resident, but I think it would be funny and fitting if he did): I ...

Compliance, Easier than Security!

My undergrad is in Marketing.  I sometimes call myself a marketing guy, but only right before I rip on one that hypothetically might do something causing a technical guy to lose his weekend.  One of my favorite marketing guys is Seth Godin, and every once in a while he posts something that works not only in the Marketing world, but in our world. On Friday, his post “It’s easier to teach compliance than initiative” reminds me of how our business works.  Isn’t it WAY easier to talk about some kind of security-related compliance versus actually talking about security?  Think about your past interactions with information security.  Did you have a chance to create a 3-5 year plan detailing how you ...
