Categories ArchivesEnterprise Security

Secure SSH, Go Beyond the Defaults standard

Secure Shell, or ssh, quickly became the replacement for telnet, rlogin, and rsh once system and network administrators realized how easy it was to capture credentials and modify traffic in flight. It’s the stuff out of movies. An administrator is logging into a system with an elevated account (such as root) while a bad guy is snooping all of the traffic and displaying the stream on his screen. He’s got all the credentials and can see everything that administrator is doing. Or worse, he’s sitting in between the administrator and his equipment and modifying the keystrokes from the administrator before forwarding them to the device. Cue the dramatic music. After its release over twenty years ago, it has seen near ...

Continue Reading

The UCF Common Controls Hub, You Need This Thang! standard

Full disclosure, I was contacted by UCF’s marketing folks and given a demo of the Common Controls Hub, but I did not receive any compensation for this post. These are my thoughts. You get the call from the boss you have been dreading for weeks. “Jimmy, it’s time to add FISMA to our control set, and we need to be compliant in three weeks. GO!” Great, another compliance initiative to work into the alphabet soup of controls-pain that haunts security professionals. More standards means more work to make sure that the standard control set you use in your organization will cover any new requirements you face. Compliance and Security frameworks often overlap, and usually just have a small number of ...

Continue Reading

Two reports, many questions standard

April was a busy month for consumers of information security reports as two highly cited reports released 2016 versions: the Trustwave Global Security Report and the Verizon DBIR. And shortly thereafter, security luminaries start picking them apart for various reasons. One of the challenges with these reports is the datasets have some bias. Early on in the DBIR, the bias was substantial because the only data used in the analysis came from Verizon. As the report gained wider distribution, more datasets were included to reduce the bias. Make no mistake, there is still bias in the data as it only represents a subset of what is actually happening in the industry. You can even tell how different Trustwave’s & Verizon’s ...

Continue Reading

Gender Differences in Breach Awareness standard

Over the next few posts, I’m going to show you a few more visualizations that didn’t make it in my Consumer Attitudes Toward Breaches report (sponsored by MAC). Most were omitted for brevity as they didn’t add anything material to the content already presented. Below is a graph that shows how consumers reported their awareness of breaches as separated by gender—pink for female, baby blue for male. What made this interesting to me was that even though males were generally more aware of breaches than females, but the two breaches where females were more aware (Michael’s and Target) seem to target that demographic. The respondents split the gender line at almost 50/50 (11 more females responded than males of the 1031 responses). ...

Continue Reading

Consumer’s Attitudes on Breaches? Meh. standard

Fear, uncertainty, and doubt… three very dirty words when pushing products at security and IT professionals. Commonly known as FUD, it’s one of the techniques that sales and marketing folks use to create discomfort in their targets. If I can highlight a serious problem to you (and make you think that you have this problem), I might be able to sell you my solution that will make that problem go away. In the information security product space, one of the biggest claims that vendors make is that security breaches impact your brand’s value. I once said that in front of the CFO of a large retail establishment and was quickly called out for making such a general statement (he called ...

Continue Reading

The Un-Sexy Process of Vulnerability Management standard

This week I wrote a blog post over at AlienVault entitled, Internal Scanning for PCI Compliance—Not Sexy but Necessary. Many of us who work in security started our careers doing some kind of vulnerability chasing. It’s our version of firefighting. Look for a vulnerability, patch it, and repeat. As our environments grow, the fervor with which we perform this endless cycle builds until we realize that it’s ultimately unsustainable. That’s when we start to look to treat the cause with the symptom. Go check out the post and let me know what you think. Does IT Hygiene end up being one of the root causes to vulnerability wildfires in our organizations? How do small businesses with little to no IT ...

Continue Reading

Game Theory and Payment Security standard

For those of you who do not know, the Federal Reserve branches (the head ones for each district) all conduct and publish research and facts on their respective webpages. The Kansas City Fed is one of my favorite places to go to look for current (and historical) research that is relevant to our industry. Last month they released a summary from the 2015 International Payments Policy Conference which included a session on applying Game Theory to payment security. I’m fascinated by game theory. It’s an area of applied mathematics where even someone like me (who is NOT a math whiz) can grasp. The primary models they applied appear to focus on the EMV liability shift to examine payoffs and equilibria before and ...

Continue Reading

The Cost of EMV Re-Issuance standard

It’s nearly November, and many of us in the payments space are still reeling from EMV. Nothing like waiting until the last minute to convert, right? One of the topics that has not been covered as much from a breach perspective is the consideration of the cost of re-issuance in a post-EMV world. Graves, Acquisti, and Christin (2014) published a working paper discussing some of the challenges that issuers face when it comes to the decision of re-issuance. Through their analysis they suggest investing in analytics to only re-issue when fraud losses begin occurring on lost cards. When a payment card is known to be included in a card dump from a breached merchant, issuers have a choice to make. Should they ...

Continue Reading

Samsung Pay is Here standard

The first major challenge to Apple Pay is now here (I’m not counting the Google Wallet as it predates Apple Pay). While I hate the name (seriously Samsung? You accuse Apple of copying you all the time), there is a very cool technology (Thanks LoopPay) that allows for some backwards compatibility that is not present with Apple Pay. These features are part of the Samsung Galaxy S6 and S6 Edge. Couple of key highlights: There are two method of payment, Contactless EMV using Near Field Communications (NFC) and Magnetic Secure Transmission (MST). MST is backwards compatible with (most) existing terminals and will transmit payment information by creating a field that the magnetic stripe reader can interpret. As far as the ...

Continue Reading

Pleeeeze Stop Exposing Weaknesses in my Code! standard

In the latest round of “I just don’t get it” moments from Mary Ann Davidson of Oracle, a blog post escaped the PR department that just explains how ridiculous her views on information security are. Thankfully, the Internet never forgets. Before going any further, go read that post. Then when you are done, enjoy this previous gem where she insults anyone who has ever performed an audit function. And here are my comments from 2011. Davidson really wants to be considered a security person. She reminds me of Jerry Jones wanting to be known as a Football Man. She ran for and sits on the ISSA International Board of Directors. She has keynoted several conferences as a security expert. Yet, based on ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!