Category Archives: Enterprise Security

What SHOULD Keep You Up At Night

Times are tough. Unless you are just now coming out of your winter hibernation, you are probably so beaten by that phrase that you are not far off from striking the next person that vomits it upon your day. Listen up executives, this one is for you. Breaches cost money. OK fine, I know that is not paradigm shattering knowledge I just dropped like it was hot. Still, executives miss the mark when trying to securely manage or grow their business. We know this because of the nearly daily additions to the breach list that PrivacyRights.org manages. Executives have been failing at managing long term expectations for years. Any of us that work for a public company know that an ...

Companies need PCI++ (not just PCI) to be safe!

Going through some email over here and looked through the recent edition of The Aegis from the Society of Payment Security Professionals, and found a great little snippet from Chris Mark entitled “Wear Your Seatbelt…and Maybe a Helmet.” In it, he pulls a quote from the PCI SSC that seems directed at detractors of the PCI DSS. They state: “The PCI SSC believes that the best way to protect cardholder data that is stored, transmitted, and processed is by implementing the PCI DSS and remaining in full compliance.” Chris points out that this seems to imply that PCI DSS is the high water mark, not the baseline from which you should build a program. It may just be that a ...

Sanity DOES Exist!

I know, it seems rare when we find it. I would have been hauled off a long time ago and locked in the loony bin if I had stopped every insane security discussion I was having by screaming SERENITY NOW! I spoke with a retailer this morning that started a conversation with “We do security in an unconventional way.” At this point, my finger is moving toward the giant eject button I carry with me for situations just like this. Think about the “Easy Button,” but instead of easy, it says EJECT and flies me far, far away. Then the individual surprises me and says, “We treat our network as compromised instead of trusted, and adjust our security practices and ...

The Threat You Forget

Here’s a rare one from me, some Friday Night blogging! Why are you so lucky as to get this? Because I didn’t have time to do it yesterday! In speaking with a customer today, I remembered something that many companies (not this customer) are missing when it comes to building secure and compliant environments. It’s really a scope creep issue when you look at it. Unfortunately, a very dangerous one. What could this mystical threat be? That of core systems. Those systems that provide IT services to the larger server population. Here are a few systems to think about: Domain Controllers, Anti-Virus Servers, Log Aggregators, Patch Management, Remote Access, Network Monitoring. Why are these a threat? Let’s take a look ...

Satellite Hacking on the Cheap

Are you one of the many companies that rely on satellites to communicate with your, uh… satellite offices? We security professionals often ask hard questions about how that data is protected en route and usually are quickly dismissed with a “Oh, it is too hard to do and would require a six-figure investment in hardware to accomplish.” Well, thanks to Adam Laurie, you can do it for around $1,000! If you are relying on satellite communications, you should now be asking those hard questions of your provider, and making sure that you have acceptable encryption on those lines preventing someone from intercepting or injecting traffic into that stream.

Really Peter? 219K Sites?

I’m not Seth Meyer. I’m not a television star. I don’t have a team of writers feeding me stuff on cue cards. That said…. According to an article by Fred Aun, Peter Alguacil from Pingdom released a report recently suggesting “there are probably 219,000 sites with outdated SSL certificates.” Probably. Fred, who rounded the original 219K figure from Peter up to 250K in his posting, goes on to describe the “bit of math” that Peter used to come to this conclusion using data from two different sources. First, Netcraft estimates there are one million sites with valid SSL certificates. Next, a report by Venafi released in 2007 suggests 18% of Fortune 1000 sites had expired certificates. So then Peter does ...

Does your data flow free?

The first challenge to securing your data (or meeting compliance) is understanding where your data lives. An alarming number of people I speak with in the industry have no idea how bad their problem is because they only know where half of the data lives and goes. HALF! That is a BIG problem. Engaging in data flow mapping exercises can be painful. So painful, that you might be forced to look outside your organization for help! Yes, VeriSign has a service that does this… OK, shameless plug complete. Where do you start? In an article that I published last year entitled, “Data Flows Made Easy,” I detail an adaptation of the Design Structure Matrix that can be used to help ...

January Issue of Herding Cats now online!

This month’s article entitled “Trust THIS” tackles Trusted Computing and the role it might play in corporate security today. There’s a mini iPhone rant in there… and while I don’t have one (yet), it certainly would irk me if I did. Click here to read Trust THIS, or go see the whole repository of articles!

What CEOs (and CISOs!) Can Learn from Heartland

It’s one week later. With limited public announcements, what is this post going to tell you? Well, let’s start off by stating what it won’t tell you. You won’t find any gory details about the breach or the other parties involved. You won’t find anything here that cannot be deduced using public information sources. You won’t find anything here that has not been stated before. So what use is it? How about we assemble some key points and do a little bit of analysis to understand how something like this can be prevented in your company. According to the original press release, the investigation uncovered malicious software that compromised data that crossed Heartland’s network. Before we start attacking PCI and ...

Revisiting Botnets for Profit

One thing about Botnets that scares me is the amount of idle computing power that is available to the owner of the Botnet. Suddenly, things that were once computationally infeasible with one machine become plausible or even possible with thousands of machines. It seems like most Botnets churn out SPAM right now to the tune of trillions per day. SPAM may be profitable–the fraud generated by the SPAM anyway–but in light of recent attacks, I wonder if there are more enterprising methods. If Botnet owners didn’t happen to have 200 PS3s lying around for a research project on SSL, they could develop a program to break a large task down into work units, and have each bot on the net ...
