Category Archives: Enterprise Security

Will 2009 finally be the year for the insider threat?

Finance and Commerce Magazine published an article based on a survey revealing that most companies are unprepared for IT risks. *blink* What? You mean that with all the emphasis we put on it, and all the spending after some of the biggest breaches in history, we’re still not ready? This is not coming from the consultant who sees this stuff every day; this is coming from people working for these unprepared companies. With the economic situation as it is, will your own employees finally turn on you and take advantage of weak security controls in your network? This may be an unpopular position, but while the risk is definitely much higher for insider threat, it doesn’t seem to make the ...


When Not to do Forensics

The following is a guest post by Jonathan Care. Jonathan is a Sr. Consulting Manager inside the EMEA practice at VeriSign. Why do we want to do a forensic investigation? The goal of a forensic investigation is to establish certainty of fact in a particular situation, normally as part of an incident response. Therefore one chooses to perform a forensic examination when one needs to establish facts relating to activities performed on a computer. The scenario for forensic computing is usually around a litigation support case, for example, tracing fraud, unauthorised activity, illicit content perpetration, or other computer misuse. Where are forensic investigative results commonly used? Forensic computing reports are normally used as part of a court process, or an ...


Using OpenSource Tools for Compliance & Security

The following is a guest post by JD Smith. JD is a Sr. Consultant inside the PCI practice at VeriSign. PCI DSS 1.2 has several sections that require a security application to be used to satisfy a requirement. Some of these areas are file integrity monitoring, firewalls, encryption, wireless scanners, intrusion detection/intrusion prevention and anti-virus. All of these areas have several tools available to address the specific requirement. However, what if a merchant needs to keep the budget to a bare minimum? What if there is absolutely no way a merchant is able to purchase several of these solutions straight off the shelf and pay the licensing associated with them without severely impacting the business? Open-source solutions exist for practically ...


Deming Points Applied to Security

The following is a guest post by Phil Fuhrer. Phil has many years of experience in the assessment and management of IT systems quality. In addition to his current work at VeriSign his interests include requirements, systems architecture and security technology. Edward Deming is considered the father of statistical quality control. The “Deming Cycle” and his fourteen points for managing quality improvement are the most widely known parts of Deming’s work. The “Deming Cycle” is much like the Systems Development Life Cycle and other methods that ratchet change allowing continuous improvement. Less well known is Deming’s insistence that effective quality improvement cannot be done without statistically stable quality measurements (Bell Laboratories Deming Quality class about 1996). As a statistician ...


ACK! No browser is safe!!

What a confusing time it is for those of us who just like sitting around all day and poking at the interweb through a browser. We have a rather nasty 0-Day exploit for Internet Explorer roaming around, and Mozilla Firefox makes Bit9’s list as one of the most vulnerable applications in 2008 (surprisingly, IE is not on there). The Internet Explorer 0-Day is so bad that some experts are urging users to switch to another browser. Naturally, the first choice for a number of users would be Firefox. But now Bit9 has released this telling report saying that it was one of the most vulnerable apps in 2008. So where do you turn? Well, the list is not the ...


Something is afoot with Cloud Computing

Something is going on. I don’t know exactly what it is, but all of a sudden I’m hearing more of this buzzword. “Cloud Computing” may be the buzzword for 2008. There are even blogs that dedicate content to it. It sure seems to be thrown around a lot… especially in the economic hiccup we are experiencing right now. Should we blame Gartner for its use? Only for using cloud computing and $3.4 trillion in the same article. I bet that’s the root of the problem. So what is cloud computing? Well, according to IEEE, “Cloud Computing is a paradigm in which information is permanently stored in servers on the Internet and cached temporarily on clients that include desktops, entertainment centers, tablet ...


Past Issues of Herding Cats now ONLINE!

Herding Cats is the monthly column that I write for the ISSA Journal. If you have read my previous posts on Herding Cats, you probably noticed that the links require membership in the ISSA. If you are a reader of this blog and NOT a member of the ISSA, you should join today. Society membership rant aside, I now have a small page that has all of my past columns and publications for the Journal. Please navigate over to http://www.brandenwilliams.com/brwpubs/ to download those versions! These will be posted one month behind the printed version. Navigate over and enjoy!


BUSTED! Why passing the blame for a PCI Breach will fail.

After the year we had in 2007 with PCI related breaches, who would have thought that 2008 would give us more? I mean, after last year, who would have thought that we would see another major breach given the “lessons” we learned? Um, I did. Fo-sho. Why? Because early in my career I learned that most executives don’t care about problems until they hit close to home. Like right under their nose. We’ve seen two instances this year of companies that had validated compliance with a QSA, but were subsequently breached. Without specifically commenting on either of these cases, we have never conducted an investigation of a compromised entity and learned that they were compliant at the time of the ...


Your Doctor does not take Security Seriously

Probably. Well, at least one of mine doesn’t. Let me take you through the scene I lived as I completed a routine checkup at my doctor’s office last week. After arriving and being called back, they did the standard how tall are you (thankfully, I have not shrunk), how much do you weigh (PRE-thanksgiving, thanks!), do you have a pulse, and is your blood pressure somewhere in between dead and explodingly high. Yep, I said it. Explodingly. It’s a smashup between a gerund and an adverb. An “adverunderb.” So after all the basic stuff, we sit down and review my medical history as they have it, including any surgeries or medications I have been on prior to my visit. As ...


Where to get good PCI Training

Yep, it’s been a PCI heavy week. Want me to discuss other topics? T and suggest one! Last week I sat through the Certified Payment-card Industry Security Manager training here in Dallas. The folks at Aegenis planned it at a hotel that happened to be about 10 minutes from my house, so getting there was easy. There were several bigwigs from the information security and PCI industry there with me in the sold-out training, and the industry perspectives were valuable. If you are not an employee of a QSAC and are looking for a GOOD source of training around PCI, data breach laws, and a detailed look into the payment industry, this training is for you. If you opt ...
