Categories ArchivesEnterprise Security

Last Call @ the Expo standard

Just finished up with the last booth work at the show. Today was fairly slow (as to be expected), though there were still plenty of people coming through. I got to see the VeriSign VIP token work, and that was pretty cool! Hope you stopped by to get your free token! As I was leaving, the last hunters of conference trinket treasure were hurriedly making the rounds before the expo closed. All in all, quite a show. If I missed you this time, I hope to see you somewhere else soon! Possibly Related Posts: Level Up Cybersecurity with Kasm Workspaces Let’s Encrypt for non-webservers Selective Domain Filtering with Postfix and a SPAM Filtering Service Preventing Account Takeover, Enable MFA! Proofpoint ...

Continue Reading

The Haps at RSA! standard

Today has been filled with all kinds of activities, including meeting with some customers and vendors. I just finished the first meeting of the NSS Advisory Group and I am very pleased with the direction that it is heading. I think there is a lot of promise there for helping customers figure out which vendors DO solve PCI issues, and which ones don’t. I will be AT THE BOOTH at 10am tomorrow! Please stop by! I have a pretty “Blog This!” button on (Thanks K-Dog!). Also you can follow me on Twitter at http://twitter.com/brandenwilliams. See you there! Possibly Related Posts: Level Up Cybersecurity with Kasm Workspaces Let’s Encrypt for non-webservers Selective Domain Filtering with Postfix and a SPAM Filtering Service ...

Continue Reading

A SQL Injection Attack! standard

(This post is brought to you today by the letter A). This weekend, I took a hiatus from the computing world and headed down to the family lake house. Time to get ready for summer and clean out all the junk! Well, not junk, but lots of ladybugs for some reason. When we arrived home yesterday, I caught up on my personal email, and noticed that someone posted a comment to my personal blog. Like this blog, when someone comments, I get excited since I’m never sure if anyone is reading. (Please leave comments, it makes me feel useful. Just like all the characters in Sodor want to be.) The comment in particular was an attempt to run a SQL ...

Continue Reading

From the Dept of Obvious Statements: PCI Not Just for Cardholder Data! standard

Evan Schuman (Storefront Backtalk) wrote on Valentine’s Day that PCI is not just for payments anymore. Hate it or love it, PCI is a great standard for a baseline of security. You can replace Cardholder Data with just about any type of data you want to protect, and you can establish a minimum baseline that will do a reasonable job of keeping that data protected. Security consultants have been pointing this out for a while. I think the part of this that is the most telling is that the security and IT programs in some companies are so bad and so far gone, that PCI is what is standing it up. Again, I still believe that the PCI-DSS is a ...

Continue Reading

People Hacking! standard

Yes, it’s true that part of the reason I was not posting very frequently is because I was running out of ideas. It is also true that I’ve started following Schneier’s blog again. Anyway… He’s got an excellent post with 2 examples of how Social Engineering was successful in the theft of significant sums of money. Security is made up of People, Process, and Technology, and people are almost always the weakest link. Possibly Related Posts: Level Up Cybersecurity with Kasm Workspaces Let’s Encrypt for non-webservers Selective Domain Filtering with Postfix and a SPAM Filtering Service Preventing Account Takeover, Enable MFA! Proofpoint Patches URL Sandbox Bypass Bug

Continue Reading

Hacking Utilities? standard

This week, Bruce Schneier blogged about the CIA’s disclosure of hacking incidents to public utilities. I’ve been wary of utilities ever since I learned about SCADA systems, and their implication on security. I’ve heard about consultants primed with a copy of NMap accidently shutting down large SCADA networks simply because of their age & lack of security. The thing that is scary is that we have come across companies reliant on SCADA systems for their factories or assembly areas that are also subject to PCI. Eek! The good news is that with careful planning and a good network segmentation strategy much of the impact can be reduced. Possibly Related Posts: Level Up Cybersecurity with Kasm Workspaces Let’s Encrypt for non-webservers ...

Continue Reading

Protect Your Internet Traffic! standard

One of our consultants brought a great write up on Dan Egerstad, the Swedish security consultant who set up a series of Tor servers designed to promote anonymous browsing. Unfortunately, the organizations deciding to adopt Tor forget that unencrypted traffic can still be read, captured, and exploited. This brings up an interesting trend though. Why are people still not protecting their internet traffic? I’m not talking about browsing around and picking up the next Super Mario Bros game at Amazon, but using Outlook for email via POP3/IMAP. Compound this with the problem that most people are remiss in using unique passwords for your key accounts, and you can see how a nefarious organization with a little bit of technology could ...

Continue Reading

Blackberry War? standard

Todd Wilkens posted about his personal war against Blackberries this month. As a consultant, it is not only hard to conduct meetings (where we are getting paid by the hour) with customers when this happens, but I have been tempted to do the same thing as well! I think we all tune out at some point when it comes to meetings, especially those after lunch ones. What I’m interested to know is if anyone has ever suffered a breach due to a lost blackberry. With the amount of scrutiny over email these days, I know that some caution is taken. That said, I also know that humans are lazy people and email is very pointy/clicky. I’ve seen executives forward extremely ...

Continue Reading

What will you buy? standard

With numerous retailers putting offers both online and in the store, how many of you are making the rush? Maybe because I can remember hitting the mall VERY EARLY in the morning on Black Friday as a kiddo I have never taken part in this. We also have family things going on that day, so it makes it a little bit harder. My advice to retailers, watch out. As we saw back in July, cards stolen in the TJX breach this year could likely be used on the busiest day of the year. Many years ago, I worked retail and learned to dread the day after Thanksgiving. Even on our busiest times, you could at least walk through the store ...

Continue Reading

What I Don’t Know WILL Hurt Me standard

This one still amazes me every time I see it happen. I would think that by now, people would try to understand what they don’t know so they can deal with it. I am dead wrong. I’d like to reflect back to a conversation I had with an Information Security Director in a prominent company in the transportation industry. The reason why the industry is important here, is we met with this individual after the 9/11 attacks. Most people in the transportation industry were hyper-sensitive to security at the time. We went in and were pitching enterprise security intelligence services–something that might be relevant to this individual. This individual welcomed us into an office, allowed us to talk about this ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!