Category Archives: Enterprise Security

Vulnerability Management with Merge.io

I’ve been known to say that vulnerability detection is easy—it’s vulnerability management that’s hard. There are too many tools available today that can tell you everything that is wrong with your security posture. The real work comes in finding the root cause of the issue, permanently eradicating it from your environment (as in changing configuration servers, patching gold builds, dealing with sleeping physical or virtual instances), and validating to everyone who wants to know that you were successful in doing so. Time and time again, my customers complain about the challenges associated with getting clean vulnerability scans. In fact, that might be one of the more challenging things to get right in PCI DSS. If you run a small, relatively ...


Visa Updates Memory-Parsing Malware Warning

Visa released a public update to their Memory-Parsing Malware Warning yesterday bringing forward signatures and IPs from their original alert in April based on recent activity. This very effective technique can present itself leveraging commonly used debugging techniques for software. Essentially, this malware will access a few readily available routines to hook into the memory in a way that allows them to access and export full track data. So all of you folks who told QSAs like me this would never happen in a million years (this was a constant conversation from 2004 to 2009), baZINGA. Now that we have bazinga’d, let’s focus on how to prevent this from happening. Remember that post I did a while back about the ...


The Art of the Interview

Yes, I know. There are some cobwebs around here. Don’t worry, I’m working on clearing those out. I’ve finally taken a position with a company and have been buried with all kinds of great stuff. More on this soon! But in the meantime, I found an article in the ISACA Journal from Tommie Singleton entitled, “What Every IT Auditor Should Know About Using Inquiry to Gather Evidence.” If you are in the information security business and have to deal with assessing or auditing, do yourself a favor and take ten minutes to read this article. This technique is what separates the pros from the newbs in our industry. If you have worked with me in the past, you probably remember ...


Adventures in Rails

It has been quite a while since I did any hardcore coding. Since that time, I have dabbled in various web projects, but programmers who don’t practice tend to get stuck in ruts. Most of the time, I would use my skills to solve small problems using methods and technologies I knew worked. If you want examples of that, go check out Brando Labs. Why do I continually pull tools like Perl, PHP, sed, Bash, and Python out to solve problems? Because I know how they work, and the learning curve to get back into the swing of things is relatively shallow. Back in the Stone days, I ended up taking a week long Java class that had me coding ...


In Favor of Scenario Planning

Harvard Business Review recently published an article by Angela Wilkinson and Roland Kupers called “Living in the Futures.” In it, Wilkinson and Kupers discuss the function of scenario planning at Shell—a practice that has been going on in earnest since the 1960s at the company. There are a number of great nuggets that we can use here in information security to help us plan for inevitable security events. The main goal of scenario planning at Shell is to open up the minds of managers and executives to the possibilities of events in the future. It’s designed to buck the trend of thinking that the future will be much like the present, such that when things happen they are well poised ...


Fixing the CAs, A New Approach

The last few years have been a bit rough for Certificate Authorities (CAs) as hackers have figured out how to obtain certificates in a manner that erodes trust in the system. Not only have they gone after the middlemen in the chain of certificates, but they have gone directly after major CAs, effectively compromising the entire system. There have been a few alternatives proposed such as Notary, and now the Certificate Authority Security Council (CASC) has proposed a new model that leverages OCSP stapling, a technology designed to fix one major issue with the revocation process. Before OCSP and OCSP stapling, we had Certificate Revocation Lists (CRLs). This fail-safe is designed to allow for an issued certificate to be revoked, ...


PCI SSC Releases Cloud Guidance

It looks like it’s been a busy couple of weeks for the Council! We saw their release of the eCommerce guidelines, which had some good nuggets while missing the key point of understanding the contracting process for scoping. Now we have the release of the Cloud Guidance, the latest SIG to conclude and publish a report. Read this post, then check out StorefrontBacktalk’s post, then go download the document. First, let’s highlight the good stuff. There are some great charts that attempt to give examples on how responsibilities might be allocated depending on your setup. Go through these as a benchmark, but instead of taking their defaults as gospel, validate them with your CSP using Appendix C. They reference the ...


Want to learn more about the Research behind the Phoenix Project?

So The Phoenix Project has been out for about a month now (read an excerpt here), and it has been the talk of IT and IS professionals all over the place. I’ve been pestering Gene to release some of the underlying research that went into the book for people who want to learn more. The fable is a GREAT place to start, but when you go to implement the concepts in the book, it’s nice to have some of the underlying theory behind it when you go change your operations. So here’s the first installment of the core concepts in The Phoenix Project. If you are affiliated with a university (as a student or alumnus) you may be able to ...


RSA Security Analytics Revolutionizes IS

Last week RSA launched their new Security Analytics product that combines a number of capabilities required by today’s security operations professional into one platform. If you have not checked this out, go here to see Art Coviello’s video announcement and check out the virtual kickoff here. Once you see the demo, you will be THRILLED to see what the future of information security tools can be. But don’t believe them, check out what these folks have to say! “The sophistication of advanced attacks and the associated malware is growing every day testing the limitations of existing security analytics tools. The Big Data phenomenon could help address this situation for security professionals making it important for organizations to rethink their choice ...


Fun Research on Information Flows

I am doing some research on inference attacks in advance of one of my RSA Conference sessions and happened across this very interesting piece of research by Roya Ensafi, Mike Jacobi, and Jedidiah R. Crandall from the University of New Mexico’s Department of Computer Science entitled, “Students Who Don’t Understand Information Flow Should be Eaten: An Experience Paper.” Not only is it absolutely true (and frankly, this applies to practitioners too), but it’s another fascinating example of how games (and game theory) can teach us about real scenarios we face every day. One key element to understand in this paper is that this is a lab environment that is closely monitored with a tight feedback loop that allowed the game makers ...
