Category Archives: Enterprise Security

The Art of the Interview

Yes, I know. There are some cobwebs around here. Don’t worry, I’m working on clearing those out. I’ve finally taken a position with a company and have been buried with all kinds of great stuff. More on this soon! But in the meantime, I found an article in the ISACA Journal from Tommie Singleton entitled, “What Every IT Auditor Should Know About Using Inquiry to Gather Evidence.” If you are in the information security business and have to deal with assessing or auditing, do yourself a favor and take ten minutes to read this article. This technique is what separates the pros from the newbs in our industry. If you have worked with me in the past, you probably remember ...

Continue Reading

Adventures in Rails

It has been quite a while since I did any hardcore coding. Since that time, I have dabbled in various web projects, but programmers who don’t practice tend to get stuck in ruts. Most of the time, I would use my skills to solve small problems using methods and technologies I knew worked. If you want examples of that, go check out Brando Labs. Why do I continually pull tools like Perl, PHP, sed, Bash, and Python out to solve problems? Because I know how they work, and the learning curve to get back into the swing of things is relatively shallow. Back in the Stone days, I ended up taking a week-long Java class that had me coding ...

Continue Reading

In Favor of Scenario Planning

Harvard Business Review recently published an article by Angela Wilkinson and Roland Kupers called “Living in the Futures.” In it, Wilkinson and Kupers discuss the function of scenario planning at Shell—a practice that has been going on in earnest since the 1960s at the company. There are a number of great nuggets that we can use here in information security to help us plan for inevitable security events. The main goal of scenario planning at Shell is to open up the minds of managers and executives to the possibilities of events in the future. It’s designed to buck the trend of thinking that the future will be much like the present, such that when things happen they are well poised ...

Continue Reading

Fixing the CAs, A New Approach

The last few years have been a bit rough for Certificate Authorities (CAs), as hackers have figured out how to obtain certificates in a manner that erodes trust in the system. Not only have they gone after the middle-men in the chain of certificates, but they have gone directly after major CAs, effectively compromising the entire system. There have been a few alternatives proposed, such as Notary, and now the Certificate Authority Security Council (CASC) has proposed a new model that leverages OCSP stapling, a technology designed to fix one major issue with the revocation process. Before OCSP and OCSP stapling, we had Certificate Revocation Lists (CRLs). This fail-safe is designed to allow an issued certificate to be revoked, ...

Continue Reading

PCI SSC Releases Cloud Guidance

It looks like it’s been a busy couple of weeks for the Council! We saw their release of the eCommerce guidelines, which had some good nuggets while missing the key point of understanding the contracting process for scoping. Now we have the release of the Cloud Guidance, the latest SIG to conclude and publish a report. Read this post, then check out StorefrontBacktalk’s post, then go download the document. First, let’s highlight the good stuff. There are some great charts that attempt to give examples of how responsibilities might be allocated depending on your setup. Go through these as a benchmark, but instead of taking their defaults as gospel, validate them with your CSP using Appendix C. They reference the ...

Continue Reading

Want to learn more about the Research behind the Phoenix Project?

So The Phoenix Project has been out for about a month now (read an excerpt here), and it has been the talk of IT and IS professionals all over the place. I’ve been pestering Gene to release some of the underlying research that went into the book for people who want to learn more. The fable is a GREAT place to start, but when you go to implement the concepts in the book, it’s nice to have some of the underlying theory behind it when you go change your operations. So here’s the first installment of the core concepts in The Phoenix Project. If you are affiliated with a university (as a student or alumnus) you may be able to ...

Continue Reading

RSA Security Analytics Revolutionizes IS

Last week RSA launched their new Security Analytics product, which combines a number of capabilities required by today’s security operations professional into one platform. If you have not checked this out, go here to see Art Coviello’s video announcement and check out the virtual kickoff here. Once you see the demo, you will be THRILLED to see what the future of information security tools can be. But don’t believe them, check out what these folks have to say! “The sophistication of advanced attacks and the associated malware is growing every day, testing the limitations of existing security analytics tools. The Big Data phenomenon could help address this situation for security professionals, making it important for organizations to rethink their choice ...

Continue Reading

Fun Research on Information Flows

I am doing some research on inference attacks in advance of one of my RSA Conference sessions and happened across this very interesting piece of research by Roya Ensafi, Mike Jacobi, and Jedidiah R. Crandall from the University of New Mexico’s Department of Computer Science entitled, “Students Who Don’t Understand Information Flow Should be Eaten: An Experience Paper.” Not only is it absolutely true (and frankly, this applies to practitioners too), but it’s another fascinating example of how games (and game theory) can teach us about real scenarios we face every day. One key element to understand in this paper is that this is a lab environment, closely monitored with a tight feedback loop that allowed the game makers ...

Continue Reading

Big Data Fuels Intelligence-Driven Security

On Tuesday, RSA released a new security brief entitled “Big Data Fuels Intelligence-Driven Security.” Indeed, one of the themes of this blog over the last year or so has been looking for the bad guys hiding in plain sight. Your standard controls won’t catch them—or at least won’t catch them in time. Instead, you will probably rely on poorly constructed logs and expensive forensics to try to piece together exactly what happened. The brief identifies two key shifts that are driving the need for behavior-based controls: dissolving network boundaries, whereby legitimate users are probably not doing all of their activity within the physical four walls of the building, and adversaries who are getting much more sophisticated and surgically attack organizations using ...

Continue Reading

Deceit as a Defense

An information security professional’s job is becoming more like military defense every day. We are charged with battling on multiple fronts, typically without enough resources to do the job well. Yet our creativity can serve us well in defeating any number of attackers before they steal our goods. Now we have another great example of a company taking military defense techniques to a new level and leveraging deception in their daily process. Keep in mind, deception at this level is much different from throwing a honeypot on your network and waiting for a low- to mid-level hacker to stumble upon it. This is the kind of deception designed to confuse even the most sophisticated bad guys by using one of ...

Continue Reading