Category Archives: Enterprise Security

“Non-Observables”

Security professionals are beset by strange obstacles unseen in other parts of the technology space. For example, we are often fighting enemies we cannot see. They out-maneuver us by attacking our partners, our informational supply chain, and even our people. But they are not completely invisible if we know what to look for. There was a recent thread on the SIRA mailing list that discussed the concept of “non-observables,” or elements in the security space that cannot feasibly be observed by defenders. These elements, in theory, would be critical to event detection, thus giving defenders better capabilities to shrink the window of vulnerability. This is a foolish notion that leads security people into an unnecessary state of helplessness. Consider Locard’s Exchange ...


The Dissolving Perimeter

IT and IS professionals have long acknowledged and lamented the dissolution of the network perimeter amid a global economic crisis and shrinking IT budgets. We must do more with less, be more efficient, and create and leverage economies of scale and scope to achieve all of this. But that doesn’t necessarily explain why the perimeter is dissolving, so what is going on? Businesses are exchanging information in real time (both providing and consuming) over public networks as opposed to frame relay or MPLS links behind the scenes. The number of telecommuters in the US grew 61% from 2005-2009. This means more laptops than desktops, and now more tablets or smartphones per worker that need to communicate with corporate systems. IT enables ...


RSA Announces Advanced Cyber Defense Service

A very long time ago I worked at a company called Internet America. For those that remember, we were the 1-800-Be-A-Geek company. Back on the early side of the Internet explosion (this is 1996) I remember walking into server rooms in absolute awe of the big machines that powered our customers’ experience and the respect I had for those that ran them. One particular guy I remember is Gordon. Gordon was a typical middle-aged geek (before it was chic) and he had a catch phrase that always made me smile. When you asked Gordon how he was doing, he would say, “The bugs are winning today.” Back then, we had a lot of days like that. Over the last two ...


PCI Hacks Going Global

Looks like non-US based merchants can start to shake in their boots a bit. I know this isn’t the first one outside the US (and not the biggest), but it seems like all we hear about are the ones here at home. So how big was this one? According to Wired, pretty big. 500K cards is not 95 million, but it’s certainly not a handful either. What I find interesting about this particular hack is not the number of cards or the source of the hack, but the fact that it wasn’t really advanced or much different from the majority of the small merchant breaches here in the US. The smoking gun comes from paragraph three: The company’s network used ...


Guest Post: Different Kinds of Document Destruction

The following is a guest post by Andrew Morrell. The general public and businesses alike fret over how to dispose of their sensitive documents. Anything from a personal paper to PII/PCI data to an accounting sheet can be used by competitors or otherwise become a source of ridicule and liability. The difference for a business is that competition for real money is at stake. A large business can have thousands of pages to destroy. The choice is between small office shredders and professional services. While it might surprise some, there are enterprises that offer to haul away waste paper in fairly large trucks and use an industrial shredder. This is one way to dispose of and recycle a mountain of business ...


If I Derive PII/PHI, Does It Make A Sound?

The Big Data problem and solution is fascinating. In some respects it is incredibly powerful and has tremendous applications for humanity at large, but other implementations are frighteningly big-brother-esque. If you hadn’t heard, Target knows you are pregnant before your family does. They do it by watching your behavior on their website. So the new question that we face is: what do we do if we derive or create accurate PII/PHI in the normal course of learning about our customers? I’m worried that companies will recklessly create data about their customers in new ways never before possible, exposing us citizens to many privacy breaches. I’m doing research in this area now, and am very interested to see where this ...


Can You Trust Email Anymore?

I’ve been running my own email server for almost as long as I’ve had an email address. And when you roll your own, you have to figure out your own answer to the onslaught of SPAM that hits you every single day. A quick poll says that my SPAM server (Postini) blocked over 200 emails addressed to me today, and over the last sixty minutes there has been more SPAM than legitimate email for all of my users. This isn’t surprising. We’ve all fallen victim to the “Didn’t you get my email?” question countered by “Just found it in my SPAM folder.” Postini is fantastic. Its interface isn’t great (Google has done NOTHING with it), support is spotty, and frankly ...


Healthcare Security, Where Are You?

Information security for electronic healthcare information is often discussed (not here) behind closed doors with lots of whispers. The state of information security in the healthcare space varies, but most insiders agree it is in conflict. Dismal even. Yours truly once took down an entire hospital’s printing network because they were running a super-duper-pooper vulnerable print server that just happened to get popped when doing what should have been innocent scanning. Security in many industries starts with compliance, but even that’s not working. HIPAA has been around for fifteen years—and its follow-up act(s) less than five—but we are constantly playing catch-up. The results of a 2006 (yes, five years old) survey showed that HIPAA had the lowest compliance rates among ...


Hospitality Still in the Crosshairs

With all the news and information we are pummeled with daily, it’s hard to ignore the significance of cyber security and its role in protecting enterprises and individuals. Yet it’s still pretty easy to ignore until it happens to you. I have written and spoken about the challenges in the hospitality industry before, and hotels remain a big target for a few big reasons. Many hotels, even ones with a big-brand name on the facade, are owned and operated by individual companies and investors. Joe’s Hotel Group buys the building, hires the employees, and plugs into GiantHotelChain’s reservation and reward system. Many hotels are wide-reaching properties where everywhere you go you have an opportunity to perform a transaction (pay TV, internet, ...


Security and Compliance in a Virtualized World

Are security and compliance hindering your ability to comply with PCI DSS or any number of other compliance initiatives? Check out this BUZZ Talk from EMC World where Paul Divittorio and I talk about how EMC does it, and how you can too! Description of the talk: As you move to adopt virtual infrastructure solutions to reduce costs and improve IT operations, make sure you understand the security implications of virtualization. The good news is that virtual environments can be more secure than their physical counterparts. It’s time to separate fact from fiction. Let’s discuss your experiences and what we’ve learned from EMC IT’s own virtualization story. Watch the video here!
