Categories Archives: Enterprise Security

Data as a Gravity Well

Las Vegas hosted one of EMC’s premier events, EMC World. While this show is primarily IT focused, RSA (the Security Division of EMC) makes a presence every year. This year was my second to attend, and even though the location was the same, there was a big difference in this year’s average IT attendee—they showed a tremendous interest in Security! In fact, our booth at EMC World was PACKED on Monday evening. We nearly hit our goal of visitors for the whole show on the first day! Security and compliance had a track in the breakout sessions, and if you went to Sanjay’s keynote, you may remember our CISO getting up on stage to talk about some of the security ...


Where is your first line of defense?

I recently attended a fantastic roundtable put on by the Financial Times in New York. As I sat listening to a group of folks who specialize in anti-money laundering and fraud, one person stated that people detected the vast majority of fraud or money laundering, with tools playing a supporting role. By itself, this seems a bit damning toward the technical sector, essentially stating that they aren’t any good at detecting fraud. Or at least their tools aren’t any good. But technology has always played a catch-up role when compared to human intuition. It could be simple things like highlighting the right statistical inconsistencies for analysts or complex things like playing chess against the world’s best, but we’re ...


Why the Public Cloud Shuns Security

Did I just use a tactic to get you to click on this? Maybe. It sure is a punchy headline. I bet it stirs up some emotion on both sides of the transaction: cloud providers that are tired of working with auditors and security professionals that are tired of explaining to business analysts why regulated data can’t live inside a public cloud. I spoke at the North Texas Cloud Security Alliance chapter last Friday, and I had a great question from the back of the room. Paraphrasing, if security is a requirement for certain use cases, why do public cloud providers sell services without security controls? Man, that is a question I wish more people would ask. There are two ...


Big Data vs Social Engineering

Some of the discussions we are having over here are brain-wrinklers! I was speaking with some colleagues yesterday about the security implications of big data. Typically I would group them into two separate areas:

1. Using big data as an enabler for predictive security analytics (i.e., deriving security information powered by analytics across big data)
2. Securing the output of big data analytics on the business side (and possibly in infosec too)

After talking about some of the uses of Greenplum Chorus, it occurred to me that there was a third area that needs to be addressed: the security problem of using independent but diverse big data sets to arrive at the same conclusion (especially when that conclusion could be part of ...


Sir, Put Down the Loaded Weapon

Sensitive information is sometimes like a loaded weapon someone might randomly stumble upon in a park. For those who have some kind of training with weapons, you can probably think of a dozen things you would and wouldn’t do if you were in this situation. But what if you had never seen this kind of weapon before? Would it become a paperweight on your desk? Maybe a doorstop? Or in an extreme case, earrings? Maybe you see peers treating these weapons the same way, and all of a sudden it becomes acceptable. Until one goes off. Then everyone flips their lid and it’s utter chaos. Questions like, “How did this happen?” and “Why isn’t the government protecting us?” start to pop ...


What’s your Maturity?

No, I’m not asking how old you are or if you still laugh at fart jokes, but how mature is your security program? Traditional security isn’t working anymore, and its relevancy erodes as the business moves ahead without it. If you’ve heard me speak about information security maturity lately, you may have heard me compare our industry and function to Maslow’s Hierarchy of Needs. For those of you who may need a refresher, here are the basics (minus a few to stop some search engine hits). In order for a human to realize his full potential, he must have specific needs met. Those are:

Physiological: food, water, sleep, movement toward stability
Safety: security of body, employment, resources, morality, family, health, ...


There Are No BYOD Absolutes (You’re Doing It Wrong)

Check out this post by VPN Haus that tackles the cost savings aspect of BYOD. They argue that BYOD can be expensive and isn’t always a cost savings initiative. There are a few issues with this article that I’d like to address, starting with the cost issue. BYOD isn’t just about saving money; it’s also about making employees happy. I have not met a knowledge worker who looks forward to getting their new clunky Dell or Lenovo laptop, especially if they travel. Having the ability to empower the worker to bring their own device allows for cost savings in a number of areas, including forcing them to handle their own basic break/fix support. In my case, I don’t call IT ...


Reducing the Risk of Passwords

On Wednesday we discussed passwords and their contribution to the people security problem. At the end of the post, I asked what we could change to take weak passwords out of the equation. If having passwords is a requirement to doing business, what things could we add to the mix that might be able to reduce the risk of using them?

Strong Authentication. Obviously, adding an additional factor of authentication can go a long way to improve the risk scores associated with data access. Positives include a significant number of solutions with a few leading their respective packs. Disadvantages can include cost to deploy and manage as well as poor integration with every technology you may use.

Risk-based Authentication. Keep ...


Passwords and the People Security Problem

We can only blame people for so long. After all, we traditionally secure access to the critical resources on our network, whether that is customer information, price lists, salary information, or the secret recipe to our best-selling product, by requiring users to log on with a username and a password. Usernames allow us to grant authorizations and track activity, and passwords authenticate the username, theoretically providing assurance that the owner is the person using the credential. Over the years, humans have demonstrated their poor ability to create and use strong passwords. We try to teach them about strong passwords, give them examples, set policies to require strong passwords, and yet we still get users with passwords like P@ssword. Our ...


Top Five PCI DSS Mistakes that Lead to a Breach

RSA Conference is over, but that just means that all of those side conversations and meetings we had will start to make their way into blog posts! One that is a biggie for me is the top five mistakes that merchants make that lead to a compromise. I often get questions from small merchants asking for the top three to five things they should do to make sure they do not suffer a breach, specifically after they are overwhelmed by SAQ-D. While there is no substitute for complying fully with PCI DSS, there are a few common themes in breaches that businesses should address to avoid one. Keep in mind, while this applies to all setups, the ones getting hit ...

