Tag Archives: fundamental security

Security Tips for Non-Techies

One of the most challenging things that I regularly do is explain my job and career choice to non-techie users. Ask my Mom what I do, and you might get one of the blankest stares you have ever seen thrown right back in your face. In fact, I think this general lack of security knowledge among users contributes tremendously to the success of attacks against consumers. How else do we have millions of drones waiting for commands on unsuspecting users’ machines? I’ve heard the following from family members before: But I bought an anti-virus program three years ago! Why do I have to pay for it every year? But I had to disable the security settings so I could play ...


Physical Security begets Infosec Problems

Have you ever noticed how the things we do in the electronic security world mirror the things we do in the physical world? We deploy firewalls at our network perimeter like we put fences near our property lines. We make rules in firewalls to allow certain traffic through just like we have guards that allow authorized parties access to physical assets. In the physical world, visible security controls could take the form of an employee with a badge or a visitor that is escorted. It’s remarkably similar. But what about the bad side of security? You know, those dumb things that smart people do to cause incidents? Most corporate networks are incredibly flat and operate more like a university and ...


What’s the Value?

If you were to give someone the task of protecting a room that holds anywhere from $10,000 to $100,000 in cash, the yearly spend to protect that room (in basic risk management theory) should not exceed the Annualized Loss Expectancy (ALE).  ALE is a simple representation that contains an extremely complex portion of applied mathematics called probability. ALE = Impact of the event in Dollars * Probability of that event occurring on an annualized basis1 Why is this complex? How hard is it to multiply a couple of numbers together? Imagine if someone tried to explain the complex dynamics of Football to you by saying, “Well, the person that scores the most wins the game.” That’s, of course, technically correct, ...


2010 Verizon Business Data Breach Report Released

Verizon Business released their 2010 Data Breach report hours ago, and with the combination of Secret Service data for the 2010 report, there is a ton of interesting things in here.  Here are a few of the highlights that I took from the report: Financial & Hospitality Beware: These two categories represent 56% of the groups involved in breaches1.  Those of us in the industry know the ridiculously poor state of security in the hospitality sector.  Now with the economy on its way to recovery, these businesses will once again see an uptick and criminals will see an opportunity to capture valuable data. Medium-Sized Businesses are in the Crosshairs: The grouping of victims had between 1,001 and 10,000 employees. In ...


PCI Council, How About a Map?

When I started writing this post, I was trying to think of a metaphor for a map and a journey of some sort, but everything came out dripping with Cliché Cheese1 or would have made sense only to a limited audience (Shout out to the P1, between the devil and the deep blue sea, and kick the tires and light the fires… as it were). The point I was trying to make, however, was in light of PCI, we seem to be navigating a changing world with a semi-static map.  Like that GPS I bought seven years ago that freaks out every time I drive on a road that was completed four years ago. As I wrote about last week, ...


Herding Cats July: Back to Basics

Have you checked out ISSA Connect yet? The next issue is up there with my column, Back to Basics. This issue’s theme centered on the basics of information security, and what better time to take a step back and really evaluate what we’re doing? Are we actually accomplishing our goals? Or just treading water? And do you want to take away my man card after reading this one? If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!


A Facebook Reality Check

It has been a pretty tough couple of weeks for Facebook. I find the reaction to the privacy controls and the people leaving Facebook in droves especially entertaining. People get fired over comments they put on Twitter, pictures they are tagged in on Facebook, and content posted online using their employer’s assets, yet we are still shocked when our online profiles are disclosed? The real shock to me is, how have we not figured this out yet? My first internet account was a Netcom shell account in the early 90s. Soon after, I had my very own Linux installation (kernel 1.2.8) running on my school’s network, and not long after that I figured out I could read all of the ...


Views on Application Security

I had an interesting conversation with a client the other day, and while shocking at first, it made a ton of sense long term when looking at how to apply security controls to assets based on risk. I’ve blogged and written about things like this in the past, but the concept was interwoven as a theme to a different concept, or altogether buried under links to YouTube. The conversation was with a customer that wanted to put out a small informational site in support of a minor product feature, but also wanted to have the ability to dynamically update content through a web browser from anywhere in the world as he and some of his less technical staff thought ...


Getting Support for PCI DSS

For the record, I LOVE it when people send in emails requesting a specific blog topic. I can’t get to them all, but it sure helps set the direction. The part of the writing process that is sometimes hardest for me is finding a starting point. Thank you for this one (I’ll keep this person anonymous as their email bounced)! In the book we discuss how to manage a project to completion (Chapter 10), and one of the key steps is getting buy-in from senior management. A reader emailed me this week asking about how to go about getting this support. Specifically (paraphrased for brevity): How do I make executive management (C-level) aware of the necessity for, and importance ...


Key Logger Attacks on the Rise (this is no joke!)

Visa released a report yesterday on their website (dated March 17) warning merchants about the rising threat of key logger and screen capture attacks. I went back looking through my archives to see if I’ve written about this danger before, but I think my examples are ones that I typically talk about. But don’t worry, I’ll put one for you here! This particular alert from Visa targets software keystroke and screen captures. At the bottom of page two, Visa puts some MD5 sums for various malware probably obtained while investigating merchant breaches. They also provide eight mitigation strategies to be used as preventative measures for areas that are likely to be targeted for malware installation. My real world example ...
