Tags Archivesfundamental security

The Social Security Office, an Identity Thief’s Heaven! standard

My wife is not into technology.  Or security.  Or UNIX.  Basically she looks at her Macbook as a way to check email, buy shoes, organize photos and videos, and make checklists for the babysitter.  So when she takes an interest in what I do, I REALLY perk up. She is very attentive to the things I do with our mail and sensitive information, only because she hears me talking about it all the time.  She knows not to give out passwords or personally identifying information.  She shreds expired cards and junk mail. She’s definitely more in tune to security than the average citizen. We recently noticed a reporting error from the Social Security Administration and the only way to clear ...

Continue Reading

Healthcare Letter Follow Up standard

Frequent readers may remember that I sent a letter to a healthcare provider (who is anonymously referred to as Dr. Leo Spaceman) because he used a four digit, numeric PIN to access all of my medical records (assuming that he would also be using that same one for ANY patient).  Well, Dr. Spaceman responded. OK, I’m sure his admin responded, not personally him. But the response is a classic example of someone who has been asked a question like this before and had a pre-canned answer prepped.  I don’t think I’m the only person to observe Dr. Spaceman doing this. Dear Resident1: I have received the letter you sent to our office in regards to our privacy practices with our ...

Continue Reading

Compliance, Easier than Security! standard

My undergrad is in Marketing.  I sometimes call myself a marketing guy, but only right before I rip on one that hypothetically might do something causing a technical guy to lose his weekend.  One of my favorite marketing guys is Seth Godin, and every once in a while he posts something that works not only in the Marketing world, but in our world. On Friday, his post “It’s easier to teach compliance than initiative” reminds me of how our business works.  Isn’t it WAY easier to talk about some kind of security-related compliance versus actually talking about security?  Think about your past interactions with information security.  Did you have a chance to create a 3-5 year plan detailing how you ...

Continue Reading

Satellite Hacking, Not Just for Pros! standard

I found a great article by Stan Shyshkin last week on hacking internet satellites. Satellite networking has always interested me, especially when it comes to learning how to take advantage of foolishly trusted links.  Most of these links manifest as a form of a “carrier grade” link such as MPLS or Frame Relay.  These links are inherently considered private, even though they typically do not take advantage of encapsulated encryption. Fifteen years ago we extended our network footprint through private network links.  Companies extended their WAN in the form of a frame relay in 64-Kbit increments1. These links were rarely (if ever) encrypted partly due to the technology at the time and to inherent trust in telcos. Companies running frame ...

Continue Reading

Healthcare Security, the New Front standard

HIPAA tried to address it, HITRUST and HITECH are the newest entrants into the mix, but health care is just he latest example of an industry’s information technology significantly outpacing its ability to secure it.  If you’ve heard me speak on where I think the next big area that hackers will go after, you’ve heard some stories about what I would do if I were the bad guy. Last week I had a routine doctor checkup, and I watched my doctor type in a four digit password to access all of my records (and presumably any record in the practice).  Any security professional reading this has had a similar experience with someone in authority accessing data with weak credentials, and ...

Continue Reading

New Ponemon Study (and other fun metrics) standard

The Ponemon Institute released its latest analysis on the cost of data breaches, and this year they posit that the cost of breaches is still on the rise.  While new legislation and increased savvy and persistence from attackers is continuing to drive the cost of breaches up, I also believe that this very same legislation is forcing more breaches to be reported.  If anything, managers should take this information as a sobering reminder that the bad guys are out there and they still want your data. I’ve discussed these studies in the past, and I’m not terribly supportive of one of the key metrics that Ponemon analyzes: the cost per breached record.  Non-security managers (and unfortunately some new security managers) ...

Continue Reading

The Yes/No PCI Assessment standard

Chris Mark over at the PCI Answers blog wrote a fantastic post on The Rise of the Defensive PCI Assessment toward the end of last year.  I read it right after he posted it, and knew that I wanted to add to his thoughts.  It’s taken me about this long to get my thoughts together. I’ve been busy! I totally agree with his assessment, and I have run into some situations where this has come up with other QSAs.  Some QSAs have altered their interpretations (or made them more literal, I should say) because they realized that they were interpreting the standard incorrectly, or they priced the assessments so low to get the business that they can’t afford to understand ...

Continue Reading

The Lost Assessment standard

Like many fans of Dan Brown’s character Robert Langdon, I was one of the first to tear through The Lost Symbol last month.  Symbology in ancient and modern cultures is fascinating, and somehow while I was reading the book, I made a parallel between this final lost symbol (no spoilers here, you need to go read the book!) and the quest for security and compliance nirvana. In the book, Mal’akh is searching for what he believes is the final piece to a puzzle that will make him an all powerful, deity like creature.  His quest began while imprisoned in a Turkish prison (yes he HAS seen the inside of a Turkish prison, Clarence) with the son of a prominent 33rd ...

Continue Reading

Dave Ramsey Applied to Security, Baby Step #1 standard

I’ve been on a Dave Ramsey kick lately.  I like his message and his concept of declaring war on debt.  One of his mantras can save people TONS of cash if they would just use basic things they learned in school. “Do the math!” Everyone out there has a brother-in-law, church buddy, or friend of a friend who is “a finance guy.”  We tend to listen to people we consider experts without questioning their motives, simply because we don’t believe we can comprehend the complexity of the question enough to figure the answer out ourselves. For example, several years ago I went to a car dealership to buy my wife a new car.  I had just recently graduated with my ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!