Netgear (In)Security and their Failed Remote Management standard

I’ve been having issues with some home networking equipment and decided that after a couple of years, I needed to make some updates. I did my research and ultimately settled on the Netgear R8000. Not just because it looks dead sexy or because it’s called the Nighthawk, but because it had really great reviews and I’ve generally been on board with Netgear’s product quality and technology. That is, until today. One of my biggest complaints about today’s networking equipment is that it really wants to be the only router in your house. It wants to be the command center. So if you have a couple of pieces of networking equipment, they both want to be in charge. I get it, ...

Continue Reading

Why I am Skipping the PCI Community Meeting standard

I know, you guys have given me crap for so long. “Suuuure you are going to skip this year. Whatever, Brando, see you in X city at  happy hour.” This has been the discussion over the last few years, and every year I have made my way to the city in question going back to the initial meeting in Toronto, 2007. This will be the first year I will miss. For me, it comes down to two things: content and how the hard questions go unanswered. Content: I looked at the agenda this year. For new people to PCI DSS, there are quite a few great sessions to attend. If you have more than one year experience and perhaps have ...

Continue Reading

My Tea Journey, so far! standard

Many years ago, I started a long journey into the world of tea. I still consider myself a n00b, but a no0b who knows what he likes and is not afraid to try something new. A friend of mine was asking about my tea obsession so I ended up putting together this long email that represents my current thinking around the leaf. After spending all that time, I figured I’d post it here, and possibly update it over time. So, with that, here’s an excerpt of the things I love about tea. Sourcing: I am all over the place with respect to tea sourcing. I am on the constant lookout for quality teas of many varieties and processing methods. What ...

Continue Reading

Just wait, Millennials… Gen-Z is coming. standard

I was at a panel discussion with a large group of Dallas-based executives last Friday when a panelist mentioned a term that many of us cringe at: Millennials. I’m one of those kiddos that is nearly straddling two generations (Gen-X and Gen-Y/Millennials), and identify with both generations as a technologist. Many of my peers that are in Gen-X are not nearly as technically savvy as those of us on the younger side of the generation, but the technology uptake of generation X is not the discussion. Millennials show up all over the place. If you ignore history, you would assume that Millennials present the GREATEST RISK to America’s survival in a competitive world. Don’t believe me? Take a look at ...

Continue Reading

Affective Forecasting Strikes Again! standard

Oh yes, that’s a real thing even if YOUR browser thinks “affective” is not a word and shames it with a red squiggly. Affective forecasting is the act of predicting an emotional reaction to some hypothetical future event. We use it frequently. Have you ever filled out a survey that asked you how likely you would be to refer a friend to some company? That’s affective forecasting. Affective forecasting has great uses, but it has serious drawbacks. In my research on the Consumer’s Attitudes Toward Breaches, we learned that nearly every survey related to the study of breached merchants was flawed. In fact, when you ask someone how they will react to a hypothetical event, societal norms will kick in ...

Continue Reading

Does Age Determine How Quickly Shoppers Return? standard

Here’s another visualization to consider based on demographic data generated from my Consumer Attitudes Toward Breaches research (sponsored by MAC). Did age matter when it came to how quickly shoppers returned to a breached merchant? The data seemed to have a couple of stand-out bumps. Below is a graph that shows, on average, how quickly consumers returned to stores after a breach, grouped by age. The trend seems to be such that, in general, the youngest groups are more likely to return to a breached merchant before the older groups.  The middle two age groups are virtually identical up to the fourth digit past the decimal point—enough to consider them equal. What this means for management, is that younger generations ...

Continue Reading

Secure SSH, Go Beyond the Defaults standard

Secure Shell, or ssh, quickly became the replacement for telnet, rlogin, and rsh once system and network administrators realized how easy it was to capture credentials and modify traffic in flight. It’s the stuff out of movies. An administrator is logging into a system with an elevated account (such as root) while a bad guy is snooping all of the traffic and displaying the stream on his screen. He’s got all the credentials and can see everything that administrator is doing. Or worse, he’s sitting in between the administrator and his equipment and modifying the keystrokes from the administrator before forwarding them to the device. Cue the dramatic music. After its release over twenty years ago, it has seen near ...

Continue Reading

The UCF Common Controls Hub, You Need This Thang! standard

Full disclosure, I was contacted by UCF’s marketing folks and given a demo of the Common Controls Hub, but I did not receive any compensation for this post. These are my thoughts. You get the call from the boss you have been dreading for weeks. “Jimmy, it’s time to add FISMA to our control set, and we need to be compliant in three weeks. GO!” Great, another compliance initiative to work into the alphabet soup of controls-pain that haunts security professionals. More standards means more work to make sure that the standard control set you use in your organization will cover any new requirements you face. Compliance and Security frameworks often overlap, and usually just have a small number of ...

Continue Reading

Two reports, many questions standard

April was a busy month for consumers of information security reports as two highly cited reports released 2016 versions: the Trustwave Global Security Report and the Verizon DBIR. And shortly thereafter, security luminaries start picking them apart for various reasons. One of the challenges with these reports is the datasets have some bias. Early on in the DBIR, the bias was substantial because the only data used in the analysis came from Verizon. As the report gained wider distribution, more datasets were included to reduce the bias. Make no mistake, there is still bias in the data as it only represents a subset of what is actually happening in the industry. You can even tell how different Trustwave’s & Verizon’s ...

Continue Reading

What an IRS Scam Sounds Like standard

Like many of you, I have come to the realization that people not in my contact list who actually use their voices to communicate with me over this texting machine usually want something from me—many times, a sales pitch. I’ve given up on answering most of these calls. For the few that leave a message, I will return it if it’s important. Hopefully people have figured out by now that written communication is preferred in many instances. I recently got one of those robo-dialers to leave me a generic, threatening message (which you can listen to here) that meets many of the requirements of good social engineering. The transcript is below (apologies for the bad copy in two areas, the ...

Continue Reading