Conference Wrap-Up, 2016 standard

As we get ready to close out 2016, there have been quite a few events I have neglected to post here. I know I owe a larger update and more tools soon, but here’s one in the meantime to recap October and November. For this post, I’m taking a cue from Bill Brenner and supplying some mood music. My mood music is a little more fun than his is, though. October and November was a busy month for speaking and writing. Here’s a quick recap. Ever wonder why it might be a good idea to segment your home network? All those smart devices have to connect somewhere. I wrote an article for Tactics and Preparedness that discusses some of these issues ...

Continue Reading

Is Retail Ready for the 2016 Holiday Season? When Toasters Attack! standard

The holiday season is upon us, and the biggest days for retailers to make their 2016 plan commitments is coming. The popularity of online shopping always seems to claim a few retailers every year who did not plan capacity accordingly. We’ve seen both Black Friday and Cyber Monday shut down websites in the past, and even though elastic computing has grown in popularity, we can expect one or two that under planned their capacity for this year. But this post is not about poor IT capacity planning—it’s about the latest string of Distributed Denial of Service (DDoS) attacks that has claimed a number of prominent web properties over the last month. Internet of Things (IoT) devices, when improperly designed, can ...

Continue Reading

Netgear (In)Security and their Failed Remote Management standard

I’ve been having issues with some home networking equipment and decided that after a couple of years, I needed to make some updates. I did my research and ultimately settled on the Netgear R8000. Not just because it looks dead sexy or because it’s called the Nighthawk, but because it had really great reviews and I’ve generally been on board with Netgear’s product quality and technology. That is, until today. One of my biggest complaints about today’s networking equipment is that it really wants to be the only router in your house. It wants to be the command center. So if you have a couple of pieces of networking equipment, they both want to be in charge. I get it, ...

Continue Reading

Why I am Skipping the PCI Community Meeting standard

I know, you guys have given me crap for so long. “Suuuure you are going to skip this year. Whatever, Brando, see you in X city at  happy hour.” This has been the discussion over the last few years, and every year I have made my way to the city in question going back to the initial meeting in Toronto, 2007. This will be the first year I will miss. For me, it comes down to two things: content and how the hard questions go unanswered. Content: I looked at the agenda this year. For new people to PCI DSS, there are quite a few great sessions to attend. If you have more than one year experience and perhaps have ...

Continue Reading

My Tea Journey, so far! standard

Many years ago, I started a long journey into the world of tea. I still consider myself a n00b, but a no0b who knows what he likes and is not afraid to try something new. A friend of mine was asking about my tea obsession so I ended up putting together this long email that represents my current thinking around the leaf. After spending all that time, I figured I’d post it here, and possibly update it over time. So, with that, here’s an excerpt of the things I love about tea. Sourcing: I am all over the place with respect to tea sourcing. I am on the constant lookout for quality teas of many varieties and processing methods. What ...

Continue Reading

Just wait, Millennials… Gen-Z is coming. standard

I was at a panel discussion with a large group of Dallas-based executives last Friday when a panelist mentioned a term that many of us cringe at: Millennials. I’m one of those kiddos that is nearly straddling two generations (Gen-X and Gen-Y/Millennials), and identify with both generations as a technologist. Many of my peers that are in Gen-X are not nearly as technically savvy as those of us on the younger side of the generation, but the technology uptake of generation X is not the discussion. Millennials show up all over the place. If you ignore history, you would assume that Millennials present the GREATEST RISK to America’s survival in a competitive world. Don’t believe me? Take a look at ...

Continue Reading

Affective Forecasting Strikes Again! standard

Oh yes, that’s a real thing even if YOUR browser thinks “affective” is not a word and shames it with a red squiggly. Affective forecasting is the act of predicting an emotional reaction to some hypothetical future event. We use it frequently. Have you ever filled out a survey that asked you how likely you would be to refer a friend to some company? That’s affective forecasting. Affective forecasting has great uses, but it has serious drawbacks. In my research on the Consumer’s Attitudes Toward Breaches, we learned that nearly every survey related to the study of breached merchants was flawed. In fact, when you ask someone how they will react to a hypothetical event, societal norms will kick in ...

Continue Reading

Does Age Determine How Quickly Shoppers Return? standard

Here’s another visualization to consider based on demographic data generated from my Consumer Attitudes Toward Breaches research (sponsored by MAC). Did age matter when it came to how quickly shoppers returned to a breached merchant? The data seemed to have a couple of stand-out bumps. Below is a graph that shows, on average, how quickly consumers returned to stores after a breach, grouped by age. The trend seems to be such that, in general, the youngest groups are more likely to return to a breached merchant before the older groups.  The middle two age groups are virtually identical up to the fourth digit past the decimal point—enough to consider them equal. What this means for management, is that younger generations ...

Continue Reading

Secure SSH, Go Beyond the Defaults standard

Secure Shell, or ssh, quickly became the replacement for telnet, rlogin, and rsh once system and network administrators realized how easy it was to capture credentials and modify traffic in flight. It’s the stuff out of movies. An administrator is logging into a system with an elevated account (such as root) while a bad guy is snooping all of the traffic and displaying the stream on his screen. He’s got all the credentials and can see everything that administrator is doing. Or worse, he’s sitting in between the administrator and his equipment and modifying the keystrokes from the administrator before forwarding them to the device. Cue the dramatic music. After its release over twenty years ago, it has seen near ...

Continue Reading

The UCF Common Controls Hub, You Need This Thang! standard

Full disclosure, I was contacted by UCF’s marketing folks and given a demo of the Common Controls Hub, but I did not receive any compensation for this post. These are my thoughts. You get the call from the boss you have been dreading for weeks. “Jimmy, it’s time to add FISMA to our control set, and we need to be compliant in three weeks. GO!” Great, another compliance initiative to work into the alphabet soup of controls-pain that haunts security professionals. More standards means more work to make sure that the standard control set you use in your organization will cover any new requirements you face. Compliance and Security frameworks often overlap, and usually just have a small number of ...

Continue Reading