Why the Public Cloud Shuns Security

Did I just use a tactic to get you to click on this? Maybe. It sure is a punchy headline. I bet it stirs up some emotion on both sides of the transaction: cloud providers that are tired of working with auditors and security professionals that are tired of explaining to business analysts why regulated data can’t live inside a public cloud. I spoke at the North Texas Cloud Security Alliance chapter last Friday, and I had a great question from the back of the room. Paraphrasing, if security is a requirement for certain use cases, why do public cloud providers sell services without security controls? Man, that is a question I wish more people would ask. There are two ...

Top 10 PCI Requirements for Interpretation

OK folks, here’s an opportunity for you all! In advance of the third edition of our book, PCI Compliance, slated for a July release, I wanted to offer up a free service to those of you dealing with PCI DSS on a daily basis. I’m going to do a detailed analysis of ten requirements for you! Here’s the best part… You get to pick the ten I analyze! Which requirements give you the most trouble? Which ones do you think are getting a bad rap, or are being interpreted too harshly? Tell me! I’ll take the top 10 that people want interpreted and put a series together over the next few weeks with detailed analysis. Throw your suggestions down in ...

Fun with Password Managers

I actually started following my own advice a couple of years ago and started creating random passwords for each site that I use that requires a login. Yep, no more “Password123!” for me, it’s all random. But that poses another problem. How do I store these things in a way that is secure and readily available since I don’t have an eidetic memory? Enter Apple’s Keychain! Hooray! I’m now able to store these things relatively securely and make them quickly available for me if I need to log in somewhere. In some cases, I memorize the passwords if I have to use them frequently, but in most cases, I just grab it from Keychain. Every time someone asks me to ...
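
The per-site random password approach described above, as an added example that is not part of the original post. It draws each character from the operating system CSPRNG via Python’s `secrets` module, rejects candidates that miss a character class (so the result also satisfies typical site composition rules), reports the entropy of the result, and guarantees that no two sites share a password. The character set, the 20-character default and the site list are assumptions for illustration, not anything the post specifies.

```python
import math
import secrets
import string

# Assumed character classes for the generator (illustrative policy, not from the post).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 85 distinct characters


def generate_password(length: int = 20) -> str:
    """Return `length` characters chosen uniformly from ALPHABET using secrets
    (OS CSPRNG, never random.random). A candidate missing any class is thrown
    away and regenerated, so the output passes common composition checks
    without the bias that 'force one char of each class into fixed slots'
    would introduce."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        classes = (LOWER, UPPER, DIGITS, SYMBOLS)
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).
    The class-rejection loop discards a small fraction of the space, so the
    real figure is marginally lower; this is the usual upper bound."""
    return length * math.log2(alphabet_size)


def per_site_passwords(sites, length: int = 20) -> dict:
    """One independent random password per site. The uniqueness check is a
    sanity guard: a collision between two 20-character random strings would
    indicate a broken RNG, not bad luck."""
    passwords = {site: generate_password(length) for site in sites}
    if len(set(passwords.values())) != len(passwords):
        raise RuntimeError("duplicate password generated; check the RNG")
    return passwords


if __name__ == "__main__":
    # Constructed sample site list for demonstration.
    sample_sites = ["example.com", "mail.example.net", "bank.example.org"]
    for site, pw in per_site_passwords(sample_sites).items():
        print(f"{site:20s} {pw}")
    print(f"entropy per password: {entropy_bits(20):.1f} bits")
```

On macOS the generated value can go straight into the login keychain with the stock `security` CLI (`security add-generic-password -a <account> -s <service> -w <password>`) and be read back with `security find-generic-password -a <account> -s <service> -w`; pass the password via a prompt or the keychain API rather than on a command line that ends up in shell history.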

April 2012 Roundup

What was popular in April? We had Facebook all over the news with its billion dollar purchase of Instagram (do the math, $1B with 23 employees = some rich dudes) and IPO announcement, the Call for Papers for RSA Europe opened, and the security conversation seems to be continuing its momentum from RSA US! Here are the five (ignore the first one) most popular posts from last month: RSA Conference 2012, Are You Ready? OK, you guys, for real. I finally figured out why this was the most popular post. Barney Stinson is the reason. Go look at it and you will know why (and the search term that is somehow leading all kinds of unsuspecting people here). So I’m ...

Mystery Shopper Scams Getting Aggressive

Mystery shopper scams are nothing new, but I now have the experience of being personally targeted by one. From my research, most of these scams are carried out in a “pull method,” whereby ads are placed in classified sections asking for applicants for a part time job. I was targeted by someone using the “push method,” whereby a live (fraudulent) check was mailed to me in a haphazardly stuffed envelope with an official looking letter and survey form. Redacted versions of those documents are linked above. One of the first lessons I learned in high school economics was TINSTAAFL. And while I’m pretty far removed from high school at this point, that one came roaring back when I was mailed ...

Big Data vs Social Engineering

Some of the discussions we are having over here are brain-wrinklers! I was speaking with some colleagues yesterday about the security implications of big data. Typically I would group them into two separate areas: (1) using big data as an enabler for predictive security analytics (i.e., deriving security information powered by analytics across big data), and (2) securing the output of big data analytics on the business side (and possibly in infosec too). After talking about some of the uses of Greenplum Chorus, it occurred to me that there was a third area that needs to be addressed: the security problem of using independent but diverse big data sets to arrive at the same conclusion (especially when that conclusion could be part of ...

Sir, Put Down the Loaded Weapon

Sensitive information is sometimes like a loaded weapon someone might randomly stumble upon in a park. For those that have some kind of training with weapons, you can probably think of a dozen things you would and wouldn’t do if you were in this situation. But what if you had never seen this kind of weapon before? Would it become a paperweight on your desk? Maybe a doorstop? Or in an extreme case, earrings? Maybe you see peers treating these weapons the same way and all of a sudden it becomes acceptable. Until one goes off. Then everyone flips their lid and it’s utter chaos. Questions like, “How did this happen?” and “Why isn’t the government protecting us?” start to pop ...

What’s your Maturity?

No, I’m not asking how old you are or if you still laugh at fart jokes, but how mature is your security program? Traditional security isn’t working anymore, and its relevance erodes as the business moves ahead without it. If you’ve heard me speak about information security maturity lately, you may have heard me compare our industry and function to Maslow’s Hierarchy of Needs. For those of you that may need a refresher, here are the basics (minus a few to stop some search engine hits). In order for a human to realize his full potential, he must have specific needs met. Those are: Physiological: food, water, sleep, movement toward stability. Safety: security of body, employment, resources, morality, family, health, ...

Herding Cats: A Curmudgeon’s Party Line (April 2012)

Have you checked out ISSA Connect yet? The next issue is up there with my column, A Curmudgeon’s Party Line. This month’s topic is quite timely, as there have been several new attacks published related to SCADA and industrial systems. This article explores some of the reasons why we might see the marriage of IP-based systems with industrial systems causing issues today and in the future. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today! ...

There Are No BYOD Absolutes (You’re Doing It Wrong)

Check out this post by VPN Haus that tackles the cost savings aspect of BYOD. They argue that BYOD can be expensive and isn’t always a cost savings initiative. There are a few issues with this article that I’d like to address, starting with the cost issue. BYOD isn’t just about saving money, it’s also about making employees happy. I have not met a knowledge worker who looks forward to getting their new clunky Dell or Lenovo laptop, especially if they travel. Having the ability to empower the worker to bring their own device allows for cost savings in a number of areas, including having them handle their own basic break/fix support. In my case, I don’t call IT ...