Branden R. Williams, Business Security Specialist

What Does IT Provisioning Look Like? standard

The title for this post is only funny if you read it in the voice of Jules Winnfield asking Brett to describe what Marsellus Wallace looks like. If you can get in that mindset (I can’t link to it, you just have to get there on your own), then this will be more effective. Imagine for a second that you are the CIO of a company (Jules Winnfield), and you are trying to build some information security features into the systems you are responsible for keeping up and running. You go to your CISO (Brett), or maybe the sales rep of the infosec vendor, and ask them how their product works in the new model of IT provisioning and operations. ...

Anatomy of an Attack Critical Security Checklist standard

If you have seen me speak over the last couple of months, there is a good chance you heard me talk about advanced threats, sometimes in the context of the RSA breach. Near the end of these talks I either flashed up a slide that had a checklist of things detailing changes we made, or people asked me specifically (like what happened at the Evanta CISO Summit in San Francisco on Monday) what things we did to bolster our security. For those of you who have asked for access to this slide, I’ve gotten permission to post our Security Practices – Critical Checklist here. Enjoy!

November 2011 Roundup standard

What was popular in November? It looks like retail is having a good time, and we added jobs and reduced unemployment while a major airline declared bankruptcy. Here are the five most popular posts from last month: Attack the Humans First. For the second month in a row, this one took the top spot! The attackers are changing, and we’re not changing fast enough to combat them. Check out this post that goes through the human element of information security. Where is your Chaos Monkey? This one is in the top five for the second month in a row as well. Netflix has one, where’s yours? PCI DSS Feedback Period Begins Today! Everyone has an opinion about PCI DSS, so ...

Ditch the Value of Information Equation standard

And now, on to one of the biggest challenges we face while having information risk management discussions: What is the value of information? Information by itself doesn’t have tangible value. It’s value is subjective. Everyone has their own opinion, and many people manipulate the values to serve and twist their message. In fact, the only thing you can really come close to arguing is the value of the medium upon which the information exists. Be it a hard drive, jump drive, or a piece of paper, those things have some kind of agreed-upon value. But the information itself? Imagine for a minute that you are charged with protecting a pile of cash totaling $100,000 ((I stole this idea from Chuck ...

What Does Your Perfect Setup Look Like? standard

The uses and appearances of information technology has changed dramatically over the last ten years. And the ten years prior to that, and the ten prior to that. It’s amazing to think that the devices most of us carry around in our pockets are more powerful than some desktops twenty years ago, and more powerful than rooms filled floor to ceiling with computer hardware forty years ago. The use cases have changed as well—so much so that we have monetized IT to the point where we cannot conduct business without it. Protecting our IT systems isn’t just a “nice to have” anymore, it’s required to protect the investments entrusted to us. Ten years ago phones were phones, and you had ...

22nd of November, 2011
In: Consumer Security, Enterprise Security, SOS
0
1

Collateral Damage is One Click Away standard

Social engineering is now recognized as one of the top threats to enterprise security. I think we all have had side conversations with security leaders inside companies validating this concept for years, but not until recently have we seen it pass other threats in such a public forum. Those same security leaders have struggled with mitigating the threat because they instinctively jump to a Draconian view of information security policy enforcement as the only solution. It certainly would be effective in some ways, but morale would plummet and the creative technophiles would find ways to free themselves from such Athenian legislation. The irony is that many of these controls are not only designed to protect our information assets, but also ...

Man Up MDs! standard

Doctors have been the butt of jokes for years. But this post is no joke. Over the last five years I’ve been exposed to the back-of-house operations in healthcare in ways that helps put the front-of-house issues I observed into perspective. But one thing has always driven me batty, and I’ve never been able to figure out why. I’ve met some extremely talented doctors in my time that absolutely shocked me with their sheer intellect and problem solving abilities. But when it comes to protecting the information of the patients they serve, they just cannot be bothered. Even when they attempt to be bothered, many of them miss the point. MDs must understand that malpractice lawsuits aren’t the only thing ...

8th of November, 2011
In: Consumer Security, Enterprise Security, SOS
0
0

Exploiting Human Trust and Complacency standard

I was speaking with an industry insider a few weeks ago and he started asking questions about supply-chain security. We kicked off a rather awkward discussion whereby I dipped into my SCM educational background and he tried to convey his actual meaning which was much closer to informational supply chains, or better yet, the flow of trusted information. This lead to a great hour of discussion about an attack vector that I call, Exploiting Human Trust and Complacency. I’ve blogged about social engineering and the new perimeter (Sally in Accounting) in the past, and this expands upon that very notion. How do attackers take advantage of this attack surface, and how are they so successful? Before we delve into that, ...

PCI DSS Feedback Period Begins TODAY standard

Remember all that stuff about a three-year life cycle? Well, it’s now officially phase 4, the beginning of the feedback period! What needs fixing in your opinion? What needs clarification? Theoretically, you should have had some time to investigate how the new version impacts your environment, and thought about implementation if not already validated against 2.0 this year. Unless your acquirer tells you otherwise, you will be validating against 2.0 next year. So far, the biggest complaints I have heard from stakeholders is the lack of cloud and mobility as well as confusion around scope. One of my issues (which I am unsure if the Council is willing to solve) is around the sampling methodology and risk assessment thresholds that ...

Where is your Chaos Monkey? standard

Netflix has been in the news quite a bit lately. Regardless of the side you pick on this first world problem, there is something really neat that they do that I wanted to share with a larger audience. If you read Harvard Business Review, you already know what I am talking about. Andrew McAfee published an article entitled “What Every CEO Need to Know About the Cloud.” In this basic primer for business folks, McAfee describes something that Netflix created called the Chaos Monkey, a process largely credited for preparing the company to weather the Amazon ECC outage with minimal issues of their own while others, like Foursquare, experienced problems for days. McAfee talks about this in the section of ...