Trust but Verify: Words to live by!

QSAs have to walk a very fine line with customers, especially those that are coming back for years two and three on a multi-year contract. I’ve seen it happen to other companies, and it’s happened to me. The conversation goes something like this:

Me: OK, now that we are on logging, please provide me with the logs you pulled from X server in Y environment.

Them: Here you go.

Me: This is exactly what we need, but I need a set pulled from recent data, not the ones we looked at last year.

Them: But you looked at it last year! I’ll give you access to our change control system and you can see nothing changed on that box.

Me: ...


How Much Backup Media do You Have?

Disk space is cheap.  Cheaper than it ever has been.  In fact, if you try to purchase small disks for legacy applications, you might be in for an exhaustive or expensive search. For example, I was looking to replace a 20 Gig 2.5″ PATA drive with a 40 Gig one.  Good luck!  Not only did I not find ANY PATA drives at some local big box retailers, but going to Fry’s yielded me two choices: 160 Gig or 250 Gig.  The price of both of those was cheaper than what I could find online in the 40 Gig range. With disk space being so cheap (sub $100 per terabyte) and data storage growing at insane rates, is it easier to ...


Pwn3d by the Hoffacino

Yep, I did it. And WOW what a ride it was. Chris Hoff (@Beaker) started a movement in fueling today’s security professional, and I don’t even know if he realized the animal he’s unleashed on the world.  It’s called a Hoffacino (or Hoffachino), and boy are you in for some fun if you order one.  This ain’t your daddy’s coffee! Before being allowed to consume one of these things, you should have to present passing results from a full physical and psychological examination. The experience of the Hoffacino starts when you order.  I was slightly embarrassed to order such an intricate drink from my neighborhood Barista. I mean, I might see this fine young citizen at the market! I have ...


Ask the Question!

I spoke at the NetDiligence® Cyber Risk & Privacy Liability Forum this morning, on a panel dedicated to advanced security topics. Now, while these topics were not the same kind of advanced security stuff you would see at Blackhat, they are advanced for the audience. In fact, we even had a question about Bluetooth security that suggested this audience was relatively unfamiliar with the risks associated with this newfangled stuff. But that’s not the point; the point is that someone asked the question! How many of us have seen companies end up in a bad situation from a security and technology perspective because someone didn’t ask questions until they understood enough about a solution to understand the risks associated ...


Herding Cats June: In or Out?

Have you checked out ISSA Connect yet? The next issue is up there with my column, In or Out? This issue’s theme centered on security operations, and our industry seems to be going through a transition. Do you insource or outsource this critical function? If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!


May 2010 Roundup

What was popular in May? Lots of fun with PCI and Facebook. I’m noticing more and more commenters on my posts… keep it coming! Here are the five most popular posts from last month: A Facebook Reality Check. Even though this was posted on 5/21, it was by far the most popular post last month.  There are a few good comments on the post, and what you DIDN’T see was a rather heated exchange with a reader about some of the opinions in the post.  I would love to get that individual on a podcast to debate the topic as I think both viewpoints are valid. PCI SSC Launches Internal Security Assessor Program. An interesting new concept by the Council ...


Red Flags Rule Deadline Extended to 12/31/10

The Red Flags Rule is still not going to be enforced. The FTC announced today that the deadline for compliance to the Red Flags Rule has been extended to December 31 of this year. The original compliance date was November 1, 2008—meaning this has now been delayed over two years from the original compliance date. Catch the full press release here.


Why ISAs are Good for QSAs

The PCI Security Standards Council recently announced their Internal Security Assessor program (ISA) ((Side note… everyone seems to dog pile on the Standard when people reference it as a SECURITY standard, but nobody dog piles on the Council for using security in the assessor acronyms?)) and it seems like the response is overall positive.  I have spoken to a few QSAs that are afraid this may contribute to a decline in the business as there is dissension in the ranks of those being assessed ((Quality in QSAs is a current problem being addressed by the Q/A program.)). ISAs are GOOD for QSAs, and as a QSA you should prefer to assess companies that have installed them in their teams. I ...


A Facebook Reality Check

It has been a pretty tough couple of weeks for Facebook. I find the reaction to the privacy controls and the people leaving Facebook in droves especially entertaining. People get fired over comments they put on Twitter, pictures they are tagged in on Facebook, and content posted online using their employer’s assets, yet we are still shocked when our online profiles are disclosed? The real shock to me is, how have we not figured this out yet? My first internet account was a Netcom shell account in the early 90s. Soon after, I had my very own Linux installation (kernel 1.2.8) running on my school’s network, and not long after that I figured out I could read all of the ...


What Security Professionals can learn from BP Oil Spill

One of my favorite things to do is take a case study or real world situation and apply it to our industry or my job. The first time I did this in earnest, I wrote Data Flows Made Easy. I was inspired by an article published in the Harvard Business Review that described the disconnect between different groups of designers and engineers ((Sosa, Manuel E., Steven D. Eppinger, and Craig M. Rowles. “Are Your Engineers Talking to One Another When They Should?” Harvard Business Review, Volume 85, Number 11 (November 2007): 133-142.)). I was somewhere on a plane (SURPRISED!?!?) and as I read through the article, it struck me that this method could be directly applied to data security and ...
