As we all approach the inevitable chaos of the holidays with shopping, company parties, and client gift lists - all on top of Q4 and 2009 reports and wrap ups - please take care to protect yourself and your family from possible tragedy due to simple oversight...
According to Sun Tzu, the Tao is the Way – the context that defines how actions are perceived and valued, and management must be able to accurately assess the program in the context of the company’s cultural and political reality. Failure to do this will inevitably create a clash between strategic security plans and the operational activities that enable that vision.
I’m not arguing for an eggshell model of security - crunchy on the outside, squishy on the inside - but it makes things much easier to be able to address an application server’s security requirements without the need to assume that whatever security you implement on an application level is all you will have.
The seeming inconsistency between the perception of being immune from data breach risks and the rapid growth in data breach incidents led us to think about whether organizations can actually quantify their level of breach risk. We were somewhat surprised that there is not much available to organizations to help them in scoring their vulnerability.
As part of their storage security strategy, enterprises must understand the value of such intellectual property in combination with the risk tolerance of the organization before they can address how to appropriately secure it and store it. Moreover, because the value of information changes over its lifetime, so should its storage.
SecurityBinge – a team composed of Chris Martin aka pr4ch, Tim Elrod aka ri0t, and Stefan Morris aka Janus – are forging a video podcast show addressing information security from the hacker’s perspective. Tim and Stefan, the show’s co-hosts, have years of experience both in corporate and hacker circles.
Many social media sites are set up so that a participant needs to endorse others in order to gain credibility; however, such endorsements may give the appearance that the company is actually giving the endorsement. Thus, the company has an interest to protect in connection with any social media account used that identifies an employee of the company.
Today, most of our contracts are jurisdiction-based and mostly relate to the location of data. With cloud computing, this is something which can’t be defined. Until laws evolve to accommodate these technological issues in contractual terms, large corporations will find it difficult to migrate quickly to clouds.
If you listen to the hype, social media is the answer to all that ails you and your company…if only we could figure out how it all works. Given the omnipresence of social media these days, surely there’s something to it, right?
Web 2.0 evangelist Stowe Boyd shares his views on the myths, realities and future of web 2.0 and enterprise: Crowd sourcing innovation - drawing on the smarts distributed across the company and outside in the user community - is another big bang that companies need to be exploring.
The art of utilizing methods combines know how and how to, cognitive awareness and decision making with the physical abilities tactics require, while under pressure, when risk is high and time is critical.
Here is a scam that is a particularly difficult threat to spot. Note the use of a Hallmark email address, Hallmark logo and the template that was probably lifted from an authentic e-card. What’s the dead give-away that this is a scam? Note the fact that the link has an “.exe” which is an “execute” command that will probably run some kind of nasty malware.
One of the penalties of having a well published email address is that I receive dozens of phishing emails, scam letters, and other nefarious material en masse daily. Most of these are the typical inheritance, lottery, and sweepstakes scams - but then there are the ones that at first glance may seem legitimate. Take for instance the following email I received over the holiday weekend...
It is possible that, if such policies exist and were created specifically for HIPAA compliance, your organization is viewing this policy noncompliance as being a HIPAA infraction because of the HIPAA requirements to have security/privacy policies and enforce them.
This is the first part of my Black Hat interview with Andrew D. Hayter, Anti-Malcode Program Manager for ICSA Labs. In this installment, Mr. Hayter highlights the challenges businesses face in mitigating malware-related risks.
ANSI Identity Theft Standards Panel webinar “Lessons from the Data Breach at Heartland” by Bob Carr, CEO of Heartland Payment Systems; Carnegie Mellon University Software Engineering Institute Insider Threat Workshop; U.S. Department of Homeland Security Critical Infrastructure and Key Resources; ISAlliance/NIST/DHS VoIP & Unified Communications Automated Security and Assurance Project; IT Sector Coordinating Council Protective Programs and Research and Development (PPRD)…
Greg Schaffer, Assistant Secretary for CyberSecurity & Communications for the US Department of Homeland Security, sees Trusted Internet Connections, EINSTEIN, and front line defense of the nation’s networks as top cybersecurity priorities for the department.
Here we focus on methods which are developed and learned based on our organizational and individual philosophy, and how that philosophy is emboldened by strong character leadership, which in turn influences our perception and understanding of the climate on the ground, and directly affects the decisions and actions we take in a given situation.
QSA’s (auditors) policing the PCI-DSS (credit card data security standards) need to adjust their mindset when auditing virtualized card processing infrastructure…
Any organization should have a simple and brief procedure to treat information carriers for systems that are to be discarded. All that hardware contains a lot of confidential information, and it is essential that such data is properly erased so it cannot be recovered. Here is a brief summary of the crucial information disposal procedure elements.