The story about the Office of Personnel Management getting hacked this week was, unfortunately, not a big surprise to anyone in the security world. How it got hacked, by phishing, was something that anyone who has been in the security field for any length of time could have predicted. What comes as a surprise to…
DetailsDo you know how Merriam-Webster defines vacation? Believe it or not – this is what it says: – A period of time that a person spends away from home, school, or business usually in order to relax or travel – The number of days or hours per year for which an employer agrees to pay workers…
DetailsIn my last article, I talked about using the 20 Critical Controls as a practical security strategy. I showed how the controls map to a wide variety of international and national standards. I also mentioned a great www site, www.auditscripts.com, where you can download 3 excellent spreadsheets to help you measure your progress in the…
DetailsI frequently talk to myself. I think that this is mostly OK, except when I have an argument. The other day, I asked myself, “Who am I?” and I was surprised with the answer. It turns out that this is not a simple question, especially if the one asking is a computer (of course, they…
DetailsWhy did the chicken cross the road? To add 200 more steps to his daily wearable device count! But did the chicken ever stop to think about the impact to his life if that data were to be breached? I have my doubts. In today’s world with the increasing number of devices that we use and…
DetailsThe recent Sony breach attributed to North Korea is only the latest in a series of Sony hacks that trace back to 2005. Most news stories point to the recent breach as an example of why corporations should take information security more seriously. Sony is being used as a cautionary tale of what awaits companies…
DetailsIt’s now commonplace to read that security means more than checking off boxes on a compliance checklist. A robust approach to security includes trying to fill the gaps between the boxes. I would argue that that argument has mostly been won. In No Book to Be By, I argued that we should extend that argument…
DetailsI’ve been around the computer business for a long time. Way back, before the Web and even before computers, if you wanted to send a secret message to someone, you used a simple substitution code. An example of this was the Caesar cipher. This was a simple rotation or shift of the alphabet. Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ…
DetailsNowadays, data breaches are a subject of conversation at dinner tables and in boardrooms. Cyber insurance premiums to cover these breaches are skyrocketing. Recent surveys and breach reports have highlighted the challenges with software security. The 2015 Annual Verizon Data Breach Investigations Report points out that applications are the number one attack vector leading to…
DetailsI went to the Educause Security Professionals Conference last week. I have been going to this conference for many years and always take home something useful. This year, James Bamford, best known as an expert on the NSA, gave the keynote address. His talk was about how America has lost control of this secret and…
DetailsThe world of the CISO is becoming an almost thankless job. No matter what you do, how well you present to the Board, how complete your program is, it seems your back is always against the wall. The business complains of the burden security places on operations, the delays it causes, the relationships it destroys,…
DetailsWhile I was unable to attend RSA this year, after reading Chenxi Wang’s LinkedIn post on ‘Booth Babes’, I have to say… It’s about damn time. To briefly recount a personal experience, several years ago, while walking this same Moscone floor, I was quite literally almost run over by a lycra-wearing ‘policewoman’ buzzing around the expo floor…
Details