My Parents Taught Me to Share, So What’s the Big Deal?

President Obama wants private sector companies to share information about cybersecurity threats  with each other – and the government.  That sounds like a novel idea – and some industries already are doing this among themselves. However, the federal government doesn’t share their experiences with us (“National Security!”), but presumably they do share with each other. The…

Details

Audited and Jaded

A company I know was audited some years ago. One of the findings was that there were no Unix server logs. Over the next year server logging was enabled. The following audit noted that nobody was reviewing the logs.  So the company invested in a SIEM solution and reviewed the alerts.  (Of course, no one…

Details

Plight of Passwords

I read an article recently about how a CISO talked his way out of having an internal auditor write up a finding about weak passwords – which eventually lead to a significant and highly publicized breach. The CISO’s argument was that, by implementing strong passwords, users would end up just writing them down, thereby, weakening…

Details

Be Very, Very Quiet – Your Devices May Be Listening

According to Wikipedia, “The Internet of Things (IoT) is the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure. Typically, IoT is expected to offer advanced connectivity of devices, systems, and services that goes beyond machine-to-machine communications (M2M) and cover a variety of protocols, domains, and applications.[1] The interconnection of these embedded devices (including smart objects) is expected to usher…

Details

The Wisdom of the CISO Crowd…In an Era of Security Products and Technologies DELUGE

The list of security products and technologies resulting from searches by even the least sophisticated Internet Search Engines across any of the major security product categories can be quite overwhelming. These categories include ‘firewalls,’ ‘IDS/IPS’, ‘SIEM’ and don’t even mention “Threat Intelligence” since, thanks to the associated market hype-cycle, even vulnerability scanners are now being…

Details

My Security Fantasy

My biggest security problems all start with authentication.  If you look at the major hacks that have taken place in the last year, you can trace most of them back to phishing (or stupid). If I could wave a magic wand and create a system that could verify the identity of the person at the…

Details

Business Continuity Planning, The CISOs Secret Weapon

BCP.  Three little letters that, unfortunately, strike mind-numbing boredom into most CIOS’s.  The truth is, Business Continuity Planning isn’t synonymous with the excitement that is typically found in the Information Security world. There aren’t nation states trying to subvert your controls, or insiders trying to get away with industrial espionage, or some faceless hactivist group…

Details