Audited and Jaded

A company I know was audited some years ago. One of the findings was that there were no Unix server logs. Over the next year server logging was enabled. The following audit noted that nobody was reviewing the logs. So the company invested in a SIEM solution and reviewed the alerts. (Of course, no one…


Plight of Passwords

I read an article recently about how a CISO talked his way out of having an internal auditor write up a finding about weak passwords – which eventually led to a significant and highly publicized breach. The CISO’s argument was that, by implementing strong passwords, users would end up just writing them down, thereby weakening…


Be Very, Very Quiet – Your Devices May Be Listening

According to Wikipedia, “The Internet of Things (IoT) is the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure. Typically, IoT is expected to offer advanced connectivity of devices, systems, and services that goes beyond machine-to-machine communications (M2M) and cover a variety of protocols, domains, and applications.[1] The interconnection of these embedded devices (including smart objects) is expected to usher…


The Wisdom of the CISO Crowd…In an Era of Security Products and Technologies DELUGE

The list of security products and technologies resulting from searches by even the least sophisticated Internet Search Engines across any of the major security product categories can be quite overwhelming. These categories include ‘firewalls,’ ‘IDS/IPS’, ‘SIEM’ and don’t even mention “Threat Intelligence” since, thanks to the associated market hype-cycle, even vulnerability scanners are now being…


My Security Fantasy

My biggest security problems all start with authentication. If you look at the major hacks that have taken place in the last year, you can trace most of them back to phishing (or stupidity). If I could wave a magic wand and create a system that could verify the identity of the person at the…


Business Continuity Planning, The CISO’s Secret Weapon

BCP. Three little letters that, unfortunately, strike mind-numbing boredom into most CISOs. The truth is, Business Continuity Planning isn’t synonymous with the excitement that is typically found in the Information Security world. There aren’t nation states trying to subvert your controls, or insiders trying to get away with industrial espionage, or some faceless hacktivist group…


10 Steps Towards an Information Security Program for Newly Established Companies

It’s not a matter of if your company will be breached but when, and for newly established companies or startups the when may be sooner rather than later. Startups are being established across industries and come in many different sizes. Regardless of whether they are in year 2 or year 5 of their existence, in…


If Not Now, When? If Not Us, Who? – “Tackling The Great Minority Cyber Divide”

In a November 2014 article, Lowell McAdam the CEO of Verizon made the following very bold public statement, “It’s Wrong That in a Room of 25 Engineers, Only 3 Are Women.” Lowell’s very intriguing article went on to quote several other very compelling facts and figures triggering resonance at so many levels, including the prediction…
