Security and Privacy are essential in today’s digital economy. 2014 was a year of large-scale security and privacy breaches, leaving everyone asking themselves how much should we trust companies with our sensitive information. Currently, there are more than 80 countries with privacy laws. Violating these laws may result in fines, brand damage, and/or loss of…
DetailsIncessant questioning can reduce the best thinking to no more than a background chorus of “Are we there yet?” But there are still some things that have to be asked. I have spent the past four articles observing how aggregation is emerging as more than just an automated process. I’ve tried to show the following:…
DetailsSony, Sony, Sony. Do you even realize what has just happened to you? Can you even comprehend the ripple effect this event will have not just on your industry, but everywhere? So to begin with, let’s not dig into what happened or who did it. Primarily because there is still an open investigation happening and unlike others,…
Details(UPDATED) CISO’s and their teams are not just producers of risk analyses and assessments. We are also consumers of them. They come from many sources. The main four are: Responses from third parties whose goods and services we are evaluating as part of our due diligence Assessments provided by entities that are targets of mergers, acquisitions,…
DetailsPeople prefer to choose the groups they are in. Even before social media exploited that, there were fan clubs, fraternities, sororities, and many different kinds of groups that people associated themselves with. There are also the groups that people don’t choose but through birth, prejudice, unforeseen circumstances and/or unwanted diagnoses, they find themselves in nonetheless. …
DetailsIn the aftermath of the Target breach, there has been a lot of press on the need for a Chief Information Security Officer (CISO) in the boardroom. The Wall Street Journal, the NY Times, Forbes, and a host of other business publications are calling for a senior information risk executive to have the proverbial ‘seat…
DetailsSome 38 years ago, I started working for the systems group at CUCCA (Columbia Center for Computing Activities). I was fresh out of engineering school (Columbia, by coincidence) and a brand new junior systems programmer. In those days, we actually wrote modifications to the operating system in assembly language – it was a lot of…
DetailsHow do you measure how mature your vendor security risk assessment program is? How do you measure your ability to lead or develop such a program? Would it be safe to say that a majority of breaches are a direct result of vendors and the inability of companies to properly continuously vet and validate their…
DetailsWhen you’re on a roll, ride it out. I’ve been on the “Redux” train for a couple of days. I usually do this when I review our security architecture initiatives at the end of the year. Way back in 2000, I said in a USA Today interview that it wouldn’t surprise me if there were…
DetailsYep, it’s time to use this title again. This time we’re talking about Distributed Denial of Service (DDoS) amplification attacks. One of the lists I monitor posted the following: Christian Rossow has done some great work on DDoS. The two interesting papers are: “Exit from Hell? Reducing the Impact of Amplification DDoS Attacks,” read here. The…
DetailsThe holiday season is filled with opportunities for the Bad Guys to take advantage of people who are filled with the holiday spirit, out and about having a good time and letting their guard down. Since I work at a university, I sometimes get asked to pass along tips to increase the awareness of how…
DetailsFor those contemplating using Amazon Web Services (AWS), their compliance page is quite assuring. With a who’s who of compliance standards from SSAE-16, ISO 27001, PCI DSS, to CSA, MPAA, FEDRamp, FIPS 140-2, HIPAA and more; it’s more than enough to give an auditor a warm and fuzzy feeling. Note that in this article, AWS…
Details