One of the most difficult decisions a CISO has to make is the one that says the organization suffered a data breach. A data breach starts a chain of events that could eventually result in loss of company reputation, financial expenditures for credit monitoring of affected individuals, and possible regulatory and legal fines. Not surprisingly, the…
DetailsLife as a Chief Information Security Officer can oftentimes be hard on the ego. It is surely one career in which it is easy to fall in to an identity crises (which is a different “identity management” than we are used to dealing with). How many times have we heard that the position of a…
DetailsYou almost have to be on some deserted island with no Internet access to have not heard about the OpenSSL Heartbleed vulnerability. This vulnerability is very serious and pervasive because of a few simple reasons: 1) it allows attackers to be able to dump a target’s memory which can include among other things, usernames/passwords, emails…
DetailsThursday, April 18 started out as a normal day (except for all of the Heartbleed hubbub), that was, until we realized that the University had been hit with about 32K of phishing emails. I have to hand it to the phishers, they did a really nice job. An email, signed by one of our help…
DetailsDoing security at a university is both interesting and scary. Because you have to provide both an open environment for research and instruction, and enterprise level security for the business of the university, you really need to think way outside of the boxes that are available on the market. It occurred to me that many…
DetailsThe number of breaches that have occurred in the past 12 months (Target, U of MD, etc.) serve as a warning that traditional defense mechanisms are not working. I ask audiences of security professionals that I address at conferences and other venues if they would let me ping machines inside their net from my site.…
DetailsThere are tellers of tales and debunkers of myths. An organization needs both. An example: the March of Dimes needed people to have the vision of eradicating Polio. Its very transition from being called the National Foundation for Infantile Paralysis to becoming the popularly known March of Dimes needed the contributions of folks who could…
DetailsOne would think that working in a very prestigious university would simplify the job of the security department. All you would have to do is tell people what was required and those people, with very large IQs, would understand and follow these simple (or not so simple) rules: Don’t click on stuff Don’t open attachments…
DetailsYou know you’ve reached a point in your career when you get asked to give a talk on how IT has evolved over the past 10-15 years. I guess it’s a polite way of saying that you’ve been around for some time in the industry. Well, I was asked to do a talk on how IT Security…
Details(This is the sixth installment in an on-going examination of the first principles of data privacy and security. The first installment can be read here. The second installment can be read here. The third installment can be read here. The fourth installment can be read here. The fifth installment can be read here. These principles, often represented in regulations and privacy…
DetailsVA Tech is one of the few institutions in the US that runs a full production, dual stack IPv4/IPv6 network. We’ve been running this dual stack network since 2005. All of Google, Facebook traffic goes out through IPv6 first. We haven’t experienced any major malfunctions in our IPv6 network since we went live with it.…
Details(This is the fifth installment in an on-going examination of the first principles of data privacy and security. The first installment can be read here. The second installment can be read here. The third installment can be read here. The fourth installment can be read here. These principles, often represented in regulations and privacy practices, form the foundation for…
Details