Content Tagged ‘risk and compliance’

What IT Security Can Learn From the BP Oil Spill

May 13, 2010 - This week, representatives of BP told Congress that the massive Gulf oil spill was not their fault. BP claims the blame should be placed on another company that produced a key safety device that failed. That company, of course, claims yet (continue reading...)

Throwing Money at Security Won’t Necessarily Keep Your Enterprise Secure

April 30, 2010 - Wait! Read this blog before you spend any money on security. Do you really understand the true risk to your sensitive data and critical systems? If not, it’s time for you to do a little soul searching and find the (continue reading...)

California Continues Data Protection Lead

April 20, 2010 - Is California blazing yet another legal data protection trail? Information Week just posted a blog on California SB-1186 (not yet signed into law). It essentially adds more prescriptive granularity to the state’s existing SB-1386, which is more or (continue reading...)

Accuracy Counts When Detecting Malware

April 6, 2010 - The bane of most security assessment products is false positives. Sending security pros on a wild goose chase tied to false positives has a dramatic impact on productivity and morale. This is especially true when vetting detected malware from vulnerability (continue reading...)

DoD Can Use USB Securely

March 9, 2010 - Back in October, I wrote about the U.S. Department of Defense’s (DoD) expected guidelines for the use of USB thumb drives following the ban of the removable storage devices. In 2008, DoD temporarily banned the use of thumb drives (continue reading...)

Source Code Repositories Targeted In Operation Aurora

March 3, 2010 - Operation Aurora continues to be a hot topic inside and outside of security circles. At this week’s RSA Conference in San Francisco many conversations are on the topic of the attacks that hit Google and dozens of (continue reading...)

HITECH Name-And-Shame Goes Up A Gear

February 25, 2010 - Not content with naming-and-shaming companies that break the HIPAA/HITECH health regulations through the normal press, the U.S. Department of Health and Human Services is now reporting companies that lose control of more than 500 people’s records on its Web (continue reading...)

McAfee Vulnerability Manager an SC Magazine “Best Buy”

February 24, 2010 - McAfee Vulnerability Manager was distinguished among several competitive products with the coveted “Five-Star” and “Best Buy” rating in the February edition of SC (continue reading...)

Critical Control 10: Continuous Vulnerability Assessment and Remediation

February 10, 2010 - Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and then launch that code against targets of interest. Any significant delay in finding or fixing software with critical vulnerabilities provides ample opportunity (continue reading...)
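The control above hinges on two delays: how long a host goes without being scanned (finding) and how long a known finding stays open (fixing). The script below, added here as an illustration and not code from the original post, measures both against a remediation SLA. The severity-to-deadline table, the 14-day scan-freshness limit, the host names and the finding identifiers are all assumptions constructed for the example.

```python
"""Age vulnerability findings against a remediation SLA and flag hosts
that have dropped out of continuous scanning.

Added example for Critical Control 10; the SLA table, freshness limit
and sample findings below are constructed assumptions, not real data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation deadlines, in days from the date a finding first appeared.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # placeholder identifier, constructed for the example
    severity: str
    first_seen: date  # first scan that reported the finding
    last_seen: date   # most recent scan that reported it
    fixed: bool = False


def days_overdue(finding: Finding, today: date) -> int:
    """Days past the SLA deadline; zero or negative means still within SLA."""
    deadline = finding.first_seen + timedelta(days=SLA_DAYS[finding.severity.lower()])
    return (today - deadline).days


def overdue_findings(findings, today: date):
    """Open findings past their deadline, ordered by severity, then by age."""
    late = [f for f in findings if not f.fixed and days_overdue(f, today) > 0]
    late.sort(key=lambda f: (SEVERITY_RANK[f.severity.lower()],
                             -days_overdue(f, today), f.host))
    return late


def stale_hosts(findings, today: date, max_age_days: int = 14):
    """Hosts whose newest last_seen is older than max_age_days.

    Assumes last_seen is refreshed on every scan that observes the finding,
    so the newest last_seen per host approximates the host's last scan date.
    """
    latest = {}
    for f in findings:
        latest[f.host] = max(latest.get(f.host, f.last_seen), f.last_seen)
    return sorted(h for h, seen in latest.items() if (today - seen).days > max_age_days)


# Constructed sample findings; identifiers and hosts are placeholders.
SAMPLE_FINDINGS = [
    Finding("web01", "FINDING-1", "critical", date(2010, 2, 10), date(2010, 2, 28)),
    Finding("web01", "FINDING-2", "high", date(2010, 1, 15), date(2010, 2, 28)),
    Finding("db01", "FINDING-3", "medium", date(2009, 11, 1), date(2010, 2, 27)),
    Finding("db01", "FINDING-4", "low", date(2010, 2, 1), date(2010, 2, 27), fixed=True),
    Finding("app01", "FINDING-5", "critical", date(2010, 2, 26), date(2010, 2, 26)),
    Finding("legacy01", "FINDING-6", "high", date(2010, 1, 10), date(2010, 1, 20)),
]
TODAY = date(2010, 3, 1)


def report(findings=SAMPLE_FINDINGS, today=TODAY):
    """Summarise overdue findings and stale hosts as plain tuples."""
    return {
        "overdue": [(f.host, f.vuln_id, f.severity, days_overdue(f, today))
                    for f in overdue_findings(findings, today)],
        "stale_hosts": stale_hosts(findings, today),
    }


if __name__ == "__main__":
    result = report()
    for host, vuln_id, severity, days in result["overdue"]:
        print(f"OVERDUE {host} {vuln_id} {severity} by {days} days")
    for host in result["stale_hosts"]:
        print(f"STALE   {host} not scanned in the last 14 days")
```

Sorting by severity before age keeps a two-week-old critical ahead of a month-old medium, which is the order a remediation queue should be worked; the stale-host check catches the case the teaser warns about, where a vulnerability is never found because the host quietly stopped being scanned.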

Critical Control 9: Controlled Access Based On Need to Know

February 9, 2010 - In an environment in which all information is available to all authenticated users, the attacker has a number of advantages when considering which user to take advantage of: 1) The number (continue reading...)

Facebook Learns The Downside To Making Logins Easy

February 9, 2010 - Mobile communications in general—and M-Commerce in particular—are predicated on promises of speed and convenience. But that tends to run counter to robust security, so therein lies the inherent conflict between mobile and security. Meanwhile, Facebook stands as the leader of (continue reading...)

Reduce Risk from Unauthorized Applications

February 8, 2010 - Which software can you trust? There’s a lot of good in Web 2.0 technologies that allow rapid development of user-contributed content and applets, but they also bring risk: poorly secured or deliberately malicious software in the form of (continue reading...)

Critical Control 8: Controlled Use of Administrative Privileges

February 8, 2010 - The “golden ticket” for attackers is administrative or root privileges on a system. With these privileges attackers have complete control of the machine they are operating on, or even more. The most obvious scenario (continue reading...)

Critical Control 7: Application Software Security

February 7, 2010 - When a programmer writes code for a program, their main focus is to deliver working code on time. They do not take the time to ensure that all of the code is free (continue reading...)

Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

February 6, 2010 - The power of logs is that they can potentially tell us what happened on one or more systems at a given time. When attackers compromise systems, those systems can dutifully report and (continue reading...)
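Logs only tell you what happened if something actually reads them. As an added example, not code from the original post, the script below parses a handful of constructed sshd authentication lines and raises an alert when one source address fails repeatedly inside a short window, and a second, higher-value alert when a login from that address then succeeds. The log lines, the addresses (RFC 5737 documentation ranges), the five-failures-in-60-seconds threshold and the assumed year 2010 are all constructed for the example.

```python
"""Detect password-guessing bursts, and a success following one, in
syslog-style sshd authentication records.

Added example for Critical Control 6. The sample lines, addresses,
threshold and assumed year are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two sshd message shapes we care about; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log; syslog lines carry no year, so one is assumed below.
SAMPLE_LOG = """\
Feb  6 10:01:02 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Feb  6 10:01:04 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Feb  6 10:01:05 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 50124 ssh2
Feb  6 10:01:07 bastion sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 50125 ssh2
Feb  6 10:01:09 bastion sshd[2109]: Failed password for deploy from 203.0.113.7 port 50126 ssh2
Feb  6 10:01:11 bastion sshd[2111]: Accepted password for deploy from 203.0.113.7 port 50127 ssh2
Feb  6 10:15:30 bastion sshd[2150]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Feb  6 10:15:40 bastion sshd[2152]: Accepted password for alice from 198.51.100.20 port 40011 ssh2
Feb  6 10:20:00 bastion sshd[2152]: Received disconnect from 198.51.100.20 port 40011:11: disconnected by user
"""


def parse_line(line: str, year: int = 2010):
    """Return a dict for Failed/Accepted password lines, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Sliding-window check per source address.

    Returns (kind, ip, timestamp, detail) tuples: one 'brute_force' alert
    per address once it reaches `threshold` failures inside `window`, and a
    'success_after_brute_force' alert for every accepted login from an
    address that still has that many recent failures.
    """
    alerts = []
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = set()                # addresses already reported as brute force
    for ev in filter(None, map(parse_line, lines)):
        # Drop failures that have aged out of the window.
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        failures[ev["ip"]] = recent
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["ts"], len(recent)))
        elif len(recent) >= threshold:
            alerts.append(("success_after_brute_force", ev["ip"], ev["ts"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind} from {ip}: {detail}")
```

The single mistyped password from 198.51.100.20 never reaches the threshold and produces nothing, which is the point of windowing: the detection keys on rate, not on the mere presence of failures. The disconnect line is skipped by the parser rather than breaking it, so unrelated message shapes in the same file do not need to be filtered out first.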

Critical Control 5: Boundary Defense

February 5, 2010 - Controlling the flow of information is essential to protecting critical data. Systems and their respective data must be broken down into trust levels or classifications. Any connectivity between networks of different trust levels must be through a (continue reading...)

Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

February 4, 2010 - Most network devices are deployed with their default configuration and not properly hardened for the organization that is using the device. Therefore hardened images need to be created for (continue reading...)

Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

February 3, 2010 - Most systems are deployed with their default configuration and not properly hardened for the organization that is using the software or device. Therefore hardened images need to be (continue reading...)

We Can Require Passwords, But Who Forces Them To Be Good?

February 2, 2010 - You know things are bad when you read a security survey that should be startling and uncomfortable and your reaction is a “so what else is new?” shrug. ‘Twas the reaction of quite a few security executives over the last (continue reading...)

Critical Control 2: Inventory of Authorized and Unauthorized Software

February 2, 2010 - While we are starting to see some research on hardware-level attacks (e.g. BIOS-level viruses have been proven to be a viable concept), most exploitation of systems revolves around (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.