Friday, February 16, 2018

Hypervisor Replication for Virtualization Security

Vendors like Bracket & BitDefender are rolling out virtualization security solutions meant for hybrid cloud deployment to negate rootkits & chip-based exploits (Spectre, Meltdown).

However, comprehensive coverage / support seems limited & you would think that the big cloud service providers (CSPs: AWS, MSFT Azure, GCP) have hardened their own hypervisors already.

VMware's partnership w/ AWS could pave the way for hardened hypervisors that can lift & shift among on / off prem deployments.

Wednesday, December 20, 2017

Smart Home / IoT, Threat & Vulnerability Management (TVM) & B2C Delineation for Vendors

As the smart home becomes a reality (https://www.theverge.com/2017/12/20/16799918/homekit-vulnerability-details) so does the need to monitor & patch said smart home.

But, who from a vendor standpoint will own that market / responsibility (ISPs, Utilities, Alarm / Physical Security, AV software vendors, separate vendors: Amazon / Apple / Google / Staples: Geek Squad, B2C MSSPs / SOCs)?

The answer will vary depending on the jurisdiction / age of the house, though this wrestling match is sure to come.

So, wait & see how this shakes out, because change is coming for sure.

Thursday, October 26, 2017

Are mobile app reputation services (MARS) legit?

Should enterprises invest in mobile security solutions explicitly for ranking the trust model of some apps?

It depends on what your use cases, requirements, user base, & relevant jurisdictions are.  However, most orgs should not need a MARS solution as MDM, MAM, & even MTD should be able to handle most threats.

Monday, October 16, 2017

InfoSec Leadership: Initiative = Enablement

Many CISOs & senior InfoSec leaders catch heat for slowing down processes or saying no to new initiatives due to risk.

However, when InfoSec leadership takes initiative, embeds SMEs into other teams (at least part time), & partners with the business, then enablement will happen as InfoSec has assisted in the design from a grassroots level.

Now shadow IT will most certainly always be around, & projects / business lines need to be agile, but collaboration is possible via proaction.

Wednesday, September 27, 2017

Equifax: Case Study in Poor Leadership

The former CISO of Equifax has been criticized for her lack of STEM academic background but, forgetting anyone's college major(s), the real issue here is the leadership deficiency blatantly running up and down Equifax's management team.

https://www.wired.com/story/equifax-breach-response/

Wired paints a grim picture of Equifax's team, and response, as the article should.  At the end of the day, no one wanted to fall on their sword, and now they all are.  Reminiscent of the movie Margin Call, executives want to survive to fight another day, but there are ways to do things in the business world and Equifax did anything but that.

Sunday, September 17, 2017

Your Third-Party Security Review Process is a Mess

Regardless of the control framework and / or process you utilize, most third-party review processes are poorly designed & inefficient.

On top of that, most orgs ask their vendors to maintain a level of security that said orgs can't follow themselves.

Amidst the Equifax breach, orgs will look to insert more vigor into their third-party review process, though few if any continuously monitor the security of their business ecosystem.

Instead of spending cycles completing matrices / spreadsheets, firms should invest in the following:

  • A vulnerability scan / penetration test (of limited scope) before any legal documents are executed.
    • A remediation plan for findings should be agreed upon too.
  • A continuous monitoring / assessment agreement to ensure governance during the course of the contractual agreement.
  • Recurring audits / spot checks on the security governance established / expected.

Tuesday, August 22, 2017

CASE STUDY: Security in Theory versus Security in Practice

Yesterday evening, as I approached my vehicle after a long (Mon)day with dry cleaning in one hand and my laptop bag in the other, I realized that my rear, driver-side tire was as flat as a pancake / crêpe. Fun times, especially since I parked on an incline!

After jacking up that side of the vehicle, and wrestling with the lug nuts, I was introduced to what I now know (thank you Google) is a security lock nut. Yes, I am mechanically challenged!

After being unable to find anything in my vehicle that resembled a tool capable of removing said physical security safeguard, I called the dealership. Well, said nut (and the ability to remove it) is like a laser key, which is customized to each particular vehicle! Thankfully, a repair shop was across the street.

Research and interviews (e.g., my Lyft driver that evening, blogs) have shown that many drivers have lost or never received the tool(s) to remove a security lock nut, and therefore multiple individuals (such as myself) now ask: why? The answer is that this nut is a physical safeguard to negate stolen tires / rims / wheels. However, flat tires happen and people lose stuff.

So, learn from my experience. Before introducing the next great physical / logical / digital safeguard, think practically and verify whether or not that control is useful in practice / the field. Be pragmatic and kick the proverbial tires!