Monday, February 29, 2016

EU/US Privacy Shield

Privacy Shield Specifics (Starting at Combined PDF Page 21):
-Accountability for Onward Transfer
-Integrity & Purpose Limitation

Big Data for InfoSec & Privacy

Most orgs now have multiple tools and processes to identify findings and to-dos regarding their risks.

However, these tools are often silo'd when compared to the org's policies, controls, and best practices.

With the introduction of RESTful APIs and JSON, the era of the master dashboard is upon us.

Looks for these artifacts to leverage GRC, ECM, EDM, SAST, DAST, vulnerability management, third-party management, and configuration management data moving forward.

Thursday, February 25, 2016

NY State & Upcoming Fin Svcs Cyber Reqs

CISO, AppSec, Vendor Mgmt, CSIRT, & more happiness.......

Wednesday, February 24, 2016

Pen Testing Tool of the Week: Bluto

Tuesday, February 23, 2016

AppSec, WAFs & ESAPI

While a client waits to deploy CDN, WAF, & DDoS services to their edge, we have suggested using OWASP's ESAPI as a stopgap.

She is old and imperfect, yet ESAPI still has a use.

Friday, February 19, 2016

Ransomware & Bitcoin Payoffs

PLEASE stop doing this...invest in a solid DR strategy w/ frequent backups instead....

Debian Linux & ClamAV

Though it is not a silver bullet, ClamAV & Ubuntu go hand-in-hand.

With malware and other nastiness affecting Linux now, it is time to bulk up your Linux security baseline with ClamAV.

NoSQL Overview

Thursday, February 18, 2016

Cloud & Mobile Sockets

Wednesday, February 17, 2016

Linux Malware, Vulnerabilities & Need for Bastion Hosts

Lately with Fysbis (1), glibc (2), and other Linux issues, we have been advocating more now than ever for organizations to use bastion hosts.

Bastion hosts are easier to patch than production servers, and they allow a Linux shop to insulate known Linux hosts / guests from the outside world.

Linux is on the map with malware, so leverage ClamAV, etc. as well as a defense-in-depth security architecture.



Tuesday, February 16, 2016

Contact Center Privacy Compliance

When involving potential PHI and CHD, contact center employees must be trained up on an organization's privacy practices.

To get there, a company must have their act together by naming a Privacy Officer who can launch an effective program with the proper procedures, etc.

Monday, February 15, 2016

Consolidating Data Stores (File Shares, EDM / ECM, Cloud Storage)

2016 seems to be the year of information governance for nControl as more and more organizations (law firms, hospitals, insurance companies, banks, CROs) look to consolidate their data stores.

It is as simple as picking a street from a strategic perspective.  Though harder to execute.

Most organizations want to enable their employees from a workflow perspective, so many go down the using solely cloud storage route.  That is fine as long as safeguards are in place (access controls, SSO, cryptography, retention schedules).

Regardless of whether cloud storage is used or not, it always seems redundant to use both file shares and EDM / ECM (SharePoint, Documentum) systems.  That is why it should be on the road-map of IT management to figure this out in 2016.

Friday, February 12, 2016

Security Appliances & Vulnerabilities

Will these ever end?

No, as threat modeling evolves, and as IT consumers continue to use legacy IT assets, hackers will find a way to exploit them.

It all comes down to dollars.  Vendors want to work on new offerings, while consumers will use legacy systems until it makes financial sense to move on.

Friday, February 5, 2016

Key Mgmt: Build vs Buy

Most orgs these days leverage cryptography for data protections.  However, key management can be a logistical and administrative headache.

Hence, the use of key management systems (KMS) and services.  With that said, orgs need to determine whether they want to build or buy said KMS solutions.

For small shops, a SKM (or SKIMP as I call it) solution may work.  This solution is akin to the LAMP stack for small KMS deployments.

Larger, multinational shops may opt to go w a cloud solutions like AWS's KMS, Azure's Key Vault, or SafeNet's services.

Ultimately, the decision to build vs buy rests on the complexity, budget, and skill-set of an orgs IT shop.  Rest assured, there are options for all types.

Wednesday, February 3, 2016

Non-Western Breaches

Not all breaches happen in the West, and not all breaches (anywhere) are reported.


Tuesday, February 2, 2016

The Real Problem with Mobile App Security

It seems that many organizations outsource mobile application development.  Therefore, it is extremely important to ensure that security is a requirement enumerated in the contract (SLA, MSA, etc.) with said vendor.

Specifically, organizations should provide security requirements (logging, access controls, cryptography, IAM / IdM), perform threat modeling during design, perform static and dynamic analysis testing, as well as execute misuse cases during testing all with said vendor.

Malware in becoming more and more prevalent, especially on devices.  So, organizations beware.

Monday, February 1, 2016

Build vs Buy Decisions w IT Security

In danger of oversimplifying, this post will discuss the potential for building versus buying security solutions.

Some vendors who shall remain anonymous come in awfully high for security solutions.  Due to this, some smaller shops will want to go with building SIEM, GRC, or WAF solutions.  With that said, SMBs must realize that these tools require TLC to remain secure.

Note that an organization may be able to report compliance with PCI, etc. though they may not be able to keep secure.