ISO: In Search Of - cloud infrastructure compliance

There are more ISO standards for security than we can shake a stick at. Every ISO 27000 series standard is designed with a specific focus, or goal, in mind. If our goal is building an information security practice in our organization and a framework to support it, use ISO 27001. If the goal is to implement controls for that framework, we would use ISO 27002. There are many more examples, but for our purposes, we will begin with the trunk of the tree: 27001 and 27002.

How to Retool What You've Already Got Against the Next Generation of Threats

The threat landscape is evolving fast. Retooling existing network infrastructure for next-generation security requires less effort than we might think. Minimizing complexity, for example, and understanding the basics more deeply, such as Layer 2 and Layer 3 switching, centralized identity and access management, Unified Threat Management devices and network segmentation, leads us to far more secure environments that we understand better and can both monitor and continue to evolve with greater competency.

Best Practices: AWS Identity Management

Managing who has access to what is important for many reasons, not least of which are risk and compliance best practices. AWS Identity and Access Management (IAM) is the tool within Amazon Web Services (AWS) that securely controls access to resources, using a friendly interface and a logical model for how it works. IAM is the gatekeeper: it handles authentication (confirming who a user is) and also the "how" of authorization, through the policies, protocols and permission schemas that govern access to resources across AWS accounts and services.

Trust vs. Control

Since the dawn of the Internet, the typical perspective of information workers towards users has been "control over trust." From this perspective, users cannot be trusted so their devices are locked down in order to prevent them from installing unwanted software, changing settings and generally putting the enterprise at risk. On the surface, this might appear to make sense.

#PrivacyAwareDay

In anticipation of #PrivacyAwareDay, the smart people (including Jon Callas) at @SilentCircle, in collaboration with @Guardian (journalist Aleks Krotoski), made this rad documentary about privacy and security.

It is worth 30 minutes of your time. Please watch it.

Yes

Passwords are not enough. Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism, typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

Scared $**tless

Please don't wait for something to happen to make you think about it. The ones we love are like our businesses, part of what powers our livelihood. Why would we ever, even for a moment, risk leaving any of them unprotected?

"Theft"

The context of this word has changed in recent years. Identity theft is sadly becoming more common than "theft" as we once knew it.

Types of hackers explained

The word hacker comes with some pretty negative undertones. Not all hackers are created equal, though, and not all of them are inherently bad. Mainstream media has successfully demonized the word, connecting it exclusively to cyber criminals. Hackers, though, can actually be anyone with enough knowledge and skill who uses it to circumvent a device or network's security measures. Hacking itself is not illegal. It is actually necessary in order to understand and protect against would-be malicious hackers. It is illegal whenever the hacker is compromising a system without the owner's permission. Companies of all shapes and sizes, including regulated industries and government agencies, actually employ hackers to help them secure their systems.

Watering Hole Attacks

Imagine animals in the wild gathering frequently at a watering hole. They are thirsty, tired and often distracted: an opportune time for predators, like the crocodile in the image above, to strike. People do the same thing on the Internet. We gather frequently around many of the same sites, driven by social structure, geography, needs and hobbies. The name for attacks that target those shared sites reflects this behavior in our cultures, too: watering hole attacks.

Cloogy acronyms, managing information security and the fitness illusion

If we didn't add another single acronym to the technical library of jargon, there would already be enough to choke a horse. That there are conflicting ones that mean the same thing doesn't help add any clarity for the layman. Take, for example, SEIM and SIEM. One stands for Security Event and Information Management. The other stands for, conveniently, Security Information and Event Management.

How do we become PCI compliant?

This question comes up a lot. It may be one of the most common ones, especially for business leaders who have sites with ecommerce shopping carts that collect credit card information, even temporarily, for processing sales of goods and services on the Web.

Social Engineering

Social engineering is far more successful than any other type of attack at acquiring sensitive information such as logins and passwords. Counter-intuitively, this method has nothing to do with technology. It is carried out by sneakily obtaining information directly from people, most often via interactions that take place face-to-face, via email and over the phone.

ransomware?!?!?!?

I recently posted about malware and how insidious it has become. One of the types of malware we are seeing with greater frequency is ransomware, one of the more frightening experiences we have yet seen, one that has affected businesses of all shapes and sizes and private individuals, too.

The hero sets off on a journey...

So you've started a business! You've mustered a great deal of courage, taken a giant step to put yourself out there and are off to build your future. There is much to learn and some great, character-building days ahead for you and your team. Naturally, I have to ask: have you protected it from unplanned events? No one wants anything to put your new business's integrity at risk. There are many scenarios that can put revenue and reputation at risk, scenarios that are otherwise avoidable with some planning. What can you do to protect what you've built in the short term that requires little overhead?

What is "malware" and why should we care?

The world is suddenly full of new words, some of which are easy to decipher, while others maybe not so much.

One of these commonly slung around is "malware." Malware is software designed to disrupt the normal operation of our computers, tablets and other systems, by gathering sensitive information stored on them and worse: installing other pieces of software and gaining access to private computer systems that offer more valuable information and access, thereby increasing the liability and risk attached to allowing malware to proliferate. It comes in far too many forms to illustrate in great detail, so the word is used generally to refer to the vast diversity and scope of the hostile and intrusive forms it takes, including viruses, worms, spyware, adware and Trojan horses.

E-commerce best practices

Does your business operate an e-commerce website? If you haven't already addressed it, security should be your highest priority. Breaches affecting millions of customers and their private information continue to happen almost daily. Only together, by educating each other and applying best practices, can we make the Web safer for doing business.

Protect the castle using Open Source Tools

During medieval times, intrusion detection was handled by moats, drawbridges, palace guards and fortified structures. Nowadays, we have those, too, they're just - different.

Pragmatic Scoping: the key to success

The beginning of things is a very delicate time. Building a thoughtful business continuity strategy works best when we are pragmatic, scoping quick and appropriate wins that protect the business while driving its value forward. Compliance and other regulated frameworks often drive this planning for organizations, but I recommend a different approach.