All businesses watch their bottom line. That’s unsurprising. Those that provide technology to consumers (whether IoT device manufacturers or your local ISP that provides your home router) are particularly careful about balancing product support with ease of use. That can lead to what the inventors no doubt believe is an ingenious method of determining passwords…
Read More
For the past 15 years, American organizations have lived in the shadow of breach disclosure. It all began in California under SB-13861 in 2002, which mandated written notification of victims of privacy breaches of unencrypted personal data. The law covers organizations located in or doing business in California. Because California is the most populous state…
Read MoreThere’s an expression in geekdom called “yak shaving” that refers to doing busywork that appears important but is actually useless. The essence is that yak shaving is easier to do than dealing with the actual problem at hand (which is often complex and hard).1 Too Much Security Awareness Training There’s only so much security training…
Read MoreThe financial trojan TrickBot has been updating its campaigns and targets since F5 malware researchers started following it in September 2016. This is expected behavior because attackers need to continually update their targets and methods to evade detection. Previously, TrickBot, the successor to Dyre, targeted financial institutions in Europe, Australia, New Zealand, and Canada. TrickBot’s May 2017…
Read MoreIt’s been another banner year for leakers. In May, Wikileaks released the CIA’s Vault7 cyberwarfare documentation,1 and the Shadow Brokers released NSA exploit information, including the Windows EternalBlue2 exploit. EternalBlue was quickly weaponized into the WannaCry ransomware that pummeled the Internet for days. The Petya/NotPetya ransomware hitting Eastern Europe is also reportedly using EternalBlue to infect machines.…
Read MoreIn Part I of this blog series, we introduced information modeling as a method to reduce compliance gaps. In this blog, we create a master model of protection based on the business model of a fictitious company called Eclipse Cloud Services (ECS). The master protection model forms the basis of contextualizing access to the infrastructure,…
Read MoreThese hackers lived where the bending and breaking of the rules was just a part of the culture. Both men were astonished at how Americans obeyed traffic rules and smoking restrictions, citing how in their country such rules are ignored. They wanted to go into business for themselves but found it difficult to do so.…
Read MoreOver the past 11 years, I’ve done hundreds of audits for organizations of all sizes around the world. I specialize in audits for SSAE 16/18 (SOC1 and SOC2),1 Sarbanes Oxley,2 and PCI DSS.3 I’ve seen a lot of audit failures, and there are some common themes to them from which other companies can learn. My work…
Read MoreAccording to a 2015 study by Georgia Tech Information Security Center, 40 percent of CISOs reported to the CIO or CTO rather than directly to upper leadership.1 A forthcoming F5 Ponemon CISO research report will show that the trend is shifting away from CISOs reporting into the IT organization. From a legacy point of view,…
Read MoreSeven minutes until his next meeting, Charles Clutterbuck, the CFO of Boring Aeroplanes, had just enough time to answer a few emails. He flopped onto his padded leather chair and tapped out his password. A dozen emails glowed unread at the top of his inbox stack. He skimmed down the list of names and subjects…
Read More