Archive for the 'Risk Management' Category

What Helps You with PCI?

Yesterday, at RSA, much press attention was paid to a metric that 41% of all organizations tested needed temporary compensating controls to meet even the minimum security provided by PCI DSS compliance. This led us to this discussion. If so many organizations need temporary controls to do the minimum, then what controls, in your experience, [...]

Egress Filtering 101

Egress filtering is one of the most often underestimated defenses today. We continue to see organizations that have not yet deployed strong egress filtering, which is one of the most effective controls in defending against and detecting bot-nets. Without it, outbound connections are usually a mystery to the security team and identification and interception of [...]

Table Top Testing Your Incident Response Process

Here is a slide deck for a presentation I gave today about a cheap, easy and effective way to test your incident response process. It is a lot like a corporate game of Dungeons and Dragons (IT Manager needs food badly!), except that you get to actually see what your team knows and needs training [...]

Thoughts on Increasing Security in the Smart Grid

There has been a lot of attention lately on the “smart grid” and the coming evolution of the US (and global) power grid into a more robust, information and data-centric environment. Much press has been generated around the security and insecurity of these changes. Currently, NIST and various other concerned parties are hard at work [...]

Microsoft IIS 6.0 WebDav Vulnerability – Urgent

We recently received a report of a vulnerability we thought everyone should be aware of. The vulnerability is in the Microsoft IIS 6.0 implementation of the WebDAV protocol. According to Wikipedia, “Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and [...]

Flu: Facts and Advice

The 2009 version of the Swine Flu has already hit the U.S., and it looks like it could be a bad outbreak. There have already been more than 300 deaths among the 1,600 reported cases in Mexico, and cases of the Flu will undoubtedly turn up in more U.S. States over the next several days. [...]

Change the Way You Use (and Pay For) Penetration Testing

For a couple of years now, we have been offering our managed service and menu-based service clients flat rate options for all kinds of penetration testing, assessments and application security. By far, though, the best received and most popular service is our focal point penetration testing service. Let me share with you a situation I [...]

MSI is Currently Seeking Resellers for Services and HoneyPoint

We are currently seeking resellers for our HoneyPoint line of products and our professional services. We are open to discussing this with any firms interested in creating a virtual security practice and helping us present our HoneyPoint products to their markets. We have a strong interest in working with partners in South America, Europe and [...]

The Economics of Insecurity

Wanna be bad at information security? Can you afford it? Various sources, metrics and industry studies put a variety of numbers to data loss, but the general range is around $200-$250 per compromised customer/client/credit card, etc. How many pieces of identity data does your company protect? How many clients do you have? How many employees [...]

Major Breach at Heartland Payment Systems

You’ve heard this story before. A major credit card company has experienced a massive breach. Tons and tons of data was stolen during the incident. They think they have it under control and are working with law enforcement. You should check your statements. Blah, blah, blah… Once again, though, in this case, the company was [...]