Why Our Firm Loves The Columbus Cyber Security Community

Yesterday, I was doing an interview with one of my mentees. The questions she asked brought up some interesting points about MSI, our history and Columbus. I thought I would share 3 of the questions with the SoS readers:

How Did The Firm End Up In The Columbus Cyber Security Community?

Brent Huston:

“You have to remember that when I founded MicroSolved, back in 1992, there wasn’t a strong commercial Internet yet. Most of the electronic commerce efforts and digital business was done via dial-up or dedicated networks. I came to Columbus in 1988 to go to school and eventually ended up at DeVry. I was working at Sterling Software and doing a lot of experimentation with technology. Somehow, I got completely interested in security, hacking, phreaking and online crime. I took that passion and began to explore building it into a business. There were a few of us starting consulting companies back then, and Columbus was certainly an interesting place to be in the early 90s. Eventually, Steve Romig, from The Ohio State University, started putting groups together – meeting at different parks and restaurants. That was the first place I really identified as the beginning of a security community in the city.”

What’s Special About The Columbus Cyber Security Community?

Brent Huston:

“I’ve traveled a lot, and in fact, built a lot of the business of MicroSolved outside of central Ohio. That was primarily because I wanted to have a global business and I always preferred having depth of expertise in a given vertical over having width across multiple focus areas. That said though, the thing to me that is so special about the Columbus Cyber Security Community is the open and friendly nature of the firms involved. Even from the start of the community that I trace back to those days in the Park of Roses, we all treated each other with respect. We competed, to be sure, but I can count on one hand the number of times over the last nearly 30 years when I felt like any members of the community weren’t playing with dignity and respect – and I’d still have fingers left over! You just don’t find that sense of fair play, respect and focus on the clients and community instead of the rush for dollars in many other places. For example, I have several friends in other cities who often tell me about how their competitors are nasty, or how they have a tendency to back stab each other – and that has NEVER been a part of the culture of our community here. To me, the commitment to respect and the way we all focus on making the world a better place for everyone in Columbus, the state of Ohio and beyond is the single thing I love most about this community.”

After 26 Years Of Leading A Columbus Cyber Security Firm, What’s Next For You?

Brent Huston:

“Thanks for asking. I get this question a lot. But, the truth of the matter is this – I love MicroSolved. I love our team and I love being a member of the cyber security community in Columbus. I really get excited every day to hear how the team at MSI have helped clients. I love getting to talk to folks in banking, credit unions, technology, health care, manufacturing and all of the other verticals where the team has a presence. So, for that part, I’m still dedicated to making sure that MSI continues our commitment to each of them – to help make their businesses and clients more secure. With any luck, I still have several years in me – and I intend to spend them with a focus on MSI. I’m not going anywhere. MSI and I hope to be here for another 25 years and we hope to keep earning and appreciating the trust of our clients each and every day!”

Financial Services & BEC – Tales from the field…

Recently, Brent – our CEO – put together a Business Email Compromise checklist. The checklist:

  • Enumerates attack vectors
  • Briefly reviews impacts
  • Lists control suggestions mapped back to the NIST framework model

But, what does that mean for you? Our team put together an educational series based on the checklist, to help security programs at all levels. The next thing we’d like to share are a few war stories – tales from the field in various industries. These are drawn from our security and incident response work in these industries, and call out specific attack vectors and points to consider for these entities.

Continue reading

BEC #6 – Recovery

A few weeks ago, we published the Business Email Compromise (BEC) Checklist. The question arose – what if you’re new to security, or your security program isn’t very mature?

Since the checklist is based on the NIST model, there’s a lot of information here to help your security program mature, as well as to help you mature as a security practitioner. MSI’s engineers have discussed a few ways to leverage the checklist as a growth mechanism.

Part 1 and Part 2 covered the first checkpoint in the list – Discover. Part 3 covered the next checkpoint – Protect. Part 4 continued the series – Detect. Part 5 addressed how to Respond.

Continue reading

Micro Podcast – Business E-mail Compromise – “Identify”

In this episode of the MSI podcast, we begin our series on the business email compromise checklist. While BEC is a significant issue and a common form of compromise leading to fraud, there are several things you can do to combat this form of attack. The first step is to “Identify” the threat at hand.

https://s3.amazonaws.com/MSIMedia/MSIMicro_004_Identify.mp3

If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.

About the Ohio Data Protection Act

The Ohio Data Protection Act differs from others in the country in that it offers the “carrot” without threat of the “stick.” Although companies are rewarded for implementing a cyber-security program that meets any of a variety of security standards, having a non-compliant program carries no penalty under this act.

The theory is that Ohio companies will be more willing to put resources into their information security programs proactively if a tangible return on their investment is available, much like investing in insurance to hedge risk. Alternatively, if there is no threat of penalty for non-compliance, why wouldn’t a business simply adopt a wait-and-see attitude? After all, most companies do not have big data breaches, and developing and documenting a compliant information security program is expensive.

Continue reading

Incident Response: Practice a Must!

Whether you are trying to comply with HIPAA/HITECH, NAIC Model Laws, SOX, PCI DSS, ISO or the NIST Cybersecurity Framework, you must address incident response and management. In the time I have been involved in risk management, I have seen an ever-growing emphasis being placed on these functions.

I think that one of the reasons for this is that most of us have come to the realization that there is no such thing as perfect information security. Not only are data breaches and other security incidents inevitable, we are seeing more and more of them occurring each year, a trend I don’t expect to change anytime soon. In addition, people are becoming increasingly concerned with their privacy and protecting their proprietary information. In response, regulators are becoming tougher on the subject too.

Continue reading

Get your magnifying glass – time to detect! BEC Series #4

A few weeks ago, we published the Business Email Compromise (BEC) Checklist. The question arose – what if you’re new to security, or your security program isn’t very mature?

Since the checklist is based on the NIST model, there’s a lot of information here to help your security program mature, as well as to help you mature as a security practitioner. MSI’s engineers have discussed a few ways to leverage the checklist as a growth mechanism.

Part 1 and Part 2 covered the first checkpoint in the list – Discover. Part 3 covered the next checkpoint – Protect. Now we’re going to move on to the next point – Detect.

Continue reading

Complex Does Not Equal Strong

Another year, and again, another annual report (this one from SplashData) shows that the easy, bad passwords have remained relatively unchanged.

As a domain network administrator, you may not be terribly concerned. You think you have a robust password policy as well as an account lockout policy to prevent brute force attacks. Your users cannot use any of the simple passwords on that list, so simply guessing a password is not going to let an attacker into your network. Think again.

Most corporate domain password policies require complex passwords with a minimum password length. Many implement a minimum length of 7 to 10 characters, and under most password complexity rules, passwords must contain characters from 3 of 4 categories: uppercase, lowercase, numerals and special characters. Often, the password is also restricted from containing the account name.

Continue reading

The mathematician as extortionist: ransomware “smart” contracts

Source: https://en.wikipedia.org/wiki/Brazen_head

A few weeks ago I wrote about the “proof of work” concept inherent in the implementation of the blockchain used to support bitcoin. I have continued down the blockchain path and have been exploring another child of the blockchain revolution: Ethereum.

Continue reading