File Sharing or Privacy Breaching Service? Beware!

In a perfect world the idea of ubiquitously sharing and using data files from anywhere around the globe is a great idea. Some might even invent an esoteric term for it like Cloud Computing. File hosting services definitely provide...

05/19/2011

Data Loss Prevention: Less Flip this Week

Last week I discussed Data Loss Prevention as a solution in search of a problem. This week I’ll reduce the level of flip and review more detail deliverables of DLP solutions and some DLP vendors. Data leakage prevention technology...

04/13/2011

Data Loss Prevention: Solution in Search of a Problem?

Data loss prevention technology sounds like a no-brainer from the get-go. DLP technology tells us when confidential data is in danger of compromise or when users’ behaviour may lead to the threat of compromise. Pro-active DLP products...

04/06/2011

Debriefing: NERC CIP 011

A few weeks ago I wrote about the anticipated positive aspects of NERC CIP 011. I received comments and questions about timing of approval and implementation, as well as a request to briefly clarify the intent of the current...

03/31/2011

Phase II: Why have I not yet implemented File Integrity Management (FIM)?

Last blog I ran out of time and space. This blog covers how FIM works and where to search for vendors that provide related tools. Here’s how File Integrity Monitoring works. The files of interest are scanned initially to create a...

03/22/2011

Why have I not yet implemented File Integrity Management (FIM)?

If you have not yet deployed FIM perhaps now is a good time to ask “why not”. If your organization is now addressing data loss prevention (DLP) by minimizing the risk of damage by malicious code and by enforcing strict access controls...

03/16/2011

Do you know about Heavyweight NERC CIP 011-1?

Electrical utilities are already challenged with the process of becoming certified for compliance with the NERC CIP standard for IT security. The NERC CIP standard is evolving, thank goodness. Perhaps you haven’t noticed the innocuous...

03/07/2011

Land mines, application audits: Is your audit scope correct?

Doing an application audit is like looking for land mines. If you want to find all the land mines, you have to search every single square inch of real estate you want to ensure is mine-free. Otherwise, what’s the point of looking for...

03/01/2011

Intrusion Detection: Why do I need IDS, IPS, or HIDS?

Intrusion detection technology presents a confusing array of acronyms, abstract concepts, and hazy deliverables. This exacerbates the difficult situation for executives who are asked to pay for these security goodies. In a nutshell...

02/23/2011

What’s the threat? Smart Grid or Dazed Defenders

The Government Accountability Office recently warned that the quick uptake of smart grid infrastructure is likely to result in more cyber attacks. I think what they actually mean is lots of destruction and damage as the result of new...

02/15/2011

Click jacking for Pain and Profit

Click jacking is headline grabbing again as Google released the latest version of its Android mobile operating system on Dec 6. Google has added security features that (they say) will harden Android to click jacking attacks. Click...

12/08/2010

What’s your Pain Threshold for Mobile Phone Identity Theft?

The FBI's Internet Crime Complaint Center (IC3) recently published a warning about Smishing and Vishing. These mobile phone threats are variations of phishing, but smishing uses SMS texts to initiate the scam, while vishing uses...

11/30/2010

Can you Sell these NERC CIP Mitigation Steps to Executive Management?

Last week I described real life SCADA vulnerabilities. My intent was to assist IT security people to dialogue with their executive management about security budgets. This week I will continue by identifying mitigation steps for the...

11/09/2010

Do You Know about these Real-Life NERC CIP SCADA Vulnerabilities?

Most security operations people I’ve spoken with at electrical utilities have a good handle on the security vulnerabilities within their own SCADA environments. Their problem is convincing their management to sufficiently fund...

11/02/2010

Who Needs 2 Factor Authentication?

Who needs two factor authentication? Probably you. It is not news that the privacy, confidentiality, integrity, and availability of corporate and institutional data is at risk to cyber attack. Reducing the risk of unauthorized access...

10/26/2010

Why is NERC CIP Scope Insufficient?

Last week I asked if electrical utilities’ IT security is de facto guaranteed by compliance with the NERC CIP standard. With no disrespect whatsoever intended towards NERC or their CIP standard, I continue my well intended...

10/19/2010

You’ve passed NERC CIP Self Certification but is the GRID secure?

Electrical utilities regularly undergo the NERC CIP self certification (NERC CIP is an IT security standard for real time SCADA monitoring and management technology) but that does not mean they are safe. Why? 1. Because their self...

10/14/2010

Can you choose the right Pen Test?

Pen tests may seem like a security test panacea. However they have been known to go terribly wrong and become vastly expensive. Here’s what you need to know to make sure you get the results you want at the price you expect. Pen...

08/16/2010

Do you Need the Ultimate Countermeasure?

Every company I speak with uses some form of IT security monitoring. Some security operations groups use multiple monitoring tools, some free, some licensed. Others outsource IT security operations (translation: outsource...

07/26/2010

Are you Using or Abusing Digital Certificates?

Digital certificates were originally designed to help authenticate, provide non repudiation, and to sometimes ensure integrity and confidentiality for written communication. They of course became the rage for securing Internet based...

06/28/2010