Owner: Tevora Compliance and Security Blog
URL: blog.tevora.com
Join Date: Mon, 03 Mar 2008 17:51:05 -0600
Site Description: A blog on Information Security and Compliance
How To Market Your Compliance: ISO 2008-03-03 17:29:45
On any day of the week, at any time of the day, if you were to attempt a Google search of the term “ISO compliance,” you will probably find at least one or two press releases from companies announcing their adherence to this international security standard.
Which suggests a question – if this many companies have announced their compliance, how many more companies have also brought their business practices in line with the ISO standard, and neglected to publicize their status?
More importantly, how many companies have chosen to ignore ISO altogether?
Compliance with the ISO data security standard is voluntary – unlike PCI and PABP, there are no threats of million dollar fines or sending your CEO to Sing Sing to motivate the IT depar
Making the Case for PABP 2008-01-18 00:02:36
Companies that have already had to contend with the security regulations of Visa’s CISP, MasterCard’s SDP, American Express’ DSOP and Discover’s DISC, before they were bundled together as PCI DSS, may have witnessed widespread rolling of the eyes among managers at the unveiling of Payment Application Best Practices (PABP). Just what they need – another spoonful of alphabet soup to further complicate their lives.
Ready or not, however, implementation of PABP began as of January 1 of this year, which means IT executives and senior managers are faced with the task of selling the need to take action to their management teams.
While "It’s the law" may be compelling enough by itself to induce the necessary measures, those making the case for PABP should also focus on the
Politics will not Save Us 2007-12-03 10:29:44
Politicians have a vested interest in the security of our personal information. With compromises and data leakage on the rise, there is surely plenty to be astir over. We have even seen states begin passing (more are looking) legislation around the security of consumers. It seems like every time we turn on the news or read a newspaper it is smashed into our psyche: visions of Paul Revere riding that night and screaming, "Hide your data, the Hackers are coming! The Hackers are coming!"
Who will save us? The politicians you say?
As I wrote, politicians have a vested interest in our security (digital or otherwise). Yet, I think we need to clearly understand why that vested interest exists in the first place.
Simply put, votes.
Think about it logically for a moment; who really wa
SNORT IDS 2007-10-30 13:41:29
SNORT
Snort is an open source IDS solution owned and developed by Sourcefire. According to Wikipedia:
“Snort can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts, amongst other features. The system can also be used for intrusion prevention purposes, by dropping attacks as they are taking place."
What Rocks:
It’s free and amazingly feature rich. I challenge any of the commercial products to match it in terms of quality of signatures and versatility. Built f
A Better Mouse Trap? 2007-10-07 10:16:49
So, I’ve been thinking quite a bit about PCI and what it means. Here are a few things I’m willing to put forth as statements. Of course, I have a few unanswered questions too and I’ll put them out as well…maybe one of our faithful readers can provide some insight.
Compliance and Security
Others have well argued the difference between compliance and security. I shan’t repeat those arguments here - for the interested, see -security/- but I believe it is an important foundation to know that there is indeed a difference. One does not necessarily beget the other although there can be a degree of overlap in sincere efforts to implement them.
What is PCI?
At its core, what is PCI about?
I’ve come to believe that PCI is less about com
As Grep as it Gets? 2007-10-02 10:14:30
“How many computers do you have?”
“How many servers are in your datacenter?”
“What is the scope of our computer vulnerability assessment?”
These are frequent questions thrown out during audits, risk assessments, and penetration tests. Unfortunately, the answer is not always clear cut. Perhaps the designated authority is a fresh hire and has yet to gain the requisite knowledge to properly answer the question. Perhaps there is no asset management program. More so, perhaps the given answer (count) just does not seem accurate.
When faced with sizing for some flavor of scope of work, what might be a quick and easy way to get an accurate count?
Here’s a quick and dirty way to get some empirical answers from a Windows
Let's Get Physical Part 2 2007-09-17 14:00:53
Part 2 of a 2 part series
In the second part of this post I am going to point out a top ten list of ideas and concepts that should be used to ensure the safety and security of your environment. Remember that we aren’t just concerned with strangers or outsiders perpetrating crimes against our organization; we must also be vigilant about how we keep our own employees from turning against us. As Jeff Hayes points out in his blog, Jeff Hayes’ Security Blog – Practical Security for Growing Companies, “…Disgruntled employees, ex-employees, disassociated suppliers and partners, unhappy investors, unhappy customers, ex-spouses/soon-to-be-ex-spouses, immediate family, extended family, etc. can all pose a threat to an individual, group of individuals or the business
Let's Get Physical Part 1 2007-09-01 12:49:17
Part 1 of a 2 part series
Physical security is probably one of the most misunderstood aspects of a corporate environment. Physical security is changing just as fast as our logical security, but our attitudes about it aren’t. When people like Kevin Mitnick are able to perform social engineering attacks with such a high degree of success there are problems, but these problems can be avoided.
I am going to make this a two part series with the top five things that you can do for the outside of your building to make it more secure and safe and a top ten for the inside. These methods are relatively inexpensive but are not exhaustive.
Let’s start with the outside of the building and work our way in to look at appropriate measures that can be taken to better enhan
RADIUS VS TACACS+ 2007-08-26 01:46:08
UP UP And Away With AAA
There are a lot of good reasons for implementing a AAA (authentication, authorization, and accountability) solution in your network - not the least of which is to make the management of user accounts easier.
The idea behind a RADIUS or TACACS+ server is simple – a central authentication server that routers, switches, even servers can use to authenticate logons to. Think of the advantages that a central user directory brings for authentication, auditing and access control in a client server model, and you have your justification for Radius or TACACS+ for your network's infrastructure.
RADIUS VS TACACS+
Ok. So what to use? Well in order to make that choice you need to understand some of th
Sync Me Up Scotty! 2007-08-16 10:12:02
A former work colleague phoned me the other day and asked for some advice regarding NTP. Here's a quick overview of the problem he faced and what I have done in the past to move forward in this type of situation.
He has a heterogeneous, distributed environment that is not in Domain mode. He needs to deploy client-side NTP configurations to Windows XP and Windows NT4 workstations. Sound familiar? How can this be accomplished?
First, achieving the goal here will take two variations of the same technique: one for the XP platform and one for the NT4 clients.
For the XP clients this change would naturally be easy via GPO. However, we are in a distributed topology and not in domain mode. So, at least in my opinion, there is an easier way to get it done.
Batch script using the
The Next thing... 2007-08-15 19:53:09
Tickle Me Security
It seems to me that the security industry releases a new "tickle me elmo" every year. Suddenly it's all that anyone is talking about. Never mind that you have been in business for 40 years without one, but suddenly you are asked why you don't have one by every auditor and their mother. And of course if that's not enough, every vendor and "security specialist" will swear up and down how you can't live without it. Suddenly you feel like the kid without the Nintendo....God I hated middle school.
FUD and The Bandwagon
Childhood trauma aside, it's funny but it seems to me that all these cycles of hype work the same -
3-4 years out - Funding: VC fund several companies in the space
2-3 Years out - FUD (Fear, Uncertainty
How to Market Your Compliance 2008-04-12 23:26:01
On any day of the week, at any time of the day, if you were to attempt a Google News (or any other news databank) search of the term “ISO compliance,” you will probably find at least one or two press releases from companies announcing their adherence to this international security standard.
Which suggests a question – if this many companies have announced their compliance, how many more companies have also brought their business practices in line with the ISO standard, and neglected to publicize their status?
More importantly, how many companies have chosen to ignore ISO altogether?
Compliance with the ISO data security standard is voluntary – unlike PCI and PABP, there are no threats of million dollar fines or sending your CEO to