Owner: Tevora Compliance and Security Blog
URL: blog.tevora.com
Join Date: Mon, 03 Mar 2008 17:51:05 -0600
Site Description: A blog on Information Security and Compliance
How To Market Your Compliance: ISO 2008-03-03 17:29:45
On any day of the week, at any time of the day, if you were to attempt a Google search of the term “ISO compliance,” you will probably find at least one or two press releases from companies announcing their adherence to this international security standard.
Which suggests a question – if this many companies have announced their compliance, how many more companies have also brought their business practices in line with the ISO standard, and neglected to publicize their status?
More importantly, how many companies have chosen to ignore ISO altogether?
Compliance with the ISO data security standard is voluntary – unlike PCI and PABP, there are no threats of million dollar fines or sending your CEO to Sing Sing to motivate the IT depar
Making the Case for PABP 2008-01-18 00:02:36
Companies that have already had to contend with the security regulations of Visa’s CISP, MasterCard’s SDP, American Express’ DSOP and Discover’s DISC, before they were bundled together as PCI DSS, may have witnessed widespread rolling of the eyes among managers at the unveiling of Payment Application Best Practices (PABP). Just what they need – another spoonful of alphabet soup to further complicate their lives.
Ready or not, however, implementation of PABP began as of January 1 of this year, which means IT executives and senior managers are faced with the task of selling the need to take action to their management teams.
While "It’s the law" may be compelling enough by itself to induce the necessary measures, those making the case for PABP should also focus on the
Politics will not Save Us 2007-12-03 10:29:44
Politicians have a vested interest in the security of our personal information. With compromises and data leakage on the rise, there is surely plenty to be astir over. We have even seen states begin passing (more are looking) legislation around the security of consumers. It seems like every time we turn on the news or read a newspaper it is smashed into our psyche: visions of Paul Revere riding that night and screaming, "Hide your data, the Hackers are coming! The Hackers are coming!"
Who will save us? The politicians you say?
As I wrote, politicians have a vested interest in our security (digital or otherwise). Yet, I think we need to clearly understand why that vested interest exists in the first place.
Simply put, votes.
Think about it logically for a moment; who really wa
A Better Mouse Trap? 2007-10-07 10:16:49
So, I’ve been thinking quite a bit about PCI and what it means. Here are a few things I’m willing to put forth as statements. Of course, I have a few unanswered questions too and I’ll put them out as well…maybe one of our faithful readers can provide some insight.
Compliance and Security
Others have well argued the difference between compliance and security. I shan’t repeat those arguments here – for the interested, see -security/- but I believe it is an important foundation to know that there is indeed a difference. One does not necessarily beget the other although there can be a degree of overlap in sincere efforts to implement them.
What is PCI?
At its core, what is PCI about?
I’ve come to believe that PCI is less about com
As Grep as it Gets? 2007-10-02 10:14:30
“How many computers do you have?”
“How many servers are in your datacenter?”
“What is the scope of our computer vulnerability assessment?”
These are frequent questions thrown out during audits, risk assessments, and penetration tests. Unfortunately, the answer is not always clear cut. Perhaps the designated authority is a fresh hire and has yet to gain the requisite knowledge to properly answer the question. Perhaps there is no asset management program. More so, perhaps the given answer (count) just does not seem accurate.
When faced with sizing for some flavor of scope of work, what might be a quick and easy way to get an accurate count?
Here’s a quick and dirty way to get some empirical answers from a Windows
Let's Get Physical Part 2 2007-09-17 14:00:53
Part 2 of a 2 part series
In the second part of this post I am going to point out a top ten list of ideas and concepts that should be used to ensure the safety and security of your environment. Remember that we aren’t just concerned with strangers or outsiders perpetrating crimes against our organization; we must also be vigilant about how we keep our own employees from turning against us. As Jeff Hayes points out in his blog, Jeff Hayes’ Security Blog – Practical Security for Growing Companies, “…Disgruntled employees, ex-employees, disassociated suppliers and partners, unhappy investors, unhappy customers, ex-spouses/soon-to-be-ex-spouses, immediate family, extended family, etc. can all pose a threat to an individual, group of individuals or the business
Let's Get Physical Part 1 2007-09-01 12:49:17
Part 1 of a 2 part series
Physical security is probably one of the most misunderstood aspects of a corporate environment. Physical security is changing just as fast as our logical security, but our attitudes about it aren’t. When people like Kevin Mitnick are able to perform social engineering attacks with such a high degree of success, there are problems, but these problems can be avoided.
I am going to make this a two part series with the top five things that you can do for the outside of your building to make it more secure and safe and a top ten for the inside. These methods are relatively inexpensive but are not exhaustive.
Let’s start with the outside of the building and work our way in to look at appropriate measures that can be taken to better enhan
RADIUS VS TACACS+ 2007-08-26 01:46:08
UP UP And Away With AAA
There are a lot of good reasons for implementing a AAA (authentication, authorization, and accountability) solution in your network - not the least of which is to make the management of user accounts easier.
The idea behind a RADIUS or TACACS+ server is simple – a central authentication server that routers, switches, even servers can use to authenticate logons to. Think of the advantages that a central user directory brings for authentication, auditing and access control in a client server model, and you have your justification for RADIUS or TACACS+ for your network's infrastructure.
RADIUS VS TACACS+
Ok. So what to use? Well in order to make that choice you need to understand some of th
Sync Me Up Scotty! 2007-08-16 10:12:02
A former work colleague phoned me the other day and asked for some advice regarding NTP. Here's a quick overview of the problem he faced and what I have done in the past to move forward in this type of situation.
He has a heterogeneous, distributed environment that is not in Domain mode. He needs to deploy client-side NTP configurations to Windows XP and Windows NT4 workstations. Sound familiar? How can this be accomplished?
First, achieving the goal here will take two variations of the same technique: one for the XP platform and one for the NT4 clients.
For the XP clients this change would naturally be easy via GPO. However, we are in a distributed topology and not in domain mode. So, at least in my opinion, there is an easier way to get it done.
Batch script using the
The Next thing... 2007-08-15 19:53:09
Tickle Me Security
It seems to me that the security industry releases a new "tickle me elmo" every year. Suddenly it's all that anyone is talking about. Never mind that you have been in business for 40 years without one, but suddenly you are asked why you don't have one by every auditor and their mother. And of course if that's not enough, every vendor and "security specialist" will swear up and down how you can't live without it. Suddenly you feel like the kid without the Nintendo....God I hated middle school.
FUD and The Bandwagon
Childhood trauma aside, it's funny but it seems to me that all these cycles of hype work the same -
3-4 years out - Funding: VCs fund several companies in the space
2-3 years out - FUD (Fear, Uncertainty
How to Market Your Compliance 2008-04-12 23:26:01
On any day of the week, at any time of the day, if you were to attempt a Google News (or any other news databank) search of the term “ISO compliance,” you will probably find at least one or two press releases from companies announcing their adherence to this international security standard.
Which suggests a question – if this many companies have announced their compliance, how many more companies have also brought their business practices in line with the ISO standard, and neglected to publicize their status?
More importantly, how many companies have chosen to ignore ISO altogether?
Compliance with the ISO data security standard is voluntary – unlike PCI and PABP, there are no threats of million dollar fines or sending your CEO to
Trick or Treat: What lurks beneath a Public Access Point? 2008-10-17 15:22:01
They are everywhere from Airports to Starbucks; at every corner, users have access to complimentary free internet. But have you ever wondered what lurks beneath those innocent hotspots? Companies spend thousands on security every year, for
International Business and Laptop Security 2008-10-16 21:50:36
On more than one occasion individuals entering the United States have been stopped and the content of their laptops or other electronic devices has been inspected. Not only inspected, but on multiple occasions had their laptops confiscated. Their files, email, and pictures searched for any contraband. While this may shock some or enrage your sense of civil liber
Building a Security Tool Chest – Part 1 – The Foundation 2008-10-10 09:50:18
With the seemingly endless number of security products, utilities and information sites available today, the thought of putting together a set of tools to perform routine security tasks might seem daunting. It can be, but it doesn’t have to be. Over the next few entries I am going to walk through how someone would put together a security tool chest that can be used for almost
How to Secure your DNS Server 2008-11-07 17:36:14
While conducting most of our penetration tests, we often find a very common DNS vulnerability. In order for us to understand this vulnerability, we first need to know what a DNS server is. DNS servers are responsible for name resolution, converting host names to IP addresses. It is true that a company’s DNS server contains records of a variety of objects such as hosts, server and
Building a Security Tool Chest - Part 2 - Recon Tools 2008-11-03 00:27:50
The previous article gave us a base point to begin building our tool chest with two Live CDs that provide a wide array of security tools. This article is going to cover the first phase of an assessment: information gathering and reconnaissance. I have put together a list of the top 10 most useful utilities and websites I use on a daily basis for security related assessments.
10 steps to harden Windows Server 2008 2008-12-02 13:45:36
Ever since its debut, Microsoft Windows Server 2008 has awed security and systems administrators with its complex and innovative features. With threats becoming more imminent and efficient each day, security and systems administrators face the tedious task of protecting Microsoft’s new giant. In this article we compiled some of the industri
Security Event Log Forwarding on Windows 2008 servers 2008-12-01 17:26:28
The use of a centralized log server has often been highlighted in many of today’s security best practices. The constant need to collect, retain and protect these sensitive security event log files sometimes overwhelms security and systems administrators, especially in large corporate environments. When properly configured, security event