“The telescreen received and transmitted simultaneously. Any sound… above the level of a very low whisper, would be picked up by it… There was of course no way of knowing whether you were being watched at any given moment.” – Nineteen Eighty-Four by George Orwell, published in 1949
“In Russia, TV watches you!” – comedian Yakov Smirnoff, circa 1984
Be very afraid. Again.
Siri, Apple’s digital assistant program for the iPhone, once had to be explicitly activated before it would listen and accept commands. But in iOS version 8, Siri can be set to an “always listen” mode.
iPhones, iPads, Android phones and Chromebooks can now be configured to listen for an “... read more >
Awareness is NOT Training
My father, a shade-tree mechanic, used to say that parts left over after a rebuild just made the car more efficient. Unfortunately, many people in the business world approach their information security programs with a similar mantra. When it comes to security awareness and training, there is a gap in understanding the effectiveness of a robust program. This lack of understanding usually leads to a “let’s just be compliant” approach.
A simple understanding of terminology and some simple practices can make a compliance-driven program into a holistic and effective program.
Awareness is NOT training. Simply put, the point of awareness is to focus attention on a particular issue in an effort to change behavior. In the real world, awareness is typically “one way.” Examples of awareness are posters that explain the importance of strong passwords, email blasts that draw the employee’s attention to a... read more >
Be Your Own Personal Security Expert
Security breaches seem to be all over the headlines these days. In the last year we've seen Anthem, JP Morgan Chase, eBay, Target and many more suffer security breaches that resulted in the disclosure of personal information to unknown groups and people.
What do you do in that situation? Call the breached company and complain? It's too late for that. You need to protect yourself and your information.
Step 1: Change your password(s)
I don't mean change your password from 'password' to 'Password1'. I don't mean take a random password and apply it to all of the websites you use. I mean, replace the password with a strong password on any site that used a password even remotely similar to the one you used with the breached entity. Hopefully you had a strong one in place to begin with. Entropy doesn't forgive you for not wanting to remember random strands of... read more >
What You Need to Know to Run a Successful Information Security Program
What do you really NEED to know in order to run a successful information security program? As a professional security geek, I somehow end up in conversations like this a lot.
Throughout the ages, many smart people have uttered phrases to the effect of “knowledge is power.”
But knowledge about what?
The security of your organization is a complicated beast. And, as is true with any complicated beast, the more information you have, the better.
I think Sun Tzu stated it well in The Art of War when he said, “If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
If Sun Tzu is correct, while you may have the greatest advantage if you know your enemy well, you are in the greatest peril if you do not know... read more >
Setting Up Effective Intrusion Prevention Rules
Martin Roesch needed something quick and easy to look at data packets as they were going across the wire. In 1998, he created Snort, a free and Open Source Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS). Snort changed information security and has given us visibility of real-time traffic in, out and around our networks.
In addition to network intrusion detection and prevention systems, there are next-generation firewalls, runtime analysis platforms, and web and mail content filters. With all this technology and ability to see into a network, why are we not stopping security events from happening rather than just detecting them?
I understand that balancing the confidentiality, availability and integrity triad is a delicate act, but I think it's time to... read more >
By now, most everyone has heard of the malware boogeyman known as ransomware. This is a type of malware that an end-user finds on a system after clicking a link with a malicious program or Trojan horse. Ransomware makes no secret of its presence on your machine. Similar to keystroke loggers, the focus is on you and your data.
How does ransomware work?
Ransomware restricts access to an infected computer and, as the nomenclature suggests, demands a ransom payable to the program creator in order to release control of the computer back to the... read more >
Protecting Credit Card Data and Meeting PCI DSS Requirements
Have you ever walked into a grocery store and found the milk on a shelf next to the mustard? Or, while walking the seemingly endless aisles of a supermarket, seen the ice cream next to the ice scrapers?
Unless some mischievous kids were having fun, the answer is “of course not.” There's an almost perfect order to the retail store layout, even if it is a bit overwhelming.
Does this look like segmentation?
Not only are the dairy products kept in a somewhat contained area, they are also refrigerated and protected. Do you think it's a coincidence that high-value items like jewelry and electronics are in central locations with lots of lights and minimal visual barriers?
Of course not.
This is done by design. These valuable items are prone to theft so they require an elevated level of visibility and additional protection to safeguard them. Many items are locked away and can only be accessed by... read more >