Getting Security Buy-in from Everybody

Buy-in for Information Security projects / initiatives / "we should just be doing it" is a tricky thing. While support from senior leaders in the organization is key for resources (i.e. $$$$) and for using their name in vain (i.e. "this is a top priority of Mr. Big Pants" or "this ... Read More

What Should Information Security Be Responsible For?

In the Enterprise environment it seems there is always a battle around who should be responsible for what in IT. And there is always some manager or director who complains (or his or her people do it for him / her) that Information Security seems to be over-stepping its bounds. Where is ... Read More

Is the problem local admin or change?

Welcome back. "...back after {an} exclusive three year tour of Europe, Scandinavia and the sub continent" (Cab Calloway in the Blues Brothers). Ok, not really, I never left the city for more than a week at a time and that was for training. However, you may be asking yourself, where ... Read More

Threat Modeling and Security Assessments

Over the last several months, in creating a threat evaluation model / process and performing a security evaluation, I have come to several conclusions. In creating a threat model, you must create a process that is repeatable, yet has some flexibility in it to meet different situations. For example, evaluating threats ... Read More

Creating an Action Plan from a Security Review

After all the work of performing a security review of an organization, it is time to create an action plan. This plan must be something the client can use, so it must be... actionable. How do you classify the threats and vulnerabilities that need to be addressed? Do you do it ... Read More

Threat & Vulnerability Mitigation – Asset Identification

No matter what you call your program (I call mine Vulnerability Management) to manage threats and vulnerabilities as they apply to your network and processing environment, you must know what you have for assets. Assets (equipment, operating systems, virtual environments, applications, infrastructure parts and pieces) need to be identified ... Read More

How, What, and When to Patch

How an enterprise decides to manage patch administration probably varies based on who is doing it, the maturity of the Vulnerability Management program, and the business' tolerance of maintenance windows. In my opinion patching should be broken into four categories: (1) Infrastructure. This would be servers, devices, applications that are ... Read More

Vulnerability Sites – revisited

Several weeks ago I posted a list of sites and links where threat and vulnerability information can be gathered from. Since then I have again had the privilege of running a number of scenarios through my threat process model and want to update you on the applicability of the links ... Read More

Controlling Privileged Access

First, I define privileged access as anything above what the standard user would get. How do you control privileged access? Do you allow your Linux system administrators to have the root password? Do your Windows administrators have the password for a system account with admin privileges? Or maybe they have ... Read More

Data Protection at all Levels

We all know that we need to protect employee and customer data from unauthorized access. We are also aware that there are many rules around storing and transmitting healthcare and credit card data. Most of us have gone to great lengths to put security controls in place on ... Read More