Our Thinking: Recent Posts by Steve Levinson

Is there “Life After End-of-Lifed” systems and applications?

Posted by Steve Levinson on Jul 14, 2017 3:54:38 PM

In the course of performing hundreds of risk and PCI assessments, we occasionally come across a client who is running an obsolete version of a system, application, or device. Once a product reaches “end-of-life,” the vendor no longer supports it, which in practice means no more security patches. On the surface, this is both a security risk and a violation of PCI DSS requirement 6.1 (carried as requirement 6.2 in the 3.x versions of the standard): “Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.” Organizations must determine the right strategy for the risk that comes with running obsolete systems and applications. Short of replacing or upgrading the offending system, there may be more creative ways to offset that risk, such as the compensating controls PCI DSS allows (for example, isolating the system on its own network segment and tightly restricting what can reach it).


We all WannaCry – Here’s How to Shed Less Tears

Posted by Steve Levinson on May 15, 2017 4:53:06 PM

Someone once asked Willie Sutton why he robbed banks, to which he responded, “that’s where the money is.” With the increasing sophistication and ease of ‘scalable exploitivity,’ ransomware is not only here to stay, it is on track to become the most pervasive threat to our systems, networks, and data. The WannaCry ransomware that hit hundreds of thousands of computers last week was the perfect storm: it took a known, already-patched vulnerability (the SMBv1 flaw addressed by Microsoft’s MS17-010 update in March 2017), spread worm-style across any network where that patch was missing, and combined that with human fallibility, which made it wildly successful and most likely yielded a bankload of money for the attackers.
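The propagation pattern described above (one infected host rapidly probing many neighbours on TCP/445) is something a security operations team can spot in ordinary connection logs, independent of any signature for the malware itself. The following is an added example, not code from the original post: a small Python detector that flags any source that reaches a threshold of distinct hosts on port 445 within a sliding time window. The log format, the threshold, the window and the sample traffic are all assumptions constructed for this example.

```python
"""
Added example (not from the original post): flag a host that fans out to
many distinct peers on TCP/445 within a short window, the propagation
pattern of an SMB worm such as WannaCry. The log format, the threshold,
the window and the traffic below are assumptions constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample connection log (not real traffic), one record per
    line: '<ISO timestamp> <src> <dst> <dport>'."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # Worm-like host: 25 distinct targets on 445 inside 25 seconds.
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.1.15 10.0.1.{20 + i} 445")
    # Ordinary client: many connections, but all to the same file server.
    for i in range(40):
        ts = (base + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{ts} 10.0.1.50 10.0.1.5 445")
    # Admin workstation: a few hosts, spread over 15 minutes.
    for i in range(4):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} 10.0.1.60 10.0.1.{100 + i} 445")
    # Unrelated HTTPS traffic that must be ignored by the detector.
    lines.append(f"{base.isoformat()} 10.0.1.70 203.0.113.10 443")
    return "\n".join(lines)


def parse_line(line):
    """Split one log record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_smb_fanout(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {src: max_distinct_targets} for every source that contacted at
    least `threshold` distinct hosts on TCP/445 within any `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == 445:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, n in find_smb_fanout(build_sample_log()).items():
        print(f"ALERT {src}: {n} distinct SMB targets within 60s")
```

Only the worm-like host trips the rule; the busy file-server client and the admin workstation do not, because the rule counts distinct destinations, not connection volume. In production the same logic runs over firewall, NetFlow or Zeek connection records, and the threshold and window need tuning per network; authorized vulnerability scanners and backup servers will legitimately fan out on 445 and should be allow-listed rather than silenced by raising the threshold for everyone.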


Topics: Security

What color is your security assessment parachute?

Posted by Steve Levinson on Apr 7, 2017 12:07:02 PM

As Virtual CISO and Security Trusted Advisor to many of our clients, we are often asked “what framework would you use to perform a security assessment?” Since this question is asked so often we wanted to provide a primer to help you select the right security assessment framework or standards. Keep in mind, there is no ‘one size fits all’ answer and it is highly possible that you need to use more than just one framework in order to get a complete picture. The reality is that the answer to the question will also change with time as the nature of your business continues to evolve, along with business, regulatory, and risk landscapes.  


Topics: Security

Cyber Risk is no board game – you need to know when to accept, mitigate, or transfer risk to a 3rd party

Posted by Steve Levinson on Feb 9, 2017 3:57:45 PM

The risk landscape continues to evolve with each and every passing day. Yesterday’s secure platform has now become today’s weakest link. Every moment, your organization faces some degree of security risk. The boardroom is ultimately responsible for having an inherent understanding of the various risks to the organization, and therefore is challenged with determining the ideal strategies to address the risk. Once a threat or vulnerability becomes publicly known*, the fuse is lit; and business leaders need to be prepared to make prudent decisions to protect their organizations.


Topics: Security

Delta is Ready When You Are...But Are Their Systems?

Posted by Steve Levinson on Aug 11, 2016 10:49:33 AM

By now you have likely heard about, or worse yet, been impacted by, the outage that crippled Delta Air Lines’ network and reservation system on Monday and forced the airline to cancel about 1,000 flights worldwide. Delta has stated that a power control module malfunctioned, causing a surge that cut off power to its main computer network. Normally, the systems would fail over to backup computers almost instantaneously; in this case, something didn’t go right. Confidentiality, Integrity, and Availability (CIA) are the foundational cornerstones of information security, and in this case availability was on the wrong flight path. It is safe to say that this problem, which will ultimately cost the airline millions of dollars, could have been avoided through scenario planning and by regularly exercising the failover so that it is known to work before the day it is actually needed.


Topics: Security

Shanty or Fortress? How Application Development is Like Building a House

Posted by Steve Levinson on Jul 25, 2016 3:12:12 PM

If you’ve ever gone through the process of building a new home, or know someone who has, you know that it’s a major process. It’s something that you hope to live with (and in!) for a long time. And in the case of application development, you might even have possibly millions of visitors!


Topics: Security

PCI DSS 3.2 Standard Released – Here’s What you Need to Know

Posted by Steve Levinson on Apr 28, 2016 5:03:40 PM

The PCI Security Standards Council typically releases a major version of the PCI Data Security Standard (DSS) every three years. The 2016 release, published today as “Version 3.2,” comes with some relief: it is an incremental update to the 3.x standard rather than a major update to Version 4.0.


Topics: Security

Stop Falling for Phishing Attacks – 4 Tips

Posted by Steve Levinson on Mar 28, 2016 1:22:53 PM

Can you tell the difference between an authentic email and a phishing message? Even for security professionals who live and breathe Information Security, it has become harder and harder to decipher phishing messages from authentic emails.


Topics: Security

5 Concepts: Making PCI Compliance Less Painful

Posted by Steve Levinson on Mar 16, 2016 1:25:28 PM

While the Federal Trade Commission (FTC) is stepping in to gain a better understanding of the state of PCI DSS assessments, it’s a good time to evaluate your own assessment quality and compliance policies.


Topics: Security

Is PCI Broken? Why is the FTC Stepping in?

Posted by Steve Levinson on Mar 11, 2016 5:44:16 PM

The Payment Card Industry world felt some very interesting shockwaves this week as the Federal Trade Commission (FTC) issued a news release announcing that it would be issuing orders compelling nine QSA (PCI Qualified Security Assessor) companies to provide information to the FTC on how they conduct PCI assessments. The FTC made the order as it attempts to gain a better understanding of the state of PCI DSS assessments.


Topics: Security

Our Thinking - The Online Blog is a source for insights, resources, best practices, and other useful content from our multi-disciplinary team of Onliners.
