
Recent Posts

The Lowdown on Security Policies - Part Two

Posted by Steve Levinson on Sep 28, 2017 3:29:23 PM

In Part One of my blog series aimed at breaking down each section of Online’s security policy, we looked at some general best practices surrounding the development of a security policy. This included answering the question of “why develop a security policy?” and went into detail about developing the scope of content contained within. Now let’s take a look at the roles needed to implement an effective policy.

The intercom at the airport speaks the truth as it periodically repeats the mantra "Security is Everyone's Responsibility." If security is everyone's responsibility, then even the best-written security policy is nearly worthless if it doesn't include a section on roles and responsibilities.


The Case of the Unfortunately Titled Spambot "Onliner" and the Real Onliners Fighting It

Posted by Steve Levinson on Sep 1, 2017 11:56:21 AM

Earlier this week a new spambot emerged, targeting no less than 711 million email addresses. The spambot delivers malware called Ursnif into the victim's inbox; the malware is capable of stealing personal information such as login details, passwords, and credit card data.

The name of this spambot, “onliner”, is a touch disappointing, a bit ironic, and of course has no relation to us whatsoever. At Online, our team (our employees) are known as Onliners.


Topics: Security

Changes to Industry Certification Requirements for QSAs

Posted by Steve Levinson on Aug 29, 2017 4:25:01 PM

The PCI Security Standards Council sent out a communication to all Qualified Security Assessors (QSAs) this past week saying they are raising the number of industry certification requirements for QSAs from one certification to two (effective 2019). While I have been strongly in favor of almost everything the council has done to evolve the PCI standard and program, I have concerns about this change for QSAs and what it will mean for our clients.


Topics: Security

The Lowdown on Security Policies – Part One

Posted by Steve Levinson on Aug 22, 2017 4:58:12 PM

Online infuses the right amount of security into everything we do; I like to refer to this approach as our "special sauce." Security is not just important to our Risk, Security, and Privacy (RSP) practice (which lives, breathes, eats, and sleeps security), it's important to our entire company. We have built security into our development processes, our service management practice, our customer/digital experience offerings, our Internet of Things (IoT) offerings, and our cloud-based (as-a-service) offerings.


Topics: Security

Is there “Life After End-of-Lifed” systems and applications?

Posted by Steve Levinson on Jul 14, 2017 3:54:38 PM

In the course of performing hundreds of risk and PCI assessments, we occasionally come across a client who is running an obsolete version of a system, application, or device. Normally, when a system has reached "end-of-life," it is no longer supported. On the surface, this would appear to be a security risk and also a violation of PCI DSS requirement 6.1: "Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release." Organizations must determine the ideal strategy to address the risk associated with using obsolete systems and applications. Short of replacing or upgrading the offending system, there may be more creative means to offset this risk.


We all WannaCry – Here’s How to Shed Less Tears

Posted by Steve Levinson on May 15, 2017 4:53:06 PM

Someone once asked Willie Sutton why he robbed banks, to which he responded, "that's where the money is." With the increased sophistication and ease of "scalable exploitivity," ransomware is not only here to stay, it will continue to become the most pervasive threat to our systems, networks, and data. The WannaCry ransomware that hit thousands of computers last week was the perfect storm: it took advantage of a known vulnerability and combined it with human fallibility, which made it wildly successful and most likely yielded a bankload of money for the attackers.


Topics: Security

What color is your security assessment parachute?

Posted by Steve Levinson on Apr 7, 2017 12:07:02 PM

As Virtual CISO and Security Trusted Advisor to many of our clients, we are often asked, "What framework would you use to perform a security assessment?" Since this question comes up so often, we wanted to provide a primer to help you select the right security assessment framework or standard. Keep in mind that there is no "one size fits all" answer, and it is quite possible that you will need to use more than one framework to get a complete picture. The answer will also change with time as the nature of your business continues to evolve, along with the business, regulatory, and risk landscapes.


Topics: Security

Cyber Risk is no board game – you need to know when to accept, mitigate, or transfer risk to a 3rd party

Posted by Steve Levinson on Feb 9, 2017 3:57:45 PM

The risk landscape continues to evolve with each passing day. Yesterday's secure platform has become today's weakest link. Every moment, your organization faces some degree of security risk. The boardroom is ultimately responsible for having an inherent understanding of the various risks to the organization, and is therefore challenged with determining the ideal strategies to address them. Once a threat or vulnerability becomes publicly known*, the fuse is lit, and business leaders need to be prepared to make prudent decisions to protect their organizations.


Topics: Security

Delta is Ready When You Are...But Are Their Systems?

Posted by Steve Levinson on Aug 11, 2016 10:49:33 AM

By now you have likely heard about, or worse yet, been impacted by the glitch that crippled Delta Air Lines' network and reservations system on Monday and forced them to cancel about 1,000 flights worldwide. Delta has stated that a power control module malfunctioned, causing a surge that cut off power to their main computer network. Normally, the systems would switch to backup computer systems almost instantaneously; however, in this case something didn't go right. Confidentiality, Integrity, and Availability (CIA) are the foundational cornerstones of information security, and in this case, availability was on the wrong flight path. It is safe to say that this problem, which will ultimately cost the airline millions of dollars, could have been avoided through scenario planning.


Topics: Security

Shanty or Fortress? How Application Development is Like Building a House

Posted by Steve Levinson on Jul 25, 2016 3:12:12 PM

If you've ever gone through the process of building a new home, or know someone who has, you know that it's a major undertaking. It's something that you hope to live with (and in!) for a long time. And in the case of application development, you might even have millions of visitors!


Topics: Security

Our Thinking - The Online Blog is a source for insights, resources, best practices, and other useful content from our multi-disciplinary team of Onliners.
