Security

What color is your security assessment parachute?

As Virtual CISO and Security Trusted Advisor to many of our clients, we are often asked “what framework would you use to perform a security assessment?” Since this question comes up so often, we wanted to provide a primer to help you select the right security assessment framework or standard. Keep in mind that there is no ‘one size fits all’ answer, and it is entirely possible that you will need more than one framework to get a complete picture. The answer will also change with time as the nature of your business evolves, along with the regulatory and risk landscapes around it.

By Steve Levinson on Apr 7, 2017 12:07:02 PM
Security

Cyber Risk is no board game – you need to know when to accept, mitigate, or transfer risk to a 3rd party

The risk landscape continues to evolve with each passing day. Yesterday’s secure platform has become today’s weakest link. At every moment, your organization faces some degree of security risk. The board is ultimately responsible for having a working understanding of the various risks to the organization, and is therefore challenged with determining the right strategy for each one: accept it, mitigate it, or transfer it to a third party. Once a threat or vulnerability becomes publicly known*, the fuse is lit, and business leaders need to be prepared to make prudent decisions to protect their organizations.

By Steve Levinson on Feb 9, 2017 3:57:45 PM
Security

Delta is Ready When You Are...But Are Their Systems?

By now you have likely heard about, or worse yet, been impacted by the glitch that crippled Delta Air Lines’ network and reservations system on Monday and forced the airline to cancel about 1,000 flights worldwide. Delta has stated that a power control module malfunctioned, causing a surge that cut off power to its main computer network. Normally the systems would switch to backup computers almost instantaneously, but in this case something didn’t go right. Confidentiality, Integrity, and Availability (CIA) are the foundational cornerstones of information security, and in this case availability was on the wrong flight path. It is safe to say that this problem, which will ultimately cost the airline millions of dollars, could have been avoided through scenario planning: a failover path that is never exercised under realistic conditions cannot be assumed to work when it is needed.

By Steve Levinson on Aug 11, 2016 10:49:33 AM
Security

Is PCI Broken? Why is the FTC Stepping in?

The Payment Card Industry world felt some very interesting shockwaves this week as the Federal Trade Commission (FTC) issued a news release announcing that it would be issuing orders compelling nine PCI Qualified Security Assessor (QSA) companies to provide information to the FTC on how they conduct PCI assessments. The order was issued as the FTC attempts to gain a better understanding of the state of PCI DSS assessments.

By Steve Levinson on Mar 11, 2016 5:44:16 PM
Security

SSL/TLS Migration Time - Don’t get caught SSLeeping

The PCI Data Security Standard continues to evolve to address the ever-changing threat landscape. In April 2015, the Payment Card Industry (“PCI”) Security Standards Council issued the “Migrating from SSL and Early TLS” Information Supplement, a guideline covering the deprecated SSL/TLS protocols. The document served as the basis for the changes to the PCI standard from version 3.0 to 3.1. In December 2015, the PCI Council released a blog post providing an update and further clarification. Our team has participated in dozens of discussions with our clients and peers about this change. In short, SSL (all versions) and early TLS (version 1.0) can no longer be used to protect data in transit, because these protocols are now considered cryptographically unsound. Their weaknesses allow an attacker positioned in the network path to mount man-in-the-middle and downgrade attacks that can recover plaintext from the supposedly encrypted session. The deadline to eradicate the old SSL/TLS versions is June 30, 2016, with some flexibility to extend as late as June 30, 2018 for organizations that put compensating controls in place. Note that the migration has two halves: servers must stop offering the old protocols, and clients must stop accepting them, because a client that still tolerates SSL or TLS 1.0 can be downgraded even when the server it normally talks to is fully migrated.
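Finding where SSL and early TLS are still negotiated is the first step of the migration, and the protocol version is not always where a quick parser expects it. The following is an added example, not code from the original post or from the PCI Council: it parses a raw TLS ServerHello record, reports the negotiated version (reading the TLS 1.3 supported_versions extension rather than the legacy version field, which always says TLS 1.2 in a 1.3 handshake), and grades the result against the “no SSL / no TLS 1.0” rule. The two ServerHello messages are constructed inline for the example, not captured from a real server; the hardened client context at the end shows the corresponding fix on the client side.

```python
"""Classify the TLS version negotiated in a ServerHello and check it
against the PCI 'no SSL / early TLS' rule.

Added example, not from the original post. The sample ServerHello
messages are constructed inline; only the record framing is real TLS.
"""
import ssl
import struct

VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 supported_versions extension


def parse_server_hello(data: bytes) -> dict:
    """Return record version, negotiated version and cipher suite from a raw
    TLS record holding a ServerHello. Raises ValueError on malformed input
    instead of crashing, so it can be pointed at arbitrary captures."""
    if len(data) < 5 or data[0] != 0x16:  # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + record_len]
    if len(body) != record_len or len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ServerHello")

    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(hs):
            raise ValueError("ServerHello field runs past end of message")
        chunk = hs[pos:pos + n]
        pos += n
        return chunk

    legacy_version = struct.unpack("!H", take(2))[0]
    take(32)                      # server random
    take(take(1)[0])              # legacy session id (length-prefixed)
    cipher_suite = struct.unpack("!H", take(2))[0]
    take(1)                       # compression method

    # TLS 1.3 keeps 0x0303 in legacy_version; the real version is in the
    # supported_versions extension, so a parser that stops here misreports
    # every TLS 1.3 handshake as TLS 1.2.
    negotiated = legacy_version
    if pos < len(hs):
        ext_end = pos + struct.unpack("!H", take(2))[0]
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", take(4))
            ext_data = take(ext_len)
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_len == 2:
                negotiated = struct.unpack("!H", ext_data)[0]
    return {
        "record_version": record_version,
        "negotiated_version": negotiated,
        "cipher_suite": cipher_suite,
    }


def assess(data: bytes) -> dict:
    """Grade a ServerHello against the PCI migration rule described above."""
    info = parse_server_hello(data)
    v = info["negotiated_version"]
    name = VERSION_NAMES.get(v, f"unknown (0x{v:04x})")
    if v <= 0x0301:
        verdict = "FAIL: SSL or TLS 1.0 is no longer acceptable under PCI DSS"
    elif v == 0x0302:
        verdict = "WARN: TLS 1.1 passes the 2016 rule but most policies now require 1.2+"
    else:
        verdict = "PASS"
    return {"version": name, "cipher_suite": f"0x{info['cipher_suite']:04x}", "verdict": verdict}


def build_server_hello(version: int, cipher_suite: int) -> bytes:
    """Constructed test vector (not a captured packet). For TLS 1.3 the
    message uses legacy_version 0x0303 plus supported_versions, as a real
    server would."""
    tls13 = version == 0x0304
    legacy = 0x0303 if tls13 else version
    body = struct.pack("!H", legacy) + b"\x11" * 32       # version + random
    body += b"\x00"                                        # empty session id
    body += struct.pack("!H", cipher_suite) + b"\x00"      # suite + null compression
    if tls13:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, version)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", legacy, len(handshake)) + handshake


def hardened_client_context() -> ssl.SSLContext:
    """The corrected client setting: refuse anything below TLS 1.2
    (ssl.TLSVersion requires Python 3.7+)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    samples = {
        "legacy server": build_server_hello(0x0301, 0x002F),  # TLS 1.0, AES128-SHA
        "modern server": build_server_hello(0x0304, 0x1301),  # TLS 1.3, AES128-GCM
    }
    for label, pkt in samples.items():
        print(label, assess(pkt))
```

To use this on real traffic, feed `assess()` the first handshake record the server sends back (for example the bytes a packet capture shows after the ClientHello). The TLS 1.1 warning is stricter than the page’s own rule; under the 2015 supplement TLS 1.1 was still permitted, but a migration that stops at 1.1 will need to be repeated.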

By Steve Levinson on Feb 12, 2016 12:46:59 PM
Security

Gone in 60 Seconds – Lessons Learned and Pointers from my Smash-and-Grab

It’s probably because I insulted the city of Oakland by saying in a recent Facebook post that the Oakland Coliseum was post-apocalyptic that karma came knocking at the door, or, to be more exact, came smashing through the rental car window and stole my backpack (which had my laptop in it) in the time it took me to buy a coffee at Starbucks. Since I’m pretty paranoid about these things (after all, it’s something I do for a living), I figured I’d parlay this experience into something that may help you either avoid the situation or at least minimize the impact.

By Steve Levinson on Nov 2, 2015 9:58:48 AM