Heidelberg, Hörsaal in der Universität

The Lowdown on PCI DSS and Two-Factor Authentication

With the big security breaches from last year on our minds and with little new information available, there’s still plenty to puzzle over. One aspect of the Target breach that left security observers scratching their heads was the ease with which the hackers were able to gain access to the internal network by just swiping…

Continue Reading

What's the difference between hacking and phishing

What’s the Difference between Hacking and Phishing?

Because I’ve boldly assigned myself the task to explain hacking and phishing, I feel compelled to define both terms concisely because, as Einstein’s been quoted countless times, “If you can’t explain it simply, you don’t understand it well enough.” Simply put, in my opinion: Hacking is using exploits to gain access to something you do…

Continue Reading

Peace is our profession

The NSA’s Other Security Factor: Two-Factor Authorization

We’ve already written about how Snowden took advantage of holes in the NSA’s porous security controls.  Sure, he gamed the system by either faking someone else’s credentials or by using his admin account to adjust existing user profiles. This allowed him access to documents requiring a higher security-level clearance than he’d been given. But one…

Continue Reading

What You May Have Missed

What You May Have Missed

1. Can a CEO lose his job over a data breach?  Earlier this month, the board of directors at Target replaced its chief executive after a massive data breach that ultimately hurt the company’s bottom line. For a legal analysis of why the board had no choice, read this piece on the importance of having…

Continue Reading

Digital StillCamera

Ultimate Security Wisdom From Verizon’s DBIR: Limit, Control, and Monitor

For those in IT too busy to read the 60-page Data Breach Investigations Report, Verizon provides the shorter executive summary. And to summarize the summary, they’ve come up with seven tips based on their analysis of over 60,000 security incidents. If I had to condense this list into a simple one sentence security mantra it…

Continue Reading

Privacy-Practices-2

Meanwhile Back at the EU: Google Runs into Fundamental Privacy Rights

There’s been a long standing dispute between the EU regulators and Google over whether it could be forced to remove links from its web search results.  Today, the European Court of Justice issued a final ruling against Google. While this is being billed as a “right to be forgotten” victory, actually these words don’t appear…

Continue Reading

What You May Have Missed

What You May Have Missed

1. In the unregulated world of social media, the FTC has become the de facto enforcer of privacy. Snapchat is the photo sharing service that promised customers their photos and videos would automatically self-destruct. On Thursday, they admitted to the FTC that photos don’t actually disappear forever. As part of the FTC settlement, Snapchat agreed to be monitored by an independent auditor for the next 20 years.

Continue Reading

How to Best Apply SANS Critical Security Controls to Unstructured Human-Generated Data

The SANS Top 20 Critical Security Controls (CSC) have become a widely accepted strategy for protecting organizations against the most common security risks. They take a practical view of security that’s based on protecting against real-world threats—“offense informs defense”. Developed and maintained by an international group of organizations, government agencies, and security experts, the controls…

Continue Reading

tc-disrupt-2014

Privacy Becomes a Focus at TechCrunch Disrupt NY

When launching software in the get-it-out-the-door world of consumer apps, companies often give security and privacy a lower priority. Understandable, of course. It’s not that this isn’t considered, but it’s hard for many embryonic startups (and even some larger players) to implement privacy-by-design concepts when also having to deal with everything else. With that in…

Continue Reading