Archive for 'Controls' Category
Bill Burr admits security advice actually created more vulnerable passwords. An article review. If you’ve ever angrily questioned some seemingly arbitrary rule when creating a new password, there is some vindication for you: the former government official whose password security suggestions became the basis for many organizations’ own standards now says he regrets writing the […]
For the sake of user comfort, new draft document calls for an end to mandatory password changes, and other requirements. An article review. Long-time readers may remember Dan’s Password Manifesto, originally published in the Hoosier Banker Magazine in 2008, where he spoke out against the “conventional wisdom” requiring frequent password changes, advocating instead other mitigating factors […]
When it comes to paying a ransomware demand, there’s no one-size-fits-all policy…
Questions from vendor management to mitigating controls covered in the new document. An article review. The FFIEC released a document earlier this month covering some of the most frequently asked questions surrounding the Cybersecurity Assessment Tool (CAT), and it’s certainly worth taking a look at as many of their answers are eye-opening! Many have wondered […]
“Mal-Configured Secure E-Mail . . .” A new risk arises as Secure Messaging Enters the Late-Majority Adoption Phase! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . So we’re auditing a bank and they send us files using their shiny new “Secure E-Mail System” and guess […]
An article review. Taking a turn at the breach steering wheel. In May 2014, CareFirst BlueCross BlueShield learned that one of their information systems had been infected with malware, so they got rid of it. Or so they thought. The malware was never fully eradicated, leading to a substantial hacking incident a few weeks later. […]
Dan’s reminding us that the manifesto, Sometimes Say Never, has the word “sometimes” in it.
An article review. Beware of buzzwords. Our friend and associate Joe Cychosz sent us this article a few days ago, and we thought it was worth sharing. This brief article highlights an alarming trend within the InfoSec world, where security vendors are hyping and spinning their offerings to the point of untruth! Now this may […]
But “test” is an action verb! and your approach could “Turn Awareness Inward.” Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . “With all we have going on, our auditors are not letting us abandon the Awareness Training Thing. They aren’t treating it as a “one-off.” We […]
Should we see Information Security as a normal technology adoption and, if so, do we want to be laggards if we’re in an unregulated industry?