Category: Risk Management

Why Some Merchants Should Not Worry About PCI Part II

Yesterday, I wrote a post saying that the lady who cuts my hair needs to comply with 100% of the PCI standard. This was based on my experience in PCI in corporate environments, some of which do not actually store

Posted in Dialogue, Risk Management, Standards

Why Some Merchants Should Not Worry About PCI

When I had my hair cut today, I got to thinking about what level of responsibility this small business should have to protect my credit card data. This is not some big chain. It’s one lady with a couple of

Posted in Dialogue, Risk Management, Standards

Breaking Down the Advanced Persistent Threat

Sometime when I wasn’t paying attention, a bunch of marketing folks must have gotten together to come up with a new, catchy acronym. I imagine the meeting must have gone something like this: Joe: We’re not selling enough of our

Posted in Computer Crime, Incident Response, Intrusion Detection, Risk Management

The Security Diplomat

I have a dirty little secret. It doesn’t have anything to do with the NSA, a leaked memo or pink leotards. But it’s a secret just as earth-shattering, just as awe-inspiring and just as potentially devastating as any other well-hidden

Posted in Dialogue, Risk Management, Secure Administration, Secure Design

Logging in the Cloud: A Primer for Success

It was inevitable. Cloud services are popping up everywhere and it was only a matter of time before log-based services started to appear. But does that mean the cloud is the right place for your logs? What are the key

Posted in Log Analysis, Log Management, Risk Management, Secure Design, Standards

The Cost of Security

When I went searching for a better interest rate for my emergency fund, I ran across a bank that offered over 5%, with relatively few restrictions. I thought this might be a good bank to work with. So I set

Posted in Dialogue, Personal Liberty, Privacy, Risk Management

2WoO Day 3: Abusing OSSEC–the Countermeasures

Yesterday, I blogged about how we could beat OSSEC up, or, to put it more accurately, the people and protocols behind it. Today, we’re going to discuss how we can fight back against the bullies. For this post to make

Posted in Computer Crime, Ethics, Intrusion Detection, Log Analysis, Log Management, Risk Management

2WoO Day 2: Abusing OSSEC

No discussion about the effectiveness of a security monitoring tool would be complete without exploring ways to defeat that tool. While this may seem self-defeating, it is my belief that an honest perspective about strengths and weaknesses of the tools

Posted in Computer Crime, Ethics, Intrusion Detection, Log Analysis, Log Management, Risk Management

On Acceptance of Risk

There are four or five responses to risk, depending on who you ask. They are: mitigate, accept, transfer, reduce, and sometimes, ignore. Ignoring a risk is just a lame way of burying your head in the sand and pretending it

Posted in Dialogue, Log Analysis, Risk Management