Recent Breach Highlights Differences in IDaaS Approaches

As I talk to customers who are looking into leveraging cloud Identity services and are thinking about issues around how and where user data is stored and processed, I sometimes come across a customer who throws up their hands and says something like “the identity data is already in the cloud anyway – at the service…

Information Assets: Knowledge is Power

Sir Francis Bacon is attributed with the quote, “Knowledge is Power”. There have been many variations on this phrase but I want to add one more twist around information assets. I presented at a conference last week where the session was dedicated to discussing the risks and remedies of ransomware, which are the practices and technologies used by…

The Perils of Consumer Single Sign-On

From social media to gaming sites, every headline of a new breach makes me groan, “Time to change my password.” It’s a begrudging task, but I still have not been pwned. Aside from the risks associated with the common problem of password recycling among consumers, there are far too many online websites that enable consumers…

How do you create a Zero Day vulnerability every day?

The answer is easy: don’t correctly manage the people you let into your business! I have been working in Identity and Access Management for over 10 years, both as the leader of the Identity Services team at JP Morgan Chase and as an Identity Management Architect at RSA. I’ve had countless discussions with customers about…

Context in Risk-Based Threat Patterns

Risks come from various sources that are not always possible to identify and subsequently prevent and mitigate in advance. With the growth in cloud, social, mobile and “bring your own device” computing, the size of the attack surface is greater than ever. Many attack scenarios are possible mainly due to the complexity of the network’s topology and…

Major Events and Hacktivism #OpOlympicHacking

Introduction: As anyone who tracks attacks on the internet can tell you, activists using hacking activity, aka “hacktivists”, have discovered that a relatively basic hacking approach, with buy-in from disenfranchised groups of people, can have significant effects on online businesses. With names like #OpISIS, #OpParis, #OpMonsanto, #OpWhales, #OpKillingBay, #OpKKK, and #OpTrump, you can easily see…

Playing Pokemon Go? Read this.

Hands up those who would leave their front door unlocked and all their personal information like passports, identity cards, bank details, their children’s details and even passwords out for cybercriminals to exploit? Not many of you? Well, you will be surprised, because that’s exactly what Pokemon Go players are doing. If you sign up…

Tales from the BlackHat NOC: Learning from the right people

The week I spent in the BlackHat NOC was great exposure to both new and evolving technology and new people. As a member of the RSA team in the BlackHat NOC, I tried to approach my time there by learning as much as I could about not only the data on the network, but how our products function…

Tales from the Black Hat NOC: The Stages of Security Adolescence (Part 2)

In Part 1 of “Tales of the Black Hat NOC: The Stages of Security Adolescence,” I discussed the maturation process of the Black Hat NOC, and security strategies in general. In the blog post below, you can see the adjustments we made and additional steps we took towards optimizing our NOC at Black Hat. …

Your Step-Up Authentication Compass… NIST & SMS – Finding North

An estuary is the area where a river meets the sea (or ocean), where fresh water from the river meets salt water from the sea. The fresh draft of the NIST Digital Authentication Guidance (NIST SP800-63B) has been let loose into the salt waters of the public and certainly provoked some conversation of late around…