Identify Risk in a Heartbeat

By now, you have most likely heard of the announcement of the Heartbleed vulnerability in versions of OpenSSL. Actually, by this time, your executives, your front-line managers and your mother-in-law have probably heard of the Heartbleed vulnerability, given that it has hit every major news source (WSJ, CNET, CNN). While this ubiquitous software is a foundation for many web applications, most people will dismiss it as “someone else’s problem”. However, many companies use OpenSSL within their own infrastructures to secure internal applications. Even if you aren’t affected by this specific vulnerability, the noise created by Heartbleed should again prompt you to think about your own vulnerability management program.

What You need to Know About Heartbleed

The world has been talking about a new security buzzword, and that buzzword is “Heartbleed”. What is Heartbleed? Heartbleed is the nickname given to the vulnerability known as CVE-2014-0160, a flaw in the TLS/DTLS heartbeat extension implementation in certain versions of OpenSSL. In plain English, this vulnerability allows an attacker to use a…
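As an added illustration of the flaw the paragraph names (example code written for this page, not code from the original post or from OpenSSL): a constructed C simulation of a heartbeat responder in two versions, one that trusts the peer-supplied payload length and one with a bounds check equivalent to the one shipped in the OpenSSL 1.0.1g fix. The simulated memory layout, the secret string that sits past the record, and the message sizes are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message layout:
 *   type(1) | payload_length(2) | payload | padding(>=16)
 * Constructed simulation of CVE-2014-0160; not OpenSSL's code. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3   /* type + 2-byte length */
#define HB_MIN_PADDING 16

/* Assumed stand-in for process memory: the received record occupies the
 * start, and data that must never leave the process sits just past it. */
#define MEM_SIZE 128
static unsigned char g_mem[MEM_SIZE];
static const char SECRET[] = "SESSION-COOKIE=abc123";   /* constructed */
#define SECRET_OFFSET 48

/* Write a heartbeat request into g_mem. `claimed` goes into the length
 * field; only `actual` payload bytes are really present.
 * Returns the true length of the record as received. */
static size_t build_request(uint16_t claimed, const unsigned char *payload, size_t actual)
{
    memset(g_mem, 0, sizeof g_mem);
    memcpy(g_mem + SECRET_OFFSET, SECRET, sizeof SECRET);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(claimed >> 8);
    g_mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(g_mem + HB_HEADER_LEN, payload, actual);
    memset(g_mem + HB_HEADER_LEN + actual, 0xAA, HB_MIN_PADDING);  /* padding */
    return HB_HEADER_LEN + actual + HB_MIN_PADDING;
}

/* Vulnerable responder: echoes as many bytes as the peer claimed, never
 * comparing that claim with rec_len. Returns payload bytes copied. */
static int vulnerable_respond(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug: never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    /* Keeps the simulation inside g_mem; it bounds the destination only and
     * does nothing about reading past the end of the received record. */
    if ((size_t)HB_HEADER_LEN + payload > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);  /* over-read */
    return payload;
}

/* Patched responder: header + claimed payload + minimum padding must fit in
 * the record actually received, otherwise the message is silently dropped
 * (the check the OpenSSL fix added). */
static int patched_respond(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len) return -1;
    if ((size_t)HB_HEADER_LEN + payload > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);
    return payload;
}

/* 1 if a 5-byte payload claiming 100 bytes makes the vulnerable responder
 * echo SECRET, 0 otherwise. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[MEM_SIZE];
    size_t rec_len = build_request(100, (const unsigned char *)"hello", 5);
    int n = vulnerable_respond(g_mem, rec_len, out, sizeof out);
    if (n != 100) return 0;
    for (size_t i = HB_HEADER_LEN; i + sizeof SECRET <= HB_HEADER_LEN + (size_t)n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET) == 0) return 1;
    return 0;
}

/* 1 if the patched responder discards that same malformed request. */
int patched_rejects_oversized(void)
{
    unsigned char out[MEM_SIZE];
    size_t rec_len = build_request(100, (const unsigned char *)"hello", 5);
    return patched_respond(g_mem, rec_len, out, sizeof out) == -1;
}

/* 1 if an honest request is still answered with exactly its own payload. */
int patched_echoes_valid(void)
{
    unsigned char out[MEM_SIZE];
    size_t rec_len = build_request(5, (const unsigned char *)"hello", 5);
    int n = patched_respond(g_mem, rec_len, out, sizeof out);
    return n == 5 && memcmp(out + HB_HEADER_LEN, "hello", 5) == 0;
}

int main(void)
{
    printf("vulnerable responder leaks secret: %d\n", vulnerable_leaks_secret());
    printf("patched responder rejects oversized: %d\n", patched_rejects_oversized());
    printf("patched responder echoes valid: %d\n", patched_echoes_valid());
    return 0;
}
```

The point to take from the two responders is that the only difference is one comparison of the attacker-controlled length field against the number of bytes that actually arrived; everything after it, including what ends up in the response, is identical.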

Stop the Bad Guys With Proactive Defense

You may be familiar with the colloquialism “shutting the barn door after the horses escape.” It basically refers to the futility of trying to stop something from happening after it has already happened—a concept that defines the traditional approach to network and computer security. Deterrence is about taking a proactive approach that prevents the event from happening in the first place.

RSA Conference 2014: Shared Intelligence Takes a Step Forward

You may have expected that the RSA Conference 2014 would involve a lot of discussion about the shared intelligence tensions between government (which has a mission to secure the Internet, but also a need to exploit it) and individuals (who want to be kept safe, but also have expectations of privacy and civil liberties), especially given recent headlines involving the NSA.

Alarm Fatigue

Can alarm fatigue be a problem for the security world? You bet. Security IS a world of beeping, flashing lights. Security teams are faced every day with the “properly working beeping devices and the improperly working beeping devices” problem.

The Inherent Conflict Between Security and Privacy

For families, companies, and even nations, there is a struggle between security and privacy. While an individual may have some expectation of privacy or right to safeguard his or her identity, ensuring security relies on monitoring and assessing all activity on a given network or endpoint in order to determine if there is anything suspicious or malicious going on. The question is whether or not we can find a workable equilibrium that provides enough security and privacy at the same time.

Passwords Are Overloaded, Not Dead

During a “Future of Authentication” panel at the 2014 RSA Conference, an all-star team of identity experts discussed current issues with passwords and whether other authentication technologies might someday replace them or become equally ubiquitous.

How to Reduce Risk Through Good ‘IT Hygiene’

Like many of you, while growing up I frequently heard the saying “Cleanliness is next to Godliness” from my mother (usually when she wanted me to clean my room). As I matured, I started to learn how messy the real world is, and I started to believe more in the corollary “Cleanliness is next to impossible”. This tends to be especially true in the context of things like identity and access management.

Social Engineering and Online Dating

I have blogged on the topic of online dating in the past, and how it’s not much different than phishing and other forms of online fraud. While it was meant to mock my personal experiences of dating in the 21st century, identity theft is no laughing matter. In the last year, I had my debit card replaced three times due to potential compromise and had to change my password on numerous accounts after several major breaches were reported that put millions of email addresses and passwords at risk.