Have you had your Security Wellness Check?…

/0 Comments/in , , , , , , , , , , , /by

So you think your organization is secure . . . think again! IBM X-Force 2013 mid-year report says that many of the breaches recently reported were a result of “poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.” Covering the basics is exactly what we help companies achieve through our “SecurePath” 16 domain rapid security assessment. In one week we can review your security posture, cover all your bases and help you prioritize the big security gaps in your environment.

Ingestible Computers

/0 Comments/in , , , /by

Today I had the opportunity to be a guest on over a dozen Fox News Radio affiliates around the county to discuss the topic of the “password pill.”

These tiny, ingestible “smart pills” may be making their way to a pharmacy near you as early as next year.  These traveling sensors are in the form of pills which are swallowed and then powered on by stomach acid.  They transmit low frequency signals to a wearable patch and then a smart phone app.  The pill passes through the body in about 24 hours and can then be recycled!  Eeww!  Several companies are making these in various forms including a consumer version that would send information to your cell phone.

The technology is already FDA approved.  In fact, astronauts have been using these for years to help monitor vital health indicators.  We can expect the technology to be main stream for consumers by next year.

For medical applications, this would enable sending real-time data about health conditions and effectiveness of medications directly to your doctor.

For password or authentication applications, the “password pill” can act as a form of strong authentication where YOU become a form of a password.  This provides stronger security than something you know or something you have (and can be stolen or misplaced). Read more

Got Bot?

/0 Comments/in , , /by

The world of malware (literally bad software) has some interesting terminology. Botnets and Zombie networks sound like they should be different, but they are basically the same thing. The imagery of masses of robots (ala I Robot) or hordes of Zombies from Night of the Living dead is surprisingly a relatively accurate description. Botnets or Zombie Nets are collections of computers that have been infected with a specific class of malware that is managed by an external ‘Controller’. Ok, Zombie hordes are not easy to manage, but the robot masses are. I’ll use the term botnets to refer to both.

Botnets can be used for many different illegal purposes such as distributed denial of service (DDoS) attacks, mass spam mailings, illegal data collection and more. Like the domestic robots in the movie I Robot, malware bots establish themselves unobtrusively in your network through the same types of mechanisms as a virus, worm, Trojan or other malware. In fact, Trojans, malware that masquerades as legitimate software, are often used to distribute ‘Bot’ malware. That ‘swimware calendar’ program you downloaded may look nice, but underneath there may be some malware silently doing bad things to your computer. Read more

Strengthening the Authentication of Your Users

/0 Comments/in , , , , , /by

They say a chain is only as strong as its weakest link.  In the world of IT systems, you don’t want that weak link to be user authentication.  Once a hacker gains access to a system as a valid (potentially high level) user, the amount of damage they can do is unlimited.  There are different ways to validate a user’s identity and they have different levels of security.  Using the three little pigs as an analogy, let’s take a look at the options:

1)      The straw house – This is what we call single factor authentication.  This just involves something you know or have.  An example for physical security is a badge that is tapped on a door reader to gain access.  If someone gets hold of the badge, that’s all they need to walk into the building.  Another in the IT world is the familiar user ID and password.  It’s what a majority of users use to gain access to their computer’s OS and applications. This has the potential to be fairly secure, but often times isn’t due to poor password choice.  Users frequently pick passwords that are easy for them to remember which means they are easy for hackers to crack. Once they know the password they have total access to the system/application.  Read more

The Importance of Hiring an Experienced, Qualified Security Assessor for Your PCI-Compliance Audit

/0 Comments/in , , , , , /by

With the stiff penalties associated with failure to meet standards set by the PCI Security Council, ensuring that your company remains compliant and avoids security breaches requires regular PCI compliance audits. Hiring qualified security assessors can help you avoid a number of potential pitfalls associated with audits. Opting to hire the most experienced candidates offers a number of benefits, including:

  • Getting it Done Right
    In 2004, CardSystems Solutions was hacked, resulting in 263,000 stolen credit cards and roughly 40 million compromised. This breach occurred despite their security auditor giving them a clean audit just three months prior. Hiring experienced PCI compliance auditors to perform your audits lessens the likelihood of potentially costly mistakes.
  • Continued Security
    Experienced PCI compliance auditors not only understand current standards, but they understand the areas in which the current standards fall short. This allows you to proactively anticipate security risks and protect your customers’ data. Understanding the current problems, as well as the next generation of threats, allows you to remain in compliance and prevent costly security breaches. Read more

Leveraging Centralized Log Management in a PCI DSS Environment

/1 Comment/in , , , , , /by

Enterprise environments generate vast amounts of log data on their own before even being required to meet PCI DSS section 10 logging requirements. When taking into account the volume of logs from the large variety of sources across a network it is important to find an effective and efficient manner to address this data. IT departments could easily dedicate one full time employee to this task alone when logs are decentralized across the organization and need to be reviewed, at times, on a daily basis. Admins also face the daunting task of having a working knowledge of the vast array of system interfaces used to access and review this data where it is stored by default. Obviously this configuration is highly inefficient as well as impractical. The only logical solution to meet the PCI DSS required logging volume as well as the review requirements is a centralized log management system. PathMaker Group offers such a solution, built on a SaaS platform, that can provide the necessary functionality, usability, and reporting that PCI DSS requires. Read more