I read a good article a few weeks ago, by Tom Mendoza of NetApp called 6 Powerful Ways to Embrace Change. It’s worth the short read. It got me thinking about how the Information Security industry is really in the business of change management. Change management seems to be a business term for “doing everything you can to avoid embracing change”. I’m going to take Tom’s 6 ways and rewrite them from an information security perspective. 1) Don’t look back: Unfortunately, in the information security industry, not looking back is a sure key to failure. If you don’t continue to address the risks presented by your legacy system which no longer gets security patches, or pay attention to information that was long[…]

I saw this article come across my news feed today, and I thought to myself “what a great idea for an article!” The title is The Petraeus Affair: Human Nature Beats IT Security Every Time. I was thinking the article was going to be how General Petraeus and Paula Broadwell out-foxed the IT security measures in place at their various organizations to engage in (what they thought was) clandestine electronic communication. I figured the CIA would block access to GMail for security reasons, and yet these individuals were so determined to communicate they would have found a way. After all, most security controls can only defend against those willing to play by the rules. Reading the article disappointed me because it[…]

We are working with a security policy that treats two kinds of password as having equivalent strength: an 8-character password with two character sets represented (pick two of upper/lower/number/symbol), and a 6-character password with three character sets represented (pick three of upper/lower/number/symbol). The question arises, how equivalent (or not) are they? Well, it’s time to do some math. Total Possible Passwords: One way to measure password strength is the total number of passwords that one might be able to generate that meet the criteria. More would be better. There are 26 uppercase, 26 lowercase, 10 digit, and 33 ASCII-printable symbols available on the average keyboard (totaling 95 options). If we simply asked how many possible 6-character passwords there are, you can multiply 95 for[…]

An attack on the South Carolina Department of Revenue exposed 3.6 million social security numbers, and about 387,000 credit and debit card numbers of South Carolina residents. Data breaches like this are so common, they are barely newsworthy… and we certainly try not to cover every single data breach event on this blog. However, today’s followup to the story is what made it interesting. Governor Nikki Haley went on the record in a press conference trying to defend their lack of good practices. I’ve embedded the video below and hopefully it will start at the good part, 12:43 into the video: This is a really good example of sending the wrong kind of message. I understand her desire to defend[…]

You might have heard that LinkedIn had its password database breached, and news of it is trickling out today. There are a number of write-ups about it in most of the usual places, and Martin McKeay has a post with links to some of the better ones. The reason I’m writing about this is not to alert you, or that I’m annoyed I have to change another password. Two things really bother me about this. The first is the eerie similarity between this event and the Gawker password breach I wrote about almost exactly eighteen months ago. Both of these events made news because they were leaks of unsalted password hashes. And, although I didn’t write it in my blog post that day, two[…]

This morning, I heard a commercial on the radio which left me with a bad taste in my mouth. I don’t want to quote the exact commercial, but you’ve heard the type. I’ve created a semi-fictional ad based on the one I heard below: <alarm sound>How do you stop cyber threats <second, more urgent alarm sound in addition> when they’re constantly evolving? <third, even more urgent alarm> Our organization stops threats by <alarms cease, replaced by typing sounds> integrating solutions, building partnerships with business, academia, and government, as well as preparing the cyber professionals of the future. OK, so what have we learned from this 30-second radio clip? Not much. It seems that in order to stay ahead of evolving threats,[…]