Guy Wright’s piece titled Internet Security: We were worried about the wrong things is a bit old, but it makes an important point. Security is a moving target. It’s always a moving target. I disagree, however, with the assertion that SSL (and its successor, TLS) was a waste of time.
Every year around this time, Verizon releases its Data Breach Investigations Report, referred to in the trade as simply the “DBIR.” Verizon is one of two companies you call if you’ve been breached and you really want to get to the bottom of what happened and try to keep it from happening again. (Mandiant is […]
This week, Google published a vulnerability in Windows 8.1 after a 90-day countdown timer automatically expired. Microsoft has not yet released a patch. Controversy ensued. Obviously, yes, an unpatched, well-known vulnerability in Windows is troubling. But the alternative is worse.
So the other day I got blindsided with a question at work: What are we doing about Winshock? Winshock, I asked? I had to go look it up, and I found that’s the name given to what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows. Based on that, […]
New details emerged on the Home Depot attack that left 56 million consumers with compromised credit cards. The interesting thing in the new details is that it could have been much worse, but maybe not for reasons that are immediately obvious.
My tips for using Sysinternals’ Du.exe were well received last week, and my former coworker Charlie mentioned a GUI tool called Windirstat that I had completely forgotten about. For the command-line averse, it’s an incredibly useful tool. But there’s one thing that Du.exe does that makes the CLI worthwhile. It will output to CSV files for […]
IT jobs are getting scarce again, and I believe it. I don’t have a cure but I have a suggestion: Specialize. Specifically, specialize in security. Why? Turnover. Turnover in my department is rampant, because other companies offer my coworkers more money, a promotion, or something tangible to come work for them. I asked our CISO […]
Some revolutionary advice surfaced this past week: stop patching everything. I understand the argument that people need to stop letting the difficulty of patching everything paralyze them and cause them to do nothing, as I’ve seen some organizations do, and I agree that some patches are more critical than others. But as someone who once had to […]
I had a couple of discussions this week about compliance, and the traps of plain old check-the-box compliance, and how to get started in it when regulatory compliance suddenly gets sprung on you. The key is working backwards. Start with the very reason regulatory compliance exists.
Windows XP users, and those running something older than IE9 on newer versions of Windows, need to apply this fix immediately.