Three things to remember from Verizon’s Data Breach Investigations Report

Every year around this time, Verizon releases its Data Breach Investigations Report, referred to in the trade as simply the “DBIR.” Verizon is one of two companies you call if you’ve been breached and you really want to get to the bottom of what happened and try to keep it from happening again. (Mandiant is the other.)

My CISO hates this year’s edition because of its Joy Division-inspired cover and some of the cutesy writing. But it still makes some valid points that I wish everyone would take to heart–and those points remind me why so many people in my field of work listen to Joy Division.


Keeping your NAS off Google

I read in a couple of places the last few days about search engines picking up data stored on poorly configured consumer routers acting as a NAS. This isn’t a case of being evil; rather it’s a case of people accidentally posting stuff in public where search engines will find it. Finding difficult-to-find data is what search engines do for a living, so I don’t fault any of the search engine companies for this. Keeping your NAS off Google is probably something you want. Here’s how to do it.

The solution is to know what you’re doing when you need to access your data both at home and on the road. I apologize for the snark, but there are consumer-friendly ways to do it, like using a cloud provider.


The new firewall

Monthly patches and upgrades don’t always go well, but getting them done is increasingly critical, especially for applications like Flash, Reader, and the major web browsers. This week I called it “the new firewall.”

Twenty years ago, home users almost never bothered with firewalls. My first employer didn’t bother with them either. That changed in the late 1990s, when worms exploiting weaknesses in Microsoft software devastated the nascent Internet. Firewalls soon became commonplace, along with some unfortunate hyperbole that led some people to believe firewalls make you invisible and invincible, a myth that persists in some circles even today.

For this reason I’m a bit hesitant to declare anything a new firewall, but firewalls are necessary. So is protecting key software.

The problem with open source, especially security

Security-minded open source software has taken a beating in the last year, as numerous projects have had holes exposed or, in the case of Truecrypt, have been audited heavily. This fanned the flames of the old debate about whether open or closed source software is more secure.

This past week I heard a plausible theory about the state of open source security: It’s all about the money.


How to make it harder for a scammer to file your taxes for you

Tax fraud is one of the big payoffs from data breaches. But there’s a simple thing you can do to make it harder for a scammer to file your taxes if your employer or health insurance provider gets breached and your social security number is one of the ones that gets stolen.

Change your social networking profile.


Data breaches don’t cost anything–so here’s why they matter

What seems like a million years ago, when Sony Pictures got breached, some pundits were predicting that it was the end of the company. I always thought that was hyperbole, but I have to admit I never went to the extreme of saying breaches are nearly harmless, which seems to be the current popular thinking.

Indeed, a financial analyst went on the Down the Security Rabbit Hole podcast and said breaches are an investment opportunity. Just buy the dip.


In defense of Anthem declining the OIG audit

Anthem recently refused to allow the Office of Personnel Management’s Office of Inspector General (OIG) to perform an audit of its networks. Coming on the heels of a large breach, there’s been a bit of an uproar about it.

There are a few things to keep in mind, the first being that this isn’t driven by law enforcement–it’s a customer requesting an audit.


Hillary, hackers, threats, and national security

I got a point-blank question in the comments earlier this week: Did Hillary Clinton’s home-made mail server put national secrets at risk of being hacked by our enemies?

Depending on the enemies, maybe marginally. But not enough that any security professional that I know of is worried about it. Here’s why.


Don’t e-mail a list of all your passwords and bank account numbers to yourself from work

So my buddy, we’ll call him Bob, runs Data Loss Prevention (DLP) for a big company. DLP is software that limits what you can do with sensitive information, in order to block it from going out of the company. The NSA wasn’t using DLP back when Ed Snowden was working for them; they probably are now.

Sometimes DLP blocks people from sending their own personal information. Doing so is their right–it’s their information–but from a security point of view, I’m really glad DLP kept them from e-mailing their entire life around in plaintext.


Books every infosec professional needs to read

Firewall maker Palo Alto Networks is sponsoring the Cyber-Security Canon, a sort of Hall of Fame of timeless, classic information security books.

I have to say I haven’t read every book on the list, by a long shot, but the books I have read that made the cut were very good indeed. So I think I would be willing to recommend anything on this list without looking any further. Indeed, I probably need to buy a few of the books that I haven’t read and get reading myself.