Beyond compliance: Maturity models

A lot of organizations equate security with regulatory compliance: they figure out what the law requires them to do, then do precisely that.

Forward-thinking organizations don't. They see security as a way to gain and keep a competitive advantage, and rather than measure themselves against regulations that are often nearly out of date by the time they're approved, they measure themselves against a maturity model, which compares their practices with those of similar companies in similar lines of work so they can see how they stack up.

Gene Kim on scheduled maintenance

The excellent book The Phoenix Project has a choice quote that stuck with me.

In this scenario, the Yoda-like character asks the hero to imagine a company that makes deliveries. If the trucks break down, the deliveries stop, right? So you change the oil, since not changing the oil causes trucks to break down.

“Metaphors like oil changes help people make that connection. Preventative oil changes and maintenance policies are like preventative vendor patches and change management policies. By showing how IT risks jeopardize business performance measures, you can start making better business decisions.”

Cutting through the fluff around the Target PIN breach

OK, so Target is back in the news. It's nowhere near as bad this time, but there's some posturing and some fluff in the coverage, so I'll take it upon myself to demystify it. Some of it's PR fluff and some of it's highly technical; I'll cut through both.

I'm just glad, I guess, to be talking about this stuff outside of a job interview. Like I said, this time the news isn't nearly as bad as it could be.

What I’m doing to protect myself after the Target data breach

As you've probably heard, Target had a bad month. Between 27 November and 15 December, about 40 million credit card numbers were stolen, making it one of the biggest breaches of its kind in history. As far as we know, the card number and security code were stolen, but debit-card PINs and addresses were not.

Target says it has contained the breach and is cooperating with the credit card companies and the authorities. Cringely has some analysis, but it gives people like me more to think about regarding how we do things at work than it offers consumers.

And, well, as luck would have it, I shopped a lot at Target between the days in question. And I used both my credit and debit card during that time. Here’s what I’m doing, some of which may be counter-intuitive.

The NSA’s disaster aversion by keeping BIOSes safe for the free world

This weekend, CBS ran a story about how the NSA foiled a sinister plot to brick millions of PCs and cause a financial meltdown. At least they didn’t say MELTDOWN.

My opinion is that this is a puff piece. A source managed to scare a journalist with a threat that sounded credible enough, and made something routine sound big and threatening.

A quick security improvement: Change your IP range

As you may know, lots of D-Link routers have serious vulnerabilities. Some are patched, some aren't, and many are being exploited by JavaScript on web pages. (See, routers don't make you invincible.)

The right thing to do is patch. But most exploits assume that your router lives at its factory default address, typically somewhere in 192.168.0.x or 192.168.1.x. So you can get a degree of protection, even against future vulnerabilities, by moving your LAN to a different private range.
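As an added example (not code from the original post), here is a small Python script that checks whether a router's address falls in the ranges drive-by exploits tend to hard-code, picks a random private subnet outside them, and prints the gateway, netmask and DHCP pool you would type into the router's LAN settings. The two 192.168 subnets come from the post; the extra defaults in the list and the 50/50 static/DHCP split are assumptions for illustration.

```python
import ipaddress
import random

# Subnets that drive-by router exploits commonly hard-code. The post names the
# first two; the others are assumed additions covering other vendors' defaults.
COMMON_DEFAULT_SUBNETS = [ipaddress.ip_network(s) for s in (
    "192.168.0.0/24",   # named in the post
    "192.168.1.0/24",   # named in the post
    "192.168.2.0/24",   # assumption
    "10.0.0.0/24",      # assumption
)]

# RFC 1918 private space from which a home LAN must be carved.
PRIVATE_SPACE = [ipaddress.ip_network(s) for s in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


def is_common_default(gateway: str) -> bool:
    """True if the router address is one an exploit is likely to guess."""
    addr = ipaddress.ip_address(gateway)
    return any(addr in net for net in COMMON_DEFAULT_SUBNETS)


def pick_uncommon_subnet(seed: int = 0, prefixlen: int = 24) -> ipaddress.IPv4Network:
    """Choose a random private /prefixlen that overlaps none of the common defaults.

    The seed makes the choice reproducible; pass something random for real use.
    """
    rng = random.Random(seed)
    block_size = 2 ** (32 - prefixlen)
    for _ in range(1000):
        space = rng.choice(PRIVATE_SPACE)
        # Index of one /prefixlen block inside the chosen private space.
        index = rng.randrange(2 ** (prefixlen - space.prefixlen))
        base = int(space.network_address) + index * block_size
        candidate = ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{prefixlen}")
        if not any(candidate.overlaps(d) for d in COMMON_DEFAULT_SUBNETS):
            return candidate
    raise RuntimeError("could not find a subnet clear of the common defaults")


def router_config(subnet) -> dict:
    """Gateway, netmask and DHCP pool to type into the router's LAN settings.

    Accepts a string such as "172.23.9.0/24" or an IPv4Network.
    """
    net = ipaddress.ip_network(str(subnet))
    hosts = list(net.hosts())
    # First usable address is the router; the upper half of the range goes to
    # DHCP and the lower half is left for static assignments (an assumed split).
    pool_start = hosts[len(hosts) // 2]
    return {
        "gateway": str(hosts[0]),
        "netmask": str(net.netmask),
        "dhcp_start": str(pool_start),
        "dhcp_end": str(hosts[-1]),
    }


if __name__ == "__main__":
    current = "192.168.0.1"  # constructed sample: a factory-default gateway
    print(f"{current} is a commonly targeted default: {is_common_default(current)}")
    chosen = pick_uncommon_subnet(seed=random.SystemRandom().randrange(2**32))
    print(f"Move the LAN to {chosen}:")
    for key, value in router_config(chosen).items():
        print(f"  {key:10s} {value}")
```

This is a mitigation of last resort rather than a fix: an exploit that reads the victim's gateway address (or simply tries every private /24) still finds the router, so patching remains the first step.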

Hacker chasing, circa 1987

I'm catching up on reading. Next on my reading list is The Cuckoo's Egg, Clifford Stoll's memoir of chasing down a computer hacker in the late 1980s. In it, he describes a very different world, ruled by mainframes and minicomputers: Unix was something special, IBM still made PCs but desktop PCs and Macintoshes received only occasional mention, and academia and the military owned the Internet, almost literally. And, oh, by the way, the Cold War was still raging.

The remarkable thing about this book is that it's an approachable spy thriller, written in 1989, that explains computer security to an audience that had never seen or heard of the Internet. You don't have to be a security professional to appreciate it, and it's a classic in the computer security world: many people read it in the late 1980s and early 1990s and decided to get into the field.

Why the government (and others) still deal in floppy disks

The revelation that the Federal Government still relies on floppy disks for some of its business is making it the butt of some jokes this week. And although that will serve as confirmation for some people that the government is completely backward, there are actually multiple good explanations for it.

From a security standpoint, using floppy disks isn't a bad idea at all.

The Phoenix Project: A must-read book for anyone who aspires to IT leadership

After a bad day at work last week, I went home and ordered The Phoenix Project, started reading it, and felt better. Like Office Space, but there's more to learn from it.

Phoenix is more realistic. Every problem in every shop I've ever worked in is in that shop, plus some I've (luckily) only heard about. But unlike Office Space, it has solutions beyond burning the building down.

Things to do for your relatives’ computers this Christmas

I wish I'd posted this last week, since many of us see one set of relatives at Thanksgiving and a different set at Christmas (and perhaps New Year's). Here are things you can do as preventative maintenance for relatives whose computers could use a little help.