In industry surveys ranging from the Symantec Threat Report to Gartner analyst reports, application security is consistently cited as the most significant area of risk for enterprises and the most prevalent threat vector for cyber crime. It certainly makes sense: why bother spending time on reconnaissance when the front door is wide open? Many organizations have begun to spend a great deal of energy and money on securing applications. Popular approaches include code review, threat modeling, source code analysis and black box … →
Defcon CTF Qualifiers
Every year the hacking community, both black hat and white hat, comes together in Las Vegas for the annual Blackhat and Defcon conferences. We discuss new attacks, show interesting research, release tools, and let loose a bit. Defcon in particular centers around a number of great competitions, the most prestigious of them being the Defcon Capture The Flag. Hacker teams from all over the world participate in the CTF qualifiers. This year 535 teams registered, 265 of which scored points. The top … →
IT Network Security – How much security is enough?
In discussions with customers over the past few weeks the question of how much security is enough for a given organization has been raised repeatedly. Contrary to the opinion of some in the industry, this really is not a mysterious issue. To understand what is enough security requires understanding an acceptable risk level for a company. Building that understanding is the heart of a risk management process. At a high level, an enterprise must understand business drivers, business requirements, regulatory … →
Social Media Information Security – Pay Attention to Social Networks
Social networks have become part of the cyber crime fabric. Recently a security researcher has provided a tool that simplifies the process of building bot armies that take their marching orders from specially created Twitter accounts. TwitterNet Builder offers script kiddies a point-type-and-click interface that forces infected PCs to take commands from a Twitter account under the control of attackers. Bot herders can then force the zombies to carry out denial-of-service attacks or silently download and install software with their … →
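The mechanism described above, a bot that fetches its orders by polling a public Twitter account on a timer, leaves a detectable footprint in outbound web traffic: the same client requests the same account timeline at nearly fixed intervals, which human browsing never does. The following is an added example of that check, not code from the original post or from the TwitterNet Builder tool. It assumes a simplified proxy log layout (timestamp, client IP, destination host, URL path) and uses constructed log lines; the account name and timeline path in them are hypothetical.

```python
"""Flag hosts that poll a Twitter account on a regular cadence (beaconing).

Added example; not from the original post or from TwitterNet Builder.
The proxy log layout below (timestamp, client IP, host, path) is an assumed,
simplified format, and the log lines are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines. 10.0.0.5 polls a hypothetical "botherder" timeline
# roughly once a minute (a timer with a little jitter); 10.0.0.7 is a person
# browsing Twitter at irregular times.
SAMPLE_LOG = """\
2010-05-20T09:00:00 10.0.0.5 twitter.com /statuses/user_timeline/botherder.xml
2010-05-20T09:00:03 10.0.0.7 twitter.com /home
2010-05-20T09:00:41 10.0.0.7 twitter.com /home
2010-05-20T09:01:02 10.0.0.5 twitter.com /statuses/user_timeline/botherder.xml
2010-05-20T09:01:59 10.0.0.5 twitter.com /statuses/user_timeline/botherder.xml
2010-05-20T09:03:01 10.0.0.5 twitter.com /statuses/user_timeline/botherder.xml
2010-05-20T09:04:00 10.0.0.5 twitter.com /statuses/user_timeline/botherder.xml
2010-05-20T09:05:02 10.0.0.5 twitter.com /statuses/user_timeline/botherder.xml
2010-05-20T09:17:12 10.0.0.7 twitter.com /home
2010-05-20T09:18:05 10.0.0.7 twitter.com /home
2010-05-20T09:46:30 10.0.0.7 twitter.com /home
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, host, path) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        records.append((datetime.fromisoformat(ts), client, host, path))
    return records


def find_beacons(records, min_hits=5, max_jitter=0.2):
    """Return {(client, host, path): mean_gap_seconds} for regular pollers.

    A (client, host, path) triple is flagged when it has at least min_hits
    requests and the spread of its inter-request gaps (population std dev
    divided by the mean gap) is below max_jitter, i.e. the requests are evenly
    spaced the way a timer-driven bot's are rather than a person's.
    """
    by_key = defaultdict(list)
    for ts, client, host, path in records:
        by_key[(client, host, path)].append(ts)

    beacons = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[key] = avg
    return beacons


def detect(text, **kwargs):
    """Convenience wrapper: parse a log text and return the flagged beacons."""
    return find_beacons(parse_log(text), **kwargs)


if __name__ == "__main__":
    for (client, host, path), gap in detect(SAMPLE_LOG).items():
        print(f"{client} polls {host}{path} every ~{gap:.0f}s")
```

The thresholds are starting points, not tuned values: a real bot may randomize its polling interval, so in practice you would also look at the long-run request count per account and at accounts that no other client on the network ever reads.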
Cloud Security – New Worries or the Same Old Stuff?
Cloud service based deployments have become commonplace in industry segments ranging from financial services to healthcare. I have discussed in earlier posts how the cloud services model will come to dominate important areas such as healthcare information exchanges. The economic model is highly attractive across a broad range of business problems. Several years ago, as the business models and technical foundations for cloud computing were taking shape, I helped form the Cloud Security Alliance. One area of frequent debate was … →
Economics, HIEs, and Information Security
Do economics, HIEs and information security seem like a strange set of words to find together? I’ve been spending a lot of time recently talking with folks at healthcare providers and healthcare IT vendors, and they have found the relationships among these words fascinating. What I have encountered is a quite different set of viewpoints that form an interesting contrast with the stories related to ARRA funding, state HIE initiatives and breach notification penalties that have been filling the mainstream … →