skip to Main Content
Talk to a Security Expert Now: (800) 721-9177

IT Security Blog

Independent research and articles on IT security, healthcare security, and hacking techniques.

Contact Us

More Cyber Criminal Activity

This morning the Washington Post once again reported a widespread and ongoing set of attacks sponsored by a cybercriminal organization based in Eastern Europe. Amit Yoran of Netwitness was quoted as saying, "The traditional security approaches of intrusion-detection systems and…

Read More

Dealing with cyber crime

CSO magazine recently released the 2010 Cyber Security Watch survey of over 500 respondents from both the public and private sector. In reading through the answers I was not surprised to find several results that set off a cause for…

Read More

A Tale of Two Citi(bank)s

It was the best of security, it was the worst of security. This story is not about Citibank, nor London or Paris for that matter, but two anonymous regional financial institutions that characterize an interesting aspect of security. Their IT…

Read More

The Gear Myth: does more gear = more security?

AKA: Are you building a house of cards?

The gear myth is the mythical view that investing in more technology will inevitably make an enterprise network more secure. While there is a tremendous amount of new gear available to help make networks more secure, our perspegear-myth1ctive is that more gear, in fact,  may not only fail to achieve your security goals, but it may even add risk.

First let me visually explain the gear myth, then I’ll discuss why layering additional technology into a network can be counterproductive.

Initial state: we have some security risk, lets address it by deploying some new technology.

The image at left is a graph that shows how someone, say an IT manager, might view their level of security for a specific component of their IT environment. The scale shows that the level of security is very low.  Based on this assessment the IT department deploys some new technology.

The new gear is installed: everything is fine, no risk…. right?

After deploying some new gear, which in many cases is limited to buying expensive technology and lobbing it into the data center, the perceived level of security is much higher.

Read More

Vendor Management: are your vendors secure?

If you ask the 50 banks that recently had customer data exposed when their accounting firm lost a number of their audit laptops to theft, the answer is no. Incredibly, the accounting firm’s lost laptops apparently did not utilize data encryption even though they contained sensitive customer information. This left the banks in the un-welcomed position of having to notify customers of a data breach.

Anecdotally, our experience doing security audits across many industries indicates that much (maybe even most) of the risk of sensitive data loss in an enterprise is associated with their vendor’s lack of adequate security controls.

Ironically, when a company outsources a service they are also outsourcing much of the security risk. For example,

Read More
Back To Top