BlueHat is Microsoft’s internal security conference, similar to our own SecCon. This year the conference was held Oct. 14-15 and consisted of two full days of great content in a lecture theater setting. As part of Microsoft’s community outreach and Secure Development Lifecycle (SDL) collaboration, I was invited to travel to Redmond for a few days to attend. The theme this year was Security Odyssey; if you have seen the movie 2001, you will appreciate that there were references to HAL everywhere. The BlueHat v10 talks were a mix of internal and external sessions, with no NDAs.
Though I spent much of my time in the speaker lounge, here are a few talks I had a chance to hear (with a little bit of Space Odyssey humor).
When you access your email each day, do you do so from a distance of 15 paces because you’re just not sure what might jump out of that inbox? Do you anticipate an email describing how yet another user has caused a “blip” that will stretch your ability to protect both the user during their online activity and the assets of the company? Or perhaps an email asking to set up a meeting of all concerned to discuss how the employees in the sales department believe your information security policies are standing between them and their ability to do their jobs? Whose responsibility is it to keep the user engaged, informed, and compliant with company policy? Odds are, information technology leads will find their constituents asking how to accomplish something that wasn’t anticipated when the policies were created.
In a previous blog, “When Your Employee Doesn’t Want to Come to the Office,” I shared my thoughts on the mobility aspects of the employee who wishes to work remotely. Today Cisco released part two of the Cisco Connected World Report, and it confirmed my hypothesis above: email inboxes are overflowing and IT departments are racing to catch up as the consumerization of the workplace continues. Reading part two of the report, I was encouraged to see that more than 80 percent of IT department respondents noted that they had an IT policy. What I found disheartening were the results from end users: roughly 24 percent of respondents didn’t know a policy existed, let alone where to find it. If users don’t know a policy exists, the escalation of policy collisions described above isn’t going to occur; the conflict simply goes unseen.
Tags: Cisco, Cisco Security, Connected World Report, Consumerization, IT Policy, security, Security Thought Leadership, social media, Social Network, Technology News
SecCon is Cisco’s internal security conference aimed at raising security awareness within the company’s development community. On Oct 4th – 7th we completed the third Cisco SecCon and it was a big success. At this year’s conference we had well over a thousand attendees, with representatives from almost every job function. Thank you to all the participants and speakers!
Tags: CSDL, security
The last two years seem to have been dominated by PDF vulnerabilities. As far as the specification and its various readers are concerned, there is likely more sour fruit yet to be uncovered; the format is simply too complex and too full of dangerous “features.” But a few blogs have recently hinted that a new vector is emerging with surprising popularity. Brian Krebs suggests that exploit crimeware packages have begun reporting significant success rates with Java exploits, and data collected by the Microsoft Malware Protection Center (MMPC) seems to agree. After looking at what Cisco ScanSafe had to share on the topic, it seems clear that the threat landscape is shifting under our noses.
Tags: java, ScanSafe, security
PCI DSS, the Payment Card Industry Data Security Standard, is a set of standards that, more than many regulatory and compliance efforts, has real-world relevance. PCI compliance can earn merchants tiered interchange rates and protection from fraud losses, while a lack of compliance can result in fines of thousands or tens of thousands of dollars per month. Unlike some compliance efforts with relatively small penalties that are unlikely to be applied, PCI compliance has significant financial implications with a high probability of impact.
PCI DSS 2.0 is being released today. Earlier, we took a look ahead at some issues around PCI in a piece that you can read here.
So, now that we are on the cusp of a new set of standards, what’s new?
Tags: pci, pci-dss, security, standards