Certificates, Public Key Infrastructures, and SSL/TLS
Last summer I needed a slide deck for a little "lunch & learn" on how to manage TLS server certificates in infrastructure components, and why. To me, being able to manage certificates in a resilient and secure manner implies that you need to be familiar with the underlying crypto basics. Certificate trust, chains, and signing …

(Open)PGP – An Appetizer
OWASP Austin threw a Crypto Party this week. We had five presentations on different topics, including VPNs, TOR, disk encryption, and secure voice calls. I had the task of explaining PGP to folks in 10 minutes, and decided it would be more useful to explain the concepts rather than giving a demo. (I have run …

Multi-Factor Authentication at LASCON 2014
I gave a talk at LASCON 2014 the other day titled "Multi-Factor Authentication -- Weeding out the Snake Oil". Rather than providing a catalog of selection criteria, this turned into a review of scenarios where throwing additional authentication factors at a problem might or might not make sense. Combined with examples of different solutions currently …

EMV ― How Does the Crypto Work in Chip-Based Payment Cards?
Introductory Musings
This doesn't have to do too much with enterprise security, but since I did the research I figured I might as well write it down. I haven't worked as a PCI assessor for the past three-or-so years (and obviously never in Europe ;-)), but some questions about EMV cards of the more technical …

Compliance, Best Practice, and Risk
I gave a presentation to the Central Texas chapter of the ISSA last Thursday, entitled "Comparing NIST's Cybersecurity Framework with Best Practice". When I sat down to put the actual slides together, I struggled with defining what "best practice" actually means. I believe the term has different connotations for different people. To me, it typically …

Attacking Authentication Credentials — BSides Austin 2014
I gave a talk at the BSides Austin conference yesterday. We looked at a number of authentication factors and did some threat modeling, with the attendees helping me to estimate the attack potential necessary to exploit certain vulnerabilities by voting on pre-defined adversary types. This included taking a look at how Steve Gibson's SQRL scheme works, possibly …

Comparing NIST's Cybersecurity Framework with ISO/IEC 27001
This week, NIST published Version 1.0 of its Framework for Improving Critical Infrastructure Cybersecurity (aka Cybersecurity Framework). I reviewed the last draft for the framework here on the blog a while ago, and also sent some minor comments back to NIST. (Along with the major one to not try and reinvent the wheel. ;-)) Now that Version …