Certificates, Public Key Infrastructures, and SSL/TLS

Last summer I needed a slide deck for a little "lunch & learn" on how to manage TLS server certificates in infrastructure components, and why. To me, being able to manage certificates in a resilient and secure manner implies that you need to be familiar with the underlying crypto basics. Certificate trust, chains, and signing …

Multi-Factor Authentication at LASCON 2014

I gave a talk at LASCON 2014 the other day titled "Multi-Factor Authentication -- Weeding out the Snake Oil". Rather than providing a catalog of selection criteria, this turned into a review of scenarios where throwing additional authentication factors at a problem might or might not make sense. Combined with examples of different solutions currently …

EMV ― How Does the Crypto Work in Chip-Based Payment Cards?

Introductory Musings This doesn't have to do too much with enterprise security, but since I did the research I figured I might as well write it down. I haven't worked as a PCI assessor for the past three-or-so years (and obviously never in Europe ;-)), but some questions about EMV cards of the more technical …

Compliance, Best Practice, and Risk

I gave a presentation to the Central Texas chapter of the ISSA last Thursday, entitled "Comparing NIST's Cybersecurity Framework with Best Practice". When I sat down to put the actual slides together, I struggled with defining what "best practice" actually means. I believe the term has different connotations for different people. To me, it typically …

Attacking Authentication Credentials — BSides Austin 2014

I gave a talk at the BSides Austin conference yesterday. We looked at a number of authentication factors and did some threat modeling, with the attendees helping me to estimate the attack potential necessary to exploit certain vulnerabilities by voting on pre-defined adversary types. This included taking a look at how Steve Gibson's SQRL scheme works, possibly …

Comparing NIST’s Cybersecurity Framework with ISO/IEC 27001

This week, NIST published Version 1.0 of its Framework for Improving Critical Infrastructure Cybersecurity (aka Cybersecurity Framework). I reviewed the last draft for the framework here on the blog a while ago, and also sent some minor comments back to NIST. (Along with the major one to not try and reinvent the wheel. ;-)) Now that Version …