I gave a talk at LASCON 2014 the other day titled "Multi-Factor Authentication -- Weeding out the Snake Oil". Rather than providing a catalog of selection criteria, this turned into a review of scenarios where throwing additional authentication factors at a problem might or might not make sense. Combined with examples of different solutions currently … Continue reading Multi-Factor Authentication at LASCON 2014 →

Introductory Musings This doesn't have to do too much with enterprise security, but since I did the research I figured I might as well write it down. I haven’t worked as a PCI assessor for the past three-or-so years (and obviously never in Europe ;-)), but some questions about EMV cards of the more technical … Continue reading EMV ― How Does the Crypto Work in Chip-Based Payment Cards? →

I gave a presentation to the Central Texas chapter of the ISSA last Thursday, entitled "Comparing NIST's Cybersecurity Framework with Best Practice". When I sat down to put the actual slides together, I struggled with defining what "best practice" actually means.  I believe the term has different connotations for different people. To me, it typically … Continue reading Compliance, Best Practice, and Risk →

I gave a talk at the BSides Austin conference yesterday. We looked at a number of authentication factors and did some threat modeling, with the attendees helping me to estimate the attack potential necessary to exploit certain vulnerabilities by voting on pre-defined adversary types. This included taking a look at how Steve Gibson's SQRL scheme works, possibly … Continue reading Attacking Authentication Credentials — BSides Austin 2014 →

This week, NIST published Version 1.0 of its Framework for Improving Critical Infrastructure Cybersecurity (aka Cybersecurity Framework). I reviewed the last draft for the framework here on the blog a while ago, and also sent some minor comments back to NIST. (Along with the major one to not try and reinvent the wheel. ;-)) Now that Version … Continue reading Comparing NIST’s Cybersecurity Framework with ISO/IEC 27001 →

Nearly all compliance regulation and standards addressing aspects of information security (aka cyber security ;-)) contain a mandate for IT risk assessment (or analysis) and management. Most often, these requirements are fairly generic. They do not prescribe a specific methodology for risk assessments, and they do not mandate a specific depth (level of detail) for … Continue reading How Much Risk Assessment Is Enough? →

I wrote a white paper on risk-based authentication: Download it as a PDF: dissecting_risk-based_authenticationDownload At conferences and trade fairs, I have run into the term risk-based authentication a lot recently. There is really nothing new to implementing authentication measures that are commensurate in effectiveness with the value of the information to be protected. (Iris scanners … Continue reading Dissecting Risk-Based Authentication (White Paper) →

Bring Your Own Device (BYOD) is a hot topic in security management circles these days. This blog post provides some guidance on implementing a framework that allows users to access corporate assets from their privately owned devices. In writing this, we assume that your organization does not already use third party solutions for managing user-owned … Continue reading Bring Your Own Device (BYOD) – Strategy and Best Practice →