Certificates, Public Key Infrastructures, and SSL/TLS
Last summer I needed a slide deck for a little "lunch & learn" on how to manage TLS server certificates in infrastructure components, and why. To me, being able to manage certificates in a resilient and secure manner implies that you need to be familiar with the underlying crypto basics. Certificate trust, chains, and signing …
(Open)PGP – An Appetizer
OWASP Austin threw a Crypto Party this week. We had five presentations on different topics, including VPNs, TOR, disk encryption, and secure voice calls. I had the task of explaining PGP to folks in 10 minutes, and decided it would be more useful to explain the concepts rather than giving a demo. (I have run …
Multi-Factor Authentication at LASCON 2014
I gave a talk at LASCON 2014 the other day titled "Multi-Factor Authentication -- Weeding out the Snake Oil". Rather than providing a catalog of selection criteria, this turned into a review of scenarios where throwing additional authentication factors at a problem might or might not make sense. Combined with examples of different solutions currently …
EMV ― How Does the Crypto Work in Chip-Based Payment Cards?
Introductory Musings This doesn't have to do too much with enterprise security, but since I did the research I figured I might as well write it down. I haven't worked as a PCI assessor for the past three-or-so years (and obviously never in Europe ;-)), but some questions about EMV cards of the more technical …
Compliance, Best Practice, and Risk
I gave a presentation to the Central Texas chapter of the ISSA last Thursday, entitled "Comparing NIST's Cybersecurity Framework with Best Practice". When I sat down to put the actual slides together, I struggled with defining what "best practice" actually means. I believe the term has different connotations for different people. To me, it typically …
Attacking Authentication Credentials — BSides Austin 2014
I gave a talk at the BSides Austin conference yesterday. We looked at a number of authentication factors and did some threat modeling, with the attendees helping me to estimate the attack potential necessary to exploit certain vulnerabilities by voting on pre-defined adversary types. This included taking a look at how Steve Gibson's SQRL scheme works, possibly …
Comparing NIST’s Cybersecurity Framework with ISO/IEC 27001
This week, NIST published Version 1.0 of its Framework for Improving Critical Infrastructure Cybersecurity (aka Cybersecurity Framework). I reviewed the last draft for the framework here on the blog a while ago, and also sent some minor comments back to NIST. (Along with the major one to not try and reinvent the wheel. ;-)) Now that Version …
How Much Risk Assessment Is Enough?
Nearly all compliance regulation and standards addressing aspects of information security (aka cyber security ;-)) contain a mandate for IT risk assessment (or analysis) and management. Most often, these requirements are fairly generic. They do not prescribe a specific methodology for risk assessments, and they do not mandate a specific depth (level of detail) for …
Dissecting Risk-Based Authentication (White Paper)
I wrote a white paper on risk-based authentication, available as a PDF: dissecting_risk-based_authentication. At conferences and trade fairs, I have run into the term risk-based authentication a lot recently. There is really nothing new to implementing authentication measures that are commensurate in effectiveness with the value of the information to be protected. (Iris scanners …
Bring Your Own Device (BYOD) – Strategy and Best Practice
Bring Your Own Device (BYOD) is a hot topic in security management circles these days. This blog post provides some guidance on implementing a framework that allows users to access corporate assets from their privately owned devices. In writing this, we assume that your organization does not already use third party solutions for managing user-owned …