Compliance, Best Practice, and Risk

I gave a presentation to the Central Texas chapter of the ISSA last Thursday, entitled "Comparing NIST's Cybersecurity Framework with Best Practice". When I sat down to put the actual slides together, I struggled with defining what "best practice" actually means. I believe the term has different connotations for different people. To me, it typically …

Attacking Authentication Credentials — BSides Austin 2014

I gave a talk at the BSides Austin conference yesterday. We looked at a number of authentication factors and did some threat modeling, with the attendees helping me to estimate the attack potential necessary to exploit certain vulnerabilities by voting on pre-defined adversary types. This included taking a look at how Steve Gibson's SQRL scheme works, possibly …