Last year I decided to look at security more from a defensive angle and switched jobs. I work in a team of Internal Investigators now analyzing fraud, corruption and bribery. It is well known that most inquiries start with a tip usually from an insider. Since many of such insiders fear for their job security … More Whistleblowing – an odd name
When I heard about the latest data loss in a well-known hotel chain, I was not enthused. It was more than 10 years ago that I joined the hotel’s guest program and I have stayed in many different places within their chain mostly on business travel though. Let me share my experience. I learned about … More Data Loss at a major hotel chain – sharing my experience
Is there an after one seems to wonder? Although the major hardware vendors have shipped fixes or new chips closing these vulnerabilities, new findings seem to appear every so often. One also wonders how the hardware vendors closed these vulnerabilities as some cases required a major architectural change, which could only be accomplished with new … More After Spectre and Meltdown – what now?
There is so much talk about cyberwar and advanced persistent threats. One can get really scared. However, if you look at the facts, you only have to follow the money. Or in other words answer the question, where can an attacker make the most bang for the buck. It is true that cyberwar has become … More Do we all WannaCry – or which threats should we expect?
At least when your company is in California, a state that has been quite at the forefront lately when implementing and enforcing new laws, rules or regulations in regards to IT security and data privacy. And they seem to continue to be up and at them… The linked article quotes a report by the Californian … More Will legal consequences improve security? – If you have not implemented critical security controls, soon your negligence could cause legal consequences.
I have noticed lately that more and more customers start asking questions about how to implement X.509 certificates for authentication and Single Sign-On. What an interesting development!?! X.509 certificates were invented as digital identities to secure web applications, but did never really take off, because you need to set-up a quite intensive and costly administration in … More X.509 certificates are back
If you’re thinking about a decision methodology on which security measures to implement, one thought should be to look at Ease of Use versus security strengths and determine where in the down below picture your implementation fits. Unfortunately the easier the use of a security measure the less secure it ease. The more secure the … More Ease of use versus security strengths – the inversely proportional relationship
In this linked article where an NSA employee gives advice on how to keep your systems secure, it should become crystal clear that you have to keep your security patching up-to-date. According to the quotes in the article even security vulnerabilities that existed only for hours on a system can be exploited by adversaries. So … More How to keep your systems secure? – Always implement the latest security patch as soon as possible
In a recent meeting with a customer group on security topics, one of the attendees asked everybody else whether they had implemented system-to-system encryption behind the firewalls in their internal landscape. Only one attendee said yes. And it applied only for one system deemed extremely critical. To my astonishment nobody considered this strange or negligent. … More Encryption of communication paths – it’s so easy but often not implemented
Authorization Management is one of the unsolved problems of IT security. The problem is not that there are no access management capabilities in regards to authorizations. On the contrary, there are too many. No unifying standard or tool has materialized which is due to the fact that technologies are different and thus the underlying authorization … More Authorization management unsolved – or the continuos role access management inflation