Politics will not Save Us

Monday, December 03, 2007 4:29:44 PM UTC
by Jason Pittman
Politicians are not addressing the real problem with consumer security. Instead of legislating security as an afterthought, politicians should be focused on advertising awareness.

A Better Mouse Trap?

Sunday, October 07, 2007 3:16:49 PM UTC
by Jason Pittman
If PCI says, “Don’t store these types of information” and so much of the security deals with those information types, then why does the information exist in the first place?

As Grep as it Gets?

Tuesday, October 02, 2007 3:14:30 PM UTC
by Jason Pittman
When faced with sizing for some flavor of scope of work, what might be a quick and easy way to get an accurate count? Here’s a quick and dirty way to get some empirical answers from a Windows computer without being intrusive and without using any non-native utilities.

Sync Me Up Scotty!

Thursday, August 16, 2007 3:12:02 PM UTC
by Jason Pittman
A former work colleague phoned me the other day and asked for some advice regarding NTP. Here's a quick overview of the problem he faced and what I have done in the past to move forward in this type of situation.

Logging - Meaningful or Meaningless?

Saturday, July 14, 2007 2:45:31 PM UTC
by Jason Pittman
Section 10.2 of PCI DSS requires “…implementation of audit trails for all system components”. Sections 10.2.1 through 10.2.7 detail what specific actions need to be covered in the audit trail. Naturally, the first thing that caught my attention here is the System Object requirements, specifically “creation and deletion of system level objects”. My reaction, both while reviewing these specifications and while implementing the necessary technical controls, has been: how does requiring logging in this fashion actually help detect an intrusion? Is the PCI DSS approach sound from a business perspective? Is it sound from an applied science perspective?

Secure Catapult

Saturday, June 23, 2007 2:44:23 PM UTC
by Jason Pittman
I think of it as catapulting data...and it is a push technique. In this type of scenario, I hesitate to install any type of server on the Windows computer since a) I know it already exists on the Unix side most likely and b) I do not typically like to increase management overhead and adding any such server to the Windows computer will most likely do so.

The Security that Fails

Thursday, June 21, 2007 2:30:26 PM UTC
by Jason Pittman
The one question I continually come back to in my thinking is, "why does security fail?" Sure, there are a multitude of foes where blame could be (and, in some cases, should be) placed. Some are real, some are fantasy: faulty technology, faulty policies and procedures, faulty awareness. Superior adversaries. But, for me, such arguments are straw man fallacies. Colloquially, they are just trimming branches. Let's hack at the roots, shall we?

Strings for You and Me

Friday, June 15, 2007 2:55:06 PM UTC
by Jason Pittman
Ever get to an authentication challenge in a client application and have that feeling of being rooted? I know I have on several occasions. Here is an example of how I might try to bypass the authentication challenge.

Phasers to Full

Thursday, May 17, 2007 2:12:13 PM UTC
by Jason Pittman
My friend and former colleague called me again. He was grateful to have an active and operational NTP architecture; however, he had now encountered a slight issue.