Recommendations

Google and Business Data Privacy

Jan 26

As just about everyone who reads the news knows, Google announced on Tuesday, January 24, 2012 that it would merge the data it collects from individual users across all of its properties starting March 1, 2012. Basically, Google will be able to better anticipate how to direct individual user activities to best serve their needs, building a grand database of all user activity and behaviors. The question that few are asking, though, is what the impact will be on businesses. That's where things get really complicated.

Posted By Michael Figueroa

Solving the Cybersecurity Puzzle

Nov 07

Check out this article, "Analysis: Cybersecurity puzzle is a tough one to solve," from Federal Computer Week. While it provides some well-reasoned perspective on the lack of cybersecurity effectiveness in U.S. Government systems, I think that the conclusions of the analysis are misdirected.

Organizations have a lot of cybersecurity challenges and the Federal government probably has it worse than most. It represents a highly visible target, presents a huge attack surface, and maintains some of the most valuable information on the planet. To the modern hacker (state-sponsored or otherwise), U.S. government systems look collectively like a huge walled-off fresh water lake in a desert full of thirsty people.

Having spent nearly my entire IT career supporting the Federal government, I would argue that cybersecurity is only a tough puzzle to solve when you're trying to force the pieces into the wrong places. Rather, in my experience, the government tends to be deluded into seeing the cybersecurity picture as something different than reality. That's not to say that there are no good people in government cybersecurity. There are. But, those people lack the tools and access to make much more than baby steps in progress, and are often supported by security practitioners who depend too much on ineffective practices that they defend as "leading."

Posted By Michael Figueroa

EHRs Need More than Standard Security

Oct 27

I attended a series of web meetings over the past two weeks for the Federal Advisory Committees (FACAs) under the HHS Office of the National Coordinator for Health Information Technology. After listening in to the public Privacy and Security standards working group, I became a bit frightened by how legacy thinking around information security continues to leave us vulnerable to general mischief. The IT industry needs more innovation than we're receiving, especially with regard to the protection of our personal information.

Posted By Michael Figueroa

Preparing for SEC Cybersecurity Disclosure

Oct 25

Last week, I presented an argument for why the new SEC cybersecurity disclosure guidance is really a big deal for the information security community. If my prediction is right, then publicly-traded companies in the U.S. are going to start facing auditor requests for more cybersecurity information by late next year. Companies need to start preparing for those requests now to prevent potential negative shareholder action in the future.

Posted By Michael Figueroa

Vampiric Security - Dead and Loving It

Oct 11

In my posting "How Hacker Targets Become Victims," I implied a little secret about the information security industry regarding the tools that we've come to believe are absolutely necessary. They are not as effective as you typically think they are. In fact, many are slowly sucking us dry without providing much value in return.

Posted By Michael Figueroa

How to Earn $175K in One Day

Oct 07

In my previous post "How Hacker Targets Become Victims," I examined a common Man-In-The-Middle attack that hacker organizations are using today to steal from various types of organizations. An "Attacker" gains control of a target computer system, and then hijacks the web browser once the target logs into the account, without alerting the target to the problem. It's an amazing attack because it completely bypasses most of the controls that the banks put in place to protect business accounts. The attack vector renders standard and multifactor authentication controls irrelevant and makes bank efforts to authenticate the computer system useless. What would happen if all of a sudden your organization were unable to make payroll because a hacker wiped the bank account clean the night before? As many of these organizations found out, the organization would likely be left to cover the loss themselves.

Posted By Michael Figueroa

InfusionPoints, Your Independent Trusted Advisor

We founded InfusionPoints to be our clients' first choice for an independent trusted partner to build secure systems that protect their employees', partners' and customers' data.