Tuesday, January 11, 2011

Increasing Security With Chroot Jails

In the world of information security, you have to assume that attackers will get into your network. Whether through a zero-day exploit, phishing emails sent to your employees, or a coding flaw in your web application, attackers are coming for you. Your job as an administrator is to make it as difficult as possible for an attacker to gain access, and to be able to detect and contain an attack after it occurs. This is why practicing “defense in depth” must be an essential part of your everyday thought process. When deploying new services, devices, or applications, you should ask yourself: “If this were compromised, how could I limit an attacker's ability to advance further into my network?” In come chroot jails.
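As an added illustration of the technique the post introduces (this is not code from the original post or from SecureState), the script below builds a minimal chroot tree for one service binary, audits that tree for the things that turn a jail into a stepping stone, and shows the order in which a service should enter the jail. It assumes a Linux host with ldd(1) available; the jail root, the `/bin/sh` target and the ldd sample used for the self-check are constructed here for the example, and entering the jail requires root, so that step only runs when the script is executed as root.

```python
#!/usr/bin/env python3
"""Build, audit and enter a minimal chroot jail for a single service binary.

Added example, not from the original post. Assumes Linux with ldd(1); the
sample ldd output below is constructed for the self-check, and run_in_jail()
needs root, so the stand-alone demo only calls it when running as root.
"""
import os
import re
import shutil
import stat
import subprocess
import tempfile

# ldd prints "name => /path (0xaddr)" for libraries and "/path (0xaddr)" for
# the dynamic loader; the vDSO line carries no path and is skipped.
LDD_LINE = re.compile(r'^\s*(?:\S+ => )?(/\S+) \(0x[0-9a-f]+\)')

# Constructed ldd output for the self-check (what ldd /bin/sh typically prints).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1a3f0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c4e000000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f2c4e2a0000)
"""


def parse_ldd(output):
    """Absolute paths of every shared object the binary loads at runtime."""
    return [m.group(1) for m in map(LDD_LINE.match, output.splitlines()) if m]


def populate_jail(root, binary):
    """Copy the binary and only the libraries it needs into root."""
    ldd = subprocess.run(['ldd', binary], capture_output=True, text=True, check=True)
    for src in [binary] + parse_ldd(ldd.stdout):
        dst = os.path.join(root, src.lstrip('/'))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.realpath(src), dst)   # resolve symlinks, keep mode
    os.makedirs(os.path.join(root, 'tmp'), exist_ok=True)  # scratch space only


def audit_jail(root):
    """Return findings that make a jail escapable or overly generous."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue                               # symlink mode bits are meaningless
            rel = '/' + os.path.relpath(path, root)
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(('setuid/setgid', rel))  # root inside the jail is root outside
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append(('device node', rel))    # raw disk or memory access
            if (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
                findings.append(('world-writable', rel))  # anyone can plant files
    return sorted(findings)


def run_in_jail(root, argv, uid, gid):
    """Start argv inside root, dropping privileges only after the chroot.

    chroot() needs CAP_SYS_CHROOT, chdir('/') moves the working directory
    inside the new root (a process left outside it is not confined), and
    setgroups/setgid/setuid come last so the service cannot call chroot()
    again to undo the jail. Requires root.
    """
    def enter():
        os.chroot(root)
        os.chdir('/')
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)
    return subprocess.run(argv, preexec_fn=enter)


def demo_audit():
    """Audit a constructed jail tree seeded with two deliberate mistakes."""
    root = tempfile.mkdtemp(prefix='jail-')
    try:
        helper = os.path.join(root, 'usr/bin/helper')
        os.makedirs(os.path.dirname(helper))
        open(helper, 'w').close()
        os.chmod(helper, 0o4755)                       # setuid binary inside the jail
        logdir = os.path.join(root, 'var/log')
        os.makedirs(logdir)
        os.chmod(logdir, 0o777)                        # world-writable, no sticky bit
        return audit_jail(root)
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    print('self-check findings:', demo_audit())
    root = tempfile.mkdtemp(prefix='jail-')
    populate_jail(root, '/bin/sh')                     # constructed demo target
    print('audit of fresh /bin/sh jail:', audit_jail(root))
    if os.geteuid() == 0:                              # nobody/nogroup on most distros
        run_in_jail(root, ['/bin/sh', '-c', 'id; ls /'], 65534, 65534)
```

The audit is the part worth keeping around: a chroot only restricts the filesystem view, so a setuid binary, a device node or a writable directory inside the tree gives a compromised service a way to work back out, and the service must drop to an unprivileged uid after the chroot, because root inside a chroot can still leave it. Mounting the jail's filesystem with `nodev` and `nosuid` is a cheap second layer on top of the checks above.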


Read the rest on our new blog site:
http://blog.securestate.com/post/2011/01/03/Increasing-Security-With-Chroot-Jails.aspx


January 5th, The Most Stressful Day of the Year – But It Doesn’t Have To Be For You And Your Information Security Program!

Recently I read an article stating that January 5th is the most stressful day of the year. This is based on a number of factors including the holidays ending, work resuming, cold gloomy weather, etc. While I can’t attest to whether this is true, I can share a few thoughts if information security is adding to your stress level!


Read the rest on our new blog site - http://blog.securestate.com/


Friday, January 7, 2011

New SecureState Blog

Check out our new blog site here!


Wednesday, December 15, 2010

Do Your Homework

Every one of our competitors says they perform penetration testing. We’ve found that what they call penetration testing is often nothing more than a vulnerability scan with automated tools.


Thursday, December 9, 2010

Why You’re Probably Not Ready for DLP Software

Data Loss (or Leakage) Protection (DLP) has been a hot topic for a while now, and while DLP has a lot of merit as a concept, most organizations are not ready to implement it.


Thursday, December 2, 2010

Reassess Your PCI Scope: Virtual Terminals

At the annual PCI Community Meeting in September, the PCI Security Standards Council (SSC) made it clear that the standard and its requirements have not been interpreted consistently across the industry. Among the goals of the new version are to clarify the wording of individual requirements so their intent is clear, and to explain how to scope your cardholder data environment. From my review of the Payment Card Industry (PCI) Data Security Standard (DSS) version 2.0, things are definitely clearing up.


Tuesday, November 23, 2010

A (quick) theorem on the symbiosis of Risk Management, Security, Operations, and Audit in a mature Security Program -or - How I Learned to Stop Worrying and Love the Venn

Recently I had a conversation with a colleague about the symbiosis among organizational divisions and how it always plays a huge role in the effectiveness of a given process. We agreed that this is particularly true when that process involves securing information that is critical to the business. Because responsibilities must be segmented between groups, the protection of information brings many unique challenges that call divisional roles into question. For example: Who within the organization defines what information is critical? Who within the organization is responsible for the actual implementation of security controls? Who confirms compliance with agreed-upon standards? Who is in charge of accepting risk for the organization? And perhaps most importantly, how should these groups or individuals align and interact with one another?
