I’ve been trying to get back into a workout routine (a regular one that is) so I pushed myself to go to the gym. One particular aerobics class, Zumba, caught my attention. It seemed fun. I decided to wait an hour till that class started. If they could make exercise fun, I was in! Let me tell you I had a soaking wet BLAST! The class is only offered once a week and I’m laughing at myself because I cannot wait to go back to exercise. Can you imagine?
-
Webinar – Examiner Hot Security Topics 2010
Thanks to all that were able to attend our webinar last Friday on Examiner Hot Security Topics 2010. Also thanks to Eric Kitchens, our resident security guru, who did a wonderful job covering such a big hitting topic. We also had a question from one of our attendees that we will be posting tomorrow.
-
Don’t sweat the small stuff… but, there isn’t any small stuff.
There has been much discussion in the security world about the timing of Heartland’s announcement of the breach, waiting until Inauguration Day to disclose that millions of transactions had been compromised, and the overall sense of “spin” being the primary objective of Heartland’s handling of the situation to date. Worse yet is Heartland’s pointing to shortcomings of the Payment Card Industry Data Security Standard as the scapegoat for their lack of security. Don’t get me wrong; the PCI DSS is more like The Great Oz’s proclamations than sound security doctrine, but the information that has been disclosed about how the attacks were perpetrated indicates that end-to-end encryption through the DSS would not have helped the lack of a secure environment at Heartland. Press releases from Heartland themselves admit that the breach was perpetrated through malware that had made it past their firewalls, namely a keylogger and network sniffing software.
-
Data Breach Prevention requires increased collaboration
Risk assessments should happen regularly. A breach drill can be a quick way to assess breach risk and can serve as a big wake-up call. Additionally, dedicate resources in each area of the business to monitor and research how your institution is protecting sensitive information. Encourage employees to give feedback on potential risks and make reporting easy.
Don’t underestimate the effectiveness of accountholder fraud protection services like new-applicant screening tools and identity theft prevention services. They provide technical controls for detection and provide added-value service options for accountholders.
via banktech.com
Excellent article on how good communication (and collaboration) can help keep data breach (and your compliance) sound.
-
Busy, Busy, Busy!
It’s been a little quiet on the blog lately, but there’s a good reason – we’ve been swamped! The consultants have been going non-stop for several weeks now, and they’re still going strong. For all their hard work, Brad surprised them with something they’ve been wanting for a while now:
-
Studying for the CISA
I’ve been studying for the CISA (Certified Information Systems Auditor) exam recently, for several reasons (mostly just to pick up chicks, though). I started studying thinking that this certification was going to be highly examiner oriented. In other words, thinking that this certification was going to suggest I make tons of security recommendations that would not add any value to our clients and would hinder operations with documentation or add red tape to otherwise efficient processes.
-
Do you need an intervention?
Not surprisingly, you can draw parallels between this and organizational behavior. Many of the organizations we work with operate in much the same way. Some recognize a need for help, and some don’t. The kicker… if you ask me… is that we all need help in some form or fashion. Those who recognize it and look for it end up better off in the end. Organizations are the same way. Which kind of organization are you?
-
E-Mail Encryption
Most banks in America have one serious problem. Customer information flows in and out of the bank in clear text e-mails. Millions of dollars a year are spent to properly protect and destroy documents and to protect networks from threats and vulnerabilities. But what does all of this matter if customers and bank employees still send sensitive information through e-mail? E-mail is very insecure because it flows over the internet in clear text. Employees are encouraged to not use CDs and USB drives to take information home, but what if employees are emailing information to a personal account to use at home? Anyone with a sniffer and malicious intent can do some serious damage by monitoring bank web traffic. Nobody wants to see fraud or identity theft increase because customer information is so easily accessible by e-mail sniffing. This article from Bank Technology News has some good information about the insecurity of banking emails.

