Entries by Paul Hill

Network Access Control (NAC)

Controlling access to the network is a fundamental security control. For shared networks, the capability of users to connect to the network should be restricted. Well-known security frameworks such as ISO 27002, Information technology – Security techniques – Code of practice for information security management, include this control as a recommendation. And the Payment Card […]

Impact of a Data Breach on a Small Business

While our main focus is as a provider of IT compliance and security consulting services, we have been called in to help a few small businesses handle security incidents and data breaches. These calls come to us after the client has discovered there’s been a security incident or data breach and as a result is […]

Important Sources of Threat Intelligence for Security Teams

The goal of threat intelligence (TI) is to recognize indicators of attacks as they progress and act upon those indicators in a timely manner. TI is not a mature area for most organizations. While tools to automate TI exist and are evolving, most organizations are still using informal ad hoc mechanisms or a small number […]

Cybersecurity Responsibilities for SMBs

Cybersecurity is a topic that many small and most medium-sized businesses care about due to all of the news stories about data breaches, identity theft, and ransomware that have appeared in the last several years. Some small and medium-sized businesses have realized that having a strong cybersecurity program can be a strategic asset for their […]

DNS: How it Works and Best Practices to Defend Against DNS-based Threats

The Domain Name System (DNS) is a central element in the addressing and routing of all communication over the Internet. Many enterprise IT security professionals don’t always know how DNS works, or how attackers might use it to compromise their data. Following is a discussion about recent attacks and exploits that use DNS and some […]

Encryption Implementation: Is It the Cure-all for Cybersecurity Woes?

Based on the science of cryptography, encryption is the process of coding and decoding messages to keep them secure, and is often touted as the silver bullet for cybersecurity woes. But is it really the cure-all? The classic model of information security starts with the triad of Confidentiality, Integrity, and Availability. Cryptography is critical to providing confidentiality […]

So You Had a Security Breach – Now What Do You Do?

A great way to start out the New Year is to review your company policies and procedures in the event of a security breach. Following is a checklist to help you get started: Document company policy, plans and procedures. Make sure the plans and procedures are fully tested well before a breach occurs so that […]

Windows Hello Biometrics: how well do the security options work, what to look out for and when are they appropriate

Many security pundits have been saying passwords must go for years, and biometrics are an alternative to passwords, but not all security professionals believe biometrics are the best alternative to passwords. Microsoft Windows 10 provides native support of biometric authentication and as a result many people are taking a new look at the viability of biometric authentication. Windows […]

IT Security Industry Predictions for 2016

While it is impossible to predict the future (since I don’t really have a crystal ball), I can offer the following predictions for security trends to watch for in 2016: We will continue to witness large-scale data breaches that could have been prevented if only well-established security practices had actually been applied. Companies […]

BYOD Security and the Mobile Market

BYOD security is a frequent topic among IT security experts. This, my third BYOD post this year, focuses on the mobile market. (Post one, Always-on Access Brings Always-Threatening Security Risks, June 25, 2015; Post two, Device Settings that Help Prevent Unauthorized Information Disclosure, July 13, 2015.) The mobile market continues to be very dynamic. Just […]