Entries by Paul Hill

Security Risks Created by Emerging Technologies

In a recent Q&A session, Joe Clapp and I were asked to address the security risks that continuing technological change in the cloud data center poses. Following are our responses on the most common risks associated with cloud data center change and our recommendations on how to safeguard data given these considerations. Data and data handling […]

Securing Data Backups – On-site and in the Cloud

The security of backups is multifaceted. Factors to be considered include encryption at rest, encryption during transmission if applicable, security of shipping if applicable, physical security, environmental controls to prevent damage, and record keeping in order to prevent loss and to ensure that data is destroyed once the retention period has expired. In situations where confidentiality is of importance, […]

How to Avoid Bug Management Mistakes

I was recently asked to comment on some of the most common bug management mistakes enterprises make and how to avoid these issues. I have found that one of the most common mistakes is the failure to track vulnerabilities that have been deemed an acceptable risk and left unpatched. There are many reasons why an […]

Device Settings that Help Prevent Unauthorized Information Disclosure

Following up on my recent post (“Always-on Access Brings Always-Threatening Security Risks”) I’d like to continue the conversation and discuss other device settings that help prevent unauthorized information disclosure. Many organizations overlook the risks posed by Bluetooth. The security of Bluetooth has been slowly increasing over the years. When it first appeared many devices […]

Always-on Access Brings Always-Threatening Security Risks

Always-on access to work for employees comes with always-threatening security risks. One of the controls that appears in ISO 27002, titled Information technology – Security techniques – Code of practice for information security management, suggests that limiting the period during which connections to computer services are allowed reduces the window of opportunity for unauthorized access. […]

Security Questions to Ask a Cloud Service Provider

Ericka Chickowski of Dark Reading recently asked security experts to contribute key questions to ask a cloud security provider. While I’m pleased that two of my questions were included in the article, I have three additional questions you should ask to help you assess the risks of cloud services. 1) What security compliance programs […]

Key Steps Enterprise IT Can Take to Safeguard its Operations

IT systems pervade enterprises. Systems are increasingly complex; enterprises constantly seek more rapid deployments. And enterprises are increasing the volume and diversity of the data collected and analyzed. All of these factors mean that enterprises cannot rely on a small set of steps to safeguard their operations. Well-established security frameworks such as PCI, HIPAA, […]

What Happens After the Breach — Especially for SMBs

SMBs are the least likely to survive the costs associated with a breach that involves data falling under the Payment Card Industry umbrella. There are several types of cost, including those associated with reputation damage, the time and effort required to repair the breach and return to normal operations, the time and expense of […]

Why Securing Only the Network Perimeter is the Wrong Approach

Every time I encounter an organization that focuses on perimeter security while ignoring best practices on the internal network I think of Gary Larson’s Far Side cartoon where two polar bears are on either side of an igloo and one says to the other, “Oh hey! I just love these things!…Crunchy on the outside and […]

Data Leak Prevention Tools: Biggest Mistakes Companies Make

I was recently asked to comment on mistakes companies make in purchasing and implementing data leak prevention (DLP) tools. Although we have been talking about DLP for quite some time, it continues to be a challenging issue for many companies. In my experience, the mistakes companies make fall into the following categories: inadequate risk analysis prior […]