Vendor-Neutral Security Videos and Whitepapers
Media Sanitization Guide (White paper, 2019)
Protecting sensitive information requires attending to where the information is located and used throughout its lifetime. This document guides how to manage sensitive information when the media on which it resides is no longer used for that purpose. These management processes are collectively known as media sanitization.
Media comes in several forms: magnetic, paper, solid-state, and optical. I address sanitization across all of these media types, including how to meet associated data erasure challenges. Further, this guide provides steps and considerations needed to implement and manage media sanitization policies and procedures.
DNS Basics (Video)
This video explains and demonstrates how DNS works. This is helpful to prepare for my papers on DNS security.
Watch video at YouTube
DNS Cache Poisoning
There are several facets to DNS security. In this paper we focus on one of the most dangerous types of attack – DNS cache poisoning. To provide a complete picture of this threat, we’ll explore how DNS works, two ways crackers facilitate cache poisoning, what impact this type of attack can have on your organization, and steps you can take to protect your information assets
DNS Tunneling Identification and Defense (White Paper, 2019)
Domain Name Service (DNS) traffic freely travels across network perimeters and internal
network segments. Organizations cannot arbitrarily block this UDP port 53 traffic because
doing so would break most, if not all, network communication. Malicious actors (MA) know this
and have found ways to exploit DNS for their purposes.
One example of how MA exploit DNS is tunneling. DNS tunneling enables command and
control (C2) and data exfiltration traffic for which most organizations do not look or are unable
adequately to detect.
This paper helps organizations understand the threat and available defense solutions.
Strengthen Security with an
Effective Security Awareness Program
You’ve developed a world class security program. Your technology-based defenses are
cutting edge. Your security team is well trained and ready to handle anything that comes
its way. So you’re done, right? Not quite. One of the most important pieces of an
effective information asset defense is missing – employee awareness.
In this paper, I define security awareness, list the objectives of an effective awareness
program, and I step through a process to build, implement, and manage on-going support
of the program
Fundamentals of Storage Media Sanitization
One of the most fundamental principles of information security is that it’s all about the
data. Data in transit or at rest is the primary focus of administrative, physical, and
technical safeguards. Security professionals are doing better every day when it comes to
protecting information in static production environments. But what happens when
magnetic, optical, or semiconductor media is repurposed or retired?
In this paper, I define media sanitation and how it fits into an overall security program.
Next, I examine how attackers can extract information from electronic media—even after
it’s been overwritten. Finally, I explore ways you can protect your organization from
attacks—both casual and highly motivated.
Keystroke Dynamics: Low Impact Biometric Verification
Biometrics has long been one of the solutions touted by security vendors to meet multifactor authentication objectives. However, user acceptance and cost issues often prevent
organizations from adopting biometrics as a solution. This isn’t to say that other multifactor solutions are any less cost prohibitive. The capital expenditure and on-going
maintenance costs of token-based systems are often higher than those for biometrics.
Solutions based on keystroke dynamics might help meet these business challenges.
In this paper, I look at biometrics in general. This includes success factors for
implementation and user acceptance. I also look at how the effectiveness of biometric
solutions is measured. This is followed by an examination of keystroke dynamics
technology, including its history, how it works, and why it may be the answer for
organizations with people or cost issues.