<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Alchemy Security</title>
	<atom:link href="http://alchemysecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://alchemysecurity.com</link>
	<description>Dedicated to the art and science of securing private information</description>
	<lastBuildDate>Fri, 28 May 2010 21:28:21 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Alchemy Security Announces Hosting of &#8220;Mile High Security&#8221; B-Sides Event</title>
		<link>http://alchemysecurity.com/events/alchemy-security-announces-hosting-of-mile-high-security-bsides-event-2/</link>
		<comments>http://alchemysecurity.com/events/alchemy-security-announces-hosting-of-mile-high-security-bsides-event-2/#comments</comments>
		<pubDate>Thu, 22 Apr 2010 22:08:20 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Events]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=595</guid>
		<description><![CDATA[<p>Alchemy Security is proud to announce that we&#8217;ll be hosting a Security B-Sides &#8220;Mile High Security&#8221; event at our corporate headquarters here in Denver on June 18th. To learn more or to attend the event you can check out the details <a href="http://www.securitybsides.com/BSidesDenver">here</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p>Alchemy Security is proud to announce that we&#8217;ll be hosting a Security B-Sides &#8220;Mile High Security&#8221; event at our corporate headquarters here in Denver on June 18th. To learn more or to attend the event you can check out the details <a href="http://www.securitybsides.com/BSidesDenver">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/events/alchemy-security-announces-hosting-of-mile-high-security-bsides-event-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Peter Schawacker to Present at ISSA Ottawa Chapter</title>
		<link>http://alchemysecurity.com/soc/peter-schawacker-to-present-at-issa-ottawa-chapter/</link>
		<comments>http://alchemysecurity.com/soc/peter-schawacker-to-present-at-issa-ottawa-chapter/#comments</comments>
		<pubDate>Thu, 08 Apr 2010 03:30:13 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Agile Security]]></category>
		<category><![CDATA[Security Operations]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=566</guid>
		<description><![CDATA[<p>Mark your calendars. Peter Schawacker, Managing Principal SOC Services, will be sharing his latest thoughts on the subjects of Agile Security &#038; SOC at the Ottawa Chapter of ISSA <a href="http://www.issa-ottawa.ca/">April 29th</a>. </p>
]]></description>
			<content:encoded><![CDATA[<p>Mark your calendars. Peter Schawacker, Managing Principal SOC Services, will be sharing his latest thoughts on the subjects of Agile Security &#038; SOC at the Ottawa Chapter of ISSA <a href="http://www.issa-ottawa.ca/">April 29th</a>. </p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/soc/peter-schawacker-to-present-at-issa-ottawa-chapter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Peter Schawacker to present on Agile SOC at UNIX Users Association of Southern California- LA Chapter</title>
		<link>http://alchemysecurity.com/scrum/peter-schawacker-to-present-on-agile-soc-at-unix-users-association-of-southern-california-la-chapter/</link>
		<comments>http://alchemysecurity.com/scrum/peter-schawacker-to-present-on-agile-soc-at-unix-users-association-of-southern-california-la-chapter/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 20:15:33 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Scrum]]></category>
		<category><![CDATA[Security Operations]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=561</guid>
		<description><![CDATA[<p>Peter Schawacker, Principal Consultant, SOC Services, will be presenting at the <a href="http://bolthole.com/uuala/">UNIX Users Association of Southern California- LA Chapter</a> on May 6 to discuss Agile SOC practices used to build world-class security operations centers.</p>
]]></description>
			<content:encoded><![CDATA[<p>Peter Schawacker, Principal Consultant, SOC Services, will be presenting at the <a href="http://bolthole.com/uuala/">UNIX Users Association of Southern California- LA Chapter</a> on May 6 to discuss Agile SOC practices used to build world-class security operations centers.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/scrum/peter-schawacker-to-present-on-agile-soc-at-unix-users-association-of-southern-california-la-chapter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Damon Cortesi to Present At Seattle Chapter of National Information Security Group (NAISG)</title>
		<link>http://alchemysecurity.com/events/damon-cortesi-to-present-at-seattle-chapter-of-national-information-security-group-naisg/</link>
		<comments>http://alchemysecurity.com/events/damon-cortesi-to-present-at-seattle-chapter-of-national-information-security-group-naisg/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 20:07:43 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=559</guid>
		<description><![CDATA[<p>Damon Cortesi, Principal Consultant at Alchemy Security, will present on common security failures associated with social media web applications such as Twitter, Facebook, and other websites at the <a href="http://seattle.naisg.org/">Seattle chapter</a> of NAISG.</p>
]]></description>
			<content:encoded><![CDATA[<p>Damon Cortesi, Principal Consultant at Alchemy Security, will present on common security failures associated with social media web applications such as Twitter, Facebook, and other websites at the <a href="http://seattle.naisg.org/">Seattle chapter</a> of NAISG.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/events/damon-cortesi-to-present-at-seattle-chapter-of-national-information-security-group-naisg/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Peter Schawacker Presents on Agile Security at UNIX Users Association of Southern California</title>
		<link>http://alchemysecurity.com/scrum/peter-schawacker-presents-on-agile-security-at-unix-users-association-of-southern-california/</link>
		<comments>http://alchemysecurity.com/scrum/peter-schawacker-presents-on-agile-security-at-unix-users-association-of-southern-california/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 19:57:57 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Scrum]]></category>
		<category><![CDATA[Security Operations]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=554</guid>
		<description><![CDATA[<p>Peter Schawacker, Principal Consultant for our SOC Consulting group, <a href="http://www.uuasc.org/p1001.html">discusses</a> how Agile Security techniques can be used to better secure environments at the <a href="http://www.uuasc.org/">UNIX Users Association of Southern California</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p>Peter Schawacker, Principal Consultant for our SOC Consulting group, <a href="http://www.uuasc.org/p1001.html">discusses</a> how Agile Security techniques can be used to better secure environments at the <a href="http://www.uuasc.org/">UNIX Users Association of Southern California</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/scrum/peter-schawacker-presents-on-agile-security-at-unix-users-association-of-southern-california/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Damon Cortesi to Present at Security BSides Las Vegas</title>
		<link>http://alchemysecurity.com/events/damon-cortesi-to-present-at-security-bsides-las-vegas/</link>
		<comments>http://alchemysecurity.com/events/damon-cortesi-to-present-at-security-bsides-las-vegas/#comments</comments>
		<pubDate>Tue, 21 Jul 2009 16:04:17 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Social Networking]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=462</guid>
		<description><![CDATA[<p>Principal Consultant Damon Cortesi will be presenting at <a href="http://www.securitybsides.com/BSidesLasVegas">Security BSides Las Vegas</a>. Damon&#8217;s talk will cover security considerations within social networking sites such as Twitter, as well as web application-related challenges organizations face in the Web 2.0 space.</p>
]]></description>
			<content:encoded><![CDATA[<p>Principal Consultant Damon Cortesi will be presenting at <a href="http://www.securitybsides.com/BSidesLasVegas">Security BSides Las Vegas</a>. Damon&#8217;s talk will cover security considerations within social networking sites such as Twitter, as well as web application-related challenges organizations face in the Web 2.0 space.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/events/damon-cortesi-to-present-at-security-bsides-las-vegas/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PCI Compliance Becomes Scorecard for CSOs</title>
		<link>http://alchemysecurity.com/general-security/pci-compliance-becomes-scorecard-for-csos/</link>
		<comments>http://alchemysecurity.com/general-security/pci-compliance-becomes-scorecard-for-csos/#comments</comments>
		<pubDate>Mon, 20 Jul 2009 21:44:01 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[General Security]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://alchemysecurity.com/?p=436</guid>
		<description><![CDATA[<p>Companies recertifying for the second or third year of PCI compliance are having a rough go of things as of late. A combination of the latest clarifications within the revised PCI DSS standard, along with the recent scoring matrix that compels assessors to ensure they have done a thorough job as part of the review, have caught an unfortunate number [...]]]></description>
			<content:encoded><![CDATA[<p>Companies recertifying for the second or third year of PCI compliance are having a rough go of things as of late. A combination of the latest clarifications within the revised PCI DSS standard, along with the recent scoring matrix that compels assessors to ensure they have done a thorough job as part of the review, has caught an unfortunate number of CISOs flat-footed. Anyone who thinks they are about to go through a &#8220;check box exercise&#8221; could find themselves with small to large remediation efforts that are forcing many to miss their renewal dates. These challenges are being exacerbated by the fact that assessors are getting better at their job, and security budgets are getting hit like everything else. These dynamics are generating some painful realities for those chartered to maintain compliance with this very thorough and rigorous standard. Unfortunately for most CISOs, the subtleties of <em>why</em> they are missing compliance dates and risking potential fines and/or a change of compliance status for service providers are lost on executive leadership. Based upon some things we&#8217;ve observed over the years, leadership changes aren&#8217;t necessarily a bad thing, but it doesn&#8217;t serve anyone&#8217;s interest to throw the baby out with the bathwater.</p>
<p><strong>What is a CEO to do?</strong><br />
Meanwhile, CEOs are struggling to drive the business forward in a historically difficult operating environment, and often view the Infosec team as an impediment rather than an enabler to the business. An ill-tempered CEO who thinks his CISO isn&#8217;t getting the job done does not bode well for our industry, as playing a game of musical chairs merely slows down security initiatives, thus defeating what were certainly good intentions. What makes this decision more difficult is that the CEO has little tangible insight as to whether organizational risk is trending up or down. Charts depicting a downtrend of critical findings from Nessus scans surely don&#8217;t tell a CEO much about how much risk has been mitigated. The fact is, based upon our observations, there are very few CISOs who even know <em>what</em> they are protecting outside of PCI-related assets.</p>
<p><strong>Getting beyond the PCI scorecard</strong><br />
Within the current operating landscape, it’s incumbent upon CISOs (or their equivalent in responsibility) to position compliance within the organization as a shared problem between all parts of the business, including IT Operations, Security Operations, Human Resources, Legal, and Executive Leadership. It should further be made clear exactly what each part of the business is responsible for implementing, and all should be held accountable. Finally, bringing effective communications supported by meaningful metrics to the subject is critical to communicating throughout the leadership chain that residual risk is being appropriately managed and mitigated.</p>
<p>As for your next PCI assessment, unless you&#8217;ve consulted with your QSA to discuss changes made within the standard, it is wise to set expectations with varying levels of leadership that there will likely be findings that weren’t issues within previous years and to anticipate resource requirements accordingly.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/general-security/pci-compliance-becomes-scorecard-for-csos/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Way Forward for Information Security</title>
		<link>http://alchemysecurity.com/general-security/the-way-forward-for-information-security/</link>
		<comments>http://alchemysecurity.com/general-security/the-way-forward-for-information-security/#comments</comments>
		<pubDate>Mon, 20 Jul 2009 16:55:12 +0000</pubDate>
		<dc:creator>Peter Schawacker</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[Security Operations]]></category>

		<guid isPermaLink="false">http://74.50.54.154/?p=422</guid>
		<description><![CDATA[<p>Every system has within it the limitation that it cannot exist unto itself.  The big problems of Information Security will remain intractable as long as industry participants continue to focus inward.  </p>
<p>For the past year or so, I have noticed that, at the same time that security technologies are reaching a certain degree of maturity, security projects remain [...]]]></description>
			<content:encoded><![CDATA[<p>Every system has within it the limitation that it cannot exist unto itself.  The big problems of Information Security will remain intractable as long as industry participants continue to focus inward.  </p>
<p>For the past year or so, I have noticed that, at the same time that security technologies are reaching a certain degree of maturity, security projects remain highly prone to failure.  Information Security seems to have struck a ceiling in its development.  The tools that we have at our disposal – authentication, monitoring, etc. – seem to be adequate when properly implemented.  But proper implementation does not happen enough of the time.</p>
<p>Some time ago, I started taking excursions into the world of Project Management.  Certain colleagues of mine had encouraged me to look into PMI’s PMP certification and so I did.  What I found astounded me.  No one that I have encountered in the Project Management world (I visit lots of meetings of PMI and Agile professionals) had a clue about Information Security.  My knee-jerk reaction was to deride the PMs for their naïveté.  But then I recalled conversations with InfoSec people about Project Management.  Their attitude was not merely one of ignorance, but of disdain for Project Management as a whole!  Let me qualify this statement by saying that there exist a few InfoSec experts who appreciate the value of Project Management, and even a few who actually know how to manage projects.  But generally, my conversations and research in both worlds, PM and InfoSec, reveal that these two communities are almost entirely unaware of each other.</p>
<p>The tools now exist; the craftsmen are capable and ready to build great security.  But the plans elude them.  Worse yet, the craftsmen usually insist that planning is to be avoided.  If we, as a profession, are to advance our effectiveness throughout the industry, we must extend our understanding into fields of knowledge that will allow us to create those plans.</p>
<p>In the days and weeks ahead, I will present one way forward for Information Security, from dependence upon tools and individual experts, toward managing teams that achieve results that exceed what has been left to individuals.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/general-security/the-way-forward-for-information-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Confidential Information Compromised Via Weak Password</title>
		<link>http://alchemysecurity.com/general-security/twitter-confidential-information-compromised-via-weak-password/</link>
		<comments>http://alchemysecurity.com/general-security/twitter-confidential-information-compromised-via-weak-password/#comments</comments>
		<pubDate>Fri, 17 Jul 2009 05:15:24 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[Headdesk]]></category>

		<guid isPermaLink="false">http://74.50.54.154/?p=398</guid>
		<description><![CDATA[<p>As <a href="http://bits.blogs.nytimes.com/2009/07/15/hacker-exposes-private-twitter-documents/">noted</a>, poor password management trumps strong security technology every time. Any bets on how long before Google <em>requires</em> strong passwords? Both are victims, both share blame. A side note about this hack is that it highlights the trust relationships (and residual risk) that business partnerships impart upon each other.</p>
]]></description>
			<content:encoded><![CDATA[<p>As <a href="http://bits.blogs.nytimes.com/2009/07/15/hacker-exposes-private-twitter-documents/">noted</a>, poor password management trumps strong security technology every time. Any bets on how long before Google <em>requires</em> strong passwords? Both are victims, both share blame. A side note about this hack is that it highlights the trust relationships (and residual risk) that business partnerships impart upon each other.</p>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/general-security/twitter-confidential-information-compromised-via-weak-password/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Preparing for your PCI-DSS v1.2 assessment</title>
		<link>http://alchemysecurity.com/pci/preparing-for-your-pci-dss-v1-2-assessment/</link>
		<comments>http://alchemysecurity.com/pci/preparing-for-your-pci-dss-v1-2-assessment/#comments</comments>
		<pubDate>Thu, 16 Jul 2009 20:19:20 +0000</pubDate>
		<dc:creator>Joe Bonnell</dc:creator>
				<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://74.50.54.154/?p=369</guid>
		<description><![CDATA[<p>A number of <a href="/pci/pci-compliance-becomes-scorecard-for-csos/">dynamics are at work </a> that have made attaining PCI compliance a more difficult proposition over previous years. The guidance assessors are receiving from the PCI Council is that evidence must be provided that demonstrates your Infosec program is in place and functioning as designed. Expect to respond to requests for multiple change records that cover [...]]]></description>
			<content:encoded><![CDATA[<p>A number of <a href="/pci/pci-compliance-becomes-scorecard-for-csos/">dynamics are at work</a> that have made attaining PCI compliance a more difficult proposition than in previous years. The guidance assessors are receiving from the PCI Council is that evidence <em>must</em> be provided that demonstrates your Infosec program is in place and functioning as designed. Expect to respond to requests for multiple change records that cover the gamut of firewall rule changes, architecture changes, code changes, etc. Further, anticipate providing evidence of daily log analysis and how alerts are managed, how in-scope web applications are being properly reviewed, proof that an annual risk assessment was performed (and to answer the question: no, the PCI assessment doesn&#8217;t count!), quarterly scans that demonstrate clean scan results, servers that match configuration standards, and an ability to prove that if a file containing cardholder data is being monitored by FIM for unauthorized copying, alerts are generated and actioned accordingly. In short, this is the year that many multi-year certified organizations will need to prove, in ways that they may not have in previous years, that the people, processes, and associated technologies match policy. This is no small feat, particularly for those companies who were unfortunate enough to have had weak previous assessors who either let things slide or simply missed major areas of cardholder data flow (we&#8217;ve observed both on multiple occasions).</p>
<p><strong>I&#8217;m held accountable for maintaining PCI compliance, what should I do?</strong></p>
<ul>
<li>The first thing we recommend to all who own compliance is to be prepared. For those that have not had a gap analysis against the latest version of the standard, expect findings and ensure enough time &#038; budget is set aside to deal with them.</li>
<li>The second recommendation we consistently make is to ensure that your program is fully operationalized and well documented. Nothing sets an assessor&#8217;s mind at ease better than well-organized documentation and associated observations that demonstrate the rubber is clearly meeting the road.</li>
<li>The third item we suggest is to put yourself in the assessor&#8217;s shoes. They have very little time relative to the job at hand, are feeling the pressure of doing an adequate job, and are being subjected to <a href="http://www.computerweekly.com/Articles/2009/05/26/236176/us-bank-sues-it-supplier-savvis.htm">lawsuits</a> when companies they assess are later breached. If you could switch sides at the table, how would you respond to what you are hearing?</li>
<li>Finally, we recommend that a new approach to PCI compliance be adopted. Compliance failures are rarely attributed to technology limitations, but rather to a breakdown in the resources and/or associated methodologies required to truly operationalize requirements. It was this realization that prompted Alchemy Security to embrace project management methodologies such as Scrum. Scrum was originally designed to support agile software development, and what we realized is that there is little difference between Agile Development and Agile Security. Borrowing concepts and metaphors from lean manufacturing frameworks, Scrum supports &#8220;just enough&#8221; project management to ensure a nimble process is in place for ongoing compliance. Based upon our observations in the field, the Infosec community could greatly benefit from adopting more of these ideas to make compliance processes manageable, and the goal of remaining compliant between yearly audits attainable.
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://alchemysecurity.com/pci/preparing-for-your-pci-dss-v1-2-assessment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
