• Home
• About
• Contact
• Applied Trust

The Barking Seal

• Enlightening the Confused Deputy

  09Mar
  Author: zack Categories: Infrastructure, Security Comments: 0

  
  One of the most interesting (in other words, “dangerous”) vulnerabilities that almost every existing web application falls victim to is cross-site request forgery (CSRF – “sea-surf”). CSRF is a type of malicious attack vector whereby unauthorized commands are transmitted from a user that the website trusts. It is an example of the confused deputy problem. This is different than the widely-known cross-site scripting (XSS) in that CSRF exploits the trust that a site has in the user’s browser, and XSS exploits the trust a user has for a particular web site.

  Read more »

  Tags: cross-site request forgery, cross-site scripting, csrf, Security, XSS

• Why do we do Social Engineering exercises, anyway? They seem so far-fetched sometimes.

  04Mar
  Author: terry Categories: Security Comments: 0

  Frequently during the course of a security assessment, we get asked about social engineering. People want to know if it is really worth the time it takes, and what is the point, anyway? Well, the bottom line is that the access an intruder can achieve either by physically walking into an office or data center, or by convincing an employee to click on a link or divulge information over the phone, can be one of the quickest ways to a data breach. In fact, according to the FBI data security survey in 2009, non-malicious insiders (folks that just make mistakes such as the ones listed below) are a much bigger problem than malicious insiders. In fact, 16% of respondents reported that nearly all of their losses were due to these well-meaning insiders.

  Read more »

  Tags: applied trust, security assessment, social engineering

• PCI-DSS Compensating Controls

  25Feb
  Author: randy Categories: Security Comments: 0

  Applied Trust recently achieved Payment Card Industry (PCI) Qualified Security Assesssor (QSA) status. Most companies that pursue this credential do so solely for the purpose of being able to perform QSA-certified audits as defined by the PCI standards council. The PCI standard requires that an organization is 100% compliant across all requirements. For requirements that cannot be exactly met, PCI allows the use of compensating controls. For a variety of reasons, we think that this area is an important aspect of our PCI compliance practice.

  When real-world conditions present challenges to compliance with the PCI standard as written, we work with our clients to identify, document, and evaluate appropriate alternatives. These compensating controls are not a get out of jail free card – there are specific rules as to when and how they may be applied. Specifically:

  Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.

  Compensating controls must satisfy the following criteria:

  Read more »

  Tags: compliance, Security

• Pursuit of Happiness

  16Feb
  Author: zack Categories: IT Management, Ramblings Comments: 0

  

  In a recent study conducted by The Gallup-Healthways Well-Being Index, Boulder received top honors as the overall happiest, healthiest, and most optimistic city in the United States. The study surveyed more than 350,000 Americans across the country and assessed their lives based on a variety of pre-defined categories. While Boulder did not sweep every category looked at by the researchers, it did get the highest rank in the “Work Experience” arena. At Applied Trust we have always known this was true, but it is nice to get some nationwide visibility for it.

  We care about having a good work and life balance for everyone that works here. That’s why the ATE Employee Canon is so important to us. Having this realization and making conscious, proactive maneuvers to maintain it is a key component to fostering a positive “work experience” like the one discussed in the survey. The section measured job satisfaction, ability to use one’s strengths at work, trust and openness in the workplace, and whether one’s supervisor treats him or her more like a boss or partner. These metrics align very closely to how we view work and how we want to spend our time there.

  Read more »

  Tags: applied trust, boulder, Recruiting

• PCI DSS-driven assessment

  15Feb
  Author: ned Categories: IT Management, Security Comments: 0

  

  The PCI DSS (Payment Card Industry Data Security Standard) sets a number of expectations for IT assessment.  Activities, from scanning for rogue wireless access points to reviewing vendor contracts, are scattered throughout the PCI Data Security Standard document.

  Below is an attempt to assemble those requirements into a single schedule.  Where the standard didn’t specify a frequency, I used reasonable “best practices” values.  I hope this is a useful starting place for organizations working toward compliance, but it is definitely not a holistic IT security plan!  There are lots of other security activities that should be taking place at every organization – this is just a summary of those discussed in the PCI DSS.

  See anything that I missed?  Did I get something wrong?  Let me know in the comments and we’ll work toward an accurate sample schedule together!!

  Read more »

  Tags: assessment, compliance, PCI DSS, regulations, Security

• HITECH business associate deadlines looming

  10Feb
  Author: ben Categories: IT Management, Security Comments: 0

  

  We wrote about the HITECH act and its impact on business associates a little less than a year ago. By February 18, business associates are required to:

  • Comply with the HIPAA security and privacy rules
  • Provide medical information breach notifications
  • Work with the Department of Health and Human Services to perform compliance audits as requested
  • Train employees on HIPAA and its requirements for business associates

  BAs, I hope you’re taking note. Violations can incur fines for as much as $1.5 million per year and, in the most serious circumstances, may include prison time. According to HITECH, DHHS audits are also mandatory beginning 2/18/2010. (See sections 13410 and 13411).

  Most of the associates that I’m familiar with haven’t made many changes in the past year to improve HIPAA compliance. So what should any self-respecting business associate, now subject to these somewhat draconian and certainly expensive rules, do to avert heavy fines and lost productivity? Avoid becoming a business associate at all costs.

  First, re-evaluate whether the business truly qualifies as an associate, for one. In the past, BAAs had very few directly applicable requirements, and those that were in place were rarely or never audited and enforced. Businesses should no longer haphazardly sign BAAs when they aren’t strictly necessary.

  If the business has determined that they are indeed an associate, what can be changed to eliminate that status? If there isn’t a dire business need for access to medical records, but they’re being collected incidentally, eliminate that dependency and escape the compliance game. Of course, most health care organizations don’t freely distribute health records, and most organizations don’t want them unless they need them.

  If the business is resigned to being an associate subject to HIPAA courtesy of HITECH, it’s time to get to work. Start at www.hipaasurvivalguide.com, an excellent resource for learning the regulation and applying its teachings.

  And never forget the old proverb (that I’m making up right now): more regulation always improves security. Emphasis added.

  
  Tags: Compliance series, HIPAA, regulations, Security

• Five things network and system administrators can learn from Agile

  15Jan
  Author: ned Categories: IT Management, Infrastructure Comments: 1

  IT infrastructure work is certainly not the same as software development, but the Agile methodologies offer some good advice to us system and network administrators. In general, Agile has grown from a Manifesto about software development to a full-blown project management methodology. Powerful tools are available to help manage projects according to its tenants. Although Agile is based on lessons learned implementing complex software projects, its principles apply equally well to IT infrastructure projects and operations. Agile’s concept of “self-organizing teams” is particularly appealing to me, since Applied Trust is managed as a “company of peers”.

  I’ve picked five of the Principles behind the Agile Manifesto that are particularly applicable to our field – read on to see how they look from an IT infrastructure perspective:

  1) Our highest priority is to satisfy the customer through early and continuous delivery of valuable infrastructure.
  2) Welcome changing requirements, even late in deployment. Agile processes harness change for the customer’s competitive advantage.
  3) Business people and developers must work together daily throughout the project.
  4) Simplicity–the art of maximizing the amount of work not done–is essential.
  5) Continuous attention to technical excellence and good design enhances agility.

  Read more »

  Tags: agile, Infrastructure, ITIL

• Exploring your NIC for fun and profit

  12Jan
  Author: ben Categories: Infrastructure Comments: 0

  

  I know, you love your network card. You installed Linux, the NIC was autodetected at first boot, and everything “Just Worked.” Your server has been happily providing services over the network ever since.

  But what do you really know about your network card? Is it the culprit of slower performance for your CPU-intensive application? Could you benefit from any of its advanced capabilities? Today’s network interface cards offer a number of hidden gems to the savvy administrator. In this article we’ll learn some of the most important tricks to understanding your NIC in Linux. Read more »

  Tags: linux, networking

• New Year’s Resolutions for IT (and free T-Shirt offer!)

  01Jan
  Author: trent Categories: IT Management, Ramblings Comments: 0

  Ok, I admit it – I’m generally not a fan of New Year’s Resolutions.  I believe that folks should always be looking for ways to make positive changes, and shouldn’t need a specific day/event as a trigger.  That said, it does make a nice marker date for an annual evaluation of the state of things.

  Last year, I posted an end-of-year IT checklist, which I again encourage all IT folks to take a quick look at — this is a great time to evaluate and update a number of key IT areas.  At the very least, don’t forget to update your copyright dates!

  I’m hoping 2010 can be a year of positive change for IT.  In that light, as a community let’s make a few resolutions:

  Read more »

  Tags: preventative maintenance

• Wake up AT&T: Prayer is not an effective capacity planning and service assurance method

  20Dec
  Author: trent Categories: Ramblings Comments: 1

  I’ve watched with amusement these past few weeks as the marketing folks at Verizon finally figured out what I’ve personally known for the last year, and captured it in their “coverage maps” campaign.  In summary, Verizon coverage is awesome while AT&T coverage completely sucks. Way-to-go Verizon marketing geniuses!

  I know this, because in September 2008 Applied Trust moved all of its staff onto the iPhone platform as our corporate mobile communications device.  I am the first to admit that my iPhone plays music really well… Apple-quality well.  And I do like that.  And I guess having an iPhone somehow makes me “more cool.”  But as a functional cellphone for business communications, it’s a nightmare. Oh, and sometimes SMS messages arrive a day or two late, missing the typical SMS 60-second SLA by 2+ orders of magnitude.

  Read more »

  Tags: performance capacity