Roger Halbheer on Security
In my last post we looked into why Zero Trust is not this huge revolutionary vision but something reflecting today’s reality. Technology is ready to go –technology is ready for you to embark on a journey and start to align your security architecture and investments with this approach. The biggest change when implementing Zero Trust…
DetailsDuring these days with a lot of people in their Home Office, discussions around Zero Trust are more important than ever as this journey enables scenarios like we see today. There are different resources, which might be interesting for you to look at: Microsoft Zero Trust assets These are links to currently available assets. We…
DetailsZero Trust is definitely not new but around for something like 16 years if you look at it. This is, when the Jericho Forum was formally established and Network Access Control architectures started to get deployed (or at least designed). It definitely got some tailwind 10 years later with Google’s work on BeyondCorp (as a…
DetailsAs you might know, I am part of the Cybersecurity Advisory Board of the Swiss Academy of Engineering Sciences here in Switzerland. In this capacity I had the opportunity to publish an article at Inside IT: SATW insights: Zero Trust – Sicherheit in Zeiten von Homeoffice (in German).
Enjoy!
During the Global CISO Summit we ran this week, one theme was high on the list for a lot of CISOs: Zero Trust. Besides, what is out there, we just released different material how we think about it and how you can approach it: A landing page with a lot of great material: Zero Trust…
DetailsThe Dutch TV broadcaster VPRO made a great video (about 50 minutes) about zero-days and security leaks for sales.
It raises really good social questions about the role of governments and citizens. Really worth looking at.
Roger
Yes, it is true: There is somebody who publically put known PINs on the Internet. I bet yours is there too: http://www.positiveatheism.org/crt/pin.htm
Roger
In certain areas, getting security right can seem to be very easy. But, hmm, let’s look at this: Poorly anonymized logs reveal NYC cab drivers’ detailed whereabouts. They used MD5 to anonymize the license plate numbers of the taxi drivers – and they did not use any salt. So, it is fairly easy to run…
DetailsWell, I know DOS, I know DDOS, but I never knew PDOS until today: there seems to be a new way to attack systems using the firmware update mechanism and generating a Permanent Denial of Service (actually damaging the hardware)…. I was involved in a Ciritical Infrastrucutre Protection workshop about 2 years ago and one…
DetailsYou might have seen several reports that MS09-008 does not protect you from the vulnerabilities. We reviewed these claims and customers who have deployed MS09-008 are protected from the four vulnerabilities. If you want to have the details, you should consult our Security Research & Defense Blog, where we posted MS09-008: DNS and WINS Server…
DetailsYes, you are still on the right blog. Things change and one of these is my blog design (the rest I will communicate in due time).
Roger
I got some questions on my blog post that you should not by a Wii at the moment. The key question was about whether this is just a teaser. Well, look at the demos they did at E3. You find them here:
Roger
I am a fan of simple and easy to read policies. I do not think that policies consisting of several thousand documents to any good nor will they be followed.
In this context I found a noteworthy blog post: 5 Tips on Writing Security Policies
Roger
Before I start here: Let’s be clear that I will not say (and will never say) that if a customer was infected with Conficker he had a poorly managed network! I had a lot of discussions over the course of time about the reasons for customers being infected. We all know the attack vectors of…
DetailsI know I have been very, very quiet over the last two weeks. The reason was, that the worldwide Chief Security Advisor met at our HQ in Redmond for four days to discuss community related questions as well as the future of certain products.
DetailsUnfortunately, we do not see too many women in security – even though there are huge opportunities irrespective of the gender. Over the years, I had the pleasure to work with great women in this business. We will run an event on Thursday, April 28, 2016 at 6.30pm at the Accenture Office in Zurich with…
DetailsTo be clear upfront: After support for Windows XP will end, the world will still exist – at least I hope. However, over the course of the last few months I read numerous articles with speculations, what is going to happen, once we stop support of Windows XP. The key problem is, that we do…
DetailsFresh out of press (ok, it is out since beginning of April but I just saw it now): Brian Komar, the well-known author of several PKI books on Windows Server just released a new book called Windows Server 2008 PKI and Certificate Security. If you are planning a Windows Server 2008 PKI, this is a…
DetailsThat’s new: We have Windows Server 2008 Hyper-V Common Criteria EAL 4+ certified. The new thing is that we certified it in Germany by the BSI (Bundesamt für Sicherheit in der Informationstechnik). You can find the report here: https://www.bsi.bund.de/cae/servlet/contentblob/612768/publicationFile/35487/0570a_pdf.pdf
Roger
A result of a study by Kasperski lab is fairly promising – even though it shows the problem being raising up the stack: For the very first time in its history, the top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java), with seven of those 10 vulnerabilities being found…
Details
