I heard a question the other day that caught me off guard. “Why do you guys even sell IPS (Intrusion Prevention Systems), is there even value in that anymore? Shouldn’t you just recommend patching vulnerable systems?” 

Our nation’s state and local law enforcement agencies have looked to the FBI’s Criminal Justice Information Services (CJIS) Security Policy for many years to set the standard for security requirements in the industry. The CJIS Policy dictates the minimum level of security requirements while providing guidelines and agreements for organizations to protect the transmission, storage…

The big security news last week was Shellshock, a vulnerability that affects the Bash shell on *nix operating systems (including Macs). So good news, Windows admins, you get to sit this one out. For the rest of the world, the impact of Shellshock is still unclear and perhaps that’s what is making it most unsettling….

We are in the middle of security conference season. Therefore, it’s not entirely unexpected to see headlines from Black Hat and other conferences discussing “grave” security threats, and what they mean to our ability to protect our organizations and ourselves.

Good risk assessments tend to include at least three distinct assessment components of varying complexity, followed by a good reporting system with internal and external checks and balances. While specifically designed for the Health Insurance Portability and Accountability Act (HIPAA), this general methodology could be used for any assessment project with a compliance component. For…

The recently publicized “Heartbleed” SSL/TLS bug has received a tremendous amount of media coverage and, deservedly, a significant amount of concern amongst the IT security community. Rather than rehash the same information that has been shared repeatedly, I would like to offer some philosophical commentary, concise guidance, and additional resources to the IT community as…