I heard a question the other day that caught me off guard. “Why do you guys even sell IPS (Intrusion Prevention Systems), is there even value in that anymore? Shouldn’t you just recommend patching vulnerable systems?” 

Our nation’s state and local law enforcement agencies have looked to the FBI’s Criminal Justice Information Services (CJIS) Security Policy for many years to set the standard for security requirements in the industry. The CJIS Policy dictates the minimum level of security requirements while providing guidelines and agreements for organizations to protect the transmission, storage…

The recently publicized “Heartbleed” SSL/TLS bug has received a tremendous amount of media coverage and, deservedly, a significant amount of concern amongst the IT security community. Rather than rehash the same information that has been shared repeatedly, I would like to offer some philosophical commentary, concise guidance, and additional resources to the IT community as…

One of the great things about being on the security assessment team is the ability to work with companies to truly improve their overall security posture. Sure, it’s interesting to talk about zero-days and exotic exploits against systems they don’t have, but in most cases, it doesn’t hold particular relevance.

Healthcare IT (HIT) Security is garnering greater attention among healthcare organizations, though most HIT execs indicate they are not fully prepared. In fact, a recent report by the SANS Institute indicates that healthcare organizations are being compromised at an “alarming” frequency. Given the hefty average cost of an incident coming in at a whopping $800,000,…

The Problem Bring your own device (BYOD) means something different to everyone you talk to. Is it company issued mobile devices, is it the employee’s mobile devices, or is it employees bringing their personal laptops to work?