Category Archives: News and Info

CISSPs… Lend me your ears…

Art of Information Security endorses Dan Houser for (ISC)² Board of Directors

The CISSP is undoubtedly one of the most, if not the most, important professional certifications in Information Security. Many organizations and practitioners rely on it as evidence of a solid foundation and track record in Information Security. But the CISSP is only one of the many ways that the (ISC)² attempts to fulfill its mission of developing the Information Security profession.

Board membership is a role of governance, guidance, and passion. Let’s briefly explore how Dan’s track record and past contributions demonstrate his qualification for this post, and possibly your vote.


Dan is someone who has a passion for promoting and developing the talent needed to continue to grow and mature our profession. Anyone who has seen Dan speak at conferences, local chapter meetings, or in one of his classes knows how passionate Dan is! But anyone who takes the time to approach him knows that he is no ideologue or zealot; Dan is always interested in improving his own understanding, and then sharing that knowledge with others.

Dan has a long track record as a contributor – as a “giver” – to the profession. In addition to teaching over a dozen CISSP review courses, he has also served on multiple (ISC)² committees, is one of the authors of the ISSAP Body of Knowledge (cryptography), and has published primary research on professional certifications. He is also the founder of the monthly Columbus, Ohio Information Security MBA (Masters of Beer Appreciation) meeting – a professional roundtable that attracts practitioners from across the state.

Governance and Guidance

In addition to past experience serving on (ISC)² committees, which I assume led to the current board’s nomination, Dan has served on numerous Boards of Directors, including local and regional community organizations, ISSA chapters, and several Toastmasters clubs.

Personal Experiences

I have known Dan for almost three years. Dan and I have collaborated on a number of projects, including a half-day Cryptographic Controls Seminar and a full-day Identity Management Architecture class. It is my feeling that when you collaborate, work closely, and travel with someone, you really get to know them. You get to do more than hear about their college sweetheart (which, for Dan, is Rebecca, his wife of 21 years); you also get to understand their ethics, how they really conduct themselves, how they deal with stress, etc.

Given the entire picture, the understanding that I have of Dan Houser, I can think of no one better suited to representing, guiding and developing the (ISC)². I have voted for Dan, and I hope that you will consider doing the same.

Here is the voting link for (ISC)²:

Cheers, Erik


Number One WordPress Security Step

So, what is the most important step you can take to keep your WordPress blog secure?

  • Keep the software up-to-date

This may sound almost patronizingly obvious, but hold on a second. Every day hackers use unpatched servers or services of one kind or another as the bread and butter of their trade (stealing data, creating Bot networks, selling hacked server access to phishers, etc.).

So, why are there so many unpatched (or under-patched) servers and services?
  • Lack of awareness that a patch or update is available or needed
  • Lack of urgency regarding maintenance
  • Attitude that you are immune to these types of problems, and don’t need to worry about them

The good news is that the WordPress community has resolved the first two problems.
(Folks with the last issue are the reason there will always be script kiddies…)

Here is the quick and dirty path to keeping your blog up-to-date:

(1) Subscribe to the WordPress Development Feed
If you log into your WordPress blog’s administrative interface, you will be notified if a new version is available. But if you are in a low-activity time with your blog, you still want to know when maintenance is needed. The best way is to subscribe to the WordPress Development Feed in your RSS feed reader. (You may also want to subscribe to the RSS feeds for the plug-ins you are using.)

(2) Install and Use the WordPress Automatic Update Plug-in
I have two blogs, and have used this plug-in for my last three software updates (including the move to 2.5 yesterday), and have been very happy with how well the plug-in works. Now, I do automated daily backups of my blog db and files. So, I would recommend that you perform your own backup before using the script so you know you can recover if the unthinkable happens. (Always make sure you are using the latest version of the plug-in before starting an update.)

(3) WordPress 2.5 Now Includes Built-In Plug-in Updates
I do not think that your site will yet email you when your plug-ins need to be updated (2.5.1 please?), but with 2.5 you can 1-click update your plug-ins, if they are registered with

Step four would also be to make sure that your operating system is up-to-date. Automating that is almost always possible, but is dependent on what operating system you are using. Google “X automated security update”, where X is your OS.
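As an added example (not from the original post), here is a small POSIX shell check that closes the awareness gap from step one for a blog that sees little admin-interface traffic: it reads the installed version from wp-includes/version.php (the file in which WordPress declares $wp_version) and compares it field by field against the latest release number you took from the development feed. The install root and the latest version are arguments, and the sample install at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: flag a WordPress install that is
# behind the release announced on the development feed. Assumes the standard
# layout in which wp-includes/version.php declares $wp_version.

# Print the version declared in wp-includes/version.php under the given root.
# Pre-release suffixes (e.g. -RC1) are dropped; only digits and dots are kept.
wp_installed_version() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || { echo "no version.php under $1" >&2; return 1; }
    sed -n 's/^.wp_version *= *.\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1
}

# True (exit 0) when version $1 is older than version $2. Fields are compared
# numerically so that 2.5 < 2.5.1 < 2.10, which a plain string compare gets wrong.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing field counts as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal
    }'
}

# Exit 0 (and say so) when the install under $1 is behind release $2;
# exit 1 when current, 2 when the version could not be read.
wp_needs_update() {
    cur=$(wp_installed_version "$1")
    [ -n "$cur" ] || return 2
    if version_lt "$cur" "$2"; then
        echo "WordPress $cur installed, $2 available: update needed"
        return 0
    fi
    echo "WordPress $cur is current"
    return 1
}

# Constructed sample install for a stand-alone run (not a real site).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-includes"
printf '<?php\n$wp_version = %s;\n' "'2.3.3'" > "$demo_root/wp-includes/version.php"
wp_needs_update "$demo_root" 2.5
rm -rf "$demo_root"
```

Run it from cron against your real document root and mail the output only when it exits 0, and you have a reminder that does not depend on logging into the dashboard.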

BTW, I found the jump to 2.5 very smooth and have encountered no problems – Thanks, WordPress!

Cheers, Erik

Blended Attacks and “The Tiger Team”

The following caught my eye during a review of the Cisco 2007 Annual Security Report, on page 16:

Blended Attacks Targeting Both Physical and IT Domains
In 2007, criminals demonstrated their evolving ingenuity by employing blended attacks to obtain sensitive information and evade detection. The most significant example of this trend was a string of attacks on Stop & Shop supermarkets in Rhode Island. Attackers broke into and vandalized supermarkets, leading police to believe the events were largely petty crimes. But during the break-ins, attackers tampered with the stores’ card readers to collect credit card information.

Of course, upon reading this there was a stream of attack ideas that occurred to me such as using a break-in as a cover for things like installing WIFI access to networks, card skimmers, key loggers, etc. Shortly after reading the Cisco report, I ran into a post on Black Bag (a physical security blog) about a TV show called Tiger Team. The TV show is about a team of penetration testers who (in addition to being very impressed with themselves) test complex physical security systems. I reviewed the first two episodes (which I have to confess I enjoyed), which are available via streaming video.

Interestingly, in the first two episodes (which is all I have watched so far…) the team always used a blended attack. There is a social engineering and digital attack as a prelude to the actual ‘theft’ in both episodes.

I think few people will face attackers of this sophistication, but the series is interesting nonetheless.

Cheers, Erik

What do you want to know about Cryptography in the Enterprise?

I am working on a presentation entitled “Lessons Learned Deploying and Managing Enterprise Cryptosystems“. I will be presenting this at Information Security World 2008. In the 45 minutes I have for the presentation, it is my goal to touch on several key lessons learned in my work with cryptographic controls over the past several years. Cryptosystems is a broad topic, and can include not only techniques (encryption, digital signatures, timestamps), but also key management and implementation issues. There is a lot of material that I have available to draw from, and I want to make sure that the presentation includes the most valuable and relevant points that it can. After giving a presentation, there is almost nothing more disappointing than reviewing the feedback forms only to find out what people really wanted to know. This is especially disappointing if it is material you could have easily included…

I would love to know what kinds of questions you have and would like to see addressed.

In addition to your question, please provide a little context, such as:

– What are the drivers for your use of cryptographic controls (data protection, compliance, etc.)?
– Will your deployment be externally audited?


Cross posted on Linked In.

Art of Information Security Episode 002: GTAGs and Safe Harbors

The Institute of Internal Auditors has been releasing a white paper series on issues related to IT Risk Management and Information Security. The papers are titled GTAGs, an acronym for Global Technology Audit Guidance. The project is very ambitious, trying to break down major technical topics, the IT risks associated with them, and the controls that are available in a concise format accessible to senior risk executives.

Of the nine that have been released to date, several caught my eye. Here are the ones I would like to highlight:

  • Auditing Application Controls
  • Change and Patch Management Controls
  • Identity and Access Management
  • Information Technology Outsourcing
  • Managing and Auditing Privacy Risks
  • Managing and Auditing IT Vulnerabilities

You can find the library of papers at The IIA’s GTAG portal. New materials are released regularly.

In Other News…

Earlier this month I participated in a Webinar titled “Getting More Encryption for Less”. At the end of the call there were a few interesting questions during the Q and A session, one of which I wanted to recap here…

Question: Will Federal Privacy Regulations include Cryptography Standards for “Safe Harbors”?

  • Discuss what a Safe Harbor is, using California Security Breach Information Act (SB-1386) as an example
  • Introduce NIST, FIPS, and FIPS 140-2

Cheers, Erik

Get Rich Quick at FakeChecks.Org – N O T

While I was checking the weather via the internet last night, I saw a banner ad for (click here), which turns out to be an anti-check fraud website sponsored by the National Consumers League. Check fraud has been around almost as long as checks themselves (I am sure it took a week or two for someone to try to steal cash using the newly invented check… 😉 ), but the anonymity and long distance communications capabilities provided by the Internet are reviving old scams and creating new ones.

A key component in a lot of fraud and scams is Social Engineering of one kind or another. Social Engineering is also a huge threat to Information Security controls of all kinds. The tool to combat it is user awareness. I applaud their efforts.

Cheers, Erik

Episode 2 and Beyond – A Few Teasers…

It has been one month since the release of Episode 1, and it has been downloaded over 215 times and FeedBurner is reporting over 80 subscribers to the feed (RSS and Podcast combined). This is much more attention than I expected Episode 1 to generate. Thanks!

But don’t think I am going to ‘rest on my laurels’…

The last month has been incredibly busy, and I have a ton of content that I want to work on but I keep getting pulled in different directions. Episode 2 is going to be an audio only podcast which I hope to have released over the weekend…

I have a number of topics that I am mulling over for Episodes 3 and beyond, which include:

– Basics of Information Security and Risk Management series

– Quick intro to some of the open source host protection tools I have been working with

– Discussion of my favorite open source security tool… (openSSL)

– and I am dying to start discussing some real world cryptography topics…

(Just to name a few…)

What I would really like to do is find out what topics you are interested in, so that Art of Information Security can have relevant and compelling content. To address this need I have created a feedback section on the site, located in the main menu bar (or click here). Also, your comments, posted either on Art of Information Security or via email, are always welcome.

BTW: Last week I participated in a webinar entitled Getting More Encryption for Less with Paul Stamp (Forrester Research), Jim Porell (Chief Architect IBM System z), and Paul Turner (VP, Product and Customer Solutions, Venafi). (Click here to listen to a replay.) Also, I will recap the Q & A portion of the webinar in Episode 2.

Best regards, Erik