Sister CISA CISSP: Security Devices

May 21, 2009  6:19 PM

A Free Tool for Testing Your Firewalls and Routers



Posted by: Arian Eigen Heald
firewalls, routers, Security Devices, Tools & Tricks of the Trade, Tools for Auditing and Security

I see a LOT of firewall configuration files and router configuration files. It's the bane of my auditor's existence to read through a PIX firewall config (up to 500 pages of a text file). After the 35th page of text, you could drive a truck through that firewall while I tried to wake up. Plus,...

April 15, 2009  7:01 PM

The Beginning of the End for PIN Codes



Posted by: Arian Eigen Heald
Automatic Theft Machines, Data Breaches, PCI DSS, Security Devices

Yesterday Wired released a story that reveals a startling detail about the TJMaxx data breach: hackers were able to cash in on stolen debit cards because they had a way to crack PINs. This "minor detail" was buried in an affidavit...


April 1, 2009  12:45 AM

Making it Easy For Hackers



Posted by: Arian Eigen Heald
Data Breaches, information security, Security Devices

How many rules do you have in your firewall? How many rules allow access directly into your network? How many rules allow ANY/ANY? The more rules you have in your firewall rulebase, the higher your risk of allowing attackers in. I'm not talking about opening access to your webserver in the...


December 28, 2008  3:14 PM

Securing the Security Devices



Posted by: Arian Eigen Heald
"How Do You Know?", Admins and Auditors, Compliance, Hardware & InfoSec, IT audit, Security Devices, TCM (Truly Clueless Management), Tools & Tricks of the Trade, Tools for Auditing and Security

OK, so you've bought the glow-in-the-dark, meets all the compliance requirements and looks really shiny "security solution" from a vendor (one or many). Or maybe your management has bought it and presented it to you as a fait accompli. (Hope I'm spelling that fancy French right!) And of course...


December 11, 2008  5:27 PM

More on ATMs – The Daily Store Owner Log



Posted by: Arian Eigen Heald
Automatic Theft Machines, DataManagement, Hardware & InfoSec, Identity theft, Security Devices, Stupid Technology

Did you know that a store that puts in an ATM for customer use also provides a daily log of transactions to the owner? The log includes the bank name, the last four digits of the account number, the customer name, and the transaction. So if I do an account balance request, that comes up in the log. ...


September 23, 2008  3:15 PM

Host vs. Network IDS



Posted by: Arian Eigen Heald
Admins and Auditors, IT audit, Microsoft Windows, Security, Security Devices, Tools & Tricks of the Trade

I've noticed a definite tendency for organizations to move to monitoring network traffic with their Intrusion Detection Systems. It's a lot easier than trying to update a host IDS service/agent, and it keeps the added CPU load on the monitoring host, where it belongs. Also, host agents are limited by what the...


August 25, 2008  6:33 PM

European Hotel Chain Has Their Customer Data For the Past Year Accessed



Posted by: Arian Eigen Heald
Data Breaches, Database, Database security, Identity theft, Security, Security Devices

Visited Europe in the last year and used a Best Western Hotel? Your credit card, expiration date, the company that employs you, your name, address and future bookings may be in the possession of a Russian Mafia website. An enterprising Scottish newspaper, the Sunday Herald, noticed on Thursday...


August 5, 2008  4:46 PM

ATMs – Automated Theft Machines



Posted by: Arian Eigen Heald
Automatic Theft Machines, Eigen's Rules of Thumb, Hardware & InfoSec, Identity theft, Security, Security Devices

It's absolutely fascinating (in a nerve-wracking sort of way) to read about how many different ways there are to use ATMs to capture (and steal) account numbers and PINs. From there, it takes very little time to create a fraudulent card and spend what you can before the bank catches up. It's a...


May 29, 2008  1:44 PM

Firewalls Part IV – Quis custodiet ipsos custodes?



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, IT audit, Security, Security Devices, Steps to an Easy Audit, Tools & Tricks of the Trade

Who guards the guardians? Good IT governance mandates oversight of all IT functions. The firewall tends to be neglected, because it appears to be such a back-office function that only engineers or admins actually see and work on. However, it is one of the most critical pieces of the IT...


May 26, 2008  12:05 PM

It’s Not Your Mother’s Firewall Anymore – Part III



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, IT audit, Security, Security Devices, Steps to an Easy Audit

When all is said and done, configuring a firewall comes down to creating a set of rules. Firewalls are bi-directional - they control traffic going out (outbound) to the Internet (or the DMZ) and they control traffic coming in (inbound) to the network or the DMZ. You are configuring for WHO,...
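The three firewall posts above (reading 500-page PIX configs, counting ANY/ANY rules, and knowing which direction each rule applies to) all come down to the same audit question: which permit rules are too broad, and on which interface and direction are they bound? The script below is an added example for this page, not the free tool the first post describes and not the author's code. It parses PIX/ASA-style `access-list` and `access-group` lines from a constructed sample config (the addresses, ACL names and interfaces are made up for illustration), maps each ACL to its interface and direction, and flags permits that are ANY/ANY or that allow all IP from anywhere into a specific host or network. Rules that open a specific port on a specific host, like the web-server case the April post sets aside, are deliberately not flagged.

```python
"""Audit PIX/ASA-style access lists for over-broad permit rules.

Added example for this page: not the tool the blog post describes and not
real customer configuration. Object/object-group references are carried
through as opaque names, not resolved.
"""
import re
from collections import Counter

# Constructed sample config (made-up ACL names, addresses and interfaces).
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-list outside_in extended permit ip any host 203.0.113.20
access-list outside_in extended permit ip any any
access-list outside_in extended deny ip any any
access-list inside_out extended permit tcp 10.0.0.0 255.0.0.0 any eq 80
access-list inside_out extended permit ip any any
access-list dmz_in remark management ssh only
access-list dmz_in extended permit tcp any 10.1.1.0 255.255.255.0 eq 22
access-group outside_in in interface outside
access-group inside_out in interface inside
access-group dmz_in in interface dmz
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # operator -> token count


def _take_addr(tokens):
    """Consume one address spec: any | host A | object X | object-group X | A MASK."""
    if not tokens:
        raise ValueError("missing address spec")
    if tokens[0] in ("any", "any4", "any6"):
        return "any", tokens[1:]
    if len(tokens) < 2:
        raise ValueError("truncated address spec")
    return " ".join(tokens[:2]), tokens[2:]  # the other forms all take two tokens


def _take_port(tokens):
    """Consume an optional port operator; 'any' when none is present."""
    if tokens and tokens[0] in PORT_OPS:
        n = PORT_OPS[tokens[0]]
        return " ".join(tokens[:n]), tokens[n:]
    return "any", tokens


def parse_config(text):
    """Return (rules, bindings): rules as dicts, bindings as {acl: (direction, interface)}."""
    rules, bindings, per_acl = [], {}, Counter()
    for raw in text.splitlines():
        line = raw.strip()
        g = GROUP_RE.match(line)
        if g:
            acl, direction, iface = g.groups()
            bindings[acl] = (direction, iface)
            continue
        m = ACL_RE.match(line)
        if not m:
            continue  # remarks, object definitions and unrelated config lines
        acl, action, proto, rest = m.groups()
        try:
            tokens = rest.split()
            src, tokens = _take_addr(tokens)
            _, tokens = _take_port(tokens)        # source port operator, if any
            dst, tokens = _take_addr(tokens)
            dst_port, _ = _take_port(tokens)
        except ValueError as exc:
            raise ValueError(f"cannot parse '{line}': {exc}") from None
        per_acl[acl] += 1
        rules.append({"acl": acl, "index": per_acl[acl], "action": action, "proto": proto,
                      "src": src, "dst": dst, "dst_port": dst_port, "text": line})
    return rules, bindings


def audit(rules, bindings):
    """Flag permits that are ANY/ANY, or that allow all IP from anywhere into one destination."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue
        direction, iface = bindings.get(r["acl"], ("unbound", "-"))
        base = {"acl": r["acl"], "index": r["index"], "direction": direction,
                "interface": iface, "text": r["text"]}
        if r["src"] == "any" and r["dst"] == "any":
            findings.append({**base, "severity": "ANY_ANY",
                             "reason": f"permits {r['proto']} from anywhere to anywhere (port {r['dst_port']})"})
        elif r["src"] == "any" and r["proto"] == "ip":
            findings.append({**base, "severity": "ANY_SRC_ALL_PORTS",
                             "reason": f"permits every protocol/port from anywhere into {r['dst']}"})
    return findings


def summarize(text):
    """Parse, audit, and report rule counts, unbound ACLs and over-broad permits."""
    rules, bindings = parse_config(text)
    unbound = sorted({r["acl"] for r in rules} - set(bindings))
    return {"rules": len(rules),
            "permits": sum(r["action"] == "permit" for r in rules),
            "unbound_acls": unbound,
            "findings": audit(rules, bindings)}


if __name__ == "__main__":
    report = summarize(SAMPLE_CONFIG)
    print(f"{report['rules']} rules, {report['permits']} permits, {len(report['findings'])} over-broad")
    for f in report["findings"]:
        print(f"  {f['severity']:<18} {f['acl']} #{f['index']} ({f['direction']} on "
              f"{f['interface']}): {f['reason']}")
```

Run it against a saved `show running-config` and the output is the short list an auditor actually wants: total rule count per the "how many rules" question, which ACLs are defined but never bound to an interface (dead rules that still get copied forward), and each ANY/ANY permit with the interface and direction it is enforced on. In the sample, the ANY/ANY on `inside_out` is an outbound rule, which is exactly the case the Part III post warns is forgotten when people think of a firewall as inbound-only.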