Information Security Leader, Author, Instructor and Speaker

Best Practices for Securing the Federal Cloud

Agencies continue to turn to cloud computing solutions, benefiting from increased flexibility, reliability and lower overall costs.

Security is still top of mind for federal technology leaders as they leverage the cloud to transform government computing environments. As agencies choose cloud partners, they must understand the shared responsibility model of cloud computing and how they can best protect government data through strong encryption.

Read the full story: Best Practices for Securing the Federal Cloud

Published July 24, 2015 in FedTech Magazine

Digital Detectives: Following the Computer Forensics Trail

From hipsters in lab coats to gun-toting crime solvers, television programming is full of depictions of computer forensics as a fast-moving, action-packed career where analysts routinely interface with law enforcement and often confront perpetrators with evidence of their crimes in dramatic courtroom showdowns. Is that really the case?

As with any television dramatization, this depiction of digital forensics certainly glamorizes the field, but there are grains of truth behind the flashy Hollywood embellishments. Computer forensic technicians do often uncover critical evidence that solves crimes and they do testify in court about their findings. However, the reality is that forensic analysis is painstaking work that requires great attention and tremendous expertise. Successful forensic analysts have many lucrative career opportunities in both the public and private sectors.

Read the full article: Digital Detectives: Following the Computer Forensics Trail

Published July 21, 2015 in Certification Magazine

Get Ready for PCI DSS 3.1!

Get ready, everyone – the next version of PCI DSS is on the books! If it seems like you’re hearing that news fairly often, you’re not alone. In April, the Payment Card Industry Security Standards Council (PCI SSC) officially released version 3.1 of PCI DSS with an immediate effective date. This is actually a few months before the final phase-in date for the PCI DSS 3.0 requirements occurs on June 30, 2015.

The most significant change found in PCI DSS 3.1 is the removal of SSL and early versions of TLS (version 1.0 and some implementations of version 1.1) from the list of approved encryption standards. This is a direct response to last October’s discovery of the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability in SSL. Following industry best practices, PCI SSC is now dramatically curtailing the use of outdated encryption technology with an eye toward a complete ban in the future. The other changes in the new version of the standard are minor updates that clarify language and testing procedures for existing requirements.

Read the full article: Get Ready for PCI DSS 3.1!

Published July 2015 on SearchSecurity.com

New Wave of State Compliance Mandates

Are we on the verge of a new wave of cybersecurity regulation? For many years, organizations involved in healthcare, financial services and other industries that deal with sensitive information built compliance programs around federal laws governing their activities. Recent cybersecurity regulatory moves by New York State may foreshadow a new trend toward state cybersecurity regulations that have many IT compliance experts worried.

IT compliance experts are already quite familiar with the alphabet soup of federal regulations. HIPAA, SOX, GLBA, FERPA, HITECH and other acronyms already produce countless hours of assessments and documentation. Even the vaunted PCI DSS has national status, although it is not a federal law. Until now, the states haven’t done much outside the limited scope of data breach notification laws.

Read the full article: New Wave of State Compliance Mandates

Published July 2015 on SearchSecurity.com

Big Data is both burden and blessing to IT security personnel

Big Data is one of the “biggest” buzzwords to hit both businesses and IT shops over the past decade. Analysts and researchers predict that Big Data analytics will contribute toward solving significant challenges, ranging from curing disease to assessing market trends. At the same time, Big Data will pose challenges and opportunities for information security professionals. Security personnel who embrace this trend early will find themselves well positioned to manage Big Data as a strategic asset for both the business and its IT personnel.

Information security teams should plan to address two significant questions related to Big Data operations. First, what security implications does the use of Big Data by the business raise? In many cases, IT security professionals will bear primary responsibility for securing the data sources and analysis tools used by Big Data operations.

Read the full story: Big Data is both burden and blessing to IT security personnel

Published June 19, 2015 in Certification Magazine

Adobe Common Controls Framework: Does it stand up to established compliance frameworks?

One of the toughest compliance challenges facing organizations is how to build a compliance program that efficiently handles all the controls of multiple compliance mandates without overlap. Adobe recently released a white paper detailing its Common Controls Framework (CCF) and how it helps meet important standards. While vague, the white paper emphasizes multi-standard compliance from the perspective of a company that makes a software product that also must comply with standards.

Read the full story: Adobe Common Controls Framework: Does it stand up to established compliance frameworks?

Published June 2015 on SearchSecurity.com

Shared Security Responsibility in the Public Cloud

Organizations of many different sizes and across many different industries are moving technology services to the cloud at a rapid pace. The flexibility, cost efficiency and agility of cloud solutions are extremely appealing to organizations, particularly those that wish to avoid the large capital investments associated with traditional IT infrastructure. Organizations making these moves must fully understand the security risks associated with cloud computing and embrace the shared responsibility model, which splits security responsibility between cloud service providers and the organization itself.

Read the full story: Shared Security Responsibility in the Public Cloud

Published June 1, 2015 in Certification Magazine

Healthcare and Internet of Things Security

There are now more things connected to the Internet than people on the planet, and the number is growing rapidly: within five years, according to Strategy Analytics, there will be four devices for every person. The Internet that once consisted of only computers, smartphones and tablets now includes connected blood pressure monitors, smoke detectors and washing machines. Experts predict this trend will only continue, doubling the number of devices over the next five years. That’s a tremendous number of devices, generating a tremendous amount of data.

Where will all this data go? How will individuals and service providers protect the confidentiality, integrity and availability of sensitive information generated by the Internet of Things (IoT)? What about when that data includes personal health information? The staff of the Federal Trade Commission (FTC) tackled these questions in a workshop and released its findings in a report entitled Internet of Things: Privacy and Security in a Connected World.

Read the full story: Healthcare and Internet of Things Security

Published May 28, 2015 on SearchSecurity.com

Ransomware: Your Data Held Hostage

“Your personal files are encrypted!” glares the headline on a red pop-up window. The text that follows warns the user that all of the photos, videos and documents stored on the computer have been encrypted with a secret encryption key. Unless they pay a $500 ransom, the virus will destroy those files permanently.

Words like these must have struck fear into the hearts of IT administrators at the Midlothian, IL police department when they appeared on a police computer in January 2015. Lacking any solid technical alternative, the department paid a $500 ransom to unknown attackers to restore access to critical files.

Read the full story: Ransomware: Your Data Held Hostage

Published May 14, 2015 in Certification Magazine

Optional No More: Five PCI DSS Requirements Become Mandatory June 30th

If you reviewed the impact of the PCI DSS 3.0 changes on your organization two years ago, you might recall a set of requirements marked “Requirement X is a best practice until June 30, 2015, after which it becomes a requirement.” If your response was “Oh, good, we can handle that later!”, you may be realizing that “later” is about to arrive!

When the PCI SSC released the final PCI DSS 3.0 standard in November 2013, they realized that five particular requirement modifications would have an outsized impact on organizations. They provided merchants and service providers with a 20-month grace period to slowly adapt to those changes. Let’s take a look at the five optional requirements that are about to become mandatory and their impact on your organization.

Read More: Optional No More: Five PCI DSS Requirements Become Mandatory June 30th

Published April 30, 2015 on SearchSecurity.com

Mike Chapple, CISSP, Ph.D.

Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.

@mchapple