Tag Archives: featured

QSAs are friendly… As long as you pick the right one… (Part 2)

Selecting a QSA partner, continued from Part 1…

Selecting a QSA partner

Back to the joys of selecting a QSA partner! I know that when I contact them they are all going to want a lot of details about my business, including technical configurations. This is because a PCI audit, like many other audit frameworks, needs to verify the policy and configuration details of just about every component of your business and networks in order to properly scope the amount of work for your environment. That ranges from the hardening process for standard server images to firewalls, antivirus, change management, software development, physical access, visitors, vendors, policies, etc.


NIST 800-171 requirements for contractors

Meeting NIST Requirements while using SaaS Software.

As of December 31, 2017, organizations that process, store, or transmit Controlled Unclassified Information (CUI) need to comply with NIST Special Publication 800-171. The question organizations need to consider is what that means for their SaaS applications. How do you do it in the “bring your own cloud” (BYOC) world we live in? I am going to walk you through the critical things you need to think about for SaaS applications as you work through this.


QSAs are friendly… As long as you pick the right one… (Part 1)

It’s that time again. Yes, time to find this year’s auditor. You’d think that after 10 years of contacting, meeting with, planning, and doing in-depth Level 1 audits for multiple customers per year at ZZ Servers, a managed private cloud provider for PCI & HIPAA businesses, finding a Qualified Security Assessor (QSA) to work with would be easy. Maybe it would be especially easy because, before ZZ, I was a PCI QSA doing the Level 1 audits, code reviews, and penetration tests myself!


Assessing Big Picture Risk Through the Lens of the Equifax Breach

Authored by: Joshua Marpet – COO, Red Lion & Janice Paulson – Data Scientist, Red Lion

Disclaimer

Red Lion has no intimate knowledge of why or how the Equifax breach occurred. Red Lion was not involved in the security planning, implementation, or strategy for Equifax, nor have we been consulted for the incident response, crisis communications, or any aspect of Equifax’s security, compliance, security testing, etc.

Your Personal Data and Privacy

Equifax holds information about the bulk of all Americans who participate in common banking and credit transactions. They gather this information from your credit applications, such as mortgage paperwork, car loans, and credit cards. They buy information about your address, family members, and other personal details from various sources, and re-sell it, along with their assessment of your creditworthiness, to banks and other lending institutions.

You consent to this every time you participate in the banking or credit lending system.


How Technologists and the Business don’t communicate.

Initially released February 6, 2017 for MISTI – Business for Technologists – Technologists are the bedrock of IT and IT security. They innovate, create, build, implement, maintain, and decommission the most amazing software and hardware systems ever compiled. Even something as simple as a file server, which is only supposed to store and back up files, has to deal with firewall rules, authentication, authorization, traffic across VPNs, backup and restore, and a monstrous number of other factors.

Why do technologists not understand business?

Why do technologists struggle to become entrepreneurs? And when they’re embedded in a corporation, why do they have issues getting budget allocated to handle the problems that they, the techie, can clearly see will cause massive issues in the future? Why does senior leadership not understand the problem from the techie’s perspective?

Because business is not tech. Corporations these days look at technology as a cost center unless the business is either a bank or an information security company. Sure they may spend money on the new shiny “next-gen” equipment, but does it really enhance operations? The answer is emphatically “No.”

Tech is not business unless you are in the business of tech

The structural elements of technology are the pieces that support revenue generation, but they don’t actually generate any revenue on their own. It is the people and other intellectual resources within an organization that make the business run (and generate revenue), with direction from senior leadership.

Yet we see the technologists as the “Entrepreneur-Revolutionaries.” Elon Musk, Mark Zuckerberg, Bill Gates. All techies, all disruptive innovators, all amazing! There’s a catch.

Very few serious technologists are business people

Notice the three entrepreneurs mentioned above? Why do you think there are so few of those types of names that are also household names? Because there aren’t many of them. Like God, Cher, and Superman, there aren’t many immediately recognizable super-beings, super-music, or super-heroes.

“But I have a great idea!!! It solves a big problem I have! I should make a billion dollars!” say more entrepreneurs than we can count. “Who else has that problem? Are there enough of them with enough spend that we can make a billion dollars?” asked every angel investor and VC firm ever.

Technologists spend time thinking about problems and solutions. It’s massively important! But business people, unlike technologists, think about their product or service in terms of who will buy it, who will support it, who will maintain it, and how much it will cost to acquire a customer. There are other considerations too: How to market it, how to brand it, how to protect the intellectual property, and how to raise enough money to get the cash flow working in the corporate favor rather than burning right through all the funds.

Selling a product is just as hard as developing the product

Most technologists don’t realize that there are sales leads that need to be generated, contacts that need to be cultivated, and supporting business purchases that need to be made (insurance, legal services, copiers, accounting software, anyone?). All of this under the mountain of paperwork that needs to be completed to ensure that one party does not take unfair advantage of the other during the process. If that’s not enough to think about, all of this must meet the goals of the business and be tied to the direction of senior leadership.

Business needs to learn how to interface with technologists

Business people can work with technologists to learn how to think about solving technology problems, and how to understand the terminology and thought processes of a technology buyer. To sell the solution properly, discuss it intelligibly, and sustain growth, business people must learn these skills.

The end game

Technologists generally have massive issues seeing the bigger picture, just as business people have massive issues understanding the complexities of the technology solutions built. These different ways of thinking are not failures on anyone’s part; in fact, they are learning experiences waiting to happen. Technologists can work with business people to learn how to implement, sell, market and brand a given solution, and then learn how to grow a business based on that solution. Next, they can architect solutions to make it easier for business.

Ultimately, communication is the answer.


About the Authors: Joshua Marpet and Scott Lyons can be found presenting at InfoSec World, and other MISTI conferences, as well as Security BSides Delaware, Derbycon, Defcon, Shmoocon, etc. Ask them business, entrepreneurial, and technology questions. But be ready to get a long answer. Have a drink with you. You’ll need it.


Business Development – The best non-four letter dirty word in infosec.

Business Development is not a dirty word.

Everyone today wants to start their own business. I mean Dave Kennedy did it, how hard could it be? (Love you, Dave!) So you gather your team.  You can do the pen-testing and Jimmy over there can handle Incident Response, right? So what’s the big deal? Why aren’t customers knocking down my door? Don’t they know how awesome we are?  Business Development.

No, it’s not a dirty word. BUSINESS DEVELOPMENT is how you make money. It’s how you put food on the table and a roof over your head. You can do the work. Cool! Where’s the work coming from? You know, those things called customers?

Let’s address the mysteries of business development. We will take you from the initial meeting in the boardroom, through identification of stakeholders, getting the Statement of Work hammered out and signed, finding the ideal employee, and getting the job done all while effortlessly making the money.

We will also cover what happens when you screw up each and every single step of the process, as well. (Trust us, you will! We did!) 🙂

We’ll discuss the differences between a product based business and a service based business, explain the process, the funnel, the problems, the success stories. And it’s all real.

Bottom line: Starting a business is easy! Keeping the doors open? Not so much. “If it were easy, everyone would do it!” – Albert Einstein, or maybe Abraham Lincoln

Watch a pre-Red Lion Scott Lyons (CEO) and Josh Marpet (COO) present another one of their Business for Technologists talks at Derbycon 6.0 in Louisville, KY below.

https://www.youtube.com/watch?v=Mo4L6-vI8bE


NEMA – Electro Industry


Read the full magazine below. Our article starts on page 11:

http://blog.redlion.io/wp-content/uploads/2017/04/EI_Jan17.pdf


AIDE – Appalachian Institute Of Digital Evidence

Posted from: AIDE Website

The legal, IT, business, military, and intelligence communities struggle to keep pace with this flood of technology and to adequately understand the nuances of digital evidence. To serve the public good, practitioners in a variety of disciplines must cooperate and keep current when it comes to technology and the law.

The Appalachian Institute of Digital Evidence is a regional not-for-profit organization dedicated to serving the legal, technical, public sector, and business professionals for whom digital evidence is part and parcel of their work. The AIDE exists to help network administrators, digital forensics practitioners, law enforcement, and legal professionals survive – and even thrive – in the ever-changing landscape where technology and the law meet. Fostering collaboration among practitioners, students, and academics, AIDE aims to improve access to information, develop solutions to practical problems, and narrow the gap between the accessing and use of digital evidence and traditional physical evidence in the law.

Lawyers, judges, digital forensic examiners, network security professionals, and law enforcement personnel are all stakeholders when it comes to digital evidence. AIDE, comprised of three sub-groups (Digital Forensics, Information Security, and Electronic Discovery) is here to serve them.

If digital evidence is a critical part of your profession or field of study, we invite you to join us. AIDE is in its infancy. Help us build a progressive, active, professional organization.

More information about AIDE working groups:

Digital Forensics | Information Security | Electronic Discovery

Josh Brunty, from Marshall University, talks about network forensics at AIDE 
