Quick Review – ASIS Mobile Show App

Posted in Technology Evaluation, Physical Security Infrastructure on September 24th, 2017 by Rodney

Mobile devices provide value at trade shows. Having the information available on the show floor can be a great tool to improve your use of precious time on the floor. Unfortunately, like anything else on your mobile device, it introduces another potential place to be attacked. And like most mobile apps, it’s actually made by some 3rd party developer you weren’t really aware you were trusting. We don’t really need 10,000 physical security professionals wandering around a convention center in Dallas bleeding their too-overused favorite passwords onto the public internet.

Fall 2017 Metrics Update

Posted in Uncategorized on September 11th, 2017 by Rodney

How bad is it? How would you describe a “woops” – a security incident? We have a new metric now. If Brian Krebs calls your security incident response a dumpster fire, then you probably really screwed up. This is not a new term. The Wall Street Journal documented it in 2016. IIRC it’s not been used for cyber before now.

Unannounced Vendor Remote Access? Is that really a good thing?

Posted in Uncategorized on September 10th, 2017 by Rodney

The vendor remotely updated owners’ vehicles.  No warning, no announcement, no text messages.

Is that really a good thing? Is it ok if your vendor just logs into your site and starts tweaking things?

But will we see cyber listed as a feature in medical advertising?

Posted in avoidable vulnerabilities on September 10th, 2017 by Rodney

Another place vulnerabilities are published. I wonder how it’ll go with crossover items. “Linux kernel flaw bricks insulin pump?”

Equal Expectations for Equal (Non-Person) Entities

Posted in avoidable vulnerabilities, Physical Security Infrastructure on September 6th, 2017 by Rodney

I don’t hate robots. I think that any new technology that tries to show up today has to be built with some by this time fairly obvious cyber defenses. This means, first, that the vendor has to get it that we might care. We the customers have a right to have an expectation of thorough well-tested well thought out technology solutions.

Especially if you’re gonna let that thing drive itself around my shopping mall. Or my parking lot. Or deliver drugs to the other end of my pharmaceuticals facility.

It’s 2017. You want to put a device on my network, operating within my risk responsibility, that’s mobile and at least partially outside my controlled perimeter. With credentials to access my security command center. And you want a purchase order for that?

Yeah, I expect the product to have some cyber awareness.