Truvantis Blog

Social Engineering in the Retail Industry

The retail industry is one of the most crucial pillars propping up the United States’ economy. Without it, approximately 42 million Americans—a quarter of the entire US workforce—would be unemployed. Not to mention the fact that its demise would mean no more Christmas sweaters or Roombas: a slightly less dire but nonetheless devastating loss.


Topics: CISO, Security Program

WPA3 for WiFi is here! Almost.

Choosing the correct form of encryption will always be a game with moving goalposts. Encryption algorithms and their associated transport protocols are found to have design weaknesses or implementation flaws, and new computing power keeps becoming available to brute-force the hard math that encryption is generally built upon.

We are now stepping into the next stage of cryptography for both personal and enterprise-level wireless networks. WPA3 is the latest evolution in the family; it offers several new features that address known issues with its predecessors and may allow it to stand the test of time.

Before addressing its new developments, it is important to have some concept of the history of Wi-Fi encryption. It all started with WEP (Wired Equivalent Privacy) in 1999, a form of encryption whose name explains its sole purpose: WEP was designed to provide the same level of privacy you would get over a wired Ethernet connection. This method did not last very long; proof-of-concept attacks were available by 2001, and by 2005 WEP was considered trivially breakable.

Thus, in 2003, WPA (Wi-Fi Protected Access) was born. WPA provides a better software security component for Wi-Fi enabled devices, but it had a fundamental flaw. In order to be deployed to existing hardware that was built for WEP, WPA's encryption was initially TKIP (Temporal Key Integrity Protocol), an algorithm designed for backward compatibility with that hardware. TKIP was ultimately found to be similarly ineffective. Even when using the newer AES cipher instead of TKIP, WPA still has weaknesses, one of which is WPS (Wi-Fi Protected Setup), a sister protocol meant to make configuring devices to work with an access point easier. Exploiting WPS is one of the most popular ways for a WPA network to be breached.

In 2006, the current state-of-the-art WPA2 arrived. WPA2 combined the best of both worlds by updating both the software and hardware components. AES must be available, but TKIP can be used as a fallback. Direct attacks against WPA2 are obscure and generally require that you already have some access to the network in order to gain further unauthorized access.

The biggest problem with WPA2 is that it still supports WPS, which can be breached in a few hours.


Topics: Security Program

How much of your Information Security function can you safely outsource?

Outsourcing is now very common among technology companies. Sometimes a whole function is delegated externally, such as accounting, HR, or marketing. Even R&D can be delivered by remote teams, often in other countries.

So what about information security?


Topics: PCI DSS, SOC2, vCISO, HIPAA, CIS Controls, Security Program

7 Advantages of using a "virtual CISO" (vCISO)

A growing trend in the world of Cyber Security is the outsourcing of some or all of the Information Security team.

This can be just a small part: vulnerability management, vendor risk management, or responding to customer questionnaires. It could be just the leadership function, a virtual CISO or vCISO. Or it could be the entirety of the Information Security team.

As you evaluate the pros and cons of in-house vs. outsourced, consider the following.


Topics: PCI DSS, SOC2, CISO, vCISO, HIPAA, CIS Controls, Security Program

How Do I Reset the Master Password?

In my time in enterprise-level support, I was often asked how to reset the master password on various devices after the existing password had been lost for one reason or another.


Topics: Security Program

Controls are Needed on Recoveries from Backup

Some organizations completely ignore important aspects of the backup recovery and validation process. This creates a significant ongoing data security vulnerability.


Topics: Security Program

What Time is It?

PCI DSS v3.2, section 10.4, requires all critical assets to be time-synchronized and recommends using an authoritative time source such as NTP. That requirement, however, only begins to scratch the surface of what controls time in a computing environment.


Topics: Security Program
