Posted on by Steve Levinson

For the longest time, when people discussed “Social Engineering” in the IT security arena, it was equated to schmoozing your way past the guard, or calling the Helpdesk to get a password. Social Engineers like Kevin Mitnick have been amazingly successful in working these angles to get inside hundreds, if not more, of applications and systems. But that was so 20th century – it didn’t scale well. As our connectivity to Everything Internet has become ubiquitous, there’s been a dramatic …



Posted on by Steve Levinson

This blog post is a culmination of dozens – no, hundreds – of discussions with clients, partners, and above all else, my awesome colleagues about the magic behind successful consulting. While some of these topics apply primarily to the art of security consulting, many of them transcend industry boundaries and apply to life in general. They are not presented in any particular order as some musings will resonate differently with each reader. There’s no sheet music. The beauty of the consulting …



Posted on by Steve Levinson

I’ve had dozens of discussions with our clients over the past decade to help them determine if they are doing a reasonable job in evaluating risk in their PCI environment (note – you can replace “PCI” with “any data/critical assets that you care about”). Over the course of participating in hundreds of PCI assessments, we have noticed that many companies’ risk assessment processes have been maturing nicely. Many moons ago, it was rather common for clients to ask, tongue in …



Posted on by Steve Levinson

In the Internet we Trust. At least we used to. Given today’s announcement that the “Heartbleed” bug exposes vulnerabilities in the mechanisms that we’ve relied upon for protecting sensitive information on the web (think passwords, credit card numbers, ANYTHING that is entered on a website), it is cause for immediate concern. In layman’s terms, this vulnerability allows for an attacker to parse (capture) the memory of the web servers running particular versions of OpenSSL, a cryptographic software library, potentially exposing …



Posted on by Steve Levinson

As most folks know, Microsoft’s flagship operating system, Windows XP, is going end-of-life as of April 8. Given the fact that about one out of every three computers runs this OS, there may be some strong ramifications for those who opt for the “do nothing” alternative. If you are running this operating system, you may not be vulnerable the day that it goes end-of-life, but as soon as there is a known vulnerability and if you HAVEN’T done anything to …



Posted on by Steve Levinson

As most of the world is aware by now, the recent credit card breach at Target (between November 27 and December 15) netted the attackers 40 million credit and debit cards, as well as personal information, such as phone numbers and addresses, of as many as 70 million more. For a few very long weeks, there was scant information about the attack vector and the malware involved with the attack. This posting is a follow-up to my recent posting where …



Posted on by Steve Levinson

As most of the world is aware by now, the recent credit card breach at Target netted the attackers over 40 million credit cards between November 27 and December 15. This is the largest reported breach of a merchant since the TJX breach in 2006. Thus far, Target and the forensic community have been pretty tight-lipped about this breach. We’ve reached out to dozens of our peers to try to cobble together how the breach occurred, but at this point, …



Posted on by Steve Levinson

Visa has always been on the forefront of the payment card industry, often being the first out of the gate to provide sage wisdom to the payment community at large. Some of my favorite people at Visa, Tia Ilori and Ingrid Beierly, have put together a great presentation to address the most recent security trends and breaches. The presentation will soon be posted at www.visa.com/cisp. We are all aware of some of the grocery store breaches from this year which were …
