East of Eden

The latest in Windows 10, end user devices and services, cyber security, data center & cloud, and all things IT.

Blog Feature

Data Center & Cloud | Cyber Security | Publications & Resources

Protect Your Security Infrastructure: Observe Proper Segregation of Duties

By: Andy Sherman
March 9th, 2016

The following excerpt has been taken from our ebook, The Ultimate Guide to Protecting Your Security Infrastructure in the Broader Data Center. Observe Proper Segregation of Duties System administration and security administration are not the same job, and those functions should be done by different people.

Read More

Share

Blog Feature

Data Center & Cloud | Cyber Security | Publications & Resources

Protect Your Security Infrastructure: Isolate Security Services

By: Andy Sherman
March 4th, 2016

The following excerpt has been taken from our ebook, The Ultimate Guide to Protecting Your Security Infrastructure in the Broader Data Center. Isolate Security Services on a Protected Network While the subject of proper network security design over the entire data center will be the subject of a future article, we still need to consider the special needs of security infrastructure here.

Read More

Share

Planning for Windows 10 Starts Now

Planning for Windows 10 Starts Now

Develop a transition strategy for a successful Windows 10 upgrade, and make this migration your best.

Blog Feature

Data Center & Cloud | Cyber Security

Data Loss Prevention in 2016 and Beyond

By: Andy Sherman
December 21st, 2015

Digital Guardian asked a bunch of security experts (including me) for their predictions on where the Data Loss Prevention (DLP) market was going in 2016 and beyond.

Read More

Share

Blog Feature

Data Center & Cloud

SSL, Again

By: Andy Sherman
November 4th, 2014

Let's start with a story. We recently were estimating the effort to fix up a client's audit findings, when I read "update web server configurations to upgrade SSL support from SSLv2 to SSLv3." To be fair to the auditor, the findings were probably reported before the vulnerability I will describe below (POODLE) was announced. However, SSLv3 was already viewed with suspicion, and had to be disabled if a system needed to be FIPS 140-2 compliant. While not every system needs that, it's indicative that SSLv3 is disallowed from the standard. (By the way the auditor was correct that SSLv2 needed to be disabled. In addition to its many weaknesses, SSLv2 is not compliant with either FIPS 140-2 or the PCI DSS.) Moral: the fact that one version of a protocol is bad doesn't make the next version acceptable. A recent announcement of a new vulnerability in SSLv3 (CVE-2014-3566) when using ciphers operating in cipher block chaining (CBC) mode. Because of how SSLv3 handles the block structure and padding out plain text to the block size, it is possible to construct attacks that manipulate padding to disclose plain text.

Read More

Share

Blog Feature

Data Center & Cloud | Cyber Security

Dropbox: The Hack That Probably Wasn't

By: Andy Sherman
October 14th, 2014

There is a lot of attention on the posting of Dropbox user name and password combinations on Pastebin. The posters claim that the 400 accounts posted are just the first installment of almost 7 million that they hold. Spot checking by security researchers indicate that they are genuine (although a follow dump as not). Dropbox has issued a statement their servers were not hacked:

Read More

Share