Brian Musthaler

About Brian Musthaler

Brian Musthaler is a principal consultant with Essential Solutions Corp. He directs the firm’s evaluations and analysis of enterprise applications, with a particular focus on security and compliance tools. Brian has wide-ranging strategic and tactical expertise in internal controls assessment; business process design, implementation and improvement; and aligning IT strategic plans with corporate goals and objectives. Brian shares his insights as a contributing writer for the Network World IT Best Practices newsletter which is distributed to more than 30,000 subscribers worldwide.

Posts by Brian Musthaler

The National Computer Forensics Institute Trains U.S. Law Enforcement Professionals on Digital Evidence

In 2011, young mother Casey Anthony went on trial for the murder of her two-year-old daughter Caylee. You may recall some of the lurid details from the case. In June 2008, the mother reported her child as missing. Caylee’s skeletal remains were found by a utility worker in December 2008. Prosecutors felt they had enough evidence to charge...

PCI-DSS 3.0: Will it Successfully Address Compliant Insecurity?

I and many others have been saying for a long time that being compliant with a regulation or industry mandate does not make a computing environment secure. There are numerous reasons this is true, ranging from “the check list approach” to “not understanding the actual intent of specific compliance controls.” This is...

Store Systems Security: Preparing for the Retail System and Security Paradigm Shift

I was in an Office Depot the other day. There was one person in line at the checkout counter and another customer approaching the line. Then a sales clerk intercepted the person heading toward the line and said, “I can help you right here, sir.” The clerk had a mobile device in her hands. She swiped the customer’s credit card,...

Moving from Compliance to Risk-Based Security – Part 2

In my previous post, Moving from Compliance to Risk-Based Security - Part 1, I mentioned that I would share my discussions with two security executives who feel strongly about this topic. Both of them participated in the Wisegate CSO peer discussion documented in the report Moving From Compliance to Risk-Based Security. These experts clearly...

Moving from Compliance to Risk-Based Security, Part 1

After 10 years of managing an IT audit function for an international energy company, I had the opportunity to head up their IT Strategy group that was charged with creating Organizational IT Security and Risk profiles and plans. The charge of this function was to annually evaluate organization-wide internal and external risk as it relates to...

ISACA Advanced Persistent Threat Survey Shows Some Eye-opening Findings

Advanced persistent threats (APTs) have been in the headlines over the past couple of years for affecting some high profile enterprise networks. Many thought these attacks were limited to government networks. However, in January 2010, the source code and intellectual property of Google and at least 20 other companies in the high-tech industry and...

Preparing for the Top IT Security Threats of 2013

Many times in their daily jobs, IT operations and information security (infosec) professionals get so immersed in “the trees” (i.e., the hot issues of the day) that they sometimes lose sight of “the forest” (the broader challenges that impact our businesses as a whole). While every organization has its trees, however...

NetWars Tournament of Champions Tests the Skills of the Nation’s Top Cyber Security Practitioners

Sometimes, life imitates art, and vice versa. Consider the Tom Clancy’s Net Force series of novels created by Clancy and Steve Pieczenik, and written by Steve Perry. The storyline of these books centers around a special division within the FBI tasked with combating crime on the Internet and protecting the country from untold cyber threats....

When it Comes to Controls and Compliance, Fix Once and Comply with Many

Fix once and comply with many! This is the holy grail of both controls and compliance for organizations that need to comply with multiple regulations and standards. For example, a large enterprise might have to assure that it’s fully in compliance with SOX, HIPAA, COBIT, PCI and ISO 27001. Determining and implementing the proper controls and...

Who let the data out? Careless workers, that’s who

Frequently we see headlines about high profile data breaches where cyber criminals break into corporate computer systems and steal customer lists, credit card numbers or other sensitive information. These high profile breaches are certainly clear and present dangers to both the companies charged with protecting this data and the consumers whose...

Incident response planning: Are you ready for the Big One?

Do you remember the Sony PlayStation Network hacking last spring? An attacker gained access to personal information stored on both the PlayStation Network and the Qriocity online music and video service. The breach affected the accounts of 77 million people worldwide. When the breach was discovered, Sony took both services offline for more than a...

Heart-stopping research: Hacking from pacemakers to autos

Technology has become so pervasive in our lives today that we are almost completely dependent on it. It makes you wonder, how easily can these technologies that control everything from pacemakers to cars be hacked? The answer to that question is surprising and even scary. Avi Rubin, professor of computer science at Johns Hopkins University and...

PwC survey: Preparation, not prediction, is key to weathering security storm

At the beginning of every year, experts feel compelled to make predictions about the kinds of security threats we’ll see in IT in the year ahead. While predictions can be interesting, they typically are little more than an extension of recent security threat trends. As long as the trends continue, the prognosticators look pretty...

Spotting and, perhaps, stopping the malicious insider

Do you know this person? He is currently employed, between the ages of 35 and 40, holds a technical position, and has a new job offer at a competing company. He very well could be working next to you right now. And he’s someone every company should be concerned about. Who is this person? It’s the “malicious insider,”...

From SSAE 16 to SAS 70 (Part II): SOC reporting and certification

In my previous post (From SAS 70 to SSAE 16, what does it mean?), I outlined the similarities and differences between SAS 70 and SSAE 16 audits. Now, I will go into more detail about the reporting options available with SSAE 16 and the additional auditing/reporting facilities the American Institute of CPAs (AICPA) has developed for the world of IT...

From SAS 70 to SSAE 16 (Part I): What does it mean?

(This is the first of two reports on SSAE 16, which replaces SAS 70 as the audit standard for service providers) I’m an old IT audit guy. I spent over a dozen years digging into enterprise data centers and business processes to find the weaknesses in controls and pointing out vulnerabilities so my clients could mitigate the risks before...
