The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP® is a former Special Agent for the FBI, where she investigated cybercrime; a seasoned corporate executive who built and operated information security teams; and now a cybersecurity attorney.

As a self-described “Breach Whisperer,” our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to support, translate for and advise Boards of Directors, CIOs, CISOs and General Counsel on how to legally protect their company from cyber-related risk.

Blog Entries


Code changes? Who’s Watching?

See Article Here

Newegg, an online retailer, was specifically attacked by hackers who successfully inserted about 15 lines of JavaScript code on its checkout page that skimmed payment card details off each transaction. As I read this article I thought: who from the security team is watching for this? Application Security teams have historically been very rare; in response, some organizations train their application developers to understand how to code securely. It is a challenge because app owners are focused on delivery and the next feature, not necessarily on looking backward at what was done previously. I am almost certain some tool exists that will alert on changes to code on a website so that the security team can investigate; however, in a DevOps type of environment, how feasible is it to investigate all changes? Who determines what is significant? I don’t believe I have ever seen an escalation tree that included the App Dev team.

Hey, I think Newegg did a good job: 30 days of dwell time, i.e., the time between when a hacker successfully breaches your system and when the security team detects and eliminates them, is good when compared to the 100-plus-day industry average.
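The post asks what would alert on unreviewed changes to a site's scripts and who decides which changes matter. The Python script below is an added example (not from the post, and not Newegg's tooling) of such a check: it compares the scripts a site currently serves against hashes recorded at deploy time, shows the reviewer the exact lines that changed, and marks changes on payment pages as high severity so they escalate first. All paths and script contents are constructed samples.

```python
import difflib
import hashlib

# Constructed baseline: script bodies reviewed and approved at deploy time.
# Paths and contents are hypothetical samples, not Newegg's actual code.
APPROVED_SCRIPTS = {
    "/js/checkout.js": "function submitOrder(form) {\n"
                       "  return fetch('/api/order', {method: 'POST', body: new FormData(form)});\n}\n",
    "/js/banner.js": "document.getElementById('promo').hidden = false;\n",
}
# Pages where any unreviewed change warrants immediate escalation to the App Dev team.
PAYMENT_PATHS = {"/js/checkout.js"}

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Recorded at deploy time; only hashes need to be stored, but keeping the
# approved source lets the alert show the reviewer the exact lines that changed.
BASELINE = {path: sha256(body) for path, body in APPROVED_SCRIPTS.items()}

def audit_scripts(served, baseline=BASELINE, approved=APPROVED_SCRIPTS):
    """Return (path, kind, severity, detail) findings for every served script
    that is modified, unexpected or missing relative to the approved baseline."""
    findings = []
    for path, body in served.items():
        severity = "high" if path in PAYMENT_PATHS else "low"
        if path not in baseline:
            findings.append((path, "unexpected", severity, "script not in approved baseline"))
        elif sha256(body) != baseline[path]:
            diff = difflib.unified_diff(approved[path].splitlines(), body.splitlines(),
                                        "approved", "served", lineterm="", n=0)
            findings.append((path, "modified", severity, "\n".join(diff)))
    for path in baseline:
        if path not in served:
            severity = "high" if path in PAYMENT_PATHS else "low"
            findings.append((path, "missing", severity, "approved script no longer served"))
    return findings

# Constructed snapshot of what the site serves now: the checkout script has
# gained two lines nobody reviewed, and a script that was never approved appeared.
SERVED_NOW = {
    "/js/checkout.js": APPROVED_SCRIPTS["/js/checkout.js"] + "/* unreviewed addition */\nwindow.__t = 1;\n",
    "/js/banner.js": APPROVED_SCRIPTS["/js/banner.js"],
    "/js/extra.js": "window.__e = 1;\n",
}

if __name__ == "__main__":
    for path, kind, severity, detail in audit_scripts(SERVED_NOW):
        print(f"[{severity}] {kind}: {path}\n{detail}")
```

Run on a schedule against the live site (or wired into the deploy pipeline), the high-severity findings are the ones that should page someone, and the diff in the alert is what lets the App Dev team say quickly whether the change was theirs.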