You can't secure what you don't acknowledge.℠

Tuesday, June 4, 2013

The root of every infosec failure is...

Time management expert Alec McKenzie once said what could be the most profound statement ever that applies directly to what we do (or don't do) in information security:

"Errant assumptions lie at the root of every failure."

How's your security program looking today?

Friday, May 24, 2013

Quoted in the Wall Street Journal this week

I was quoted in the Wall Street Journal (Tuesday May 21 edition)...it's a piece written by Gregory Millman talking about how senior executives are often at the root of information security problems. Check it out:

Corporate Security's Weak Link: Click-Happy CEOs 
Top Bosses, Exempt From Companywide Rules, Are More Likely to Take Cyber-Attackers' Bait

As I've written in the past, this is a big problem in businesses both large and small based on what I see in my work:

The BYOD Security Loophole

What to do when the CIO gets in the way of enterprise IT security

Tuesday, May 21, 2013

The next time you're feeling bullied...

Ever have a psychopathic executive (in IT or otherwise) try to force you to do something you simply can't support, railroad you down the wrong path, or attempt to make you feel inferior? You're not alone - I see and hear about this a LOT. There are many people pretending to be leaders who are simply insecure in their jobs so they try to flex their muscle to put up a "strong and capable" facade. Ironically it does just the opposite.

Well, when it happens to you, listen intently (people love that) but keep this bit from Henry Wadsworth Longfellow in mind:

"He that respects himself is safe from others; he wears a coat of mail that none can pierce."


Much of what we do in IT and infosec is merely playing the game of politics. If you understand people and why they act the way they do (it's all based around self esteem), you can simply play along and attain some semblance of peace at work.

Saturday, May 18, 2013

Web security answers are changing - a frustrating, challenging, and humbling journey

In reading one of Brian Tracy's books, Brian discusses a story of Albert Einstein and an exam he gave to his graduate physics class at Princeton University. After the exam, Dr. Einstein was approached by a student who asked: "Dr. Einstein, wasn't that the same exam that you gave to this physics class last year?" Dr. Einstein replied "Yes, it was the same exam as last year." The student then asked "But Dr. Einstein, how could you give the same test two years in a row?" Dr. Einstein replied "Because, in the last year, the answers have changed."

This story illustrates the complexities around web application security: how much it changes, how complex it can be, and, most certainly, how no one has all the answers.

I've been fortunate to have the opportunity to test the security of many websites and web applications over the past decade. It's what I love doing the most in my work because every new site/application is a new experience. Of course, some of the security flaws are the same across the board but every new project brings unique challenges. The enormity of the matter is very humbling.

The things that defined web application security flaws (and fixes) last year may not be true this year. The answers are continually changing. Given these factors, I wanted to share with you some of my recent experiences and ideas on how you can get a better grip on this ever-changing target:

Your Scanning Experience Determines Your Scanning Success

What can Developers do to Better Protect PII?

Finding Web Flaws is not Point and Click

Responding to DoS attacks at the web layer

Should you Test Development, Staging or Production?

Thursday, May 2, 2013

Is your approach to application security based in reality?

I know I say this a lot here - I've been so busy writing that I've been remiss in posting my actual content. So...I've got some content on web and mobile application security and penetration testing this time around.

You see, there are so many researchers, theories, and academic approaches to web and mobile security that it's simply overwhelming. Much of it doesn't apply to what businesses really need to be addressing anyway. Taking the 80/20 approach, what do you really need to focus on that's going to provide the highest payoffs?

Well, in the spirit of my book Hacking For Dummies (be sure to check out the new 4th edition), here are some tips I've written for my friends at TechTarget and Acunetix on some important web and mobile application security issues you need to be tuned in to beyond all the noise that's out there:

Don’t Let Problems Stop You From Carrying Out Web Application Testing (before 'Too Scared to Scan' was cool ;-)

Mobile app software: Avoid the perpetual cycle of insecurity

Hybrid security: Beyond pen testing and static analysis

Mac Malware Underscores Why You Can’t Ignore Web Security Threats

Do You Scan with Network Security Controls Enabled or Disabled?

Take Care in Handling the Results of Your Web Application Testing

Much more to come on web and mobile security testing...It's what I love doing and I've learned a tremendous amount while doing it over the past decade.

In the meantime, check out my website for links to all of my other information security-related content.

Cheers!

Friday, April 26, 2013

Clueless in the cloud - think before you act

A recent Network World piece about an RSA 2013 panel that covered cloud forensics, and whether or not your cloud providers will be able to come through for you in the event of a lawsuit or breach, brings up some critical pitfalls of cloud computing.

Two things are certain:
  1. If you're lucky enough for your business to be around for the long haul, odds are that it'll ultimately be hit with a lawsuit or a breach in some capacity, some way, that will involve a cloud provider. And...
  2. Your cloud providers won't be prepared to help you out. At least in the foreseeable future.
In an era where cloud providers still believe "security" is an SSAE 16 checkbox, we've got a looong way to go before they're going to be in a position to help us in even greater capacities such as these. They simply have neither the means nor the incentive.

I can't stress this enough: unless you want to appear foolish, think through the security, legal, and business aspects of cloud computing before you fall for the marketing hype and jump on the bandwagon.

I've written pieces with more insight and prescriptive cloud advice here. Take it slow and good luck.

Tuesday, April 23, 2013

Wednesday (early) morning's webcast: State of Cyber Security 2013

ISACA and TechTarget are putting it on...It starts tomorrow (Wednesday) morning at 7:45am ET.

Several thousand people will be in attendance...it's the largest crowd I've ever spoken to.

It'll be engaging. It'll be informative. You'll hear what I really think about Obama's Cybersecurity mandates.

You can't miss it.

I'll be kicking things off with the keynote...then I'll be followed by some true information security experts:
  • Theresa M. Grafenstine, Inspector General U.S. House of Representatives
  • Dr. Ron Ross, senior computer scientist and information security researcher, National Institute of Standards and Technology (NIST)
  • Jack E. Gold, founder and principal analyst at J.Gold Associates
and...
  • Chenxi Wang, former vice president and principal analyst, Forrester Research Inc.
This is going to be good...I promise. And you can join in the live Q&A to ask me a question, throw me some curve balls, perhaps even send some heckles my way.

Would love to see you there. You can register here.

Thanks a ton to Kara Gattine, Rachel Shuster, Chris Bent, and all the other fine folks at TechTarget for making this happen.

Saturday, April 6, 2013

Must-have Thunderbird to Outlook conversion tool

I recently decided to convert my Thunderbird email to Outlook and didn't have a lot of luck finding a tool that actually worked. Maybe it's because I have a pretty complex Thunderbird configuration with emails dating back to the first messages I sent/received using Netscape Mail (remember that from the 1990s?).

I came across a tool that was a perfect fit for what I needed: Aid4Mail Professional by Fookes Software. It seemed too good to be true but it actually worked! Aid4Mail was relatively quick and I ended up with a .pst file that I could use in Outlook. What I appreciated just as much as the software was the service. I ended up needing some extra help and Julian was very prompt in his replies.

If you're going to buy it, pay the $20 extra and get the 1-year license rather than the 1-time use license. My decision to purchase the latter was part of why I had to bug Julian several times but he ended up getting me out of the bind I was in. I'm probably going to need to acquire another license (1 year this time!) because I still have some work to do but at least I now know what tool to use for this purpose.

Definitely a tool worth checking out if you're one of the prideful few like myself who is still using Thunderbird or any of the other old-school email clients that Aid4Mail supports (e.g. Windows Mail, Apple Mail, Eudora, Pegasus, etc.).


Wednesday, April 3, 2013

Regardless of the subject, people see what they want to see

Here's a great quote by Jay Abraham that resonates with IT, information security, politics - you name it:

"An amazing thing, the human brain. Capable of understanding incredibly complex and intricate concepts. Yet at times unable to recognize the obvious and simple."

Thursday, March 28, 2013

The idiocy of gun control summarized in a single graphic

I reference "heads in sand" quite often regarding information security but no subject better summarizes this concept than people's willingness to let the government tell them when and where they can defend themselves and their families from criminal thugs. This graphic (source unknown) says it all:


Ask anyone who's against self-defense, personal responsibility, and free will if they'd consider putting a sign in their yard or on their door that says "This is a gun-free home" and watch their response. Complete and utter idiocy.

The politicians are going to get what they want...eventually. And one day, Americans will wake up and say "What happened!?".

Heads in sand indeed.


Monday, March 25, 2013

Default to F.U.D. and everything'll be okay

If you can't convince them, confuse them.

That's what Harry Truman once said and it reminds me of many IT and information security professionals. They struggle to communicate effectively so they just take the lawyer route and attempt to make things even more confusing...and we wonder why many people outside of IT don't take us very seriously.

Friday, March 1, 2013

Got WordPress? You'd better secure it.

If you use WordPress, take note. My colleague Robert Abela, one of the foremost experts on WordPress security, has a new course at Udemy.com on Securing a WordPress Blog or Website for Beginners that you should check out.

The course costs $15. When you use the coupon code OnWheels, you'll receive a $5 (33%) discount.

Don't let your guard down because "it's just a marketing site". WordPress-based sites can have tons of security flaws that can be used against you and your business, so be careful.

Thursday, February 28, 2013

Mobile app security assessments

I wrote recently about performing source code analysis for mobile apps. I'm seeing some crazy stuff that I didn't think I'd see in mobile apps (but I'm not really surprised) related to session manipulation, hard-coded cryptographic keys and the like, which underscores the importance of the exercise.

But there's another side to mobile app security assessments - it's simply manual analysis. That is, poking around with the apps and the mobile devices using good tools and proper techniques to find and demonstrate security and forensic-related flaws that aren't uncovered in traditional user, functional, and QA testing. In recent application assessments, I've found things like:
  • login-related weaknesses
  • information mishandling
  • insecure interactions with external applications/systems
  • exploits in general functionality that put PII at risk
Odds are good that you or someone you know is rolling out a new mobile app. Or perhaps you were an early adopter and need to validate that your existing apps are reasonably secure. The question is: What are you doing to ensure things are in check?

Like I say about a lot of things related to information security...do it yourself, allow me to help, or hire someone else - just do something.