Friday, February 5, 2010

My latest information security content

Here are my latest information security articles covering policies, internal threats and employee monitoring, and (when all else fails) incident response. Enjoy!

Security policy oversights and mistakes we keep making

The real deal with internal security threats

Monitoring user activity with network analyzers

Lack of incident response plan leaves hole in compliance strategy

Incident response – the often overlooked component of business continuity

As always, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, whitepapers, podcasts, webcasts, videos, Twitter updates, and more.

My new trade rag column

I've got a new monthly column in Security Technology Executive magazine called Get with IT that you may want to check out. It's a real gem of a magazine!

Looking past Layer 7 - Web security is more than the app

Here's a bit I wrote on why we need to look deeper than the application when testing our Web security:

Looking past Layer 7

...it's the little, often overlooked, things that'll get you.

Tuesday, February 2, 2010

What part of No Truck Crossing do you not understand?

Check out this wild video of a train crash yesterday. It's a great example of the fact that just because you have a policy (i.e. the no truck crossing sign) doesn't mean that people will abide by it (i.e. the dummy driver who probably thought "Aw, I can make this."). Some people just believe that they are exempt from certain things.

Keep this in mind for your information security matters...you can't save people from themselves all the time (like in this case) but you've got to set people up for success whenever you can.

Monday, February 1, 2010

Deep thought of the day

All we have are our knowledge and our time, and if we don't have a grip on managing our day-to-day tasks and projects, we'll let both go to waste and drive ourselves crazy. Get to know the basics of time management soon. This knowledge will do wonders for your career.

Relying on users to wipe out wimpy passwords??

I just came across this Dark Reading bit by Adrian Lane on wiping out wimpy passwords. Adrian says that user training is needed so people know how to create strong passwords. I'm not picking on you, Adrian; however, this has become a downright ridiculous approach, one that's been proven time and again not to work.

My take is that you have to set your users up for success and, therefore, MAKE them create strong passphrases. It's as simple as enabling minimum password complexity policies in the OS and building strong passphrase requirements into Web applications so that users don't have the option to take the path of least resistance.

Just like anti-lock brake systems in automobiles, circuit breakers in home electrical panels, and seat belt requirements on airplanes, we have to build in security controls that set our users up for success. Period. Unless and until we do, we're going to continue having the same old ridiculous password issues we've always had.
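Here is what "building strong passphrase requirements into the Web application" looks like on the server side, as an added example that is not code from the original post or from any product mentioned here. It enforces the policy at registration rather than relying on the user to know better: a passphrase-length minimum instead of the usual "8 characters plus a symbol", a deny-list of common choices that also catches leet-speak and trailing-digit variants, a check that the username isn't embedded in the passphrase, and a floor on character diversity. The limits and the small deny-list are illustrative assumptions; a real deployment would load a large breached-password corpus and tune the numbers.

```python
"""Server-side passphrase policy for a Web application's registration form.

Added example, not code from the original post. The numbers and the
deny-list are assumptions chosen for illustration; a real deployment would
load a large breached-password list and tune the limits to its own needs.
"""
import unicodedata

MIN_LENGTH = 15      # assumption: favour length over "8 chars + a symbol"
MAX_LENGTH = 128     # assumption: upper bound keeps hashing cost predictable
MIN_DISTINCT = 4     # assumption: rejects "aaaaaaaaaaaaaaaa"-style filler

# Constructed deny-list of common choices, stored in folded form so that
# "P@ssw0rd1!" and "password" collapse to the same entry.
COMMON_PASSWORDS = {
    "password", "letmein", "welcome", "qwerty", "iloveyou", "changeme",
}

# Reason codes returned to the caller (and, in a real app, shown to the user).
TOO_SHORT = "too_short"
TOO_LONG = "too_long"
COMMON = "common_password"
CONTAINS_USERNAME = "contains_username"
LOW_DIVERSITY = "low_diversity"

# Leet substitutions that users reach for when forced to add "complexity".
_LEET = str.maketrans("@$013!", "asolei")
_TRAILING = "0123456789!?.,;:"


def _fold(s: str) -> str:
    """Normalise the obvious tricks: case, trailing digits/punctuation, leet."""
    s = unicodedata.normalize("NFKC", s).lower().rstrip(_TRAILING)
    return s.translate(_LEET)


def check_passphrase(passphrase: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if len(passphrase) > MAX_LENGTH:
        problems.append(TOO_LONG)
    if _fold(passphrase) in COMMON_PASSWORDS:
        problems.append(COMMON)
    if len(username) >= 3 and username.lower() in passphrase.lower():
        problems.append(CONTAINS_USERNAME)
    if len(set(passphrase)) < MIN_DISTINCT:
        problems.append(LOW_DIVERSITY)
    return problems


def register(username: str, passphrase: str) -> str:
    """Registration handler: refuse to proceed until the policy passes."""
    problems = check_passphrase(passphrase, username)
    if problems:
        raise ValueError(f"passphrase rejected: {', '.join(problems)}")
    # Only now would the app hash the passphrase (bcrypt/argon2) and store
    # it; returning a marker keeps this example self-contained and offline.
    return f"registered:{username}"


if __name__ == "__main__":
    # Constructed sample inputs: one classic "complex" password, one passphrase.
    for user, pw in [("alice", "P@ssw0rd1!"),
                     ("alice", "correct horse battery staple")]:
        print(user, repr(pw), check_passphrase(pw, user) or "OK")
```

Note that the composition rules users are usually trained on ("P@ssw0rd1!" ticks upper, lower, digit and symbol) fail here on two counts at once, while a plain four-word passphrase passes. That is the point: the control decides, not the user's judgment.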

Tuesday, January 26, 2010

Webinar on database security this week

Here's a webinar put on by Application Security, Inc. that I'm participating in this Thursday (1/28/10) in case you're interested...should be enlightening.

Five Burning Questions Series: 2010 IT Security Auditor’s Roundtable

Friday, January 22, 2010

What are your thoughts on Web hosting / colo providers?

Better think things through when giving up the reins and letting a third-party Web hosting or colo provider run the show:

When using a Web hosting provider can be bad - really bad - for your business

You'd think Network Solutions would have better security controls in place.

When will people pull their heads out of the sand? Maybe never??

Speaking of this specific vulnerability, here's a recent bit I wrote on Acunetix's blog on looking past layer 7 and fixing all Web-related issues.

My latest information security content

Here are my latest information security articles and a podcast focusing on Web security and document security. Enjoy!

First, my Web security articles:
Changes coming to the OWASP Top 10 in 2010 (read the comments too, I stirred the puddin' with this piece!)

Free Web proxy tools you need to get to know

Securing Web servers in Windows environments

...and a document security podcast (this is a really interesting story if you haven't heard about it)
Document redaction and the recent TSA leak

You know the drill - as always, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, videos, Twitter updates, and more.

Wednesday, January 20, 2010

Twitter - how about some capacity planning?

I keep getting the "Twitter is over capacity" message this morning. Good sign they're popular...still not good for business.

Friday, January 15, 2010

I'm featured in the new issue of Entrepreneur Magazine

Check this out. I'm featured in the January 2010 issue of Entrepreneur Magazine's Ask A Pro section where I talk about employee monitoring:
[Image: clipping of the Ask A Pro column] Entrepreneur Magazine, January 2010. © 2010 By Entrepreneur Media, Inc. All rights reserved. Reproduced with permission of Entrepreneur Media, Inc.

In this piece, it may not be clear whether or not I support monitoring of employee email, so let me clarify. I'm not for micromanagement and Big Brother, but I am on the side of business when it comes to the issue of employee monitoring of email, social media, general browsing, or whatever, which ultimately leads to improved information security.

Employees are there to provide some type of expertise, sweat labor, or other service in exchange for money. If people occasionally send/receive personal emails and surf the Web, that's fine. You can't reasonably prevent that. However, if goofing off or otherwise putting your network and information at risk is most of what they do, huh uh. You wouldn't believe what I see (and the studies back it up) on the typical network: 50%+ of network bandwidth consumed by streaming audio and video, and the majority of Internet browsing sessions going to Facebook, Twitter, etc.

This is not only a matter of people goofing off, being unproductive, and ultimately providing limited value to their employers, but it's also creating a negative impact on the network and, ultimately, on IT. It's also creating security issues: not only the malware threats but also the risk of sensitive information leaking out of the network. If employee Internet and computer usage are not being proactively monitored, regardless of the protocol or media, it's merely a free-for-all and no doubt a data breach in the making. The lesson here: know your enemy (hint: he's on your network right now) and do something about it.

Speaking of the internal threat, here's a new article I just wrote on what I believe is the real deal with the insider threat that you may be interested in.