You can't secure what you don't acknowledge.SM

Friday, April 11, 2014

Heartbleed - the biggest Web security problem ever???

I just came across this piece from NewsFactor: Is Heartbleed the Biggest Web Security Threat Ever? and couldn't help but chime in. Contrary to popular hype, I don't think the biggest web security issue we face (now or ever) is a technical problem...instead, it's something with hair on top like I talked about here.

As with the hype over the Target breach and the gloom and doom over Windows XP's end of life, it's never the hard-to-find, technical stuff that many people believe is at the "heart" of our security woes. Instead, this issue, like most others in life, can be distilled down into a much more basic form. We're our own worst enemies...

P.S. Wouldn't it be weird if the NSA is somehow tied to this vulnerability...? ;)

Wednesday, April 9, 2014

Windows XP: Goodbye my love...well, not really.

Windows XP...ah, the memories!

I wrote many of my books including the first two editions of Hacking For Dummies and the first edition of The Practical Guide to HIPAA Privacy and Security Compliance originally on Windows XP - not to mention countless articles, security assessment reports and more over a 7-8 year span.

It was nice working with you XP!

I waited to write this post today, the day after all the Windows XP end-of-life hype, so as to not get caught up in that mess from yesterday. What's interesting to me about this whole Windows XP story is that every analyst, IT vendor marketing rep, journalist, auditor, and consultant is an "expert" on the doom and gloom that will be brought upon society with all of the businesses and consumers not upgrading their operating systems.

Looking at the headlines, still today, it's kind of funny (and sad):
"Vital industries exposed to risk"
"Isn't safe to use anymore"
...blah, blah, blah.

Apparently Windows XP is still being run on 25% of PCs. Will we hear stories about Windows XP systems being drywalled into oblivion like we've heard about Novell NetWare? Probably not. I do suspect it's going to be around for years to come. And, sure, vulnerabilities will be discovered - especially on systems that have scant security controls to begin with. IT's elite will clamor about their amazing exploits. Management will still have their heads in the sand. Life goes on.

The funny thing about Windows XP is that the OS itself is not where the real risk is in most network environments. [Oh gosh, did I say that out loud!? I'm going to have some "researchers" all over me...shudder.] Real-world experience tells me that much of the risk is all the other stuff people are installing and IT is not patching that's creating the real problems...the latest study shows that 76% of vulnerabilities are NOT Microsoft's issue. I've seen higher numbers in the past.

Microsoft Corporation is being treated like some of the big social/political issues like "global warming", gun control, and income "inequality" because they're expedient, convenient, and intangible enough to get people riled up.

Here's the real issue that we're still not hearing: I know without a doubt that many of the people preaching fire and brimstone about Windows XP are the same people who continue to ignore the critical basics I'll rant about until the day I retire such as:
  • Network shares full of sensitive files made available to everyone with a login
  • Mobile devices with ZERO security controls
  • Minimal - and grossly reactive - system monitoring
  • Firewalls with default passwords
  • Laptops storing tens of thousands of credit card numbers and SSNs with no hard drive encryption
  • Open wireless networks for "easy guest access" that provide full access into the back end network
  • Database servers with no passwords
  • Operating systems with weak passwords
  • Numerous cloud services being used without IT's consent or knowledge
  • Physical security control systems with ZERO security controls
  • etc...
Unless and until these people have helped themselves and the others who depend on them fix this low-hanging information security fruit, I'm going to say: Got XP? No problem!

Tuesday, March 25, 2014

68% of workers do this...and we wonder why we have security problems!

I've always believed that information security is a people problem that goes deep into the psychology of how we think. Here's a great example...starting at 0:24:

This is the basis for why our so-called leaders rise to power, why there's a gap between the haves and have-nots, and why so many "ailments" afflict society. Many people simply don't believe in themselves and have no desire or motivation to get any better.

Are you going to let this drive your information security program!?

Is this as good as you're going to get or are you going to get any better?

As Og Mandino said, "Use wisely your power of choice."

Thursday, March 13, 2014

HIPAA compliance lip service

Here's an example of the lip service (security theater) people give to compliance and information security found on display at one of those giddy-over-regulations retailers:

Really, who's certified? How are customers to know what this means?

Checkbox checked...all that matters.

Good stuff.

Monday, March 3, 2014

Interesting sights at #RSAC 2014

I attended the RSA Conference last week...there was a lot of the same security nonsense (see my posts below) but a very good show nonetheless. You should attend next year, especially if you've never been. With 25,000+ attendees and more vendors than you can ever imagine in this space, it's a spectacle.

Speaking of "vendors", one thing that struck me as interesting - what government employee was ballsy enough to use our tax dollars for this fancy setup on the expo floor?:

And, interestingly, right around the corner was this company:

Too funny! Perhaps a thumb in the eye to our national spies? Someone, somewhere had a sense of humor - good to see in an industry that takes itself too seriously most of the time.

What I really want to know is, who was ignorant enough to let anyone at either of these vendor booths scan their badges! Well, not that the NSA weasels don't already have that information. [On a somewhat related note, NSA: what'd you think about that breakfast I just had?? Yummy!]

On a (slightly) more serious note, here are 3 of the 4 blog posts I wrote for my friends at while at the show you might be interested in:

RSA keynotes highlight information security mistakes

The ridiculous emergence of 'cybersecurity' (thanks to the federal government)

Security topics that have come of age (that you need to keep on your radar)

Have a great week!

Wednesday, February 19, 2014

Step up or step aside, somebody needs to fix your security woes

I just got off of a phone call with some friends/colleagues where we were discussing the latest security trends. After talking, it occurred to me that we're basically going backwards in time with information security. It seems with the Target breach, the stupid passwords people are still using in 2014, and even today's new SANS-Norse healthcare security report, it just keeps piling up as if nothing works.

But it can work - if people would get out of their own way.

Looking at it from a psychological perspective (a great way to view security trends/challenges), it's really about the choices people are making - or not making - about security:
You've heard the adage, "if you lie about something long enough and consistently enough, pretty soon people will start believing the lies as the truth." So many people are thinking that IT and security problems are just getting too hard to handle...that the bad guys are just getting "badder". The government can fix things with whatever "cybersecurity" nonsense they're going to shove down our throats. To the cloud so we can wash our hands of all this.

Too many people are acting as if everything is out of their control, like low-information voters at the ballot box.

Like I talked about in this new guest blog post for Rapid7, don't let history repeat itself so that you get burned. Step up or step aside - somebody needs to fix this stuff.

Tuesday, February 4, 2014

The power of how we *think* about information security

Here's a good piece on coping with stress - something all of us in IT know all too well. One thing in particular caught my eye that meditation expert Jon Kabat-Zinn said - it's something that may help explain the common approach many people take to information security. He said:

We may find ourselves resisting innovation and change and becoming overly protective of what we have built because we feel threatened by new ideas or requirements or by new... It’s not what you know; it’s what you are willing to know you don’t know.

The article goes on about how Kabat-Zinn uses the example of how you may be working and working on something, banging your head against the wall and unable to find a solution. Only when you stop and clear your head does the answer come to you. I talked about this concept in this video and it really does work!

So, the way I understand it, we're all too caught up in our thinking and our own rigid belief systems and aren't open to other things that might be able to help us in our jobs. It may be time to step back and change our approach and, especially, our thinking about information security.

Friday, January 31, 2014

Some stuff you need to know about Windows 8.x, Internet Explorer, BYOD/MDM, and malware removal

My goodness, I've let a lot of my articles on Windows 8, 8.1, patching, malware, and related desktop security topics stack up! Check these out:

Don't ignore Windows 8 security when reviewing desktop vulnerabilities
IT can tackle Windows configuration with a well-planned desktop audit
Windows Server Update Services weaknesses you may not know about <=this is BIG, seriously!
Why a Windows security scan is not enough to protect your workstations

Five steps to successful bot removal from enterprise desktops
Whitelisting can complement Windows 8 malware removal and prevention
Malware detection questions for IT to answer for desktop security

New Windows 8.1 features can boost mobile device management
Don't ignore mobile security effects on enterprise desktop management
IT needs to keep up with workers who use desktop cloud backup
Enterprises can't afford a half-baked mobile security strategy
Windows Phone 8 security should be part of any mobile device strategy

Locking down Internet Explorer settings with Group Policy in IE 11
Beat bad browser behavior by troubleshooting IE 10
Microsoft Office 2013 crackable, so look to Office password recovery

What you need to know about the Windows Security Accounts Manager
Bring some control to cloud file sharing with Windows 8.1 Work Folders

Be sure to go to for links to hundreds of security resources I've written/developed over the past decade+.

Monday, January 13, 2014

How do you exercise your "power" in IT?

My new favorite quote I came across recently is the following from Ayn Rand:

"Economic power is exercised by means of a positive, by offering men a reward, an incentive, a payment, a value; political power is exercised by means of a negative, by the threat of punishment, injury, imprisonment, destruction. The businessman's tool is values; the bureaucrat's tool is fear."

...interestingly, her quote applies directly to IT and security by simply tweaking the first word:

"IT power is exercised by means of a positive, by offering men a reward, an incentive, a payment, a value; political power is exercised by means of a negative, by the threat of punishment, injury, imprisonment, destruction. The businessman's tool is values; the bureaucrat's tool is fear."  

If you truly want people to "get" you and your IT/security initiatives you'll focus as much on your communication skills as you do your technical or business skills...People respect and want to do business with those whom they like and trust. Why not make developing this area of your career your top priority for 2014...? More on IT and information security careers and being a good businessman here.

Friday, December 13, 2013

Remembering the guy who has made a huge impact: Richard Carlson

I read this week's blog post from Kristine Carlson - wife of the late Richard Carlson, author of the Don't Sweat the Small Stuff books - that outlined more about his passing, seven years ago to this date. It's an uplifting post yet sad story.

I often quote Richard when I write and speak. It's odd that I'm able to use the ideas from such a prolific author on self-help and living a peaceful life in my messages about IT and information security. Yet as I grow older, and presumably wiser, I'm realizing that all of this stuff is tied together in ways that cannot be explained.

As Richard said, it is as it is.

I wanted to give a big thanks to Richard on this day for helping me become more emotionally and spiritually intelligent. I've got a long way to go but it's great to know I have such good content to fall back on. I read - and then re-read - his books practically year round. I read his messages on my daily calendar. It's amazing stuff. Thank you Richard.

And thank you Kristine for helping to carry on Richard's legacy. It's difficult, even eerie, to read the things Richard has written about being present, staying healthy, and even our own mortality in his books knowing that he's no longer with us. I can't imagine how it has been for you. Please keep up the great work. Know that I, like many others, am still listening to and am inspired by your messages.

Friday, November 22, 2013

A great infosec quote

The late (and great) Jim Rohn once said:

“If you really want to do something, you'll find a way. If you don't, you'll find an excuse.” 

Oh, the many information security tie-ins.


Wednesday, November 13, 2013

Reaver Pro: a simple tool for cracking WPA on a LOT of wireless networks

If wireless security testing is on your radar, you need to get Reaver Pro. As I outlined in this Hacking For Dummies, 4th edition chapter, Reaver Pro is a great tool for cracking the WPA pre-shared key on all those consumer-grade wireless APs/routers that everyone installs in the enterprise.

The latest version of Reaver Pro is very simple to use. No live CDs or VMs to boot. You simply connect the device to your test system's Ethernet port, connect the power adapter, browse to, log in, and you're ready to roll. Here is a quick video overview and here is a screenshot showing its interface:

Terry Dunlap with Tactical Network Solutions (the company that created and sells Reaver Pro) has a great team of sharp guys...and they've been very responsive when prompted with my mostly dumb questions.

If anything let Reaver Pro be a reminder of two things:
  1. WPA is a proven wireless security control that's only as good as the weakest link on your network
  2. Consumer-grade wireless APs and routers don't have a place in a business setting - although they're on practically every network I see.
It seems to me that with the advent of WPA, WPA2, and enterprise-grade wireless security controls, people have let their guard down a bit with wireless security.

Don't be that guy.

As I like to say, you can't secure what you don't acknowledge! WPS is enabled by default in most situations. It's broken. Even if you have the option to throttle PIN requests, you need to find WPS and disable it (even on your home wireless). The convenience factor it provides is just not worth the risk of someone gaining full access to your wireless (and likely wired) network.
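Finding WPS before you can disable it means checking what your own APs actually advertise, not what the admin page claims. The following is an added example, not code from this post or from Tactical Network Solutions: a small Python audit that parses `iw dev <iface> scan` output and reports which of the APs you own still advertise WPS, with a higher severity when the network is also PSK-protected (the case where a recovered PIN yields the pre-shared key). The scan text is constructed in iw's printing format for the WPS information element (the "Wi-Fi Protected Setup State" and "AP setup locked" lines are assumed to follow iw's conventions); the BSSIDs and SSIDs are made up, and the owned-BSSID list stands in for your AP inventory.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample in the style of `iw dev <iface> scan` output. Assumption:
# the "WPS:" block and its "Wi-Fi Protected Setup State" / "AP setup locked"
# lines follow iw's printing conventions. BSSIDs and SSIDs are made up.
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tfreq: 2437
\tsignal: -41.00 dBm
\tSSID: guest-lobby
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Response Type: 3 (AP)
\t\t * Config methods: Label, PBC
BSS 02:00:00:aa:bb:02(on wlan0)
\tfreq: 5180
\tsignal: -55.00 dBm
\tSSID: corp-wlan
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: IEEE 802.1X
BSS 02:00:00:aa:bb:03(on wlan0)
\tfreq: 2462
\tsignal: -60.00 dBm
\tSSID: warehouse-ap
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 1 (Unconfigured)
\t\t * AP setup locked: 0x01
BSS 02:00:00:cc:dd:99(on wlan0)
\tfreq: 2412
\tSSID: neighbour-net
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")
SSID_RE = re.compile(r"^\s*SSID: (.*)$")
AUTH_RE = re.compile(r"Authentication suites: (.+)$")
WPS_STATE_RE = re.compile(r"Wi-Fi Protected Setup State: (\d)")
LOCKED_RE = re.compile(r"AP setup locked: 0x([0-9a-fA-F]{2})")


def parse_scan(text: str) -> List[Dict]:
    """Split iw scan output into one record per BSS, keeping only the
    fields the WPS audit needs (BSSID, SSID, auth suite, WPS state, lock)."""
    aps: List[Dict] = []
    cur: Optional[Dict] = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "auth": "",
                   "wps_state": None, "setup_locked": False}
            aps.append(cur)
            continue
        if cur is None:
            continue  # text before the first BSS block
        if (m := SSID_RE.match(line)):
            cur["ssid"] = m.group(1).strip()
        elif (m := AUTH_RE.search(line)):
            cur["auth"] = m.group(1).strip()
        elif (m := WPS_STATE_RE.search(line)):
            cur["wps_state"] = int(m.group(1))  # 1 = unconfigured, 2 = configured
        elif (m := LOCKED_RE.search(line)):
            cur["setup_locked"] = int(m.group(1), 16) != 0
    return aps


def audit_wps(aps: Iterable[Dict], owned_bssids: Iterable[str]) -> List[Dict]:
    """Report every AP you own that still advertises WPS in any state.
    APs not in the owned list are ignored: this is an inventory check."""
    owned = {b.lower() for b in owned_bssids}
    findings: List[Dict] = []
    for ap in aps:
        if ap["bssid"] not in owned or ap["wps_state"] is None:
            continue
        # Configured WPS on a PSK network is the case the post warns about:
        # a recovered PIN hands over the pre-shared key itself.
        high = ap["wps_state"] == 2 and "PSK" in ap["auth"]
        findings.append({
            "bssid": ap["bssid"],
            "ssid": ap["ssid"],
            "wps_state": ap["wps_state"],
            "setup_locked": ap["setup_locked"],
            "severity": "high" if high else "medium",
            "action": "disable WPS on the AP; lockout/throttling is not a fix",
        })
    return findings


if __name__ == "__main__":
    owned = ["02:00:00:aa:bb:01", "02:00:00:aa:bb:02", "02:00:00:aa:bb:03"]
    for f in audit_wps(parse_scan(SAMPLE_SCAN), owned):
        print(f"{f['bssid']} {f['ssid']!r}: WPS state {f['wps_state']} "
              f"locked={f['setup_locked']} severity={f['severity']} -> {f['action']}")
```

On a real system you would feed it `iw dev wlan0 scan` output instead of the constructed sample. An "AP setup locked" flag only means the AP has temporarily stopped answering PIN attempts; the audit still reports that AP, since the post's point is that throttling is not a substitute for turning WPS off.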

Tuesday, November 12, 2013

Low information users and the challenges they create

Thanks to the political elite and the dumb masses they inspire, you've probably heard the term low information voter… In a nutshell, this term refers to people making a critical decision without knowing all the facts. As Winston Churchill once said, “The best case against Democracy is a five minute conversation with the average voter.”

Interestingly, this concept and quote make me think of information security and why we need to prepare ourselves for today’s threats. Have a five minute conversation with an average user on your network. Talk to them about what they do and don’t do, the decisions that they’re making regarding their computer usage, and so on and it will likely become clear that we have a problem that we must solve.

If you're looking for answers to this human psychology challenge, here is a piece I wrote with tips for getting (and keeping) users on your side with IT and security.

Check out a related piece I wrote for Rapid7's blog:
Why business execs know more about security than you do

Best of luck! Keep in mind that sticktuitiveness is the key to all of this.