Tuesday, January 31, 2012

Where's your information security focus?

You cannot change facts (i.e. the industry your business is in, the regulations it's up against, the type of sensitive information you're responsible for managing, etc.) but you can change problems (i.e. user behavior, wayward goals, management not on board with security, etc. ).

As the philosopher James Burnham once said:
"If there is no alternative, there is no problem." 

In the case of information security, there are tons of alternatives to the issues we face. It's up to us to focus on what counts so we can eventually make a difference.

Friday, January 27, 2012

You cannot multiply security by dividing it - Infosec's relationship with Socialism

I'm not much into urban legends and the like but came across this bit the other day and it really made me think. What a great analogy that impacts all of us both personally and professionally with some interesting information security and compliance tie-ins that I see all the time:

An economics professor at a local college made a statement that he had never failed a single student before, but had recently failed an entire class. That class had insisted that Obama's Socialism worked and that no one would be poor and no one would be rich, a great equalizer. 

The professor then said, "OK, we will have an experiment in this class on Obama's plan". All grades will be averaged and everyone will receive the same grade so no one will fail and no one will receive an A.... (substituting grades for dollars - something closer to home and more readily understood by all). After the first test, the grades were averaged and everyone got a B. The students who studied hard were upset and the students who studied little were happy. As the second test rolled around, the students who studied little had studied even less and the ones who studied hard decided they wanted a free ride too so they studied little. The second test average was a D! No one was happy. When the 3rd test rolled around, the average was an F. 

As the tests proceeded, the scores never increased as bickering, blame and name-calling all resulted in hard feelings and no one would study for the benefit of anyone else. To their great surprise, ALL FAILED and the professor told them that Socialism would also ultimately fail because when the reward is great, the effort to succeed is great, but when government takes all the reward away, no one will try or want to succeed. It could not be any simpler than that. Remember, there IS a test coming up. The 2012 elections. 

These are possibly the 5 best sentences you'll ever read and all applicable to this experiment: 
  1. You cannot legislate the poor into prosperity by legislating the wealthy out of prosperity. 
  2. What one person receives without working for, another person must work for without receiving. 
  3. The government cannot give to anybody anything that the government does not first take from somebody else. 
  4. You cannot multiply wealth by dividing it! 
  5. When half of the people get the idea that they do not have to work because the other half is going to take care of them, and when the other half gets the idea that it does no good to work because somebody else is going to get what they work for, that is the beginning of the end of any nation. 

Not that the big government Republicans are a lot better...The reality is we Americans had better wake up, smell the "change" we're stepping in and learn that no politician, Democrat OR Republican, can make our lives better...only WE can make that happen.

Be it information security, compliance or your personal life....as Og Mandino once said (favorite quote of all time): "Use wisely your power of choice."

Thursday, January 26, 2012

Evanta CISO event and why St. Jude's has it right

This week I had the opportunity and privilege to serve as a panelist on mobile security at the Evanta CISO Executive Summit in Atlanta. What a neat event...it wasn't just another infosec show. It was unique in its focus and well run by Corrine Buchanan and Mitch Evans who always seemed to have a smile on their faces - something we don't see enough of at these types of shows.

Another thing was a St. Jude's Children's Hospital video they played featuring Marlo Thomas talking about her father's work with the hospital. She said something about the hospital regarding its mission that stuck in my mind: "Don't just treat kids. Let's try to figure out what makes them sick."

Great approach with an interesting information security tie-in: Don't just throw technologies and policies at security...find out what's actually at risk. Indeed, we have to be smart in using the resources we're given.

Wednesday, January 25, 2012

Complacency, meet APT – How basic oversights lead to complex malware infections

Low-hanging fruit – that is, the missing patches, default passwords, lack of full disk encryption and so on present in practically every environment – is something I’ve ranted about time and again because there’s no reason to have it on your network. Why? Well, for one thing, rogue insiders may just exploit it for ill-gotten gains. But even worse, low-hanging fruit can be the target of malware exploitations that you’re not prepared to take on. You see a few missing patches and unhardened endpoints combined with users gullible enough to click whatever’s placed on their screens and you’ve got yourself the recipe for disaster.

Low-hanging fruit can turn from “Yeah, I need to get to that stuff…” to “Oh crap, all of our workstations are being controlled by someone on the other side of the world”.

Recent shifts in IT like consumerization, mobility and the desire for instant gratification when it comes to computer and Internet access have made these threats even more formidable. Users are indeed going to do what they want to do. In many cases, management will proudly back them up – even if they have no clue about the long-term impact to the very business they’re responsible for running.

Built-in security controls provide an opportunity for us to save time, effort and money keeping our systems in check without having to spend a dime more than we need to. That said, there are certain security controls that operating system and hardware vendors haven’t mastered. One in particular is security controls designed to help with APTs and advanced malware. It’s just not possible to get the specialized protection out of the box from the mainstream vendors that you’re going to get with the niche technologies I talked about in my recent paper The Malware Threat Businesses are Ignoring and How Damballa Failsafe Fits In.

It’s no different than how I buy special tires and brake pads for my race car. When there’s a specific need, odds are the stock equipment just won’t cut it.

One of the most damaging misconceptions about malware is that the big anti-virus vendors are going to keep endpoints safe. It’s this very mindset that’s gotten businesses into hot water recently. I saw it when working on an incident response project that falls under the Operation Shady RAT umbrella. I think it’s safe to say that traditional anti-virus vendors come nowhere close to protecting your network – especially if such an attack is targeted. In fact, the entire concept of APTs and advanced malware is not very well understood by the IT and information security community as a whole.

How are you supposed to protect against something like this? It's not simple. You’ve got to have the right tools, the necessary documentation and, perhaps most importantly, management that gets it.

Monday, January 23, 2012

Are your high-tech devices enslaving you?

The late Richard Carlson, author of Don't Sweat the Small Stuff, said:

"It's important to see when your high-tech communication devices actually limit your freedom, enslaving you instead of providing new opportunities for growth."

Wow...How true that is!

Have you ever tried to not look at your emails or answer phone calls when you're out and about with your family or taking some time to yourself? It's pretty darned difficult but it can be done, if you make it so.

Try it out over the next couple of weeks and you'll see what Dr. Carlson was talking about. You'll give your mind a break and be able to focus on the things that truly matter in life.

Friday, January 20, 2012

My articles & webcasts on hacking, incident response, compliance & IAM

I wanted to share with you a few new pieces I've written for TechTarget and Cygnus on incident response, compliance for systems integrators and the not-so-sexy but all-too-important technology of identity and access management:

The importance of incident response plans in disaster recovery

Regulatory compliance requirements for security solutions providers

Identity Management’s great bang for the buck

Also, here are some webcasts I recorded for TechTarget, Information Week/Dark Reading and SecurityInfoWatch.com that you may be interested in:
Managing network security threats with an ERM strategy

How Security Breaches Happen and What Your Organization Can Do About It

Building and deploying secure video and access control systems (a.k.a. ethical hacking tips and tricks for video and access control systems)

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Executives could learn a lot from Supernanny

We all have a lot to learn from Jo Frost, the Supernanny. In particular, when it comes to information security, IT management, employee computer usage and so on, business executives could benefit a ton. Here's how it'd go:
  1. Create a set of rules.
  2. Enforce your darned rules!

The role of IT in fighting today’s malware

It seems ever since I wrote my paper The Malware Threat Businesses are Ignoring and How Damballa Failsafe Fits In I’m seeing more and more vendors jump on the bandwagon. Today’s malware impacts everything from the network infrastructure to the endpoint and everyone wants a piece of the pie. I know the market is growing so I can’t blame people for wanting to capitalize on the opportunity.

Vendors aside, what is it that you as an IT professional need to be doing about the threat outside your network and the vulnerabilities inside your network? Being an independent information security consultant and seeing things from an outsider’s perspective, it’s clear to me that most IT shops are, in a grand way, woefully unprepared to fight this threat…much less respond in a mature and professional fashion when a breach and subsequent outbreak occurs.

As I write this post, I’m listening to a song on satellite radio with a chorus that says “If we don’t do it, nobody else will.” Wow, that hits the nail on the head – in a spooky kind of way. Indeed, if you don’t address the advanced malware threat today, nobody else is going to. Executives on mahogany row won’t. Nor will HR. Software developers are doing their own thing. Even your compliance officer and legal counsel aren’t going to understand the real impact of advanced malware.

You, the IT/information security professional, are going to have to step up and make the case that your business can be – and quite likely is – a target. This means taking the proper steps to:

1. determine your risks
2. get management on board
3. document reasonable policies and an incident response plan
…and, most importantly (and often the missing link):
4. enforce with the right technologies

Don’t give the bad guys a chance. Do something now. Nobody else will.

Thursday, January 19, 2012

My interview in Hackin9 magazine

If you subscribe to Hackin9 magazine, check out this issue where they feature an interview with me about how the information security landscape has changed over the past decade, how you can get started in information security, my take on compliance and more.

If you don't subscribe to Hackin9, it's a great trade rag for technical security pros and (especially?) non-technical IT, security and compliance pros...Putting the occasional typographical errors aside, it's a must-read if you want to stay current on the latest information security trends, exploits and so on.

Quoted in today's SC Magazine feature story on Symantec

Stephen Lawton wrote today's SC Magazine feature news story on the Symantec source code breach in which I'm quoted.

I provided these quotes late last night and it was interesting timing because I was speaking at a local university's AITP chapter yesterday evening and I told my audience that no one is immune from hacking - not even IT and security pros...and obviously not information security companies.

It's a crazy world out there. We have to do our best to prevent the issues but also be prepared in the event something does happen.
