Friday, November 20, 2009

I need your help *today* Friday Nov 20th

You may already be aware of TechTarget's IT Knowledge Exchange. It's a great place to ask questions and/or establish yourself as an expert.

Anyway, I just realized that today's the last day to nominate another member [subliminal message]Kevin Beaver[/subliminal message] for their Panasonic 42" TV giveaway. Someone you know [subliminal message]Kevin Beaver[/subliminal message] is in the running and could really use your help.

So what's in it for you? When you nominate someone [subliminal message]Kevin Beaver[/subliminal message], you get a chance to win one of five $20 Amazon gift cards they're giving away. Hardly anyone has voted so your odds of winning are really good! And, by signing up you can become part of a good community of folks - good for networking, good for your career.

Thanks!

"Computer glitch" always to blame for someone's bad choices

Here's my two cents on the people failure - I mean "computer glitch" - at Atlanta's Hartsfield airport yesterday. Gotta blame something...

Hartsfield outage: "Computer glitch" or FAA "people failure"?

Thursday, November 19, 2009

I could've sworn we had this thing called HIPAA

Remember way back in April of 2005 when the HIPAA Security Rule went into effect? Well apparently some healthcare providers didn't get the memo. Big blow to Health Net.

So, no reasonable security controls to meet the HIPAA requirements, much less encryption of mobile storage devices? Seriously people: what is it going to take to encrypt mobile drives!!??

I'm not a fan of BitLocker in the enterprise and not sure how big Health Net is but, heck, they could've at least considered it!

Golly...I think I get so fired up about this stuff because it affects us all so personally. Furthermore it's, um, common knowledge that big security breaches will and do occur on a daily basis.

Monday, November 16, 2009

So, certification is what's best for your career, huh?

Per Microsoft Learning's director: "We see the trend increasing that individuals are making the decision that what is best for their careers is to be certified"...Completely disagree. Read the news column...Can you see the hidden message?

Here's what's best for your information security career...substance, not certification. Ooh, maybe I should trademark that. ;-)

BitLocker and Windows 7 – Things you need to consider

I was recently asked to write a whitepaper on considerations for BitLocker in Windows 7. While doing my initial research I learned a lot about BitLocker and discovered some new ideas and approaches for managing sensitive data. In this whitepaper I cover:
  • Why data encryption matters
  • BitLocker’s new features in Windows 7
  • Operational concerns you need to think about
  • Usability issues that can create problems
  • Potential compliance and security gaps you don’t want to overlook
…and more.

We know the security threats we’re up against. We understand the value of data encryption. And odds are Windows 7 is going to be the next big operating system at the desktop. Taking these things into consideration, we’ve got a long way to go in order to get our arms around protecting sensitive data – especially on mobile devices such as laptops, netbooks, and external drives.

Knowing how the marketing beast tries to pull us in one direction and seemingly critical technical issues in the other, we often overlook which way is best for the business. After all, that’s what security decisions need to be based on. You have to look at your business operations, politics, staff expertise and so on with a critical eye and ask yourself what’s going to be the best data encryption solution overall.

I’m a big advocate of using what you’ve got before you go out and spend even more money on third-party security products to gain the control and visibility you need. I see it all the time. Managers complain that security’s too difficult or expensive all the while they’re not even using their built-in operating system controls – controls that can go a long way towards keeping things in check. But just because something is built in and “free” doesn’t mean it’s the best fit or suitable for the business.

I’ve come to the conclusion that many businesses – arguably the majority – are not anywhere close to being where they need to be with security and especially data encryption at the workstation. Microsoft isn’t necessarily coming to the rescue with BitLocker in Windows 7 either.

Some good old-fashioned research and planning is in order if you’re going to get your arms around data encryption and truly minimize your business risks in this compliance-driven world we work in. This means understanding the facts and thinking long term about how your decisions on emerging technologies will impact your business both now and down the road. My whitepaper Considerations for BitLocker in Microsoft Windows 7 will help you get the ball rolling.

Wednesday, November 11, 2009

Responsibility becoming a thing of the past?

Here's a great post from Neal Boortz regarding holding people responsible for their choices. It's very simple to blame something inanimate instead of fixing the real problems. Like blaming malware for security breaches...

Practically everything in life and business can be traced back to choice - that's why we have to use it wisely.

Tuesday, November 10, 2009

M-W's Word of the Day very fitting

I subscribe to Merriam-Webster's "Word of the Day" and saw today's word is rectify. Here's the example sentence they used:

"The night before the Web site was to go live, the programmers worked frantically to rectify several unresolved security problems."

Too funny! ...and sadly, all too common. Hey, at least they were working to fix the security issues before it went live! ;-)

Monday, November 9, 2009

Have you thought about business continuity metrics?

Either way, here's a good set of business continuity metrics worth checking out. Something that's sorely missing from many plans...that is, where plans even exist.

Sunday, November 8, 2009

The real deal with the SSL/TLS flaw

Over the past few days Twitter, security blogs, and news columns have been going crazy with the newly-discovered SSL/TLS flaw. Man, you'd think it's the next WEP exploit discovery. The security sky is falling...we must retreat.

Seriously, is this thing a big deal? Not in my opinion - at least not in 99.9% of situations. But what do I know? I'm just the security guy that sees network shares sharing out entire drives full of sensitive files, firewalls with default configurations and no passwords, smartphones without a trace of security enabled, laptops with supposedly "nothing of value" that end up having thousands of PII records yet no semblance of drive encryption, database servers without passwords, physical security cameras and data center control systems with default passwords that anyone on the network can mess around with, operating systems missing critical patches that are easily exploited using free tools, Web sites/apps with gobs of XSS and weak authentication controls, and on and on and on and on.

If you want to pick nits and chase the rabbit down the infinite path of limited return, sure, it's a big deal. Otherwise, chances are you've got much bigger issues on your hands.