You can't secure what you don't acknowledge.SM

Tuesday, June 10, 2014

Pitching your ideas in IT

If you work in IT, your communication and selling skills are more important than anything you can ever do technically. This includes "pitching" your ideas to your audience - typically management and users. As a speaker, I often struggle with new approaches for pitching my ideas.

Here's a good Success.com Q&A with Shark Tank's Daymond John to help remind us of what people are looking for. I especially like where Daymond says: "There are no new ideas ever in the world." ...so true, even in our field.

Wednesday, June 4, 2014

More Web security vulnerability assessment, audit, and pen testing resources

I've been busy in the world of Web security testing - both with work and with writing. Check out these new pieces on the subject. I suspect I'll tick off a "researcher" or two given my business angle and 80/20 Rule approach of focusing on the most problematic areas of Web security...Still, I hope that these are beneficial to you and what you're trying to accomplish in your organization:

Key Web application security metrics

Taking politics out of the Web security equation

Getting back to basics with Web security

Core causes of Web security risks and what you can do about them

Security Considerations When Using AWS Cloud Services

The Big Security Oversight When Using Amazon Web Services

By the way, with the continued banter/debate around vulnerability assessments vs. audits vs. pen tests, here's my two cents on the subject:
Is it a pen test, an audit, or a vulnerability assessment?

Don't forget to check out all of my other information security content at www.principlelogic.com/resources

Wednesday, May 14, 2014

Web security vulnerability testing and management resources you need

From scanners to compliance to software development and beyond, here are several Web security pieces I've written for the folks at Acunetix that I thought you might like:

The Role Of An Automated Web Vulnerability Scanner In A Holistic Web Security Audit

How Your Web Presence is Throwing You Out Of Compliance

The disconnect between IT audit and software developers

Top 10 Insider Threats and How to Protect Yourself

Top 5 Information Security Trends

Top 5 network security vulnerabilities that are often overlooked


Don't forget to check out all of my other information security content at www.principlelogic.com/resources.

Thursday, May 1, 2014

Running vulnerability scans over VPN connections

If you haven't yet, you'll likely run into a situation where you need to run vulnerability scans over a VPN connection (e.g., for remote office networks). Well, certain scanners rely on "raw sockets" for their probes (SYN scans, OS fingerprinting and the like), and some VPN virtual adapters simply won't carry that traffic, so the scan never really leaves your machine. Other scanners can't even connect to a remote network at all because they're packaged up in their own little virtual machines that you cannot add a VPN client to.

If you're faced with this situation, check out GFI LanGuard (currently in version 2014). LanGuard works like a charm over various VPN connections. I have found that when performing unauthenticated scans LanGuard typically doesn't find as many relevant vulnerabilities as other scanners but its authenticated scans of Windows and Linux systems are very good. I have some clients that use LanGuard for patch management with positive results as well. Definitely a worthy tool!
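As an added example (not from the original post, and not LanGuard's or any other vendor's code): a small Python script that first checks whether the process can even open a raw socket, and then runs a plain TCP connect() scan, the fallback that works over a VPN tunnel because it is ordinary stream traffic. The listener and the port numbers in demo() are constructed locally so it runs offline; the host, port list and timeout are illustrative, not values from the post.

```python
# Added example (not part of the original post, not LanGuard or any vendor's code):
# detect whether raw sockets are usable here, and fall back to a TCP connect()
# scan, which rides over a VPN tunnel like any other application traffic.
import socket
from typing import Iterable, List


def raw_sockets_available() -> bool:
    """Return True if this process can open a raw IP socket.

    SYN (half-open) scans and OS fingerprinting need raw sockets. Opening one
    normally requires root/CAP_NET_RAW (or Administrator on Windows), and even
    when it succeeds some VPN virtual adapters will not transmit the packets.
    A False result means the connect() path below is the one that will work.
    """
    try:
        raw = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except OSError:          # PermissionError is a subclass of OSError
        return False
    raw.close()
    return True


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> List[int]:
    """Full TCP connect() scan (what nmap calls -sT, as opposed to -sS).

    Completes the three-way handshake with an ordinary stream socket, so it
    needs no privileges and is routed through the tunnel like any client
    connection. The price: the target sees a completed connection, so expect
    noise in IDS/IPS and application logs on the remote network.
    Returns the sorted list of ports that accepted a connection.
    """
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            # connect_ex returns 0 on success or an errno such as ECONNREFUSED
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def demo(host: str = "127.0.0.1"):
    """Constructed offline target: one listening port and one known-closed port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))               # ephemeral port chosen by the OS
    server.listen(5)
    open_port = server.getsockname()[1]

    # Reserve a second ephemeral port, then release it so nothing listens there.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((host, 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        found = connect_scan(host, [closed_port, open_port], timeout=2.0)
    finally:
        server.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    mode = "SYN scan possible" if raw_sockets_available() else "connect() scan only"
    print("raw sockets:", mode)
    open_port, closed_port, found = demo()
    print(f"listening on {open_port}, closed {closed_port}, connect scan found {found}")
```

If raw_sockets_available() comes back False on your scanning box, or True but the SYN scan reports every remote host as down, that is the symptom described above: switch the scanner to its connect() mode (or pick one that has it) before blaming the VPN. Authenticated scans are unaffected either way, since they log in over SSH/SMB like any other client.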


Wednesday, April 30, 2014

Things that impact careers in information security

Here are some recent pieces I've written that can make or break your success in information security:

Open your eyes and you’ll see the light

Steering your career as a desktop admin in the mobility age

The mindset of everyday employees and their impact on security

Why a CIO's relationship with enterprise IT security is important

Be sure to check out the hundreds of security articles, webcasts, and more I've written/developed over the past 12 years at principlelogic.com/resources.

Tuesday, April 22, 2014

6 reasons information security causes global warming

In keeping with the "divorce and everything Capitalist or conservative causes global warming" movement, how about this:

Information security causes global warming (or cooling, or whatever it needs to be called today)
I really believe we have a "crisis" on our hands and here's why:
  1. The need for IT security controls is a negative side-effect of Capitalism - man bettering himself if you will. If we didn't have computers and the Internet, the advancement of mankind, and greedy corporations trying to make profits, this wouldn't be a problem.
  2. Security policies are often distributed to employees in hard copy form which requires cutting down trees which requires manufacturing, and more jobs, and more people commuting to work, and fuel usage for shipment....
  3. Information security clauses lengthen business contracts contributing to the same paper manufacturing and delivery problems as above.
  4. Firewalls, IPSs, and anti-virus software require manufacturing, and more jobs, and, well, more carbon dioxide and Capitalists getting their way.
  5. Added security controls require more power and space in data centers thus impeding the "green" data center movement we're seeing a lot of.
  6. When criminal hackers' and malicious insiders' attacks are blocked by our non-environmentally-friendly security controls, it hurts their feelings and makes them feel less about themselves and their jobs which leads to lower productivity at work which leads to more snack and smoke breaks which lead to overflowing landfills and, of course, increased carbon dioxide in the sky.
Finally! Managers and executives now have a valid excuse for not buying into information security...How could anyone in their right mind possibly support anything that causes "global warming" anyway..?? 

I know, I know, my approach seems flawed, but so is the "logic" and the "facts" behind the religion of "global warming". If it were only this easy to push information security initiatives in an emotional fashion in the name of something that has no basis in fact and without having to present the real side of the story!

Now I've got to go figure out how I'm going to offset the "carbon emissions" pouring from my race car's open exhaust and my daily driver's big V8. I'm confident a government bureaucrat will guide me along the way.

Friday, April 11, 2014

Heartbleed - the biggest Web security problem ever???

I just came across this piece from NewsFactor: Is Heartbleed the Biggest Web Security Threat Ever? and couldn't help but chime in. Contrary to popular hype, I don't think the biggest web security issue we face (now or ever) is a technical problem...instead, it's something with hair on top like I talked about here.

As with the hype over the Target breach and the gloom and doom over Windows XP's end of life, it's never the hard-to-find, technical stuff that many people believe is at the "heart" of our security woes. Instead, this issue, like most others in life, can be distilled down into a much more basic form. We're our own worst enemies...

P.S. Wouldn't it be weird if the NSA is somehow tied to this vulnerability...? ;)

Wednesday, April 9, 2014

Windows XP: Goodbye my love...well, not really.

Windows XP...ah, the memories!

I wrote many of my books including the first two editions of Hacking For Dummies and the first edition of The Practical Guide to HIPAA Privacy and Security Compliance originally on Windows XP - not to mention countless articles, security assessment reports and more over a 7-8 year span.

It was nice working with you XP!

I waited to write this post today, the day after all the Windows XP end-of-life hype, so as to not get caught up in that mess from yesterday. What's interesting to me about this whole Windows XP story is that every analyst, IT vendor marketing rep, journalist, auditor, and consultant is an "expert" on the doom and gloom that will be brought upon society with all of the businesses and consumers not upgrading their operating systems.

Looking at the headlines, still today, it's kind of funny (and sad):
"Vital industries exposed to risk"
"Isn't safe to use anymore"
...blah, blah, blah.

Apparently Windows XP is still being run on 25% of PCs. Will we hear stories about Windows XP systems being drywalled into oblivion like we've heard about Novell NetWare? Probably not. I do suspect it's going to be around for years to come. And, sure, vulnerabilities will be discovered - especially on systems that have scant security controls to begin with. IT's elite will clamor about their amazing exploits. Management will still have their heads in the sand. Life goes on.

The funny thing about Windows XP is that the OS itself is not where the real risk is in most network environments. [Oh gosh, did I say that out loud!?...now I'm going to have some "researchers" all over me...shudder.] Real-world experience tells me that much of the risk is all the other stuff people are installing and IT is not patching that's creating the real problems...the latest study shows that 76% of vulnerabilities are NOT Microsoft's issue. I've seen higher numbers in the past.

Microsoft Corporation is being treated like some of the big social/political issues like "global warming", gun control, and income "inequality" because they're expedient, convenient, and intangible enough to get people riled up.

Here's the real issue that we're still not hearing: I know without a doubt that many of the people preaching fire and brimstone about Windows XP are the same people who continue to ignore the critical basics I'll rant about until the day I retire such as:
  • Network shares full of sensitive files made available to everyone with a login
  • Mobile devices with ZERO security controls
  • Minimal - and grossly reactive - system monitoring
  • Firewalls with default passwords
  • Laptops storing tens of thousands of credit card numbers and SSNs with no hard drive encryption
  • Open wireless networks for "easy guest access" that provide full access into the back end network
  • Database servers with no passwords
  • Operating systems with weak passwords
  • Numerous cloud services being used without IT's consent or knowledge
  • Physical security control systems with ZERO security controls
  • etc...
Unless and until these people have helped themselves and the others who depend on them fix this low-hanging information security fruit, I'm going to say: Got XP? No problem!

Tuesday, March 25, 2014

68% of workers do this...and we wonder why we have security problems!

I've always believed that information security is a people problem that goes deep into the psychology of how we think. Here's a great example...starting at 0:24:

http://johnmaxwellteam.com/industrious/

This is the basis for why our so-called leaders rise to power, why there's a gap between the haves and have-nots, and why so many "ailments" afflict society. Many people simply don't believe in themselves and have no desire or motivation to get any better.

Are you going to let this drive your information security program!?

Is this as good as you're going to get or are you going to get any better?

As Og Mandino said, "Use wisely your power of choice."


Thursday, March 13, 2014

HIPAA compliance lip service

Here's an example of the lip service (security theater) people give to compliance and information security found on display at one of those giddy-over-regulations retailers:



Really, who's certified? How are customers to know what this means?

Checkbox checked...all that matters.

Good stuff.

Monday, March 3, 2014

Interesting sights at #RSAC 2014

I attended the RSA Conference last week...there was a lot of the same security nonsense (see my posts below) but a very good show nonetheless. You should attend next year, especially if you've never been. With 25,000+ attendees and more vendors than you can ever imagine in this space, it's a spectacle.

Speaking of "vendors", one thing that struck me as interesting - what government employee was ballsy enough to use our tax dollars for this fancy setup on the expo floor?:


And, interestingly, right around the corner was this company:


Too funny! Perhaps a thumb in the eye to our national spies? Someone, somewhere had a sense of humor - good to see in an industry that takes itself too seriously most of the time.


What I really want to know is, who was ignorant enough to let anyone at either of these vendor booths scan their badges! Well, not that the NSA weasels don't already have that information. [On a somewhat related note, NSA: what'd you think about that breakfast I just had?? Yummy!]

On a (slightly) more serious note, here are 3 of the 4 blog posts I wrote for my friends at SearchSecurity.com while at the show you might be interested in:

RSA keynotes highlight information security mistakes

The ridiculous emergence of 'cybersecurity' (thanks to the federal government)

Security topics that have come of age (that you need to keep on your radar)


Have a great week!

Wednesday, February 19, 2014

Step up or step aside, somebody needs to fix your security woes

I just got off of a phone call with some friends/colleagues where we were discussing the latest security trends. After talking it occurred to me that we're basically going backwards in time with information security. It seems with the Target breach, stupid passwords people are still using in 2014, and even today's new SANS-Norse healthcare security report, it just keeps piling up as if nothing works.

But it can work - if people would get out of their own way.

Looking at it from a psychological perspective (a great way to view security trends/challenges), it's really about the choices people are making - or not making - about security:
You've heard the adage, "if you lie about something long enough and consistently enough, pretty soon people will start believing the lies as the truth." So many people are thinking that IT and security problems are just getting too hard to handle...that the bad guys are just getting "badder". The government can fix things with whatever "cybersecurity" nonsense they're going to shove down our throats. To the cloud so we can wash our hands of all this.

Too many people are acting as if everything is out of their control, like low-information voters at the ballot box.

Like I talked about in this new guest blog post for Rapid7, don't let history repeat itself so that you get burned. Step up or step aside - somebody needs to fix this stuff.

Tuesday, February 4, 2014

The power of how we *think* about information security

Here's a good piece on coping with stress - something all of us in IT know all too well. One thing in particular caught my eye that meditation expert Jon Kabat-Zinn said - it's something that may help explain the common approach many people take to information security...He said:

We may find ourselves resisting innovation and change and becoming overly protective of what we have built because we feel threatened by new ideas or requirements or by new people...it’s not what you know; it’s what you are willing to know you don’t know.

The article goes on about how Kabat-Zinn uses the example of how you may be working and working on something, banging your head against the wall and unable to find a solution. Only when you stop and clear your head does the answer come to you. I talked about this concept in this video and it really does work!

So, the way I understand it, we're all too busy caught up in our thinking and our own rigid belief systems and aren't open to other things that might be able to help us in our jobs. It may be time to step back and change our approach and, especially, our thinking about information security.