You can't secure what you don't acknowledge.SM

Friday, September 19, 2014

Resources to get up to speed with the latest HIPAA security requirements

Here are some pieces I've written recently that can bring you up to speed on the latest HIPAA security requirements:

HIPAA Security Compliance - From the Past to the Present

What HIPAA Security Compliance is Really About

Minimizing the impact of a HIPAA security breach

Obtaining and maintaining a state of HIPAA security compliance

Want more? Check out the newly-revised second edition of the book I just finished co-authoring with Rebecca Herold that's due out October 21st:
Be sure to check out my other IT security compliance resources on my website. Enjoy!

Wednesday, September 17, 2014

What if The Home Depot looked to their own store policies for help with infosec?

If The Home Depot's management were as strict with information security as they are with store policies I'm confident they could've avoided their data breach.

Have you heard their policy-monger guy on their intercom system while shopping? He sounds like that guy we've seen in those disturbing Allstate commercials. A bit creepy. It's also quite uninviting - it certainly doesn't make you feel welcome in their stores.

At least they've covered their bases if some kid crashes into a moving forklift while scooting about on his shoes with wheels...

Here are some more thoughts I have on the HD breach in case you're interested.

Wednesday, September 10, 2014

Magnasphere and the physical security vulnerability you may not know about

If you have an alarm system that's dependent on the decades-old reed switches like the one pictured below, you should know they can be easily defeated with a mere compass and a magnet. It's pretty eye-opening...

Certainly a good reason to have two, three, or (depending on the country you live in and your stance on self-defense) more layers of security in your building or home! :-)

A good option for beefing up your security and preventing this type of physical breach is offered by Magnasphere. I was recently introduced to the Magnasphere wireless door/window security switches (MSS-RFS-100). It's a great technology, especially if you have a need for a wireless security sensor configuration. They make standard security contacts as well. Either way, it's worth a look-see if this is in your line of work.

Tuesday, September 2, 2014

Bits & pieces on the 2014 Home Depot data breach

With the news of the new Home Depot credit card breach, combined with me being based in Atlanta as well, I feel compelled to share some links to some of the recent pieces I've written about point-of-sale and retail information security in hopes that a nugget or two might prove beneficial to someone out there:

The Target Breach – Can It Be Prevented?

Six endpoint management lessons from POS security breaches

Security Watch: Retail Cybersecurity

...and a ~2-year-old discussion:
Roundtable: The State of Retail Security

Thursday, August 28, 2014

The latest Android / Gmail security flaw & why people don't take IT & security seriously

You may have heard about the recently-discovered Android exploit that makes Gmail vulnerable to criminal hackers. I read it over and realized that I have to use this opportunity to share an example of what I talk about when "researchers" claim that all is bad in the world because of the latest and greatest exploit impacting whatever software or device they've discovered.

This Android/Gmail finding in particular is a great example of yet another one of those "the sky is falling" security "flaws" that I've been calling out for years...and they won't go away...and we wonder why people outside of IT and security don't see us as credible business professionals.

Let me explain.

The AJC story states that:
"Security researchers have uncovered a major flaw in mobile operating systems which could give hackers easy access to personal information. Here's the scary bit: The exploit can hack into your Gmail account with a 92 percent success rate." 

Wow...scary indeed. That's a great success rate that shows all IT and security departments need to drop everything they're doing and put this exploit at the top of their priority lists. Something tells me that there's not a fix...

Yet it goes on to say:
"A Greenbot writer notes actually using this vulnerability is pretty complicated. "First, you have to download a malicious app to start monitoring your activity. Then, the attack has to happen at the exact moment you are entering sensitive information. ... The malicious app has to inject a phony, look-alike login screen without the user noticing. That means the fake screen has to be precisely timed."

Oh, so it's not really that bad. In fact, so many variables have to magically line up that most people and businesses will never be impacted? Whew...

And, finally: 
"...the best advice researchers have for avoiding these attacks is not to download sketchy apps in the first place." 

Perfect...I won't. Good to confirm there is no solution to fix a problem that may or may not be creating security risks in any given environment. 

This leads me back to the security basics that people keep avoiding and then go on to wonder why they keep getting hit. It's a perpetual cycle of ignorance brought on by research left unvetted by the media and, like most things, made into a bigger deal than it needs to be.

I'm glad there are folks out there (who are way smarter than me) finding such flaws and keeping vendors honest. But you can't follow their lead. 

Want to know the real secrets to avoiding security incidents and data breaches? Know your environment, understand your unique risks, and follow the proven security essentials that have been around for decades. Don't fall for the IT geek speak that likely has no bearing on your business. These are the things that will keep what's important in check - and very likely keep your users' Gmail passwords more secure - than anything else possibly could.

Wednesday, August 27, 2014

My new webcast on securing your Web environment against denial of service attacks

I saw a recent study that found that distributed denial of service attacks are getting larger and larger.

The thing you need to be thinking about is how you're going to prevent attacks and respond when your Web presence becomes a target.

Well, good timing, because I just recorded a new webcast for my friends at Dyn on this very topic...In Proven Practices for Securing Your Website Against DDoS Attacks, I have a one-on-one discussion with Dyn's expert Andrew Sullivan on DoS attacks impacting your Web presence, including how they work and what you can do about them...

Check it out if this is on your radar...I think you'll like it!

Tuesday, August 19, 2014

CommView for WiFi - a great option for wireless network analysis

Several years ago I wrote about the neat WEP/WPA recovery tools offered as part of TamoSoft's wireless network analyzer called CommView for WiFi. Well, those tools are no longer available but CommView for WiFi is as relevant as ever. I've been using it for years. It seems that it hasn't changed a ton other than some UI and packet analysis enhancements - probably just oversights on my part since I don't use it every day.

I've featured CommView for WiFi in my book Hacking For Dummies but wanted to tell you about it here as well. It's an enterprise-ready tool by itself but when you add on the remote agent and TamoGraph Site Survey, it's everything you'll likely need in terms of wireless network analysis, monitoring, as well as site surveying for new wireless deployments and troubleshooting.

The following are screenshots showing CommView for WiFi's main interface and its packet generator tool:

CommView for WiFi also has a tab called Latest IP Connections that's really neat. In order to protect the infected, I chose not to show this; however, in the few minutes I had the tool loaded to write this blog post, CommView for WiFi detected outbound communication sessions with several interesting hosts, including one in Russia. Yet another reason to get control of BYOD and mobile security!

I see that CommView for WiFi's reviews aren't stellar over at CNET but I think that's because of the junk adware wrapper code that CNET includes with its downloads. No worries, just download it directly from TamoSoft and you should be good to go. Michael Berg at TamoSoft is continually updating the program and is very responsive when questions arise.

Yet another great "you get what you pay for" network/security tool.

Monday, August 18, 2014

A resource to help with PCI DSS 3.0's penetration testing methodology requirements

PCI DSS has been getting a lot of buzz lately and the latest version 3.0 will continue gaining momentum until the many small and medium-sized businesses get their arms around the new requirements. Of particular interest is the updated requirement 11.3 (below) which is much more prescriptive on how to find the actual security flaws that matter.

I've always believed that you can't secure what you don't acknowledge...PCI DSS 3.0 now mandates a formal methodology for security testing that:

• Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
• Includes coverage for the entire CDE perimeter and critical systems
• Includes testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results

These updates are no doubt an evolution of the realization that many people were simply performing basic vulnerability scans of network hosts or hiring fly-by-night "pen-testers" to seek out one or two easy wins in the cardholder data environment rather than performing a more in-depth security assessment that looks at everything that matters.

I suspect many people (especially those working in SMBs with limited resources) will migrate towards the NIST standard similar to how many people have jumped on the "cybersecurity" bandwagon. There's also the resourceful Open Source Security Testing Methodology Manual (OSSTMM) that's been around quite some time.

The important thing you need to know is that none of these standards will be a best-fit, end-all-be-all solution for your organization. Similar to exercise and diet programs for individuals and strategic corporate plans for businesses, every person/organization has their own unique needs when it comes to information security testing. The interesting thing to me in many of these standards, and in just general popular belief, is that open source tools are all you need to perform an effective security assessment. I've said time and again, in all but a handful of scenarios, you're going to get what you pay for with your security testing tools. Outside of the awesome Metasploit tool and a few mostly forgettable others I've used over the years, I've yet to find any open source tool that works a fraction as well as the commercial alternatives.

With PCI DSS 3.0, or whatever requirement, your information security test tools and methodologies will absolutely define your testing outcomes and ultimately your business risks. Before going down yet another confusing path in the name of security and compliance, know that everything you need to get started - and darn near master - your penetration testing is outlined in my book Hacking For Dummies...I hope this helps and best of luck.

Tuesday, August 5, 2014

Are you stuck in this information security rut?

Here's a new post I wrote for Rapid7's blog that I think you might like...

There’s nothing really new in the world in which we work. Every problem you face in information security has already been solved by someone else. Why not use that to your advantage? There’s no time for baby steps in security. Sure, you need to “walk before you run” by thinking before you act. That comes in the form of knowing your network, understanding your risks, and getting the right people on board. But not taking the time to learn from other people’s mistakes and developments in information security is downright bad for business...{read more at}

Tuesday, June 10, 2014

Pitching your ideas in IT

If you work in IT, your communication and selling skills are more important than anything you can ever do technically. This includes "pitching" your ideas to your audience - typically management and users. As a speaker, I often struggle with new approaches for pitching my ideas.

Here's a good Q&A with Shark Tank's Daymond John to help remind us of what people are looking for. I especially like where Daymond says: "There are no new ideas ever in the world." True, even in our field.

Wednesday, June 4, 2014

More Web security vulnerability assessment, audit, and pen testing resources

I've been busy in the world of Web security testing - both with work and with writing. Check out these new pieces on the subject. I suspect I'll tick off a "researcher" or two given my business angle and 80/20 Rule-approach of focusing on the most problematic areas of Web security...Still, I hope that these are beneficial to you and what you're trying to accomplish in your organization:

Key Web application security metrics

Taking politics out of the Web security equation

Getting back to basics with Web security

Core causes of Web security risks and what you can do about them

Security Considerations When Using AWS Cloud Services

The Big Security Oversight When Using Amazon Web Services
Don't forget to check out all of my other information security content at

By the way, with the continued banter/debate around vulnerability assessments v. audits. v. pen tests, here's my two cents on the subject:
Is it a pen test, an audit, or a vulnerability assessment?


Wednesday, May 14, 2014

Web security vulnerability testing and management resources you need

Here are some recent pieces I've written that can make or break your success in information security:
From scanners to compliance to software development and beyond, here are several Web security pieces I've written for the folks at Acunetix that I thought you might like:

The Role Of An Automated Web Vulnerability Scanner In A Holistic Web Security Audit

How Your Web Presence is Throwing You Out Of Compliance

The disconnect between IT audit and software developers

Top 10 Insider Threats and How to Protect Yourself

Top 5 Information Security Trends

Top 5 network security vulnerabilities that are often overlooked

Don't forget to check out all of my other information security content at

Be sure to check out the hundreds of security articles, webcasts, and more I've written/developed over the past 12 years at