You can't secure what you don't acknowledge.SM

Wednesday, April 15, 2015

Don't get blinded by the "small stuff" that's hard to notice

One of the core challenges you face in information security is getting so caught up in the minutiae of your network environment and day-to-day work that you end up not being able to see the bigger picture: what's really going on, what really needs attention, and what really matters. I've been writing about this for over a decade and I've yet to stop spreading the's just too important a topic to ignore.

Not seeing the forest through the trees impacted me and my family recently. It's about our dog, Lady. As you can see, Lady was a beautiful girl who was also smart, loyal, and a determined guard dog, weighing over 50 pounds in her prime. As Lady grew older, she had health problems that we were aware of, yet didn't fully understand. These issues started several years ago when she was diagnosed with a spinal problem that affected her ability to walk/run and stay balanced - something called degenerative myelopathy. Thanks, in large part, to the Help'EmUp dog harness, we learned to manage this condition. It just became part our daily routine.

Then dementia set in. Lady's behavior was marked by endless pacing around the house, not connecting with us mentally/spiritually/emotionally like dogs do with their families, and a slowly diminishing appetite. We knew the problems were there but didn't "get" how bad they were becoming...In recent months, everything started moving very quickly. After witnessing her immobility and dementia getting worse and worse, along with some great guidance from my friend and fellow racer, Dr. Alan Cross, we knew it was her time.

Here's the shocker: once we took took Lady to the vet to end her suffering, we realized that she had lost 15 pounds from her peak...! We had no clue it had gotten that bad. Sure, we knew she wasn't well and was looking skinny, but we certainly weren't prepared to hear that she had lost nearly a third of her body weight in such a short period. Any doubts about what we were doing vanished when we learned this. We felt badly, yet blessed. Lady is now in a better place. God bless her soul.

I wanted to share this story with you because being blinded by what's going on under your very nose can (and will) impact you if you're not careful - especially in information security. Don't let security problems sneak up on you to the point where someone else (i.e. a criminal hacker or rogue insider with ill intent) shows you how bad they really are. It happens to the best of them and it can happen to you. Be proactive. Know the facts. Do something about your weaknesses sooner as opposed to later.

Lady, you're dearly missed. Cheers to having wonderful pets that make a difference in our lives!

Tuesday, April 7, 2015

A core reason why security challenges go unresolved

Constantly dealing with information security issues in your organization? It's really about dealing with management, peers, and subordinates. Here's some motivation:

"The ability to deal with people is as purchasable a commodity as sugar of coffee, and I will pay more for that ability than for any other under the sun." -John D. Rockefeller

If you're in search of other ideas on how to get (and keep) people on board with security, here are some pieces I've written on the subject.

Tuesday, March 10, 2015

Using Checkmarx CxSuite to outline "the rest of the story" regarding application security

When it comes to Web application and mobile app security, can you honestly say you know where everything American radio personality Paul Harvey used to proclaim -  the rest of the story?
You can run Web vulnerability scans, perform manual mobile app analysis, and the most in-depth penetration testing possible. You can look at things from the perspectives of unauthenticated attackers, trusted users, and all the angles in between using Web proxies, forensics tools, and network analyzers. Still, that's not everything.

You haven't looked at the entire picture if you haven't looked at your application's source code using an automated source code analyzer such as Checkmarx's CxSuite. Why? Source code analysis helps paint the entire picture of where your applications are vulnerable and how they might stand up - and fall down - against the threats they face.
Note that I emphasize "automated" source analysis because no security professional of value has time to perform manual analysis on all the applications that matter.
The following screenshot of CxSuite shows the summary findings in an Android mobile app:

Interestingly, here are the findings in the same app written in Objective C for the super secure iOS platform:

There are a dozen more low-priority findings that you can't see in this screenshot. These differences in Android and iOS code are reason enough to perform source code analysis...

The CxSuite report shows prioritized findings (to be reviewed and re-prioritized by you as necessary) as well as source code examples so developers can understand how to fix the issues.

If you're an IT administrator, security manager, compliance auditor, developer, or consultant responsible for finding weaknesses in your organization's (or your client's) Web applications and mobile apps, you really need to look at the source code...eventually. And by "eventually" I mean at some point in the next year. Not the next five years. Not when you get around to it. If you don't, odds are good that someone else will find the flaws for you and try to make you look bad. Then what's it going to cost? Ten, twenty, many a thousand times more than it would've cost to perform the proper testing in the first place.

Don't end up here or fall into the group of people who find out about vulnerabilities and breaches from third parties that we keep hearing about. Perform a proper automated source code analysis soon and do it periodically. There are several source code analyzer options. Whether you're super technical or you're not, of the source code analyzers I've used over the years, I've found CxSuite to be a great option. 
In a future post I'll walk you through the steps required to perform a typical source code analysis. It's much easier than most people think.

Monday, February 9, 2015

Back to basics in information security? Proven year after year but (apparently) unattainable for many.

I'm often wrong about many things in life...just ask my wife. However, I'm feeling a bit vindicated regarding my long-standing approach to information security: address the basics, minimize your risks.

You see, more and more research is backing up what I've been saying for over a decade. It what was uncovered in the new Cisco 2015 Annual Security Report. [i.e. "Less than 50 percent of respondents use standard tools such as patching and configuration to help prevent security breaches."...among many other things.]

The new Online Trust Alliance report found the same things.

CyActive had similar findings as well in their new study. ["Some of the worst attacks of this year could have been avoided, saving companies, governments and consumers millions of dollars" ... "Unfortunately, reactive defense remains the common denominator today, despite the overwhelming evidence of reused and recycled components seen in the most notorious attacks."]

The brand-new Trustwave State of Risk Report backs up this reality, and does so every year. [i.e. "60% run external vulnerability scans on critical systems (third-party hosted) less frequently than every quarter. Meanwhile, 18% never perform penetration tests." I'll venture to guess that 80+ percent of organizations are not looking at all of their systems that count...]

The same goes for the Verizon Data Breach Investigations Report.

Ditto for the Chronology of Data Breaches...on a daily basis.

These results combined with what I see in my work and I'm even more convinced that if we focused on the basic principles of information security such as the ones I listed here six years ago, what I wrote for in 2004, many of the concepts we learn during CISSP training...not to mention the ones listed in these two publications:

What gives!? What's it going to take to fix our security problems?

No thanks, Øbama, we don't need your approach to continued government growth that'll fix information security no more than your "healthcare" law has fixed healthcare.

I'm not convinced we need a federal data breach law, either (thanks anyway, American Bankers Association). I believe we have enough laws on the books for now...

What we're seeing in information security (i.e. people who ignore the basics and end up perplexed by why bad things keep happening) is not unlike what society does with social issues. Every generation has their own ideas on how to fix the world's ills (namely passing more laws and redistributing more wealth) but we're still not focusing the essentials that have proven to work across generations (i.e. free markets, lower taxes/regulation, coaching people to believe in themselves, etc.) and, thus, the problems continue.

As Jim Rohn once said: Success is easy, but so is neglect.

The title of this recent SC Magazine piece on the subject says we need a new approach. I respectfully disagree. We need discipline.

What we need to fix the security challenges we face are people willing to stop buying into the hype brought forth by vendors and analysts, especially those who stand to make money off of their shiny new products or services - not to mention the self-proclaimed security ninjas and cyber warriors who know everything about security, in their own minds. We then need these people to acknowledge that merely 20 percent of their security vulnerabilities are creating 80 percent of their problems. Finally, we need people who are willing to be leaders and step up do something about these weaknesses....

Otherwise, step aside and let someone else do what needs to be done.

I know it's not that difficult. I see plenty of organizations who are successful in security. The problem is that most are not.

As Ayn Rand, author of Atlas Shrugged said, You can avoid reality, but you cannot avoid the consequences of avoiding reality. The time to start recognizing history and learning from other people's woes is now. Use your power of choice...Don't be a dodger. Confront the issue, fix it, and get this behind you once and for all.

Tuesday, February 3, 2015

Great quote about making changes in infosec

Here's something that the founder and CEO of FedEx, Fred Smith, said that ties-in nicely with what we do (and see) in information security:

"You are the way you are because that's the way you want to be. If you really wanted to be any different, you would be in the process of changing right now."

Pause for a moment and ask yourself what you're doing to make some changes in information security today, this month, and the rest of the year so that your organization doesn't end up here.

Wednesday, January 21, 2015

Øbama knows more about information security than we do

I know it's painful to listen to our Ruler wax poetic about how great things are in America and how he's going to continue transforming society for the just in case you missed last night's State of the Union and proposed initiatives, his regime wishes to "better secure" the Internet and our networks by making changes to the Computer Fraud and Abuse Act (CFAA). Here are some good reads to get you up to speed: (written by Rob Graham who knows a thing or two about this stuff - he was the co-founder/inventor of the awesome BlackICE personal firewall software before security was cool)

Are you ready to share your security event information with the Feds? Ready to go to jail for sharing your passwords with others or clicking links to see interesting information? You'd better start writing your government representatives.

Stay tuned...In the meantime, check out some more of my thoughts on how our Imperial Federal Government wants to force "cybersecurity" down our throats - some stuff dating back to 2009.

Friday, January 9, 2015

Core human psychology principles are what hold us back with security

2015 marks my 26th year working in IT and my 20th year focusing on information security. I'm so fortunate to work in such an amazing field and even luckier to have gained some wisdom over the years that has allowed me understand the true challenges we face with information security!

As much as the vendors, researchers, and criminal hackers want us to believe it's the threats that cause all the problems, I'm convinced otherwise. Across the millennia of human existence, people with ill-intent have been a given - a fact that cannot be changed. Threats, both large and small, will always exist in the physical and digital realms. What can change is our approach to the threats we face, especially in the digital world.

You know the saying "It's not what happens to you but how you react to it that matters." That's nearly 2,000-year-old wisdom from Greek philosopher Epictetus. And it still applies to our world today! 

What's most important with information security is not just we "react" but how we "respond" and minimize the impact when things go awry. This can only be done through well thought out plans which, in turn, requires seeing the bigger picture and "getting" security.

I've written a few pieces recently on how human psychology impacts information security - both positively and negatively - such as:

Fortunately, I'm not alone in this thinking. One of the sharpest minds I know in security is Rob Lewis (@Infosec_Tourist) and I wanted to share with you a couple of recent posts of his that take an even more intellectual approach to this subject:
5 Stages of Infosec Adapt or Die
"Ask for Evidence", Part 2 - The Need for Squeeze

...You need to follow Rob - he has lots of great insight.

What I'm trying to say is know your enemies but, more importantly, know yourself, your managers, and your users as it's everyone else beyond the "threats" that you must rely on to do what's necessary to minimize information security risks. After all, the threats wouldn't have much to exploit if people weren't so careless in their approaches to IT and security.

Work on problems, not symptoms. Learn how humans behave well enough and you might just resolve so many of your security challenges that you put certain threats "out of business" altogether.

More coming from me in this area in 2015...Cheers to a great year!

Monday, December 22, 2014

Some vulnerability + penetration testing content to send off 2014

Here are some pieces I've written recently on determining just how "fit" your network and application environment really is. Whether you're an IT auditor, penetration tester, IT admin, or security consultant, there's some stuff for you:

How to perform a (next-generation) network security audit

Don’t overlook details when scoping your Web application security assessments

Top gotchas when performing email phishing tests

How to take a measured approach to automated penetration testing

Five steps for improving an authenticated vulnerability scan

Next-generation tools for next-generation network security

Look for these security flaws in your messaging environment

How do you know when a security vulnerability matters to your business?

My other information security content I've developed over the years is available on my website at's to the great 2014 we've had - I'm so blessed to work in such an amazing field!
formation security content is available I hope you enjoy it! - See more at:

My other information security content is available I hope you enjoy it! - See more at:

My other information security content is available I hope you enjoy it! - See more at:

Wednesday, November 5, 2014

Car racing and security breaches, you're not as ready as you think you are!

This past weekend I had the opportunity to run the race of my life - a 90 minute enduro car race in my Spec Miata - held at the America Road Race of Champions at Road Atlanta in Braselton, GA.

It wasn't the most competitive race - there were only 17 entries, 14 that made it on track...I've raced with over 60 cars at once. 

It wasn't the most stressful race. That award goes to the motocross races I ran at the Loretta Lynn's Amateur Nationals back in 1987.

It wasn't the most physically demanding race either - sustained heart rate of only ~145bpm - much lower than what motocross required of my body.

It was, however, a race that I feel like I wasn't fully prepared for.

I started training for this race months in advance - both mentally and physically. The preparation in the weeks and days leading up to this race were especially measured. I even had to scramble to get information from my fellow racers and race team during the final hours on Sunday to figure out what to do during my pit stop, as that was my first real one (outside of the arm chair pit stops I do watching F1, IndyCar, etc. races on the weekends).

Yet, still, nothing prepared me for the mental exhaustion, the leg pain, the loss of gross motor skills I'd experience during the race. That stuff was real.

I didn't think I'd run out of water in my drink bottle either...I did, just 30 minutes into the race. I most certainly wasn't prepared for how quickly the mandatory five minutes would pass during my pit stop - the fastest five minutes of my life! I didn't have enough sense of urgency during my own biological pit stop so in rushing to get back on track, one of my harnesses and my HANS device weren't properly fastened - something I had to fix while back out on track. That cost me a position in the race.

Sadly it was ~59 degrees outside. I can't imagine doing such an event in the heat of summer! I definitely learned the value of the CoolShirt system that many of my competitors were wearing (and recommended to me :-). My wife doesn't know it yet, but I now have one on my Christmas wishlist!

I digress.

I'm sharing this story with you because my experience in this race reminded me of what it's like when a data breach occurs. As the saying goes, experience is something you don't get until just after you need it.  I thought I was overly-prepared but given that it was my first 90-minute enduro, I quickly learned from the experience that I wasn't...I did what any self-respecting race car driver or CISO would do afterward: made a lot of notes on what to do differently next time.

Be it a car race or a security breach, things happen pays to be ready. You can never be prepared enough. Most organizations I see have done little to nothing to truly prepare for a security breach. Ignore all forms of preparation (i.e. not even having a documented response plan) and I'm convinced you're doubly-screwed. Even if you take reasonable precautions to prepare for security breaches, well in advance like I did for my race, you're still going to get caught off guard by some things and have to learn along the way.

How well-prepared are you? Ultimately the choice is yours.

I ended up 8th overall in the race.

By the way, if you want to see what happens when you apex too early and your car misfires (due to an electrical gremlin) in the middle of a turn and go off at 90mph, check out this video of that happening to me during another race over the weekend. Whew...

Wednesday, October 8, 2014

What no one is saying about cyber insurance

I race cars for fun and sport and found out the hard way not long ago that if I wanted to increase my life insurance I was going to have to jump through numerous hoops and pay enormous premiums for a minimal increase in my existing coverage. I was thinking about this scenario compared to 'cyber insurance' and, wow, what a difference.

 Knowing what I know, there appear to be minimal barriers to entry for cyber insurance coverage. It's been that way since I first started hearing about it around 14 years ago. The premiums I've seen and heard of aren't outrageous either. Sure, there's an application process and perhaps another questionnaire or two. Maybe - just maybe - there'll be a request for more information such as recent vulnerability scan reports or perhaps a higher level audit that has to be performed.

Yet, unlike car racing where the risks are known (albeit they're much lower than the old days of racing given our safety equipment requirements, smarter rules, etc., yet my life insurance premiums are based on the mindset of the past, but I digress...), I'm confident that the true information security posture of any given organization that's being underwritten by cyber insurance has yet to be discovered.

You see, it's like most audits in the name of compliance: everything looks great on the surface. Ditto for those SOC 2 data center audits that everyone is proud to share.

Security policies in place? Check.
User training program (yearly email reminder and a poster in the breakroom) taking place? Check.
Passwords required? Check.
Anti-malware software in use? Check.

You've seen these.

Getting back to reality, I'm confident that not enough of the right questions are being asked and, more specifically, not enough technical security testing is being performed to reveal the true security posture of those being approved for cyber insurance coverage.

I was discussing this topic with a colleague recently and we came to the conclusion that there are two likely scenarios for these organizations being underwritten:
  1. The truth is not being told
  2. Bad information is being received and/or given
Low-hanging fruit security flaws are everywhere and it's virtually guaranteed that they can be found on any given network at any given time. Weak and blank passwords, no laptop encryption, no testing being performed on critical Web applications, under-secured wireless networks, PII scattered across numerous unprotected network shares, physical security controls open to the public, hundreds of missing third-party software patches on every computer, no proactive security audit logging and monitoring...You name it, it's there. Yet we continue on looking for that magic silver bullet to protect our information in the form of next-generation firewalls, DLP, cloud blah-blah-blah or whatever technology is being pushed on the industry at the moment.

I recently attended a cyber insurance event in Atlanta, and in talking to the insurance salesman, consultants, and others I met, everyone seemed to be on the same page: no one really knows the true security posture yet the cyber insurance policies continue to be underwritten. I don't know all the ins and outs of the cyber insurance industry but I've heard enough stories and I've seen enough security flaws that get overlooked to be confident in saying the cart's before the horse on this one. I suspect it won't last too long as the low-hanging fruit continues to rear its ugly head in both the breaches we know about and, most certainly, the ones we don't.

Don't get me wrong. Cyber insurance is great for a final fallback plan after you've done everything else - the proven basics that have been around for years and even decades. You're likely already doing some remarkable things with information security. Most of what you need to know about - and do with - security is already present in your environment. It could be that you find out that you don't need to buy anything or implement anything new to get to where you need to be - perhaps just a few tweaks here and there. Just don't use cyber insurance as an excuse for poor security decision-making as it will certainly come back to bite when you're least expecting it.

My trip to the 2014 ISC^2 Congress

Last week I had the opportunity to attend the ISC2 Congress in Atlanta. It was held in conjunction with that physical security organization. When I arrived to walk the show floor, it was nothing but physical security vendors - as far as the eye could see. After about 45 minutes (sans program guide), I discovered where the information security vendors where. There were about five of them and they were tucked away in the back off the beaten path.

That wasn't what I was expecting.

Then I thought, this isn't why I came to the show anyway. Sure, it's good to hear what the booth babes are waxing poetic about, and see the latest tech in action, but it's usually better to hear what other experts are saying in their presentations - that's how we learn the most, anyway. One presentation stood out - way out. It was Winn Schwartau's irreverent take on security awareness: "How to Make a Security Awareness Program Fail". I've had my strong opinions on that subject for years now and his thoughts/ideas helped solidify them. [Good to know Winn!]

If you've never seen this man present, you must. Winn made me - and the audience - laugh literally every 30 seconds for the entire presentation. It was the best IT/security related presentation I've ever seen...not too serious, not too unprofessional and not starting every sentence with "So..." (you've heard/seen the cussing and beer drinking at some of the shows in our field). It was perfectly delivered and I learned a ton. Most importantly I decided that I want to be as entertaining and informative a speaker as Winn when I grow up!

All in all, ISC2 Congress is a worthy show if you ever have a chance to attend in the future.

Friday, September 19, 2014

Resources to get up to speed with the latest HIPAA security requirements

Here are some pieces I've written recently that can bring you up to speed on the latest HIPAA security requirements:

HIPAA Security Compliance - From the Past to the Present

What HIPAA Security Compliance is Really About

Minimizing the impact of a HIPAA security breach

Obtaining and maintaining a state of HIPAA security compliance

Want more? Check out the newly-revised second edition of the book I just finished co-authoring with Rebecca Herold that's due out October 21st:
HIPAA security privacy compliance book
Be sure to check out my other IT security compliance resources on my website. Enjoy!

Wednesday, September 17, 2014

What if The Home Depot looked to their own store policies for help with infosec?

If The Home Depot's management were as strict with information security as they are with store policies I'm confident they could've avoided their data breach.

Have you heard their policy monger guy on their intercom system while shopping?? He sounds like that guy we've seen in those disturbing Allstate commercials. A bit creepy. It's also quite uninviting - certainly doesn't make you feel welcome in their stores.

At least they've covered their bases if some kid crashes into a moving forklift while scooting about on his shoes with wheels...

Here are some more thoughts I have on the HD breach in case you're interested.

Wednesday, September 10, 2014

Magnasphere and the physical security vulnerability you may not know about

If you have an alarm system that's dependent on the decades-old reed switches like the one pictured below, you should know they can be easily defeated with a mere compass and a magnet. It's pretty eye-opening...

Certainly a good reason to have two, three, or (depending the country you live in and your stance on self-defense) more layers of security in your building or home! :-)

A good option for beefing up your security and preventing this type of physical breach is offered by Magnasphere. I was recently introduced to the Magnasphere wireless door/window security switches (MSS-RFS-100). It's a great technology, especially if you have a need for a wireless security sensor configuration. They make standard security contacts as well. Either way, it's worth a look-see if this is in your line of work.