You can't secure what you don't acknowledge.SM

Friday, June 6, 2008

My security content from this week

Here's an information security article of mine that was published this week:

How insiders hack SQL databases with free tools and a little luck

As always, for my past information security content be sure to check out www.principlelogic.com/resources.html.

Enjoy!

Thursday, June 5, 2008

When handling sensitive encrypted data - don't just unencrypt it

Here's a prime example of just how encryption/change management/policies/whatever else mean nothing when someone makes a bad decision related to information security. Why was this sensitive information unencrypted when it was moved to a new system? Hint, Mr. Contractor: all it takes to easily re-encrypt sensitive data is something as basic as WinZip. If you have to decrypt it to use it...then just re-encrypt it when you're done.

If you're ever caught in a situation where you have to decrypt sensitive information, either find an alternative method for encrypting when it's not in use or don't decrypt. It's that simple. Better yet, just encrypt your entire hard drive! There's no reason not to.

Wednesday, June 4, 2008

A good reason to lock your screen when you're away...

I was just thinking about all the passwords our Web browser(s) want to save for us for the sake of convenience. It's a great feature that I know I couldn't live without. I know many other people use it too. If you're one of them, be very, very careful about leaving your computer screen unlocked when you leave your desk - especially for lunch, for a meeting, or for the day. What a great way for someone to come along, sit down, and within a minute or two have a field day with your online banking, Amazon, eBay and similar Web accounts.

I know this seems trite, but I still see plenty of networks where it's up to the users to lock their screens...and guess what, they're usually unlocked. Or, if it's policy, the screen locking is not configured for a reasonable amount of security (i.e. it times out after 10+ minutes - plenty of time for misdeeds)... Or, the policies are not being enforced at all.

So, if anything, do yourself a personal favor and do the three finger salute (CTRL-ALT-DEL) and lock your screen every time you get up from your desk. It only takes 21 days to form a new habit such as this - something that can save you a lot of grief when the time comes for someone to try and take you for a ride.
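As an added example (not from the post, and not a tool the author mentions), here's a PowerShell check of whether a Windows user's screen lock is enabled, password-protected on resume and set to a short idle timeout. It reads the standard ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut registry values, preferring the Group Policy copy when one is applied; the 5-minute limit is an assumption, since the post only says that 10+ minutes is too long.

```powershell
# Added example: audit the current user's screen-lock configuration.
# Assumption: anything over 5 idle minutes is flagged (the post only says 10+ is too long).
$MaxMinutes = 5

# Policy values (written by GPO) take precedence over the user's own preferences.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'

function Get-ScreenLockSetting {
    param([string]$Name)
    foreach ($key in @($PolicyKey, $UserKey)) {
        # Missing key or missing value just yields $null here, so fall through to the next key.
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) {
            return [pscustomobject]@{ Value = "$($item.$Name)"; Source = $key }
        }
    }
    return $null
}

function Test-ScreenLockPolicy {
    param([int]$LimitMinutes = $MaxMinutes)
    $findings = @()

    $active  = Get-ScreenLockSetting 'ScreenSaveActive'     # "1" = screen saver enabled
    $secure  = Get-ScreenLockSetting 'ScreenSaverIsSecure'  # "1" = password required on resume
    $timeout = Get-ScreenLockSetting 'ScreenSaveTimeOut'    # idle seconds before it starts

    if ($null -eq $active -or $active.Value -ne '1') {
        $findings += 'Screen saver is not enabled, so the screen never locks on its own'
    }
    if ($null -eq $secure -or $secure.Value -ne '1') {
        $findings += 'Screen saver does not require a password on resume'
    }
    if ($null -eq $timeout) {
        $findings += 'No idle timeout configured'
    } elseif ([int]$timeout.Value -gt ($LimitMinutes * 60)) {
        $minutes = [math]::Round([int]$timeout.Value / 60, 1)
        $findings += "Idle timeout is $minutes minutes (limit $LimitMinutes) - set in $($timeout.Source)"
    }
    return $findings   # empty array means the configuration passed
}

$result = Test-ScreenLockPolicy
if ($result.Count -eq 0) { 'Screen lock configuration OK' } else { $result }
```

Run it as the user being audited (the values live under HKCU); a login script can collect the returned findings centrally rather than relying on each user to remember the three-finger salute.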

Upcoming keynote presentation I'm giving for GSCPAs

Two weeks from this Friday - on June 20th, 2008 - I'll be giving the keynote presentation for the Georgia Society of CPA's Tech Conference...Here's the press release:

Principle Logic’s Kevin Beaver to Keynote GA Society of CPA's Tech Conference

Kevin Beaver, independent information security expert with Atlanta-based Principle Logic, LLC, will be keynoting the Georgia Society of CPA’s 2008 Technology Conference. Kevin will apply his practical and no-nonsense approach to security in his presentation titled The Business Case for Information Security. He will outline why information security is a business problem and what can and should be done about it.

“I’m honored and humbled to have been invited to speak to a group of people that play such a key role in information security,” says Beaver. “The fact that many accounting professionals want to hear about information security issues says it all. Security’s not a technical problem that IT should own but rather a business issue that business people need to be involved with.”

For more information, please visit the Georgia Society of CPAs Conference site at www.gscpa.org/Public/Conference/Description.aspx and Principle Logic’s Web site at www.principlelogic.com.

About Principle Logic, LLC and Kevin Beaver

As an independent consultant with Principle Logic, LLC, Kevin Beaver’s services include security-related keynote speaking engagements, expert witness consulting and testimony, security assessments of networks and Web applications, and information security pre-audits and gap analyses. Kevin has authored/co-authored seven books on information security including Hacking For Dummies, Hacking Wireless Networks For Dummies, Laptop Encryption For Dummies, Securing the Mobile Enterprise For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance. He is a regular contributor to SearchWindowsSecurity.com, SearchSoftwareQuality.com, SearchSQLServer.com, and Security Technology & Design magazine. Kevin is also the creator and producer of the Security On Wheels audio programs and blog providing security learning for IT professionals on the go (securityonwheels.com).

Tuesday, June 3, 2008

Google's privacy policy...who really cares!?

Here's an interesting request by privacy and consumer groups to strong arm Google into posting its privacy policy on its home page. Apparently it's the law in California, but as we see day in and day out (especially in the state of California!) the rule of law doesn't really mean that much. It's majority - I mean mob - rule now in what used to be our Constitutional Republic.

I don't necessarily fault Google for this. Their clean home page has always attracted me to their site.

I'm of the belief that consumer/privacy groups and the government have no place to step in to help 'guide' us to a company's privacy policy. If anyone's concerned about their privacy, a few clicks will point you right to it. Or, you can just use Google's site query as follows:

site:www.google.com privacy

It comes right up! ;-)

Not that I trust Google on issues like this! I'm just saying...

Two job resources in case you're looking...

Here are a couple of mailing lists worth checking out if you're looking for a new job in information security:

http://jobcenter.ittoolbox.com (under 'Sign up for Job Alerts' - you may have to login)

http://www.securityfocus.com/archive (select Security Jobs and enter your email address)

You may get a lot of notifications, but if you're in the market, that's not a bad thing! I've seen some jobs posted that actually look pretty good.