You can't secure what you don't acknowledge.SM

Friday, January 15, 2010

I'm featured in the new issue of Entrepreneur Magazine

Check this out. I'm featured in the January 2010 issue of Entrepreneur Magazine's Ask A Pro section where I talk about employee monitoring:

[Image: scan of the Ask A Pro page]

Entrepreneur Magazine, January 2010. © 2010 By Entrepreneur Media, Inc. All rights reserved. Reproduced with permission of Entrepreneur Media, Inc.

In this piece it may not be clear whether or not I support monitoring of employee email, so let me clarify. I'm not for micromanagement or Big Brother, but I am on the side of the business when it comes to monitoring employee email, social media, general browsing, or whatever else - monitoring that, done right, ultimately leads to improved information security.

Employees are there to provide some type of expertise, sweat labor, or other service in exchange for money. If people occasionally send or receive personal emails and surf the Web, that's fine. You can't reasonably prevent that. However, if goofing off or otherwise putting your network and information at risk is most of what they do, huh-uh. You wouldn't believe what I see (and the studies back it up) on the typical network: 50%+ of network bandwidth consumed by streaming audio and video, and the majority of Internet browsing sessions going to Facebook, Twitter, etc.

This is not only a matter of people goofing off, being unproductive, and ultimately providing limited value to their employers; it also has a negative impact on the network - and ultimately on IT. It creates security issues as well: not only the malware threats but also the risk of sensitive information leaking out of the network. If employee Internet and computer usage are not being proactively monitored - regardless of the protocol or media - it's merely a free-for-all and, no doubt, a data breach in the making. The lesson here: know your enemy (hint: he's on your network right now) and do something about it.

Speaking of the internal threat, here's a new article I just wrote on what I believe is the real deal with the insider threat; you may be interested in it.

Thursday, January 14, 2010

Resolutions are for Losers

It's been proven - and most of us have experienced the fact - that New Year's resolutions don't work. We say we're going to do this or stop doing that, and it may seem to work for a week or maybe a month, but, interestingly, we always seem to get back to our same old ways.

Take your local gym, for instance. The next time you drive by (or visit) your local gym, notice how crowded the parking lot is this time of year. With near 100% certainty I can say that it'll be packed. Why is this? Well, it's all those people who have made New Year's resolutions to "work out more" and "lose weight". Give it a month or two and watch the transformation. Your gym parking lot will be less and less crowded, and by mid to late Spring it'll be back to "normal".

This is because resolutions don't work. Resolutions are merely wishes and empty promises to yourself. Period. Be it your personal life or your career, the only sustainable way to move ahead from where you currently are in life - and, most importantly, stay ahead - is to develop a sound set of goals for each area of your life, outline how you're going to go about accomplishing each goal, set deadlines, and hold yourself accountable. It's as "simple" as that. Here's a bit I wrote on this subject that tells you exactly what you need to do:

Eight steps to accomplishing your IT career goals

...You may also be interested in my Security On Wheels audio programs, specifically Getting Started in Security and the forthcoming Succeeding in Security, where I cover goals and much, much more about what it takes to get ahead and stay ahead year after year...no resolutions needed. Even if you're more of an IT generalist, these audio programs are chock full of goodies you can benefit from.

Here's to an excellent 2010!!

Monday, January 11, 2010

Introducing my new book - Hacking For Dummies, 3rd edition

Well, after months of edits, additions, and subtractions, my new piece of work has finally arrived: Hacking For Dummies, 3rd edition.

I just received my copies last week, and it should be in bookstores any time now - if it's not already. Hacking For Dummies, 3rd edition is also available on Amazon.com (at a 34% discount, to boot!).

So, how is this 3rd edition different from, or better than, the previous editions?
In this new edition, I believe I've finally gotten it right. Technical books such as this are works in progress. There have been so many changes in the world of information security since I first wrote the book in 2003 - new tools, new hacks, and even some new testing methodologies, many of them since the 2nd edition came out in 2006 - that I knew an update was due. I've also grown and learned a lot over the years in my work performing independent security assessments, which has really helped me fine-tune the content of the book and make it into something valuable. In addition to a lot of fixes and tweaks, there's plenty of new content on Windows 7, storage systems, Web applications, databases, mobile devices, and more. New tools, new techniques - just what you need for (in Wiley's words) "Making everything easier!".

What's the book about?
It's about using a malicious mindset to test your systems and your IT operations for weaknesses so you can plug the holes before the bad guys exploit them.

Who should read this book?
From IT directors to system administrators to compliance officers to security managers - basically anyone responsible for information security and privacy in their business or for their customers. There's something in it for everyone. There's a lot of non-technical content outlining the ethical hacking methodology, managing security changes, and so on that managers can benefit from, as well as all the right technical details that IT and security specialists need to know to bring out the worst in their systems.

One more thing...it's shameless self-promotion, but it bears mentioning. I was told by my publisher, John Wiley & Sons, that, factoring in the number of editions and time on the market, Hacking For Dummies is, and has been, the top-selling book on computer security. I had no idea. Very cool - and I couldn't have done it without those of you who have bought it! Thank you very much.

Now help me maintain my momentum and go buy a copy of the 3rd edition! :-) You won't be disappointed.

Also, if you have your own blog or other outlet and would like to get a review copy, please contact me and I'll work with Wiley to get one out to you.