You can't secure what you don't acknowledge.℠

Wednesday, August 14, 2013

Municipal information security weaknesses, hacking, careers, & committees

Here's some new content I've written recently on various information security topics you might be interested in:

Government Security: Uncovering Your Weaknesses (common vulnerabilities I see when performing security assessments for municipalities)

Eight questions to ask yourself before moving to C-suite management (are you really sure you want to do this!?)

IT career paths: Working for yourself is an attainable dream (if you want to stop working for the man)

Top 9 ways to prevent hacking in your enterprise (seriously, you can if you get these basics in check)

How to form a functional enterprise IT security committee (okay, I use the word 'functional' loosely, but it's nowhere but up from here right!?)

In the meantime, check out my website for links to all of my other information security-related content.

Cheers!

Well, in the spirit of my book Hacking For Dummies (be sure to check out the new 4th edition), here are some tips I've written for my friends at TechTarget and Acunetix on some important web and mobile application security issues you need to be tuned in to beyond all the noise that's out there:

Don’t Let Problems Stop You From Carrying Out Web Application Testing (before 'Too Scared to Scan' was cool ;-)

Mobile app software: Avoid the perpetual cycle of insecurity

Hybrid security: Beyond pen testing and static analysis

Mac Malware Underscores Why You Can’t Ignore Web Security Threats

Do You Scan with Network Security Controls Enabled or Disabled?

Take Care in Handling the Results of Your Web Application Testing

Much more to come on web and mobile security testing... It's what I love doing and I've learned a tremendous amount while doing it over the past decade.

In the meantime, check out my website for links to all of my other information security-related content.


Cheers!

Monday, August 12, 2013

You can't see the light 'til you open your eyes...

I noticed a lot of interesting topics/news coming from the Black Hat conference last week such as:
  • SSH Communications Security Unveils General Availability Of SSH Risk Assessor Tool
  • Preparing For Possible Future Crypto Attacks
  • Crack of mobile SIM card crypto and virtual machine features could let an attacker target and clone a phone
  • HTTPS Hackable In 30 Seconds: DHS Alert
No doubt, these are all worthy topics that will help improve information security over the long haul...researched and presented by people who are much smarter than me.

Yet, given where most businesses are with information security today, we've got *much* bigger things to be concerned with such as:
  1. Network shares - open to anyone on the network - providing unfettered access to sensitive information
  2. No proactive event monitoring using the proper tools and expertise (outsource it!)
  3. Firewalls with no passwords or a complex rulebase with a lot of redundancy and risky rules
  4. Phones and tablets with zero security controls
  5. Laptops with no drive encryption (I know most laptops, according to business executives who know more about security than their IT staff, have "nothing of value"...like the ones listed here, but still)
  6. Database servers without passwords, or with default passwords, serving up PII and more to anyone with simple curiosity and a copy of SQL Server Management Studio or HeidiSQL.
  7. Physical security access control and IP video systems that are accessible to anyone on the LAN (sometimes even Wi-Fi) for track covering, system disabling, video deletion, etc.
  8. Operating systems with patch management software that are *still* missing critical updates that are exploitable using free tools to provide full admin access to the system without the attacker ever having to "log in"
  9. Web apps with SQL injection, rampant cross-site scripting, and login mechanisms that are easily manipulated
  10. Mobile apps that have yet to see an iota of security testing
These are all things I find on a consistent basis... Not because I'm smart but because they're very predictable and often go ignored.
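Item 9 in the list above, the login mechanism that falls over to SQL injection, is the one a few lines of code can make concrete. What follows is an added example written for this page (it is not code from Hacking For Dummies, from TechTarget/Acunetix, or from any assessment) showing the injectable login query beside its parameterised replacement. The in-memory SQLite users table, the account names, and the passwords are constructed sample data, and plaintext passwords are used only to keep the injection demonstration short; a real application stores a salted hash and compares against that.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory users table standing in for a real login DB.
    Passwords are stored in the clear here ONLY to keep the example short; in practice
    store a salted hash (e.g. via hashlib.scrypt) and compare against the hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'easily manipulated' login: user input is spliced straight into the SQL text,
    so a quote and a comment marker in the username rewrite the WHERE clause."""
    sql = (
        f"SELECT role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: the driver binds the values as data, so the same
    hostile username is compared literally and never becomes SQL syntax."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the same attacker input through both versions and report what each grants."""
    conn = build_db()
    # Targeted takeover: closes the string after 'admin' and comments out the password check.
    takeover = "admin'--"
    # Untargeted bypass: always-true predicate, logs in as the first row (here, admin).
    anything = "' OR 1=1--"
    return {
        "vuln_takeover": login_vulnerable(conn, takeover, "wrong"),
        "vuln_anything": login_vulnerable(conn, anything, "wrong"),
        "fixed_takeover": login_fixed(conn, takeover, "wrong"),
        "fixed_anything": login_fixed(conn, anything, "wrong"),
        "fixed_legit": login_fixed(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name:15s} -> {role!r}")
```

The two injected usernames never need the password; `admin'--` turns the query into `... WHERE username = 'admin'--' AND password = 'wrong'` and the rest is a comment. The fixed version returns nothing for both payloads and still works for a legitimate login. The same single change (bind parameters instead of string building) is what closes the SQL injection in item 9, whatever database or language the app uses.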

"Can't see the light 'til you open your eyes" ...minimal yet insightful lyrics from one of my favorite bands, Black Country Communion. The "light" that people aren't seeing because they're being distracted by flashy headlines, sky is falling "exploits", valueless auditor mandates, or IT execs who are (ironically) "threatened" by information security is the very light that's going to end up biting them if they're not careful...such as the items listed above.

I read something recently from sales/achievement expert Jeffrey Gitomer that said "People who are cocky and arrogant say, I know that and move along. People who are confident and positive ask themselves How good am I at that? and seek to improve."

Great tie-in to the point I'm making. Which side are you on?

Concentrate on the fundamentals and nothing else for now, and for as long as it takes, to ensure you have true control over the information security basics that have been around for decades. Otherwise, you're ignoring the obvious, and it will rear its head at some point. As we see time and again in the research studies (Verizon DBIR, etc.), the odds are much greater that you'll get bitten by something silly than by a niche exploit that hits a relative few.

Finding and fixing the low-hanging fruit (the 20% of vulnerabilities that cause 80% of the problems) is something I've been advising for years and I'm going to keep doing it because that is where the risk is.