Kevin Beaver's Security Blog

Where's your information security focus?

2012-01-31T09:55:00.000-05:00

You cannot change facts (i.e. the industry your business is in, the regulations it's up against, the type of sensitive information you're responsible for managing, etc.) but you can change problems (i.e. user behavior, wayward goals, management not on board with security, etc. ).

As the philosopher James Burnham once said:

"If there is no alternative, there is no problem."

In the case of information security, there are tons of alternatives to the issues we face. It's up to us to focus on what counts so we can eventually make a difference.

You cannot multiple security by dividing it - Infosec's relationship with Socialism

2012-01-27T08:26:00.000-05:00

I'm not much into urban legends and the like but came across this bit the other day and it really made me think. What a great analogy that impacts all of us both personally and professionally with some interesting information security and compliance tie-ins that I see all the time:

An economics professor at a local college made a statement that he had never failed a single student before, but had recently failed an entire class. That class had insisted that Obama's Socialism worked and that no one would be poor and no one would be rich, a great equalizer.

The professor then said, "OK, we will have an experiment in this class on Obama's plan". All grades will be averaged and everyone will receive the same grade so no one will fail and no one will receive an A.... (substituting grades for dollars - something closer to home and more readily understood by all).After the first test, the grades were averaged and everyone got a B. The students who studied hard were upset and the students who studied little were happy. As the second test rolled around, the students who studied little had studied even less and the ones who studied hard decided they wanted a free ride too so they studied little..The second test average was a D! No one was happy. When the 3rd test rolled around, the average was an F.

As the tests proceeded, the scores never increased as bickering, blame and name-calling all resulted in hard feelings and no one would study for the benefit of anyone else. To their great surprise, ALL FAILED and the professor told them that Socialism would also ultimately fail because when the reward is great, the effort to succeed is great, but when government takes all the reward away, no one will try or want to succeed. It could not be any simpler than that.Remember, there IS a test coming up. The 2012 elections.

These are possibly the 5 best sentences you'll ever read and all applicable to this experiment:

You cannot legislate the poor into prosperity by legislating the wealthy out of prosperity.
What one person receives without working for, another person must work for without receiving.
The government cannot give to anybody anything that the government does not first take from somebody else.
You cannot multiply wealth by dividing it!
When half of the people get the idea that they do not have to work because the other half is going to take care of them, and when the other half gets the idea that it does no good to work because somebody else is going to get what they work for, that is the beginning of the end of any nation.

Not that the big government Republicans are a lot better...The reality is we Americans had better wake up, smell the "change" we're stepping in and learn that no politician, Democrat OR Republican, can make our lives better...only WE can make that happen.

Be it information security, compliance or your personal live....as Og Mandino once said (favorite quote of all time): "Use wisely your power of choice."

Evanta CISO event and why St. Jude's has it right

2012-01-26T15:16:00.002-05:00

This week I had the opportunity and privilege to serve as a panelist on mobile security at the Evanta CISO Executive Summit in Atlanta. What a neat event...it wasn't just another infosec show. It was unique in its focus and well run by Corrine Buchanan and Mitch Evans who always seemed to have a smile on their faces - something we don't see enough of at these types of shows.

Another thing was a St. Jude's Children's Hospital video they played featuring Marlo Thomas talking about her father's work with the hospital. She said something about the hospital regarding its mission that stuck in my mind: "Don't just treat kids. Let's try to figure out what makes them sick."

Great approach with an interesting information security tie-in: Don't just throw technologies and policies at security...find out what's actually at risk. Indeed, we have to be smart in using the resources we're given.

Complacency, meet APT – How basic oversights lead to complex malware infections

2012-01-25T14:03:00.000-05:00

Low-hanging fruit – that is, the missing patches, default passwords, lack of full disk encryption and so on present in practically every environment – is something I’ve ranted about time and again because there’s no reason to have it on your network. Why? Well, for one thing, rogue insiders may just exploit it for ill-gotten gains. But even worse, low-hanging fruit can be the target of malware exploitations that you’re not prepared to take on. You see a few missing patches and unhardened endpoints combined with users gullible enough to click whatever’s placed on their screens and you’ve got yourself the recipe for disaster.

Low-hanging fruit can turn from “Yeah, I need to get to that stuff…” to “Oh crap, all of our workstations are being controlled by someone on the other side of the world”.

Recent shifts in IT like consumerization, mobility and the desire for instant gratification when it comes to computer and Internet access have made these threats even more formidable. Users are indeed going to do what they want to do. In many cases, management will proudly back them up – even if they have no clue about the long-term impact to the very business they’re responsible for running.

Built-in security controls provide an opportunity for us to save time, effort and money keeping our systems in check without having to spend a dime more than we need to. That said there are certain security controls that operating system and hardware vendors haven’t mastered. One in particular is security controls designed to help with APTs and advanced malware. It’s just not possible to get the specialized protection out of the box from the mainstream vendors that you’re going to get with a the niche technologies I talked about my recent paper The Malware Threat Businesses are Ignoring and How Damballa Failsafe Fits In.

It’s no different than how I buy special tires and brake pads for my race car. When there’s a specific need, odds are the stock equipment just won’t cut it.

One of the most damaging misconceptions about malware is that the big anti-virus vendors are going to keep endpoints safe. It’s this very mindset that’s gotten businesses into hot water recently. I saw it when working on an incident response project that falls under the Operation Shady RAT umbrella. I think it’s safe to say that traditional anti-virus vendors come nowhere close to protecting your network – especially if such an attack is targeted. In fact, the entire concept of APTs and advanced malware is not very well understood by the IT and information security community as a whole.

How are you supposed to protect against something like this? It's not simple. You’ve got to have the right tools, the necessary documentation and,perhaps most importantly, management that gets it.

Are your high-tech devices enslaving you?

2012-01-23T15:05:00.000-05:00

The late Richard Carlson, author of Don't Sweat the Small Stuff, said:

"It's important to see when your high-tech communication devices actually limit your freedom, enslaving you instead of providing new opportunities for growth."

Wow...How true that is!

Have you ever tried to not look at your emails or answer phone calls when you're out and about with your family or taking some time to yourself? It's pretty darned difficult but it can be done, if you make it so.

Try it out over the next couple of weeks and you'll see what Dr. Carlson was talking about. You'll give your mind a break and be able to focus on the things that truly matter in life.

My articles & webcasts on hacking, incident response, compliance & IAM

2012-01-20T12:29:00.003-05:00

I wanted to share with you a few new pieces I've written for TechTarget and Cygnus on incident response, compliance for systems integrators and the not-so-sexy but all-too-important technology, identity and access management:

The importance of incident response plans in disaster recovery

Regulatory compliance requirements for security solutions providers

Identity Management’s great bang for the buck

Also, here are some webcasts I recorded for TechTarget, Information Week/Dark Reading and SecurityInfoWatch.com that you may be interested in:
Managing network security threats with an ERM strategy

How Security Breaches Happen and What Your Organization Can Do About It

Building and deploying secure video and access control systems (a.k.a. ethical hacking tips and tricks for video and access control systems)

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Executives could learn a lot from Supernanny

2012-01-20T08:41:00.002-05:00

We all have a lot to learn from Jo Frost, the Supernanny. In particular, when it comes to information security, IT management, employee computer usage and so on, business executives could benefit a ton. Here's how it'd go:

Create a set of rules.
Enforce your darned rules!

The role of IT in fighting today’s malware

2012-01-20T07:52:00.000-05:00

It seems ever since I wrote my paper The Malware Threat Businesses are Ignoring and How Damballa Failsafe Fits In I’m seeing more and more vendors jump on the bandwagon. Today’s malware impacts everything from the network infrastructure to the endpoint and everyone wants a piece of the pie. I know the market is growing so I can’t blame people for wanting to capitalize on the opportunity.

Vendors aside, what is it that you as an IT professional need to be doing about the threat outside your network and the vulnerabilities inside your network? Being an independent information security consultant and seeing things from an outsider’s perspective, it’s clear to me that most IT shops are, in a grand way, woefully unprepared to fight this threat…much less respond in a mature and professional fashion when a breach and subsequent outbreak occurs.

As I write this post, I’m listening to a song on satellite radio with a chorus that says “If we don’t do it, nobody else will.” Wow, that hits the nail on the head – in a spooky kind of way. Indeed, if you don’t address the advanced malware threat today, indeed, nobody else is going to. Executives on mahogany row won’t. Nor will HR. Software developers are doing their own thing. Even your compliance officer and legal counsel aren’t going to understand the real impact of advanced malware.

You, the IT/information security professional, are going to have to step up and make the case that your business can be – and quite likely is – a target. This means taking the proper steps to:

1. determine your risks
2. get management on board
3. document reasonable policies and an incident response plan
…and, most importantly (and often the missing link):
4. enforcing with the right technologies

Don’t give the bad guys a chance. Do something now. Nobody else will.

My interview in Hackin9 magazine

2012-01-19T16:39:00.004-05:00

If you subscribe to Hackin9 magazine, check out this issue where they feature an interviewed with me about how the information security landscape has changed over the past decade, how you can get started in information security, my take on compliance and more.

If you don't subscribe to Hackin9, it's a great trade rag for technical security pros and (especially?) non-technical IT, security and compliance pros...Putting the occasional typographical errors aside, it's a must-read if you want to stay current on the latest information security trends, exploits and so on.

Quoted in today's SC Magazine feature story on Symantec

2012-01-19T13:02:00.005-05:00

Stephen Lawton wrote today's SC Magazine feature news story on the Symantec source code breach in which I'm quoted.

I provided these quotes late last night and it was interesting timing because I was speaking at local university's AITP chapter yesterday evening and I told my audience that no one is immune from hacking - not even IT and security pros...and obviously not information security companies.

It's a crazy world out there. We have to do our best to prevent the issues but also be prepared in the event something does happen.

Great year for my book Hacking For Dummies, 3rd edition

2012-01-11T10:49:00.005-05:00

2011 was a great year for me in so many ways. I feel extremely blessed and very lucky. Part of this was related to my book Hacking For Dummies, which is now in its third edition. I knew that sales were up - I believe in large part due to all the speaking engagements I did for TechTarget and others.

Well, I just found out from my publisher that it's safe for me to continue to say that Hacking For Dummies is one of the best selling books on information security...right up there with those big-name titles that some may feel less embarrassed to buy.

Another neat fact: since its inception, Hacking For Dummies has been translated into five additional languages (Portuguese, Estonian, Italian, Simplified Chinese and German).

Very cool.

I can't thank you all enough for your support! This year's going to be even better - stay tuned...

New Year's Resolutions merely create gym overcrowding

2012-01-09T11:03:00.004-05:00

Be it New Year's resolutions (I'm going to lose weight this year!), career resolutions (I'm going to get a different job this year!) or financial resolutions (I'm going to get out of debt this year!)....traditional resolutions just don't work.

Just check out how your local gym parking lot transforms between now and next month. I can't wait until around mid-February when the crowds will predictably die down and I can get some personal space back when I'm working out!

We've all fallen into the trap of "resolving" to do something but not following through to actually make it happen. You know what's been said about the road to Hell being paved with good intentions. With resolutions we only end up letting ourselves down and planting those seeds of doubt in our mind that certain tasks can never be accomplished. It's just not true...IF you go about it the right way.

Here's a proven method for doing what you say you're going to do and making stick once and for all in order to enhance your job, your career and your personal life for 2012. It has worked for me and I know you can benefit as well if you make it so.

My Web app security epiphany: The Lysol Effect

2012-01-05T11:16:00.006-05:00

I just had an epiphany in the bathroom. I know, I know...bear with me.

I thought to myself, Why is it people use Lysol to cover up, um, smells and such in the bathroom?? Sure Lysol kills the problem at the source but, goodness gracious, there are other means of consideration than to merely cloud up the bathroom covering up something that probably shouldn't be there in the first place! Know what I mean? Why not take preventive measures to keep things in check rather than junk up the bathroom and surrounding areas with yet another foul scent?

Then it hit me...this social dilemma is no different than people relying solely on Web application firewalls for Web security. We know problems like SQL injection, XSS and session management are there. Why not just fix the flaws rather than covering them up? I wrote about this in a piece on PCI DSS 6.6 compliance four years ago and I still see and hear about this a lot...priorities I suppose.

Anyway....apparently I have an uncanny ability to tie bathroom logic in with information security. It's an awful personality flaw. Please don't hold it against me.

Great quote to live by

2012-01-03T19:42:00.004-05:00

Here's one of my favorite #quotes you can apply to your career, regardless of which field you're in:

"A successful life is one that is lived through understanding and pursuing one's own path, not chasing after the dreams of others." -Chin-Ning Chu

Damballa’s Fight Against Advanced Malware

2012-01-03T14:30:00.004-05:00

Malware being out of sight and out of mind often creates the perception that risks aren't present. Just because there’s no perceived risk, doesn’t mean it’s not there. Heads buried in the sand over the real malware threat leads to breaches that most organizations aren't prepared to handle. Having worked on a project involving an APT infection, I’ve seen first-hand how ugly this stuff can get.

Endpoint protection isn’t enough. Analyzing executables isn’t enough. Even standalone monitoring of network communications and or rating of source malware sources isn’t enough to thwart the real problem. Like the core information security principle, you’ve got to layer controls if you’re going to get the most out of your malware protection.

One of my core information security principles I recommend to my clients is to use what you’ve got when it makes sense. By this I mean use the built-in security controls that your operating systems, databases, network infrastructure devices and so on already have. So many of us assume that we need to buy third-party products to keep our environment secure. This is not true in so many cases.

However, when it comes to fighting advanced malware, it’ll behoove you to use the niche technologies that specialize in this area. The market is tiny (relatively speaking) but Damballa’s Failsafe is worth checking out. I’ve seen Failsafe 5.0 in action and it seems to be a comprehensive solution to a widespread problem that I suspect is only going to get worse. As you've heard me say regarding Web application scanners, password cracking and the like, you've got to have good tools if you're going to find (and, in this case, control) what matters.

I’ve written a new paper where I talk more about the advanced malware problem and how Damballa Failsafe 5.0 fits into the overall information risk equation. Check it out.

Let's make 2012 the year we get past "compliance" as we've known it

2012-01-02T16:09:00.004-05:00

I hope your 2012 has gotten off to a grand start! Mine has. I believe this year is going to further demonstrate why we're working in one of the best possible fields in the world.

To get things rolling this year, I wanted to share with you a few new pieces I've written for TechTarget's SearchCompliance.com regarding...well, compliance. It's one of those topics that tends to infuriate me when it comes to government intrusion into the free market and our own personal lives. However you see it, compliance is still something you have to address in your business. Hopefully some of these bits will help take some of the pain out of compliance. Enjoy!

Top compliance questions you need to be asking your network administrators

Address information risk management now — before the going gets tough

How can you avoid a Web security breach? It's all in the preparation.

Seven dangerous assumptions about compliance

A thorough data retention strategy needs more than just IT oversight

Top 5 techniques for management buy-in for your IT governance strategy

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Holiday wishes and what's in store for 2012

2011-12-20T15:06:00.004-05:00

I'd like to send out a special holiday wish to everyone: Merry Christmas, Happy Hanukkah and Happy New Year!

This year has been extraordinarily great for me in my business and I owe it all to my clients, presentation and seminar participants, and purchasers of my books and audio content. Thank you very much!

I have lots of neat things right around the corner including a YouTube video channel and new Security On Wheels audio programs. In fact, I've already started on my videos and am pulling together some fresh audio content based on the feedback I've gotten regarding my presentations, seminars and webcasts over the past year.

It's time for me to disconnect for a couple of weeks. Here's to a great 2011 and an ever greater 2012!

All the best,
Kevin

WebInspect: How SQL injection testing should be done

2011-12-17T15:56:00.017-05:00

SQL injection is arguably the grandest of all security vulnerabilities. It can be exploited anonymously over the Internet to gain full access to sensitive information - and no one will ever know it occurred. Yet time and again it's either:

overlooked by people who don't test all of their critical systems from every possible angle
overlooked by people who haven't learned how to properly use their Web vulnerability scanners
overlooked by people who chose to only perform PCI-DSS-type vulnerability scans that don't go deeply enough
And, perhaps worst of all, overlooked by tools that can't test for - or properly exploit - SQL injection

Certain automated tools for SQL injection testing/exploitation have been around for years but I've never seen a tool that actually finds SQL injection as frequently or is as simple to use as HP's WebInspect. As shown in the following screenshots, with WebInspect it's a simple two-step process from initial scan to data extraction:

Step 1: Run the vulnerability scan to find SQL injection flaws. Finding it is half the battle. Most vulnerability scanners have no clue of its existence.

Step 2: Right-click on the finding, load the SQL Injector tool to confirm the injection and then click Pump Data to automatically siphon data out. Yes, it's that simple. (Note: in this test instance, extraction was not possible but it is in at least half of the SQL injection flaws I come across).

At your option, you can also use WebInspect's Vulnerability Review function to go back and test the SQL injection flaws once a fix is put in place...no need for a full rescan. Love it.

Folks, this is something that cannot be taken lightly. I'm not just talking about SQL injection itself but the fact that your tools may not be providing you the right information you need. As I've said before, You cannot secure what you don't acknowledge. In this case, I'll tweak that a bit and say You cannot secure what you cannot find. Just because the tools you're using aren't finding or exploiting SQL injection doesn't mean it's not a problem. Trust but verify.

AlgoSec & what happens when you don't look for flaws from every angle

2011-12-16T12:24:00.004-05:00

I recently had the opportunity to see how well AlgoSec's Firewall Analyzer performs in a real-world security assessment. Long story short, Firewall Analyzer found a weak password on an Internet-facing firewall that would've gone undetected otherwise. A traditional vulnerability scanner didn't find it nor did two different Web vulnerability scanners. Nothing was uncovered via manual analysis either.

Only AlgoSec's Firewall Analyzer found the weakness...no doubt a flaw that would've been exploited eventually.

Folks, information security is about piecing things together. We're never going to find it all but we darn sure need to use every means possible to check for flaws from every possible angle. Underscope your assessments and you're screwed - at best you're living a delusional world. Case in point, I just reviewed a vulnerability assessment report that looked at every single external and internal IP address belonging to a business but not a single marketing site, e-commerce application or intranet portal was tested. And everything checked out "OK". The result that the executives saw was Low Risk Overall.

Wow.

Just like I tweeted about today regarding what Qualys finds in vulnerability scans versus much of the "free" and commercial competition (there's no comparison)...I honestly believe that some big data breaches that have already occurred and have yet to happen will be related to using the wrong tools...or not enough tools...that combined with people not testing all the systems that matter. People aren't looking at the whole picture.

I know, you can't rely on tools alone but by golly you'd better make sure you're not only looking at everything that matters but you're also using the best tools possible when doing your security testing. Here's a new bit I wrote that covers this very subject:
Good Web Security Tools and Why They Matter

Big-data-retention-storage-security...what a mess!

2011-12-15T21:00:00.004-05:00

I've written some new bits on storage security and data retention that you may be interested in...especially as your move your "big data" to the cloud in 2012. You are going to do that, right? ;-) Enjoy!

Data security and backup encryption remain critical

Secure data storage strategies and budget-friendly security tools for SMBs

Heading in the Wrong Direction with Data Protection?

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Going green's tie-in with infosec

2011-12-15T08:16:00.004-05:00

If you've been following my blog and my principles for even a short period of time you've probably figured out that I pull no punches when it comes to personal responsibility and limited government. There's hardly anywhere I'm more passionate in this regard than the marketing smoke and mirrors of "Going Green" and the religion of "global warming". I should say "climate change"; that covers warming and cooling for the anti-Capitalist movement, right?.

Bandwagon jumping aside, I do believe that it's up to all of us to take reasonable care of the environment through recycling, minimizing the energy we use and so on. In fact, I strongly believe that if we all just did a little bit in terms of personal and business recycling and being smarter about energy consumption that we could make a huge difference for future generations.

Ditto with information security. I truly believe if we all just did a little bit more...if management exercised more common sense, if users clicked on fewer unsolicited links and if IT managers and developers fixed the low-hanging fruit - the basics of what's continually exploited - just imagine how much more secure our information would be..

The problem is getting people to take personal responsibility for their actions. There's a big, big hurdle with that though and therein lies the problem.

Be it heads in the sand over information security or society slowing dismantling the very essence of what's given us our standard of living in the name of "global warming", as Ayn Rand said: We can evade reality but we cannot evade the consequences of evading reality.

Why uninterruptible power supplies have higher quality than Web apps

2011-12-12T07:25:00.006-05:00

I recently purchased an APC uninterruptible power supply for my office and noticed something peculiar in the packaging. It was a small piece of paper that says "QUALITY ASSURANCE TEST". It has the time, date, operator ID and other identifying information for the specific piece of hardware.

As you can see in the image, this QA test sheet has 33 unique tests that were performed on the unit presumably before it shipped. Everything from polarity checks to AC line calibration to beeper tests were performed on this system.

Then it occurred to me...do we actually demand better quality from uninterruptible power supplies like this than we do from the Web applications that power our businesses? I don't know that we *demand* it but it sure is coming across that way!

Sure, there's unit testing, functional testing, user acceptance testing and so on around any given Web application, but where's the real quality when it comes to security and overall application robustness.

I know companies like APC wouldn't dare let a low-quality uninterruptible power leave the building yet so many companies of similar size and visibility do this every single day with their software. Numerous studies are done each year on security being a missing component of software quality...yet the problem continues on as if it's someone else's problem. I see it in my work every day and we're all impacted when data breaches occur.

Where are we failing ourselves here? Our priorities are misplaced to say the least.

Windows security exploits, all over again

2011-12-11T11:21:00.004-05:00

There's a good bit brewing in the Windows world regarding security and I suspect 2012 will make for an interesting year...Here are some new pieces I've written for TechTarget along these lines where I cover Windows 8 and SharePoint security, using Metasploit to exploit flaws as well as some Windows security oversights I see in practically every internal security assessment I do. Enjoy!

Patching and continuous availability in Windows Server 8

SharePoint security should not be an afterthought

Exploiting Windows vulnerabilities with Metasploit

Five Windows environment security flaws you may be forgetting

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Reactive security at its finest

2011-12-09T08:49:00.004-05:00

I've been hearing on the news about Georgia State University (@GeorgiaStateU) installing 50 new security cameras. No doubt, universities in downtown Atlanta (one of the highest-crime cities in the nation) are not fairing so well with security these days so somebody needs to do something, no?

Well, Georgia State's solutions was to install more security cameras. Is this security theater at it's finest? Not totally, but it is security theater like I see all the time in townhome and apartment complexes where the "gate's always up".

This reminds me of some security concerns I found when I first moved into my previous office: outside doors staying unlocked around the clock, wiring closet accessible to everyone who comes inside the building among others...When I mentioned these concerns to my landlord he, in typical head-in-sand fashion, brushed them off and said "We have security cameras that monitor the parking lot." Oh, okay, well in that case...sheesh.

Like cloud computing contracts and SLAs that so many businesses over-rely on, these cameras are certainly good for reactive measures - a means to fall back on. Sure, they may deter a few thugs but they're not going to stop the actual crime in most situations (think convenience store robberies we see on video all the time). Perhaps this would but it'd never fly so the crimes will likely continue. As with criminal hackers, the thugs terrorizing Atlanta's streets know they have the upper hand.

Are CIOs not doing their jobs?

2011-12-08T07:08:00.003-05:00

In the past week I've come across three different articles on how CFOs are getting more involved in IT. For example, in last week's Atlanta Business Chronicle feature CFOs take on increasing roles in IT department stated: "CFO involvement with IT has been largely driving by the need to upgrade reporting functions and the general inability of many legacy systems to provide the kind of data the C-suite needs." According to Robert Half Management Resources, 44% of CFOs have become more involved in technology-related decision-making. Interesting finding.

And this CSO piece from a couple of weeks ago stated: "For business both small and large, CFOs now are finding themselves with fiduciary responsibility in data-protection cases."

Finally, some interesting findings were documented in this CIO piece from just a few months back:

26% of IT investments in the past year have been authorized by CFOs alone
51% of cases, IT decisions are being made either by the CFO alone, or by the CFO in a collaboration with the CIO
5% of the time the CIO makes the investment call
42% of IT organizations report directly to the CFO
47% of executives viewed IT as being strategic

Ouch!

Is this a sign that CIOs aren't communicating effectively with others in management? Perhaps they're not providing them with the tools they need to make strategic decisions? Does it underscore the very issue I've been ranting about for years regarding executives having their heads in the sand over IT? I'm hopeful that it's merely a sign that IT and information security are getting more visibility in the business and thus luring more decision makers to the table.

Only time will tell. One thing's for sure...If you're an IT leader, you'd better keep doing the things that good leaders do so you can keep your visibility....and your job.

BitLocker, Passware...heads in sand everywhere!

2011-12-07T09:04:00.006-05:00

Three times in the past three weeks. That's how many conversations I've had people who have blown off any sort of technical or operational weaknesses associated with Microsoft BitLocker when using it as an enterprise full disk encryption solution. They're well-documented. I highlighted these issues in my recent whitepaper The Hidden Costs of Microsoft BitLocker as well.

I've said it before and I'll continue saying it: I've sung the praises of BitLocker for years. I still use it on a few non-critical systems that aren't storing sensitive information just to create a hoop for someone to jump through if the systems are lost or stolen. The thing is, there's a tool that can supposedly negate BitLocker's encryption. It's called Passware Kit Forensic.

In one of my recent full disk encryption conversations, someone in a highly-visible healthcare organization told me that even though it's been proven that laptop loss and theft is a big problem for healthcare (backed up by this December 2011 bit from Dark Reading on Ponemon's new study: Healthcare Data in Critical Condition), that loss/theft/Passware Kit Forensic was not a risk to the business. Even when the law says it is. Amazing stuff.

You see I've sung the praises of Passware Kit Forensic to over 1,000 people during my speaking engagements this year alone. I've see it in action and have had some colleagues who have used it recommend it to me. But I want to be able to demonstrate on my blog and to my audiences when I present how BitLocker can be compromised using Passware Kit Forensic. Although Passware has some screenshots on the process here, I need more.

Like other bloggers, trade rags and test labs, I'd like to get a (fully-functioning) demo/test/trial copy of the tool first so I can take it for a spin, validate which scenarios the tool can actually work and document my findings here on my blog, my articles and any forthcoming edition of Hacking For Dummies...especially given how pricey Passware Kit Forensic is ($995; it was $795 just recently so apparently there's a demand for it).

I truly believe this is a big deal and it'd be a win-win for us all. The problem is I can't seem to get anyone at Passware to get back with me. Numerous emails, a Web form submission and LinkedIn requests have fallen on deaf ears. Maybe Passware is no longer around?

For now, just know that the threat and subsequent business risk is likely there and maybe I'll have the opportunity to demonstrate it for you in the future.

Elcomsoft...help!

Information security quote

2011-12-07T08:47:00.000-05:00

Don't expect short-term perfection in your security program. Instead, aim for incremental improvements over time. -KB

Join me live online today with TechTarget & ISACA

2011-12-07T08:01:00.005-05:00

Today is our live virtual seminar Making the Case for the Cloud: The Next Steps. Join me, Urs Fischer, Dave Shackleford, Andrew Baer and Diana Kelley to hear about various aspects of cloud computing you may not have thought about.

Starting at 11:15am ET, I'll be presenting on Incident Response in Cloud Computing. I'll talk about common incident response weaknesses I see in my work, questions you must ask your cloud providers and how you can start developing your incident response plans with a proven incident response plan template.

It'll cost you nothing but an hour or so of your time and it'll be well worth it. You'll even have the opportunity to send me a curveball question at the end of my session. Won't you join us?

School staff members and porn - Why you should care

2011-12-06T17:43:00.006-05:00

Here's an interesting read on government employees trying to make an extra buck by serving up pornography on their high school-issued computers. What a lovely story.

Don't think this kind of behavior is random. I've seen this very thing at the university level during a security assessment I did early on in my information security consulting venture.

You see, one thing I do during my internal security assessments is connect a network analyzer just inside the firewall for a few hours to look at general traffic patterns, protocols and the like. Interestingly, during this assessment I found a workstation that was the top talker on the network. No, it wasn't the email server, or the Web server or the high-traffic FTP server but, instead, a workstation.

After further review it was determined that a staff member was hosting porn on his computer...right on the school network. He was apparently doing pretty well as his workstation was sending and receiving literally 10 times the traffic of any other system on the network.

Folks, just because an employee passed a background check, had good references and seems to be a reasonable person doesn't mean s/he can be trusted to always do the right thing.

You've got to know your network...As I wrote about a network analyzer is a cheap and easy way to get rolling to make sure your network - and your users - are kept in check.

What happens when third-party patches are ignored

2011-12-05T07:58:00.006-05:00

The majority of people I speak with claim they have no means for patching third-party software. As Kelly Jackson Higgins mentions in her recent Dark Reading blog post regarding the rash of Java exploitations, when third-party software goes unmanaged, bad things can happen.

It's great that Metasploit has a a module for Java exploitation - something that'll not only benefit me in my security assessments but will also help bring to light what can happen in any given enterprise. But you know as well as I do that criminal hackers will use it for ill-gotten gains.

In my work, I certainly don't see what HD Moore was quoted as saying in the Dark Reading piece regarding most enterprises not allowing admin privileges on desktops. Between my clients and the people in at my speaking engagements, maybe 5-10% of businesses have their desktops truly locked down. I will agree with the reality that Java is pervasive across any given business. In fact, I had to install Java on a system yesterday and believe the following screenshots underscore the issue:

Given such proclamations, where do you think the bad guys are going to focus their efforts?

Another funny thing about Java is what Microsoft recently documented in its 2011 Security Intelligence Report. Microsoft found that Java exploits make up to 50% of all exploits. Wow. Another side note from this report that I found interesting is that 0.1% of attacks are related to the sky is falling zero-day exploits that so many people (especially vendors) are claiming to be a huge problem.

Bottom line: as I talked about this piece - unless and until you get your arms around third-party patches, you're going to continue to be vulnerable, especially given how simple Metasploit is to use.

You're in charge of your own crisis

2011-12-01T10:08:00.001-05:00

Whether or not you - or your management - believes you'll suffer a security incident it certainly pays to be prepared. Odds are that something is going to occur.

Does your business have a solid incident response plan? What about a communications plan? Is an executive or business PR representative going to say "Um, well, uh you know - we got hacked and stuff..." to the eager media or are they prepared to answer questions in a mature and professional manner?

PR pros will tell you that you'd better be prepared. As Bolling Spalding - a PR expert here in Atlanta - said in this Atlanta Business Chronicle piece:

"Address the situation openly by saying, 'We don't have all the facts yet, but will tell you what we know now and we'll continue to report back as the facts come in.'...If you don't tell the story, someone else will tell it for you, and it might be someone with an ax to grind."

There's too much to lose folks. Do something now so you'll have a plan when the time comes.

If you're interested, here are some tips I've written about information security-related incidents and how to shore up what could be one of your business's greatest weaknesses.

HDMoore's Law, revisited

2011-11-29T08:58:00.007-05:00

Here's a good read by Mike Rothman (@securityincite) on how we tend to bury our heads in the sand over the most obvious things including HD Moore's Law. For years, I've had a slide in my presentations titled "Future Trends" where I've talked about how exploits are getting easier for those with ill intent:

Easier access to tools
Little knowledge needed
Less elaborate “hacks”
More internal breaches
Mobile business → less control
Greater complexity → more security issues
Newer technologies → new security problems

Mike's post is a good reminder that this is a business reality - today, right now - and it's up to every single one of us in IT to stay ahead of the curve.

Don't get mired striving for perfection

2011-11-27T16:50:00.003-05:00

As we wind down 2011, here's a quote that relates to information security, incident response and overall risk management:

“The person who insists upon seeing with perfect clearness before he or she decides, never
decides.” -Henri Frederic Amiel

So, do something to better your information security program. Any positive step forward - anything - is much better than getting mired in the desire for perfection and doing nothing at all.

Don't turn a blind eye on the basics

2011-11-21T20:08:00.004-05:00

I'm all about shoring up the basics of Web security before throwing money at the situation. If you're interested in saving not only money but also time and effort, here are some new pieces I've written on Web security that you may be interested in:

Explaining the why of Web application security

Improving Web security by working with what you’ve got

Not all Web vulnerability scans are created equal

Why people violate security policies

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

A new way to bleed

2011-11-20T15:45:00.007-05:00

I was in New York City this past week for my final keynote and related presentations for our TechTarget & CDW information security roadshow. Wow, 10 cities in eight months - what a great way to end our year. Of course, being in New York I couldn't help but notice the *constant* coverage of the Occupy Wall Street protests that ended up turning a bit ugly on Thursday - the day I was leaving. Luckily I didn't get caught up in their nonsense.

Once I reached the airport on my way back home I had several things occur to me regarding these people and their protests. The occupiers are the same folks who will:

break in line
litter
cheat on tests
ensure everyone gets a trophy
buy into the notions of "fair share" as long as it works into their favor by only giving what they're capable of giving while taking whatever they need
flip you off when they pull their car out in front of yours and you honk to make them aware of your presence
hack into others' computers for ill-gotten gains just because they can
never admit fault and hire lawyers to "prove" their cases
be heard at all costs but go to great lengths to shut you up if your views oppose theirs

Ironically, there was a Rich Dad Poor Dad seminar in the hotel where we were presenting. It was chock full of people looking to better themselves. I thought, what an interesting juxtaposition considering all the people Zuccotti Park who were doing nothing productive but, were instead, only holding themselves back.

The occupiers have no interest in taking personal responsibility for any of their actions. It's always someone else trying to bring them down. They don't understand that each and every one of us is currently experiencing the sum of our own choices throughout our lives. The occupiers want stuff handed to them using money that someone else has had to work to earn...and they want it now! Imagine this scenario just a few centuries ago where it was every man and women to fend for themselves. Ha. Without the police power of government these people would never survive. But now we live in a society where government helps ward off such survival of the fittest. We're conforming minions because of the laws that a relative minority want to force upon the will of others. We're more "equal" now and that makes for a better society I suppose.

Folks, this is the very beginning of Socialist nations which, no doubt, evolve into Communist regimes - you know, the very political states in which "human rights" are violated and these same people would demand reprieve. It is interesting how these "smart" occupiers who claim to know it all have no real clue of history...much less how basic economics works. The free market that's based in New York City provides these very people and all of us the greatest opportunity in history to do well for ourselves and our families. But that requires work and these people aren't willing to do that. Too much risk and effort involved. They'd much rather argue for their own limitations.

I write about this because I believe STRONGLY in personal responsibility and limited government. Interestingly, both of these have a direct tie to the field of information security that has been very good to me and my family thanks to my willingness to take risks and work hard year after year to bring things to fruition. Yet, on both sides of the token - the anti-Capitalist occupiers AND the very people who *should* be held accountable for doing what's right to protect their networks and information - I see people continually burying their heads in the sand and pretending that everything is someone else's problem...It seems to be getting worse, but it's probably just me.

Major kudos to all of you who are not only willing to work hard but also willing to think outside the box and not be swayed by mob rule.

For incidents, preparation is key...But you've been hacked, now what?

2011-11-14T17:10:00.005-05:00

Here are some new pieces I've written for TechTarget and Security Technology Executive magazine on compliance that you may be interested in:

Preparing for an incident at the workstation level

Develop a Flight Plan

How to know if your website has been hacked

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Join me at the CDW - TechTarget seminars in Philly & NY next week

2011-11-10T14:40:00.003-05:00

If you happen to be in or around Philadelphia, PA or New York City next week, I'd love it if you could join us for our TechTarget / CDW seminars: Predictive Security: Plan Ahead to Stay Ahead of the Next Threat.

I'll be giving the keynote presentation and splitting the breakout sessions with Pete Lindstrom and other vendor experts. After the morning sessions and a great lunch, we'll get back together around 2pm and close out with a lively Q&A for which we've gotten great feedback.

These are our final two seminars for the year. You'll benefit from us being really warmed up and having our presentations (mostly) fine-tuned.

Hope to see you soon!

Why compliance is a threat

2011-11-10T12:15:00.002-05:00

Compliance as we know it is arguably one of the greatest threats to enterprise security. Here's why:

It creates a heightened sense of self for those responsible for accomplishing a state of compliance.
It can cost more to become "compliant" than it does to create a reasonably secure environment.
It empowers government.

All of the above create complacency and a false sense of security. Please tell me I'm wrong.

Wooo...HIPAA audits are coming & the irony of KPMG's involvement

2011-11-09T11:54:00.005-05:00

I've always believed that compliance is a threat to business [hence why I help businesses take the pain out of compliance by addressing their actual information security issues] and this new bit from HHS's Office of Civil Rights is no different.

Apparently the HIPAA audits are coming...KPMG - an audit firm that has already proven they have trouble implementing the basic security controls they audit others against - scored a $9 million contract to perform up to 150 audits over the next year. Audits that'll prove that covered entities and business associates alike still don't take HIPAA seriously. A simple visit to your local hospital or physician's practice will show this, but I guess it needs to be formalized.

Who knows, maybe in a generation or two, physicians (the bigger problem) and business associates (not quite as much) will wise up to the fact that minimal investments can go a long way towards fixing their low-hanging fruit and implementing basic security controls - really all that's needed for HIPAA compliance in most situations.

Mobile devices are the new desktop, what to do now!?

2011-11-08T14:19:00.004-05:00

Here are some new pieces I've written for my friends at TechTarget on mobile security that you may be interested in including a piece for TechTarget's new (I think) SearchConsumerization.com site:

It's time we shift our thinking about endpoint protection

Act now to prevent smartphone security risks at your organization

Compliance officers' next big headache: Securing mobile applications

You know the deal, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

One of my pet peeves: relying on users to wipe out wimpy passwords

2011-11-08T10:09:00.003-05:00

You cannot - and should never - rely on your users for complete security...yet they're often the first or last line of defense - sometimes both.

I wrote about this a while back but it's a problem that's still rampant in IT so I had to bring it up again. It's probably my biggest pet peeves with security. Simply telling users that they need to select strong passwords on their computer systems and leaving it up to them to do the right thing is delusional.

I do believe that most people want to do the right thing...that said, people are going to take the path of least resistance if they're presented with it. Set them up for success instead and take that power away when you can.

What needs to change?

2011-11-01T14:55:00.003-04:00

The late Richard Carlson once said:

Circumstances don't make a person, they reveal him or her. There are times when other people and/or circumstances contribute to our problems, but it is we who must rise to the occasion and take responsibility for our own happiness.

Deep.

Whether you're caught up in an IT project mess, a data breach or even the #Occupy "movement", keep this in mind. We're the sum of our choices to this point. What needs to change?

Your title really means nothing

2011-10-25T08:13:00.004-04:00

I can't tell you how many times I've met people over the years who have a fancy title like CEO or Director of This and That and it ended up being more of a façade than anything. As John Maxwell talks about in this video, your title really means nothing.

I've often told people, I don't care what you call me as long as you pay me what I'm worth. That helps keep me on track to ensure I maximize my value to the marketplace.

Even labels after your name such as CISSP, CCIE, CTO and Esquire mean nothing in the grand scheme of things. Just because you've earned these letters doesn't mean you're suddenly an expert in the field or, for that matter, someone that people actually respect and enjoy working with. Instead it's the value you bring to the table. Work by this mantra and you'll reap rewards you never imagined.

Users making security decisions is your Achilles' heel

2011-10-21T07:56:00.005-04:00

I recently came across some content in a book outlining the benefits of SSL. The author depicted a scenario where SSL is in place to help the user authenticate the server/site he's connecting to and if a certificate-related error popped up in the browser then the user would know that the site was malicious and (presumably) not continue on with the connection. This very situation is an example of how we assume/presume/hope that users are always paying attention and will do the right things with security.

What do you think would happen with the average user in this situation? I'm confident that most people would simply think nothing of it, click past any pop-up warnings and continue about their business. Why? Well, that's what people do. And that's the very problem with have with information security today.

No doubt, we have to be able to balance security with convenience and usability but the moment we allow users to make security decisions - especially ones that could involve phishing and related malware attacks - we open our networks up to complete compromise. This goes along with something I've been saying recently: Your network is only one click away from compromise™ [my new trademark ;-)].

Training, technology - you name it, nothing is 100% certain other than the fact that you have this risk in your business this very moment; guaranteed. I'm not convinced we're going to be able to get past this.

Keynoting the NKU 2011 Security Symposium next week

2011-10-18T07:39:00.004-04:00

If you happen to be in the Cincinnati, OH area next Friday, October 28th, I'd love it if you could join me as I give the keynote presentation for the Northern Kentucky University 2011 Security Symposium. I'll be talking about mobile security problems and solutions and it looks like they've lined up tons of great content and speakers.

Hope to see you there!

Dan Wheldon's crash a harsh reminder

2011-10-17T08:15:00.004-04:00

IndyCar lost a great driver yesterday. When I first heard of Dan Wheldon's crash and death I couldn't believe it. I'm a big IndyCar fan and felt like I knew him - especially with the commentary he has been providing on Versus' coverage of IndyCar this year.

Driving a race car myself - albeit at a *much* different level - I can't help but question the risks of what I do. Seeing these types of incidents rattles me to the core. It's certainly easy to say: Well, Dan knew the risks every time he got into his car...maybe, but it doesn't make it any better nor will it bring back the driver, husband and father we lost yesterday.

I'm letting this incident serve as a reminder of just how fragile life can be and how important it is to spend quantity time with the ones I love. Something most of us probably need to work on.

Rest in peace Dan and God bless you and your family.

What can you really say about your network?

2011-10-11T10:23:00.005-04:00

Here's a new guest blog post I wrote for AlgoSec (a Roswell, Georgia-based company with some really solid firewall management applications) where I talk about something near and dear to all of us in IT:

Do you really understand your network?

...it's more than just a sappy relationship. :-)

By the way, in case you missed it, I wrote a whitepaper for AlgoSec recently that you may be interested in as well:

Firewall Management: 5 Challenges Every Company Must Address

Enjoy.

My latest bits on Windows 7, Microsoft SCM and Metasploit

2011-10-06T05:59:00.001-04:00

Here are some new pieces I've written for my friends at TechTarget on Windows security that you may be interested in including bits on the often overlooked but oh so valuable Security Compliance Manager and Metasploit:

Using Windows 7 management tools to your advantage

Getting to know Security Compliance Manager

Why aren’t you using Metasploit to expose Windows vulnerabilities?

You know the deal, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Join me at the CDW - TechTarget seminar in Phoenix next week

2011-10-05T10:27:00.003-04:00

If you happen to be in or around Phoenix, AZ next Thursday October 13th, I'd love it if you could join me at the TechTarget / CDW seminar: Predictive Security: Plan Ahead to Stay Ahead of the Next Threat.

I'll be giving the keynote and combined breakout session in addition to the sessions provided by other vendor experts. We'll close out with a lively Q&A that I know you'll enjoy.

If you can't make the Phoenix event, I'll be in Philly and New York next month so perhaps our paths will cross in one of those cities.

For what it's worth, here's a sampling of audience feedback on my keynote and breakout sessions from our Boston event two weeks ago and our Dallas event that took place in August:

Kevin was great - perspective with lots of practical suggestions.
Perfect speaker, enjoyable to listen to.
Awakening presentation.
Great speaker, very knowledgeable.
Left me thinking.
Great job! Very enjoyable.
Excellent insight and perspective
Outstanding Presentation
Good lead into sessions for participants
Insightful view of foundation related tasks for security
Set the stage and energy level right
Kevin is a good speaker
Really good relevant quotes and analogies

Hope to see you soon!

Information security's bond with e-discovery is strengthening

2011-10-05T09:52:00.004-04:00

We're seeing more and more how information security and e-discovery go hand in hand. Here are two new pieces I've written that delve into the subject. I hope you enjoy.

Information security’s tie-in with the e-discovery process

Lax enterprise mobile device management hampers e-discovery

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Should You Ban Facebook at the Office?

2011-10-04T11:33:00.002-04:00

In the whitepaper To Block or Not. Is that the Question?, Palo Alto Networks explores the issue of "Enterprise 2.0" applications such as Facebook, Skype, Twitter and YouTube and how users are now in control of the network. Meanwhile, IT staff is saying "just block it!" and users say "just don't block it!," but it's not that simple. As the whitepaper points out, the real answer lies in your ability to see what's actually going on on the network and then decide on the best fit for your organization.

An interesting bit from the whitepaper is that 69% of respondents to a McKinsey study say their companies have gained measurable business benefits, including more innovative productsand services, more effective marketing, better access to knowledge, lower cost of doing business and higher revenues because of Enterprise 2.0 software (while IT staffers argue the opposite: that these applications DON'T boost the bottom line). Knowing that most traditional security controls will block their software, developers of Enterprise 2.0 applications look for ways to circumvent the system so that employees and other users can get access anyway (necessity is the mother of invention, right?).

For governance to work, IT should play a big part in the definition of policies, but not be the sole owner of those policies (something I've been ranting about for years because policy creation and enforcement is an HR, legal and management issue — not an IT issue). I have a client that's experiencing this very dilemma with social media right now. Company managers want to provide Facebook access for their employees. However, recent malware outbreaks have compromised several company systems and placed its network at risk. They have policies and antivirus software, but not anti-spyware protection which would have (presumably) blocked the
infections. We're now working on a plan for moving forward to keep users happy and minimize business risks at the same time.

These new applications are presenting a Catch-22 that's throwing many small and medium-sized businesses for a loop. There are no good answers right now. If you take anything from this, just know you have to do your homework and understand the risks/benefits. Blocking or no blocking, the angles to this issue are still being worked out — one business at a time. Stayed tuned and, in the meantime, stay vigilant.

Web security essentials: something old and something new

2011-09-27T06:31:00.002-04:00

Here are some new bits I've written on Web security that you may be interested in. First a bit on SQL injection - the greatest Web flaw of all in my humble opinion:
SQL Injection – The Web Flaw That Keeps on Giving

And a bit on how to use your users to your advantage to minimize Web security risks:
Getting users on your side to improve Web security

...and finally a piece on why I think that time to market is no longer the excuse for Web security flaws and what's really holding us back today:
Time to market is no longer the excuse

You know the deal, be sure to check out www.principlelogic.com/resources.html for links to all of my additional security whitepapers, podcasts, webcasts, books and more.

Common firewall management challenges whitepaper

2011-09-26T09:10:00.004-04:00

Here's a new whitepaper I recently wrote on the ins and outs - and dos and don'ts - of managing enterprise firewalls:

Firewall Management: 5 Challenges Every Company Must Address

In the paper I cover things such as rules and regulations impacting firewall management, assessing firewall policy risks, managing changes and being able to prove where things stand with your firewalls at any given point in time.

Enjoy!

Compliance or risk: what the real IT leaders focus on

2011-09-26T08:17:00.005-04:00

Whatever your approach to managing IT and information security, here's a new bit I wrote for Security Technology Executive magazine on fixing what needs to be fixed before you do ANYTHING else:
Fix Your Low-Hanging Fruit or Forever Hold Your Peace

Once you have the urgent flaws on your most important systems out of the out of the way, here are some pieces I wrote for SearchCompliance.com on dealing with compliance while, at the same time, actually managing your information risks:

Managing information risk inherent to an effective compliance strategy

Avoid duplicated efforts to cut the cost of regulatory compliance

The long-term consequences of not addressing compliance today

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my additional information security articles, whitepapers, podcasts, webcasts, books and more.

Buying, selling & consigning used hardware great for IT budgets

2011-09-21T09:24:00.006-04:00

In IT and information security we're required to come up with creative ways to save money any way we can. Well, how about this novel idea: buy used network and computer hardware, or sell what you've already go so you can upgrade.

A good friend of mine works at a company (Riverside) that does just that. They buy, sell and consign used network and computer hardware to help businesses save (or make) money. If you're looking to "earn" some budget dollars, Riverside will buy your equipment from you - apparently something that most used hardware brokers/sellers don't do.

Is it just me...why aren't we seeing more of this in today's "green" world. You won't find me kneeling at the altar of "global warming" but I most certainly believe in recycling and buying used wherever possible. It helps the environment and seems like an ingenious way to save IT dollars already budgeted and, if selling, actually add some dollars to the bottom line.

Never forget that the people who add the most value in and around IT are the ones who will ultimately rise to the top. Buying and/or selling used network and computer hardware seems to me to be a great way to go about doing so. Just some food for thought.

Pick up that paper at your own peril

2011-09-20T15:36:00.002-04:00

From @Quotes4Writers on Twitter, this totally reminded me of me:

"You have to be brave to take out that white sheet of paper and put on it words that could be
evidence of your stupidity." - Sol Saks

Windows ASLR, APTs, server malware protection and common patching gaps

2011-09-19T07:52:00.005-04:00

Here are some new pieces I've written for the TechTarget sites SearchWindowsServer.com and SearchEnterpriseDesktop.com on Windows (in)securities in the enterprise including a bit on the over-hyped and misunderstood APT threat (is that like "ATM machine"?) which I got to see first hand while working on a project that involved one of the Operation Shady Rat victims:

The APT threat to Windows environments

Why you need address space layout randomization in Windows Server 2008 R2

Are you properly protecting your Windows servers against malware?

Windows server patching gaps you can't afford to miss

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my additional information security articles, whitepapers, podcasts, webcasts, books and more.

No CPEs for you!

2011-09-16T14:00:00.003-04:00

I spoke at the @ISACAAtlanta GeekWeek show and all I got was this lousy notification ;-)

Seriously, it was a good show that I recommend next time they have it.

My new paper on BitLocker's hidden costs

2011-09-16T13:04:00.007-04:00

I've been a fan of Microsoft BitLocker since it first came out. It provides a cheap and easy way for users to lock down their laptops and mobile storage devices and is especially helpful in small businesses where security knowledge is scarce at best. Although BitLocker protection can be bypassed, it's still better than nothing - like WEP for wireless networks.

Anyway, if you're considering BitLocker as your disk encryption solution, I just wrote a new whitepaper titled The Hidden Costs of Microsoft® BitLocker® you may be interested in. In the paper I talk about some not so obvious costs and gotchas you need to think long and hard about if you're considering deploying BitLocker in an enterprise setting.

Interestingly, I have friends and colleagues at some large enterprises who are telling me their IT/security management is considering ripping out PGP or other commercial whole disk encryption tool in favor of "free" BitLocker encryption. I advise against this unless and until you know all the facts and think things through.

Check out my paper here for more information.

I love solid state drives but I'm no fan of OCZ

2011-09-16T09:27:00.003-04:00

I tweeted about this the other day but though it deserved a longer post. If you do anything with IT/security tools such as vulnerability scanners, network analyzers and the like you HAVE to get a solid state drive.

Hands down, installing solid state drives in my laptops has been the best computer upgrade I have ever made in 22 years of using computers. Better than doubling my RAM, better than upgrading the CPU...whatever. I wish I would've moved to SSDs sooner. I didn't know it was going to be the case but my SSDs are faster than the 10,000 rpm drive I use in my desktop (which was a huge improvement over the 7,200 rpm drive I used to have). Amazing.

Two words of caution:

1) Know that if your drive fails - especially under warranty and you need to return it - that you have no way of knowing what is recoverable by some yahoo engineer in the manufacturer's lab who has nothing better to do. Based on my limited knowledge of how SSDs work and backed by a forensics expert I work with, even if the drive is dead, it's still possible that data can be extracted from the chips on the drive. This is something you wouldn't have to worry about with traditional platter-based drives because you could give them a good bath with a powerful magnet and you'd know your information is safe.

SSDs just aren't the same, at least based on what I know about them. That combined with the fact that I had encrypted the drive with BitLocker I had no way of knowing what was recoverable when doing that, especially using this tool.

2) Stay away from OCZ Technology SSDs. I bought one knowing that the Amazon reviews weren't great. But it was available at a nice price at my local MicroCenter and figured I had nothing to lose. Plus, like many in management treat information security, I figured nothing bad would happen to me - surely my drive wouldn't fail. ;-)

Well, silly me. Something did happen. My drive died within 3 weeks of purchasing it. Nice. I wrote to OCZ and told them my situation about the nature of the work I do and that I've got potentially sensitive information on it that I cannot afford to have recovered. Per my forensics colleague's suggestion (apparently, the large hard drive makers do this), I asked OCZ if I could return the cover of the drive in hopes that rendering it mostly useless would be enough for me to get a replacement.

OCZ's Technology Forum Support Manager promptly replied: no can do. They needed the drive back to replace it or refund my money. So, I ended up losing close to $200 plus a good 5-6 hours worth of my time buying a new SSD drive and rebuilding my system. Tough lesson learned.

FYI, I bought a Samsung SSD (love it!) and suggest you do the same.

Your organization vs. BP: what will faulty decisions lead to in your business?

2011-09-15T13:51:00.005-04:00

Imagine a scenario where poor management, failure to take appropriate action, personnel changes and miscommunication about who's responsible for what leads to a catastrophic event at your business? That's exactly what the findings were of the BP oil spill.

Sadly, 11 people died because of this incident. Luckily, our line of work isn't quite so risky but your business can still get in a bind when information security is mismanaged.

Here's a link to articles, podcasts and webcasts I've written/recorded on the management's link to information security and a few more bits on how to sell people on information security and keep them on your side to help prevent poor management decisions in the first place.

NetIQ's file integrity monitoring solution

2011-09-14T10:00:00.003-04:00

A couple of weeks ago, I had the privilege of speaking at the Information Week / Dark Reading Virtual Trade Show How Security Breaches Happen and What Your Organization Can Do About It.

In my presentation How to Win the War Against Cybercrime, I apparently had a brain-cramp moment and said that I'm not seeing anybody with good file integrity monitoring. Um, duh, Kevin (as I smack myself in the face), the very vendor who sponsored my session, NetIQ, has such a solution. It's called NetIQ Change Guardian. Sadly (stupidly), I knew this and don't know why I said what I said. I just wanted to set the record straight. Jill and Renee at NetIQ: thanks for keeping me on my toes. :-)

In case you missed the virtual tradeshow, I believe you can still register for it and listen to the recording. Lots of good info - not because of me, but because of the caliber of other IT and information security speakers they had on board. In fact, I was duly impressed by Steve Kovsky - the moderator for my session. I aspire to be able to speak that well one day.

Anyway, check out the virtual tradeshow and NetIQ's offerings. Both quality stuff.

Stephen Covey's insight applies to information security

2011-09-13T07:28:00.003-04:00

I love the following quote...very applicable to what we do:

"You can't talk yourself out of a problem you behave yourself into." - Stephen Covey

Okay, you may be able to talk your way out of bad security decisions with the right attorneys or a cybersecurity insurance policy. Having worked cases involving data breaches, compliance and intellectual property, I can say that it won't be a short-lived, inexpensive or painless ordeal.

Speaking in Boston @ the CDW + TechTarget security seminar next week

2011-09-12T14:54:00.006-04:00

I hope you'll have a chance to join me in Boston next week when I'm speaking at the TechTarget / CDW seminar: Predictive Security: Plan Ahead to Stay Ahead of the Next Threat.

Boston, like several other upcoming events, is a 2-track seminar where I'll be giving the keynote and splitting the breakout sessions with my friend and roadshow colleague Pete Lindstrom among other vendor experts. [sidenote: Pete's the real draw at these events, I'm just there to fill in the gaps....seriously, he's good.] After the keynote, breakout sessions of your choosing and a great lunch, we all get back together around 2pm and close out with a lively Q&A for which we've gotten great feedback.

If you can't make the Boston event or one of the other 2-trackers in Philly or New York this fall, I'll be leading two 1-track events in Phoenix and Raleigh coming up shortly as well.

Here's a sampling of audience feedback of my keynote and three breakout sessions at recent shows:

Very good information, Great speaker
Well laid-out, solid points/arguments, encouraged involvement
Super
Informative, broad, excellent!
Mobile devices discussion was very good and insightful
Informative and aligned with current issues
Great - Clear - Real-time Current examples of industry security
Good intro keynote
Knowledgeable and personable
Kevin does a great job - Good choice
Very real life knowledge not just preaches - He feels the pain, that is great! What an honor to attend!!!
Current real life examples is the best information that can ever be given at any seminar. A+++
Lots of good group discussion
Plenty of great examples, specific tools, crowd discussion, etc. Plenty of good info to take back
Best of the day. Most valuable. Good discussion.
Kevin's presentation was great
Very relevant - focused on concerns that most of us seemed to have about mobile security
Kevin is a great speaker/teacher
Learned lots - Had a great time - Thank you! Very Much!
Good technical info, plenty of things to take back for further use or investigation. Not too much kool-aid/sales pitches.
The content was good. I'm not a security guy so my interest is limited. It was at a good level of complexity
Although I was not here all seminar, what I saw was good - need more 1 day seminars
More relevant to my job function that I had anticipated -- thanks!
Security is a concern of upper management - This seminar provided me good information to take back to the organization
Loved the fact that you gave us tools
Great insights again - thanks for sharing some of the tools and hacks
Liked location; kevin is a very good speaker
Multi-tracks are a great idea! Continue with panel discussions/Q&A in future seminars
More speakers like Kevin Beaver

Hope to see you there!

Microsoft Exchange Data Retention, Incident Response & Other Gotchas

2011-09-12T08:39:00.006-04:00

Depending on where you're at with your Exchange "maturity model", here are a few pieces I've written for SearchExchange.com about Microsoft Exchange security oversights, policies and plans to help you along the way:

How to write an effective data retention policy for Exchange

Solidify Your Exchange Server Incident Response Plan

Common Exchange Security Oversights

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my additional information security articles, whitepapers, podcasts, webcasts, books and more.

What it takes to get ahead in IT and beyond

2011-09-07T07:15:00.001-04:00

Good economy or not, people often ask: What can I do to get ahead in business? How can I stand out above the noise to enhance my career? How can I be a better network engineer, information security administrator, IT manager, speaker, writer and so on...?

Whether you work for yourself or for someone else the answer is the same. You simply seek out the people who are at the top of their fields and do what they do. That's it. You don't have to ask these experts directly, you don't have to pay to take some advanced training classes. Instead you simply see what experts in your line of business are doing how they think and model yourself after them.

Twitter, blogs and other social media provide a great way to follow what these people are doing, how they think, how they’re positioning themselves and the niche they create. It's amazing stuff that has worked for me and it can work for you.

So, seek out the people you respect which will likely be the people writing, presenting and evangelizing in the subject areas that you have an interest and go from there.

For additional reading, here are some links to articles I've written on the subject of enhancing your career in IT and beyond as well as my audio programs on IT and information security careers.

DNS hack: UPS, National Geographic, Acer, etc. websites affected

2011-09-04T18:03:00.003-04:00

Happy (almost) Labor Day...here's the latest from the criminal hackers: a DNS hack has redirected numerous websites of UPS, National Geographic, Acer, The Register and more. Nice.

Betcha it was some low-hanging fruit someone, somewhere overlooked.

Talk is cheap: Time to rethink your data retention strategy (or lack thereof)?

2011-08-31T08:01:00.002-04:00

Here's a fascinating story about a court case involving data retention you need to read. And pass it along to your management as well. It talks about how businesses aren't doing what they need to be doing with regard to data retention and how decisions are being made for us by the courts.

Interestingly most businesses I come across (large and small) don't have any semblance of a data retention policy in place - much less do it well. Or they have their in-house legal counsel in charge of it often resulting in nothing more than a piece of paper saying what's supposedly being done (but usually isn't) and management signing off on it under the assumption that all is well in IT-land. It's the same issue I talk about in this recent article I wrote for SearchCompliance.com:
Why it may not be ideal for your lawyer to be your compliance officer

Maybe it's time for business managers to stop hiding behind their "talk" and start doing something about this stuff before something negative comes of it...We're often presented with the opportunity to make decisions. If we choose not to, they're going to be made for us.

My new book: Implementation Strategies for Fulfilling and Maintaining IT Compliance

2011-08-26T07:54:00.006-04:00

Check out my latest book published by Realtimepublishers.com:

In Implementation Strategies for Fulfilling and Maintaining IT Compliance I share strategic and tactical methods for getting your arms around the compliance beast. You can download all the chapters (below) for free by signing up on Realtime's site. They've got a ton over other good content too.

Here's the low down:
Businesses are struggling more and more with the compliance requirements being pushed on them from every angle. The reality is that such regulations aren't going away. However, there’s a silver lining – IT compliance doesn’t have to be that difficult and once you've mastered compliance it can serve as a business enabler and competitive differentiator.

In Implementation Strategies for Fulfilling and Maintaining IT Compliance, a practical guide on real-world issues related to IT compliance, the reader will find reasonable solutions for the professionals responsible for making things happen.

It's great for anyone faced with implementing the standards mandated by regulations such as HIPAA, HITECH Act, GLBA, SOX, and PCI DSS. CIOs, compliance officers, IT directors and network administrators can all benefit from the anecdotal stories, down-to-earth strategies and sage advice for creating gaining and maintaining control of IT compliance so that it can enable rather than hinder the business moving forward.

Chapter 1: Understanding the Real-World Issues Associated with IT Compliance
Chapter 2: The Costs of Compliance and Why It Doesn't Have to be So Expensive
Chapter 3: Simplifying and Automating to Reduce Information Systems Complexity
Chapter 4: Establishing a System of Network Visibility and Ongoing Maintenance

Enjoy!

Join me live today at Dark Reading's webinar #iwkdrbreaches

2011-08-25T09:58:00.007-04:00

I'm speaking at the #Information Week/Dark Reading Virtual Trade Show How Security Breaches Happen and What Your Organization Can Do About It.

My session is titled How to Win the War Against Cybercrime and starts at 2:30pm ET. Here are a few words about it:
What are you doing to avoid becoming the next Wikileaks, Google, or Sony? Despite the fact that businesses will spend over 50 billion dollars worldwide on IT security projects this year, it is a virtual certainty that your organization will experience a security breach at some point.

While the complexity of cyber threats may be increasing, the good news is that the answer to combating these threats need not be complex. By implementing solutions that integrate your identity, access, and security environments, you can protect your organization's network, systems, and critical information from insiders and criminal hackers.

In this presentation, noted information security expert Kevin Beaver will discuss current and evolving cyber security threats, some common oversights he sees in his work and recommend solutions that deliver the information you need to reduce the risk of security breaches across your enterprise.

Thanks to the nice folks at NetIQ for making it happen.

Hope to "see" you there!

What direction are you heading with data protection?

2011-08-24T09:26:00.003-04:00

Here's a new guest blog post I wrote for the folks at Credant:

Heading in the Wrong Direction with Data Protection?

You may see this differently but I think we're heading down the wrong path in this area - especially on phones and other mobile devices. I suspect we'll end up in a situation like we have recently in the U.S. where the very people putting the "stimulus" bill and Obamacare in place are suddenly clamoring to get our national debt under control. Come 2013 or so, it'll be, remember those vendors and bloggers spouting off about how important mobile security was back in 2010/2011 when our network environment was much simpler?

The inability to think long-term is so, so dangerous folks. Don't be like our politicians who can't see past the next election. Make the decision to get your arms around the mobile security beast now. Start today. Here's a link to some resources that can help.

Fine-tuning your Web application security

2011-08-22T07:08:00.002-04:00

I think I could write about Web application security every hour of every day...there's just so much involved with building secure apps, proper security testing, getting (and keeping) management on board and so on...But I wouldn't want to torture you in that way. Anyway, here are a few bits you may be interested in:

Properly scoping your Web security assessments

The cure for many Web application security ills

How much Web security is enough?

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my additional Web security whitepapers, podcasts, webcasts, books and more.

Getting ahead in your career + keeping IT staff on board

2011-08-21T09:57:00.003-04:00

Here are some new bits I've written about IT and information security careers. First, what you can do to stand out above the noise and move your career ahead:
How IT pros can boost their worth -- and their salaries

...and second, what management can do to keep IT and security professionals interested in their jobs and on board with the business:
How to retain your IT talent

8 best practices for retaining IT talent

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my 500+ articles, whitepapers, podcasts, webcasts, books and more.

What's up with conferences in October?

2011-08-19T08:26:00.005-04:00

I've had to turn down 3 speaking engagements the weeks of October 10th & 17th because I'm, well, speaking at other shows those weeks. Maybe it's something about the weather that time of year? Perhaps discounted meeting facility rental rates? I suspect the real reason is that all the top-notch security speakers are busy then so the conference organizers are reaching out to second stringers like me.

BTW, my apologies for being silent on my blog over the past week...will be re-engaging soon. Have a great weekend!

My webcast/Q&A today on managing network threats

2011-08-10T06:21:00.003-04:00

Join me today in TechTarget's SearchCompliance.com virtual tradeshow:
Enterprise Risk Management: Mitigation Strategies for Today's Global Enterprise

My presentation "Managing Network Security Threats with an ERM Strategy" starts around 3pm ET and I'll be doing a live Q&A just after.

Steve Jobs' ridiculous iTunes interface

2011-08-09T19:45:00.003-04:00

I just spent 6.5 minutes cracking a family member's laptop password in order to demonstrate the dangers of not having whole disk encryption. I then went on to spend 20 minutes+ of my life trying to sync some new music to an iPod Touch with the unbelievably difficult iTunes interface.... After investing a lot of time (that I'll never get back, mind you) I still didn't get the music synced.

What's wrong with this picture!?

Apple and Mr. Jobs: Ask any IT professional what they think about iTunes and it'll echo my experience. We all dislike it in the same way. What gives?

You're the sum of your choices

2011-08-05T05:37:00.003-04:00

Here's a 67 second video that defines the essence of where we are in life, our careers and even in information security today:

I really like what John Wooden said:
"There's a choice you have to make in everything you do. So keep in mind that in the end the choice you make makes you."

I also love what John Maxwell says:
"It's your personal choices. If they're good, it's going to help make you. If they're bad, it's going to be the unmaking of you."

Indeed, we must use wisely our power of choice...Great stuff.

Digital distractions take top priority

2011-08-04T09:00:00.004-04:00

Be it texting while driving, browsing Facebook while in a meeting or checking emails while having lunch with a friend, it seems that there's always something better for us to be doing. It's so much easier being somewhere else rather than in the moment. That's the essence of this well-written piece on Gizmodo:
The Epidemic of Digital Distraction

You see there's a human epidemic that not many people really care to acknowledge or talk about. It's the dangerous desire for instant gratification. Those who don't have the ability to think long term create many, many problems in their own lives and many, many problems in society (think big government). I believe it also contributes to people goofing off on the job.

Don't get me wrong, the desire for instant gratification is in us all. We just have to be disciplined enough to make the right choices. If you're interested in finding ways to slow down and live in the moment, you must read The Speed Trap:

It helped solidify this concept and made me realize I need to focus on the things that count.

The difference between "No" and "How"

2011-08-04T08:52:00.003-04:00

Here's a humorous and thought-provoking post by my friend Pete Lindstrom that you should check out:
Dr. Laura as Information Security Officer

It's so easy for people to say "No" to information security rather than "How"...similar to how many people - children and adults alike - say "I can't!" rather than "How can I?".

People are always going to take the path of least resistance...if you let them.

Indeed, many executives are insulated from reality

2011-08-02T09:28:00.003-04:00

Here's a piece where I, Richard Stiennon, Andrew Baker and others weigh on executive management's involvement in information security:

Focus Experts’ Briefing: How CEOs Can Prepare for and Respond to Cyberattacks

Unless and until executives get on board with security - across the board - I'll continue reciting one of my favorite quotes:

“Many executives are insulated from reality and consequently don’t know what the hell is going on.” -James Champy

10 years working for myself

2011-07-26T07:13:00.004-04:00

This month marks 10 years since I started my information security consulting business Principle Logic. I cannot express to you how grateful I am to be so blessed.

Like many businesses, things weren't all rosy from the get-go. My wife, Amy, and I worked very hard to build up the business through networking, fostering relationships and little bit of marketing sprinkled in here and there. We did that over and over again because we believed in the formula and in ourselves.

Don't get me wrong, the first 2 years were rough...I mean rough. Had it not been for some previous client relationships I had established in previous jobs we would've been hard-pressed to keep moving forward.

But through thick and thicker we pushed on. I wanted to...I had to. Seeing poor management and politics run yet another business into the ground at my final "real job" with an Internet dot-com pushed me over the edge. I knew if I used the fire I had in me in July 2001 to my advantage I could make it work. That fire is what encouraged me to make the leap and, combined with some sticktuitiveness, is what keeps me going to this day. I'm certainly not the sharpest knife in the drawer when it comes to IT and information security. Never have been and never will be. But I've realized that I don't have to be and I'm okay with that.

I want to thank all of you - my clients, my readers, my blog followers - for believing in me, Kevin Beaver, the no-name brand consultant from Atlanta G-A. Had it not been for your willingness to step outside the box and trust that the value one brings to the table is deeper than a name brand I'm confident that I wouldn't have reached this milestone in my career. A sincere thank you to you all.

Finally, I'd like to thank my family for being here for me. Your deep support is immeasurable. I'm very lucky and blessed to have you.

Here's to another 10 years working in an awesome field in the most amazing country in the world...Cheers!

Solid IT and infosec content to check out

2011-07-21T08:37:00.005-04:00

I just got back in town from doing a video shoot on cloud security with my friends and colleagues at TechTarget in Boston (man, I love that city). Anyway, I feel compelled to share with you a few of TechTarget's websites that I write for and I know they have lots of others with all sorts of information security, compliance and IT content. Here you go:

SearchCompliance.com
SearchEnterpriseDesktop.com
SearchEnterpriseLinux.com
SearchWinIT.com
SearchSQLServer.com
SearchMobileComputing.com
SearchSoftwareQuality.com
SearchNetworking.com
SearchSecurityChannel.com

...all of their sites are listed here:
www.techtarget.com

My point is: there's no reason to not keep them on your radar....tons o' good stuff.

Thomas Paine knew his infosec

2011-07-21T08:33:00.002-04:00

Here's a great infosec quote from statesman Thomas Paine:

"Our greatest enemies, the ones we must fight most often, are within."

This applies to both malicious insiders and ourselves as each of us certainly tend to get in our own way when it comes to making things happen with security.

If only "they" could understand us

2011-07-18T15:21:00.006-04:00

You know how most people don't really understand the professions of others with whom they mingle or interact with? You know, retail clerks typically don't understand IT, doctors don't understand accountants, used car salesmen don't get landscaping and so on. Information security is arguably one of the cloudiest and least understood for those who aren't exposed to it on a daily basis.

After reviewing the headlines of my emails today I had a deep thought about this. Imagine if our colleagues, friends and family members kept abreast of the information security happenings from sources like Dark Reading, Slashdot, FierceCIO, NewsFactor and so on and saw headlines such as:

"Pentagon Discloses Largest-Ever Cybertheft"
"Sydney has 10,000 Unsecured Wi-Fi Points"
"99 Percent Of Android Devices Are Vulnerable To Password Theft"
"Lady Gaga Website The Latest in String of Celebrity Hacks"

...and so on. Even if it were for just a week, I think they'd start to see what we're all up against. Maybe people - and society - would start to get information security.

I suppose this all goes back to awareness and buy-in. Two things information security just doesn't have enough of these days.

eEye's Metasploit integration - we need more of this!

2011-07-14T10:57:00.005-04:00

Kudos to eEye Digital Security for integrating Metasploit within their Retina vulnerability scanner. According to this recent press release:

"Using the free Retina Community scanner or the Retina Network Security Scanner (version 5.13.0 or higher), users can see whether a vulnerability has an associated exploit from Core Impact, Metasploit, or Exploit-db.com, allowing IT Security professionals to better prioritize vulnerabilities and fix the biggest risks first. In addition, if a Metasploit exploit exists, users can right-click to launch Metasploit (3.6.0 or higher) directly from the scanner to perform a penetration test against the targeted host."

Thanks for thinking about the workflow of a typical security assessment eEye! I honestly don't know why it has taken vulnerability scanner vendors so long to get this. I'm convinced that some are completely unaware that such features would be of value.

So....a tip to other vulnerability scanning vendors out there: Think about how your scanners work through the eyes of security professionals. What are the pain points? What are the inefficiencies and hurdles to do basic tasks? All you have to do is ask people like myself. I'm often willing and able to share many such frustrations and advice. ;-)

How smartphones can make us look dumb

2011-07-12T18:28:00.002-04:00

Not long ago I heard a gentleman speaking with radio show host Clark Howard about a phone he purchased online. He said it had all sorts of personal information belonging to the previous owner including her healthcare records. Ouch.

If I understood the caller correctly it sounded like this personal information was sent to the previous owner by her doctor. A doctor who I'm sure is HIPAA compliant...after all, as most healthcare practitioners know, all you need for HIPAA compliance is a sticker-based sign-in sheet and notice of privacy practices handout. OK, maybe a firewall and anti-virus software if you want to go out on a limb and buy into the compliance comes in a box theory. But I digress...

Be careful out there folks. Compliance requirements or not, our smartphones are going to make us look dumber and dumber moving forward if we're not careful.

Cloud insecurities, when are they going to end?

2011-07-04T13:35:00.003-04:00

This week's post is about cloud security - technically, lack thereof...Check out these new pieces I've written for Security Technology Executive and Acunetix:

Dark Cloud Looming?

What’s your take on cloud security?

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my 500+ articles, whitepapers, podcasts, webcasts, books and more.

Get over yourself

2011-07-01T09:50:00.004-04:00

The late, great Richard Carlson once said:

"Humility and inner peace go hand in hand. The less compelled you are to try to prove yourself to others, the easier it is to feel peaceful inside."

I believe this theory explains why so many people in IT and information security are so stressed out. I'm also convinced that this concept is the basis for all the bad choices and negative behavior we've seen in the world of IT and information security as of late.

Moral of the story: Don't be this guy...That is if you want to have inner peace and you want to go places in your career.

The value of partial code scanning, now

2011-06-27T16:14:00.004-04:00

Check out my new piece on the business value of partial code scanning where I outline why it's better to start your source code analysis now instead of waiting around until certain milestones of your development projects are reached or your software applications are completed altogether.

It's kind of funny and ironic that we humans are all about instant gratification, yet with information risk issues such as source code analysis, we tend to want to wait until everything's perfect (and way more costly) before we get started. This reminds me of the Mark Victor Hansen quote:

“Don't wait until everything is just right. It will never be perfect. There will always be challenges, obstacles and less than perfect conditions. So what. Get started now. With each step you take, you will grow stronger and stronger, more and more skilled, more and more self-confident and more and more successful.”

I wrote this article in conjunction with the nice folks at Checkmarx who happen to produce the best static source code analysis tool I've used...especially given its price compared to the competition - it's not even in the same galaxy as some of the others out there. Definitely worth checking out.

Dropbox "bug" = why the cloud cannot be blindly trusted

2011-06-27T14:16:00.003-04:00

I've been ranting about "the cloud" (what a tired term) for a couple of years now. As if we haven't seen enough examples lately of why we cannot put all our eggs in the cloud basket, here's one more with the "code bug" that impacted Dropbox's authentication mechanism over the weekend.

Sure, Dropbox isn't an enterprise cloud app per se but I'll guarantee you it's impacting your enterprise this very moment. Think data backups, intellectual property, PII, password safes and whatever else your users are syncing across their multiple systems.

How do you explain such exposures to management or to your board when something like this happens. Do you say "Well, our cloud provider said their system was secure because they use SSL and, furthermore, have a SAS 70 Type II audit report to prove it." or "Our legal team approved of the contract and the SLA and gave us the go-ahead."??

I don't know that management will ever get on board the way they need to but cloud insecurities will certainly work themselves out in the marketplace - and in the courts - and eventually get on the radar of the people that matter.

This Dropbox dilemma is a relatively small and insignificant example of what happens when you completely rely on others for information security. I'm not saying don't use the cloud. I'm saying get your arms around the cloud before it impacts your business in a negative way. Odds are it's going to somehow and everyone will be looking at you for a well thought out response.

Exchange incident response, ASLR & common Windows security mistakes

2011-06-25T21:39:00.003-04:00

From Exchange to Windows Server to Windows at the desktop, here are some new pieces I've written about Microsoft security that you may be interested in:

Six commonly overlooked Exchange security vulnerabilities

Solidify Your Exchange Server Incident Response Plan

10 most common security mistakes people are still making

Why you need address space layout randomization in Windows Server 2008 R2

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my 500+ articles, whitepapers, podcasts, webcasts, books and more.

I'm a speaker at the Gartner Infosec show this week

2011-06-20T16:50:00.003-04:00

For those of you who happen to be attending the Gartner Security and Risk Management Summit in DC this week, I'd love it if you could check out my session or at least stop by to say hello. I'll be serving as a panelist on mobile security at the following session:

Protect Your Identity, Mobile PC and Data
Session Code SPS13 - Potomac Ballroom 1
9:30-10:30am

Cheers!

When's political correctness going to impact infosec?

2011-06-18T12:23:00.004-04:00

Witnessing the Thought Police's handling of the Tracy Morgan debacle I can't help but wonder if political correctness is not the beginning of dictatorships, Communism, etc. where the population is not allowed to speak up or out against anything.

Don't get me wrong. Being a libertarian, I'm pro-choice on everything...To each his own. As long as you're not affecting the life, liberty or property of someone else, then say what you need to say and do what you need to do. Sure, I know we need to be sensitive in certain situations. The problem is that political correctness leads to the legislation of our thoughts and feelings...Tell me, just how different is that from dictatorships and Communism in parts of the world where, ironically, people cry out for "human rights" because of the oppression brought on by, well, ourselves?

It'll be interesting to see how political correctness invades the very fiber of information security and privacy in businesses down the road. Will we eventually reach a point in the not so distant future where it'll be politically incorrect (esp. here in the U.S.) to tell people what websites they can or cannot use or what applications they can load on their endpoint devices connected to the business network? Will it be demeaning to others when we suggest strong passwords or we point out how security oversights brought on by people making poor choices are bringing the business down?

I'm just saying...People are complex and these are things that are impacting us personally now and likely in our work down the road. How are you going to handle it?

Proud to be a speaker on the TechTarget roadshow

2011-06-17T12:25:00.007-04:00

I just completed two seminars this past week for TechTarget and CDW...One was in Minneapolis, which by the way, was probably the friendliest city I've EVER visited. Great bunch of folks...thanks for the great Midwestern turnout and hospitality!

Our second stop was San Francisco...one of my most favorite cities to visit. I also had the opportunity to visit the nice folks at one of my publishers: Realtimepublishers.com (publisher of my latest book that I'll be posting about soon) and one of the websites where I serve as an IT security expert: Focus.com. Just meeting these people for the first time made the trip worthwhile.

If you're not familiar with it, you should check out these security seminars we're doing...lot's of good discussions around what it takes to really get your arms around the security beast. We may be coming to a town hear you between now and year's end. Here's the website:

Predictive Security: Plan Ahead to Stay Ahead of the Next Threat

Hacking tools & malware creation illegal - what's next?

2011-06-17T09:38:00.005-04:00

With all the criminal behavior taking place on computers around the world, it appears that politicians are seeking some solutions. For instance, European Union Justice Ministers are proposing a ban on hacking tools. I suspect this law will work just as well as gun laws in the U.S. Simply criminalize the inanimate object (or code) and only the law-abiding citizens will comply. It creates the perfect storm for criminals to be able to continue doing what they do.

Furthermore, an unintended consequence of such tools being banned and kept from legitimate use like in the independent security assessment work that I and many of my colleagues do, then businesses in general suffer.

The burning question is: who decides what hacking tools really are? Are they password crackers? Vulnerability scanners? Perhaps Web browsers in general? I suspect they'll have a panel of ignorant bureaucrats making the call like what our "leaders" here in the U.S. (Obama, Pelosi, etc.) envision with their ObamaCare death panels. Government knows best.

On a related note, just today the Japanese parliament enacted legislation that criminalizes the creation of malware. Is this any different? It can certainly be argued that malware serves no purpose other than to do harm. Of course, many people around the world believe the same thing about guns owned and used for the sole purpose of self-defense.

It's a complicated world we live in...what to do now?

IT careers, compliance & the Internet "Freedom" Act

2011-06-13T17:01:00.004-04:00

Here are some recent pieces I wrote on IT and security careers and compliance that you may be interested in...content that likely applies to your very situation:

Career networking dos and don’ts

But Compliance is Someone Else’s Job!

Cybersecurity and Internet Freedom Act – New name, same game

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my 500+ articles, whitepapers, podcasts, webcasts, books and more.

New WebsiteDefender from @Acunetix worth a look-see

2011-06-13T16:45:00.005-04:00

The folks at Acunetix have a neat new product/service called WebsiteDefender. I've yet to try it myself but it looks promising - fills a nice niche.

WebsiteDefender is an agent-based tool for websites and WordPress-based blogs that:

Scans your site for security flaws
Detects malware running on your site
Alerts you to suspicious web site activity including file changes

The obvious benefit is to have a more secure online presence but as Acunetix is marketing WebsiteDefender, it can also keep you from getting blacklisted by Google and presumably from being listed as questionable by services like Web of Trust.

Certainly worth checking out. More info to come once I take it for a spin...

The best information security quote ever

2011-06-10T12:54:00.002-04:00

Thinking about all the security incident headlines over the past 30 days alone, this says it all:

"We can evade reality but we cannot evade the consequences of evading reality." -Ayn Rand

Weiner fallout: "I got hacked" is the new scapegoat

2011-06-08T12:27:00.004-04:00

I recently met up with some technology lawyer colleagues after work and we shared our thoughts on the Anthony Weiner "incident". We were talking about how early on in the saga no one but Weiner and the lucky recipients of his tweets really knew what the truth was. Predictably, as we're seeing and hearing more and more these days, Weiner came out and said "I was hacked. It happens to people." In other words, instead of claiming personal responsibility for the issue, he could just claim someone else did it and hopefully wash his hands of the issue.

Don't get me wrong. Companies and people do get hacked, but hacking is not always what caused the problem.

Then it came to us, "I've been hacked" is the new scapegoat. Savvy politicians and business leaders know that getting "hacked" is a generic enough claim that the general public may buy it. After all, many people believe that hacking is this mysterious, intangible "thing" that just happens these days. It's simply dismissed as "Oh well, sucks to be that person or business". Such an excuse is very similar to what I've written about "computer glitches". It's an easy way out.

Interestingly, one thing that hasn't really been discussed in the media covering WeinerGate was here's how you get to the truth...you do X, Y and Z to reveal what really happened. Be it a simple forensics analysis of Weiner's computer(s) all the way to subpoenaing Twitter for their log files associated with the usernames, dates and times in question, there's a way to get to the bottom of such matters. These procedures are carried out as part of the legal process in countless investigations and lawsuits every day in the US. But we weren't hearing about that.

We now know that a formal investigation wasn't needed with Weiner. However, if you're caught in a bind and need to prove your innocence, the e-discovery and forensics processes have a nice way of working things out...It's all a matter of choice and, I suppose, context.

Perhaps it's time to step back, fix the low-hanging fruit that's putting your business at risk, and move forward with your chin up willing to take responsibility for information security once and for all. No scapegoats necessary...

New tool for ferreting out users w/local admin rights

2011-06-07T10:20:00.003-04:00

Here's a free tool by @ViewFinity (the privilege management vendor I wrote about back in March) that helps you discover user accounts that have local admin rights:
Viewfinity Local Admin Discovery

...looks pretty neat if you have a need for running a quick test during an assessment or audit or just want to have something to use periodically to ensure user accounts are kept in check.