You can't secure what you don't acknowledge.SM
Showing posts with label low-hanging fruit. Show all posts

Wednesday, April 9, 2014

Windows XP: Goodbye my love...well, not really.

Windows XP...ah, the memories!

I wrote many of my books including the first two editions of Hacking For Dummies and the first edition of The Practical Guide to HIPAA Privacy and Security Compliance originally on Windows XP - not to mention countless articles, security assessment reports and more over a 7-8 year span.

It was nice working with you XP!

I waited to write this post today, the day after all the Windows XP end-of-life hype, so as to not get caught up in that mess from yesterday. What's interesting to me about this whole Windows XP story is that every analyst, IT vendor marketing rep, journalist, auditor, and consultant is an "expert" on the doom and gloom that will be brought upon society with all of the businesses and consumers not upgrading their operating systems.

Looking at the headlines, still today, it's kind of funny (and sad):
"Vital industries exposed to risk"
"Isn't safe to use anymore"
...blah, blah, blah.

Apparently Windows XP is still being run on 25% of PCs. Will we hear stories about Windows XP systems being drywalled into oblivion like we've heard about Novell NetWare? Probably not. I do suspect it's going to be around for years to come. And, sure, vulnerabilities will be discovered - especially on systems that have scant security controls to begin with. IT's elite will clamor about their amazing exploits. Management will still have their heads in the sand. Life goes on.

The funny thing about Windows XP is that the OS itself is not where the real risk is in most network environments. [Oh gosh, did I say that out loud!? I'm going to have some "researchers" all over me...shudder.] Real-world experience tells me that much of the risk comes from all the other stuff people are installing and IT is not patching...that's what's creating the real problems. The latest study shows that 76% of vulnerabilities are NOT Microsoft's issue. I've seen higher numbers in the past.

Microsoft Corporation is being treated like some of the big social/political issues like "global warming", gun control, and income "inequality" because they're expedient, convenient, and intangible enough to get people riled up.

Here's the real issue that we're still not hearing: I know without a doubt that many of the people preaching fire and brimstone about Windows XP are the same people who continue to ignore the critical basics I'll rant about until the day I retire such as:
  • Network shares full of sensitive files made available to everyone with a login
  • Mobile devices with ZERO security controls
  • Minimal - and grossly reactive - system monitoring
  • Firewalls with default passwords
  • Laptops storing tens of thousands of credit card numbers and SSNs with no hard drive encryption
  • Open wireless networks for "easy guest access" that provide full access into the back end network
  • Database servers with no passwords
  • Operating systems with weak passwords
  • Numerous cloud services being used without IT's consent or knowledge
  • Physical security control systems with ZERO security controls
  • etc...
Unless and until these people have helped themselves and the others who depend on them fix this low-hanging information security fruit, I'm going to say: Got XP? No problem!

Monday, March 3, 2014

Interesting sights at #RSAC 2014

I attended the RSA Conference last week...there was a lot of the same security nonsense (see my posts below) but a very good show nonetheless. You should attend next year, especially if you've never been. With 25,000+ attendees and more vendors than you can ever imagine in this space, it's a spectacle.

Speaking of "vendors", one thing that struck me as interesting - what government employee was ballsy enough to use our tax dollars for this fancy setup on the expo floor?:

And, interestingly, right around the corner was this company:

Too funny! Perhaps a thumb in the eye to our national spies? Someone, somewhere had a sense of humor - good to see in an industry that takes itself too seriously most of the time.

What I really want to know is, who was ignorant enough to let anyone at either of these vendor booths scan their badges! Well, not that the NSA weasels don't already have that information. [On a somewhat related note, NSA: what'd you think about that breakfast I just had?? Yummy!]

On a (slightly) more serious note, here are 3 of the 4 blog posts I wrote for my friends at while at the show you might be interested in:

RSA keynotes highlight information security mistakes

The ridiculous emergence of 'cybersecurity' (thanks to the federal government)

Security topics that have come of age (that you need to keep on your radar)

Have a great week!

Wednesday, February 19, 2014

Step up or step aside, somebody needs to fix your security woes

I just got off a phone call with some friends/colleagues where we were discussing the latest security trends. After talking, it occurred to me that we're basically going backwards in time with information security. It seems with the Target breach, the stupid passwords people are still using in 2014, and even today's new SANS-Norse healthcare security report, it just keeps piling up as if nothing works.

But it can work - if people would get out of their own way.

Looking at it from a psychological perspective (a great way to view security trends/challenges), it's really about the choices people are making - or not making - about security:
You've heard the adage, "if you lie about something long enough and consistently enough, pretty soon people will start believing the lies as the truth." So many people are thinking that IT and security problems are just getting too hard to handle...that the bad guys are just getting "badder". The government can fix things with whatever "cybersecurity" nonsense they're going to shove down our throats. To the cloud so we can wash our hands of all this.

Too many people are acting as if everything is out of their control, like low-information voters at the ballot box.

Like I talked about in this new guest blog post for Rapid7, don't let history repeat itself so that you get burned. Step up or step aside - somebody needs to fix this stuff.

Wednesday, August 14, 2013

Municipal information security weaknesses, hacking, careers, & committees

Here's some new content I've written recently on various information security topics you might be interested in:

Government Security: Uncovering Your Weaknesses (common vulnerabilities I see when performing security assessments for municipalities)

Eight questions to ask yourself before moving to C-suite management (are you really sure you want to do this!?)

IT career paths: Working for yourself is an attainable dream (if you want to stop working for the man)

Top 9 ways to prevent hacking in your enterprise (seriously, you can if you get these basics in check)

How to form a functional enterprise IT security committee (okay, I use the word 'functional' loosely, but it's nowhere but up from here right!?)

In the meantime, check out my website for links to all of my other information security-related content.


Well, in the spirit of my book Hacking For Dummies (be sure to check out the new 4th edition), here are some tips I've written for my friends at TechTarget and Acunetix on some important web and mobile application security issues you need to be tuned in to beyond all the noise that's out there:

Don’t Let Problems Stop You From Carrying Out Web Application Testing (before 'Too Scared to Scan' was cool ;-)

Mobile app software: Avoid the perpetual cycle of insecurity

Hybrid security: Beyond pen testing and static analysis

Mac Malware Underscores Why You Can’t Ignore Web Security Threats

Do You Scan with Network Security Controls Enabled or Disabled?

Take Care in Handling the Results of Your Web Application Testing

Much more to come on web and mobile security testing...It's what I love doing and I've learned a tremendous amount while doing it over the past decade.

In the meantime, check out my website for links to all of my other information security-related content.


Monday, August 12, 2013

You can't see the light 'til you open your eyes...

I noticed a lot of interesting topics/news coming from the Black Hat conference last week such as:
  • SSH Communications Security Unveils General Availability Of SSH Risk Assessor Tool
  • Preparing For Possible Future Crypto Attacks
  • Crack of mobile SIM card crypto and virtual machine features could let an attacker target and clone a phone 
  • HTTPS Hackable In 30 Seconds: DHS Alert
No doubt, these are all worthy topics that will help improve information security over the long haul...researched and presented by people who are much smarter than me.

Yet, given where most businesses are with information security today, we've got *much* bigger things to be concerned with such as:
  1. Network shares - open to anyone on the network - providing unfettered access to sensitive information
  2. No proactive event monitoring using the proper tools and expertise (outsource it!)
  3. Firewalls with no passwords or a complex rulebase with a lot of redundancy and risky rules
  4. Phones and tablets with zero security controls
  5. Laptops with no drive encryption (I know most laptops, according to business executives who know more about security than their IT staff, have "nothing of value" on them, but still)
  6. Database servers without passwords, or with default passwords, serving up PII and more to anyone with simple curiosity and a copy of SQL Server Management Studio or HeidiSQL.
  7. Physical security access control and IP video systems that are accessible to anyone on the LAN (sometimes even Wi-Fi) for track covering, system disabling, video deletion, etc.
  8. Operating systems with patch management software that are *still* missing critical updates that are exploitable using free tools to provide full admin access to the system without the attacker ever having to "log in"
  9. Web apps with SQL injection, rampant cross-site scripting, and login mechanisms that are easily manipulated
  10. Mobile apps that have yet to see an iota of security testing
These are all things I find on a consistent basis...Not because I'm smart but because they're very predictable and often go ignored.
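Item 9 above (and the weak login mechanisms that keep showing up in these lists) is about as low-hanging as fruit gets, so here is an added example of what it looks like in code. This is not code from the original post or from Hacking For Dummies; it is a self-contained Python illustration using an in-memory SQLite database with two constructed sample accounts. The function and table names are made up for the demonstration. The vulnerable login builds its SQL by string formatting, so a username of admin' -- comments out the password check entirely; the hardened version uses a parameterized query and compares hashes with a constant-time function.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    """Build an in-memory SQLite DB with constructed sample accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    # Unsalted SHA-256 is used only so this runs on the standard library alone;
    # a real application should store passwords with a slow, salted hash
    # (bcrypt, scrypt or Argon2), never plain SHA-256.
    for user, pw in (("admin", "Tr0ub4dor&3"), ("kbeaver", "correct horse")):
        conn.execute(
            "INSERT INTO users VALUES (?, ?)",
            (user, hashlib.sha256(pw.encode()).hexdigest()),
        )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """VULNERABLE: untrusted input is spliced directly into the SQL text.

    A username of  admin' --  turns the WHERE clause into
        username = 'admin' --' AND pw_hash = '...'
    and SQLite treats everything after -- as a comment, so the password
    is never checked. Returns the authenticated username or None.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """HARDENED: parameterized query plus constant-time hash comparison.

    The driver binds the username as data, so quotes and comment markers
    in it cannot change the query's structure. The hash check happens in
    Python with hmac.compare_digest to avoid timing side channels.
    Returns the authenticated username or None.
    """
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return username if hmac.compare_digest(candidate, row[0]) else None


if __name__ == "__main__":
    db = make_db()
    for payload in ("admin' --", "' OR 1=1 --"):
        print(f"{payload!r:16} vulnerable -> {vulnerable_login(db, payload, 'x')}")
        print(f"{payload!r:16} hardened   -> {safe_login(db, payload, 'x')}")
```

Run it and the two injection payloads log you in as admin through vulnerable_login while safe_login rejects both; the legitimate credentials still work in both paths. The fix is not clever: bind parameters, hash passwords properly, and compare in constant time. That is exactly the kind of basic that gets skipped while people chase headline exploits.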

"Can't see the light 'til you open your eyes" ...minimal yet insightful lyrics from one of my favorite bands, Black Country Communion. The "light" that people aren't seeing because they're being distracted by flashy headlines, sky is falling "exploits", valueless auditor mandates, or IT execs who are (ironically) "threatened" by information security is the very light that's going to end up biting them if they're not careful...such as the items listed above.

I read something recently from sales/achievement expert Jeffrey Gitomer that said "People who are cocky and arrogant say, I know that and move along. People who are confident and positive ask themselves How good am I at that? and seek to improve."

Great tie-in to the point I'm making. Which side are you on?

Concentrate on the fundamentals and nothing else for now, and for as long as it takes to ensure you have true control over the information security basics that have been around for decades. Otherwise, you're ignoring the obvious, and it will rear its head at some point. As we see time and again in the research studies (Verizon DBIR, etc.), the odds are much greater that you'll get bitten by something silly rather than by a niche exploit that hits a relative few.

Finding and fixing the low-hanging fruit (the 20% of vulnerabilities that cause 80% of the problems) is something I've been advising for years and I'm going to keep doing it because that is where the risk is.

Wednesday, February 6, 2013

Reactive security, eh? How’s that workin' for ya?

Every time I browse the Chronology of Data Breaches and read the headlines coming out from Dark Reading, threatpost, and the like, I can't help but shake my head.

What is it really going to take to get people - mostly management, but some in IT - to fix the stupid, silly, low-hanging fruit that's plaguing so many networks today...? Well, here's a new piece I wrote for the nice folks at Lumension where I delve into this subject a little more.

As Thomas Jefferson said, Determine never to be idle. It is wonderful how much may be done if we are always doing. Our security problems can be fixed if we choose to fix them.

Tuesday, January 29, 2013

Introducing the brand new Hacking For Dummies, 4th edition

Well, it's here...the fourth edition of my book Hacking For Dummies is officially available today!

Starting summer of 2012 and ending just before Christmas, I put in over 200 hours of blood, sweat, tears, and occasional cussing into this edition...more than any previous updates to the book. That said, my savvy technical editor, Peter Davis, and the wonderful editors at Wiley, Becky Huehls, Virginia Sanders, and Amy Fandrei were the real magic behind it all.

Thanks to everyone's hard work, I truly feel like Hacking For Dummies has finally come of age.

You're not going to learn every single technical detail of every possible security test. As I've said in the past, you need to use the proven time-management principle of focusing on the urgent and the important...eliminating the nasty, silly, and dangerous low-hanging fruit in your environment. That's exactly what Hacking For Dummies, 4th edition is all about.

In addition to walking you through, step by step, the entire information security assessment process (understanding the threats, planning, testing, reporting, and plugging the holes), I also talk about getting management buy-in and costly mistakes to avoid. I share my real-world experiences on what to do and what not to do in order to get the most out of your information security testing and risk management processes.

This edition has a lot of new content including coverage of Windows 8, mobile devices, and mobile apps. I've also fleshed out my chapters on hacking passwords, wireless networks, and web applications.

Hacking For Dummies is not the be-all end-all resource for information security testing. I wouldn't want to put myself out of business! And after all, there is no definitive resource on this subject.

What I can say is if you're looking for a no frills, common sense, street smart guide on the core essentials of ethical hacking, the key vulnerabilities to test for, and some hard lessons I've learned along the way, then Hacking For Dummies, 4th edition is for you. Check it out...I think you'll like it.

Tuesday, November 13, 2012

Are you doing enough to protect your secrets? It's unlikely.

If the person who heads the CIA can't keep his "secrets", nothing's secret. It's as simple as that.

What are you doing to ensure your intellectual property is protected?

Lawyers will claim their contracts are enough. Management will leave their heads in the sand and claim their IT folks are handling it. Neither is enough.

Fix the silly/ridiculous/inexcusable low-hanging fruit on your network and then put the proper technologies and procedures in place to build things out from there. No matter how much money you've spent, how good your IT staff is, and how much you trust your employees, there's always room for improvement.

Monday, June 11, 2012

Focus on yourself and reap the rewards in IT & infosec

If you're in to big-picture IT and information security stuff like, say, your career and focusing on what matters, here are some new bits I've written for TechTarget and Security Technology Executive magazine that you may be interested in:

Five habits of highly-successful IT pros

Social networking strategies to further your IT career

Five ways to advance your Windows career

Understanding management gets your IT department what it needs

RSA's look at the big picture

Enjoy! As always, check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Thursday, March 15, 2012

Thursday, March 1, 2012

My final takeaway from #RSAC

I said my farewell to the RSA Conference Tuesday evening but had some final thoughts about the show that I wanted to share with you.

In addition to the keynotes I talked about, I attended a mock trial session involving malware, a digital certificate acquired for ill-gotten gains, and a healthcare company that ignored all things HIPAA (heard that a million times!) as well as a session by HP's Jacob West (an excellent presenter if you ever get a chance to see him) on mobile application security. Both were very well presented.

I had a chance to mingle with long-time colleagues and clients (many of whom I met in person for the first time) on the show floor. It was also neat to see my book in the RSA bookstore - very humbling seeing it mixed in with some of the big sellers in our field.

Here's my big takeaway from everything that I saw at the show...it's something you've heard me say before and I'll continue saying it until I retire. It was echoed in every presentation I attended and every bit of marketing literature I read. Be it the overall network, databases, mobile apps, people - whatever - you cannot secure what you don't acknowledge. And so many of us are not acknowledging all the things that matter. So step back, see the big picture, fix the low-hanging fruit (the home runs), put the proper tools and processes in place and then dig in further over and over again...never letting up.

Overall a really cool show...you've got to go to the RSA Conference next year if you can.

Wednesday, February 8, 2012

What's it going to take for police departments to secure their websites?

Here's yet another story about a police department website being compromised by criminal hackers. When a regular citizen's home address is exposed, that's one thing. But when the addresses of police chiefs are published online, that opens up an entirely new set of risks for their personal safety. Sad. Hey, at least the police chiefs I know are armed and well-trained experts. Would be pretty foolish to try and attack them on their home turf.

As I've mentioned before, you have to test ALL of your websites - marketing site, everything. If it's got an IP address or a URL it's fair game for hacking.

Friday, December 16, 2011

AlgoSec & what happens when you don't look for flaws from every angle

I recently had the opportunity to see how well AlgoSec's Firewall Analyzer performs in a real-world security assessment. Long story short, Firewall Analyzer found a weak password on an Internet-facing firewall that would've gone undetected otherwise. A traditional vulnerability scanner didn't find it nor did two different Web vulnerability scanners. Nothing was uncovered via manual analysis either.

Only AlgoSec's Firewall Analyzer found it...no doubt a flaw that would've been exploited eventually.

Folks, information security is about piecing things together. We're never going to find it all but we darn sure need to use every means possible to check for flaws from every possible angle. Underscope your assessments and you're screwed - at best you're living in a delusional world. Case in point, I just reviewed a vulnerability assessment report that looked at every single external and internal IP address belonging to a business, but not a single marketing site, e-commerce application or intranet portal was tested. And everything checked out "OK". The result that the executives saw was Low Risk Overall.


Just like I tweeted about today regarding what Qualys finds in vulnerability scans versus much of the "free" and commercial competition (there's no comparison)...I honestly believe that some big data breaches that have already occurred and have yet to happen will be related to using the wrong tools...or not enough tools...that combined with people not testing all the systems that matter. People aren't looking at the whole picture.

I know, you can't rely on tools alone but by golly you'd better make sure you're not only looking at everything that matters but you're also using the best tools possible when doing your security testing. Here's a new bit I wrote that covers this very subject:
Good Web Security Tools and Why They Matter

Thursday, December 15, 2011

Going green's tie-in with infosec

If you've been following my blog and my principles for even a short period of time you've probably figured out that I pull no punches when it comes to personal responsibility and limited government. There's hardly anywhere I'm more passionate in this regard than the marketing smoke and mirrors of "Going Green" and the religion of "global warming". I should say "climate change"; that covers warming and cooling for the anti-Capitalist movement, right?

Bandwagon jumping aside, I do believe that it's up to all of us to take reasonable care of the environment through recycling, minimizing the energy we use and so on. In fact, I strongly believe that if we all just did a little bit in terms of personal and business recycling and being smarter about energy consumption that we could make a huge difference for future generations.

Ditto with information security. I truly believe if we all just did a little bit more...if management exercised more common sense, if users clicked on fewer unsolicited links and if IT managers and developers fixed the low-hanging fruit - the basics of what's continually exploited - just imagine how much more secure our information would be.

The problem is getting people to take personal responsibility for their actions. There's a big, big hurdle with that though and therein lies the problem.

Be it heads in the sand over information security or society slowly dismantling the very essence of what's given us our standard of living in the name of "global warming", as Ayn Rand said: We can evade reality but we cannot evade the consequences of evading reality.

Monday, November 21, 2011

Don't turn a blind eye on the basics

I'm all about shoring up the basics of Web security before throwing money at the situation. If you're interested in saving not only money but also time and effort, here are some new pieces I've written on Web security that you may be interested in:

Explaining the why of Web application security

Improving Web security by working with what you’ve got

Not all Web vulnerability scans are created equal

Why people violate security policies

As always, be sure to check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Sunday, September 4, 2011

DNS hack: UPS, National Geographic, Acer, etc. websites affected

Happy (almost) Labor Day...here's the latest from the criminal hackers: a DNS hack has redirected numerous websites of UPS, National Geographic, Acer, The Register and more. Nice.

Betcha it was some low-hanging fruit someone, somewhere overlooked.

Wednesday, June 8, 2011

Weiner fallout: "I got hacked" is the new scapegoat

I recently met up with some technology lawyer colleagues after work and we shared our thoughts on the Anthony Weiner "incident". We were talking about how early on in the saga no one but Weiner and the lucky recipients of his tweets really knew what the truth was. Predictably, as we're seeing and hearing more and more these days, Weiner came out and said "I was hacked. It happens to people." In other words, instead of claiming personal responsibility for the issue, he could just claim someone else did it and hopefully wash his hands of the issue.

Don't get me wrong. Companies and people do get hacked, but hacking is not always what caused the problem.

Then it came to us, "I've been hacked" is the new scapegoat. Savvy politicians and business leaders know that getting "hacked" is a generic enough claim that the general public may buy it. After all, many people believe that hacking is this mysterious, intangible "thing" that just happens these days. It's simply dismissed as "Oh well, sucks to be that person or business". Such an excuse is very similar to what I've written about "computer glitches". It's an easy way out.

Interestingly, one thing that hasn't really been discussed in the media covering WeinerGate is how you actually get to the truth...do X, Y and Z to reveal what really happened. Be it a simple forensic analysis of Weiner's computer(s) all the way to subpoenaing Twitter for the log files associated with the usernames, dates and times in question, there's a way to get to the bottom of such matters. These procedures are carried out as part of the legal process in countless investigations and lawsuits every day in the US. But we weren't hearing about that.

We now know that a formal investigation wasn't needed with Weiner. However, if you're caught in a bind and need to prove your innocence, the e-discovery and forensics processes have a nice way of working things out...It's all a matter of choice and, I suppose, context.

Perhaps it's time to step back, fix the low-hanging fruit that's putting your business at risk, and move forward with your chin up willing to take responsibility for information security once and for all. No scapegoats necessary...

Wednesday, May 25, 2011

Web appsec compliance & low-hanging fruit - it's all up to us!

Here are some recent pieces I wrote on Web application security common sense for my colleagues at Acunetix that you may be interested in:

But Compliance is Someone Else’s Job!

Low-hanging fruit becomes big news with the 2011 Verizon Data Breach report

Going Beyond Confirmed Web Security Flaws


As always, be sure to check out for links to my 500+ articles, whitepapers, podcasts, webcasts, books and more.