You can't secure what you don't acknowledge.℠

Thursday, August 31, 2017

HIPAA and data encryption - what you need to know

When I co-wrote the first edition of the book The Practical Guide to HIPAA Privacy and Security Compliance, both HIPAA and data encryption were a big deal. Fast forward nearly 15 years and they're still a big deal, yet many people are still struggling with both. 

If you're looking for some insight/guidance on HIPAA compliance, data encryption, or security intelligence in today's business environment, here are a few new pieces that I wrote for the nice folks at Thales e-Security that you may want to check out:

Going beyond addressable with HIPAA and doing what’s right with data encryption 

How security intelligence can support HIPAA compliance

Why PHI access controls matter

The HIPAA compliance payoffs of protecting PHI with encryption


Wednesday, August 16, 2017

Hacking For Dummies featured in new Lifetime movie Running Away

I had the neat opportunity to recently see my book, Hacking For Dummies, featured in this summer's Lifetime movie called Running Away. I've known that it was a possibility for some time but it was cool to see it on the screen! Here's the scene it's featured in:

You can see more about - and purchase - Hacking For Dummies (currently in its 5th edition) on Amazon by clicking the graphic below:

Thanks for your support!

Thursday, August 10, 2017

Rapid7's Insight platform provides focused analytics for your security program

Fairly recently, Rapid7 took their vulnerability management platform up to the next level with their analytics platform called Rapid7 Insight. It's beneficial for an independent consultant like myself and even more useful for enterprises with IT environments of growing complexity. Rapid7 Insight is marketed as a way to bring together the Nexpose vulnerability research, Metasploit exploits, global security intelligence and exposure analytics into a single system that can help businesses solve more - and better - security problems. 

A cloud tool that integrates with your Nexpose instance, Rapid7 Insight lets you see what's being uncovered in your environment, monitor specific vulnerabilities, and bring it full circle with ticketing system integration to support remediation workflows. You even have a choice of where to store your data in the cloud in order to meet specific compliance/legal requirements. Here are some examples of Insight's "Liveboards" that provide info on specific areas of vulnerability management. These show external-facing security vulnerability data, including details on exploitable vulnerabilities.

Being able to run a tool such as this can add tremendous value to security testing and vulnerability remediation programs. This level of detail can show you exactly where you need to focus your efforts in order to expedite remediation and ensure returns on your security efforts. Hint: getting your patching under control, once and for all, will likely be front and center. This information is good for sharing with executive management and can also help you prioritize your efforts that involve security policy development, user awareness and training, incident response and other core areas of security that need attention.

Neither Rapid7 Insight nor any other tool is going to fix all of your security problems, but it will at least set you on the right path. The discipline required to see things through is totally up to you.

Monday, August 7, 2017

How to gain control & become an IoT security expert

You've no doubt heard the vendor spiels and seen their solutions for gaining control of your Internet of Things environment. But do you truly have IoT under control? Like other things in IT, it can be pretty overwhelming, especially when you're struggling to keep your arms around your traditional network environment with cloud and mobile and all the complexities they bring. 

Well, IoT security doesn't have to be that difficult. It's complicated in the sense that any well-run security program is complicated but, in many ways, there's really nothing new. I can assure you that if you step back to look at the bigger picture of what's going on with IoT security, from vendor marketing overload to understanding your network to fixing the basics, you can (and will) gain control of IoT if you take a measured approach. 

Here are several pieces I've created on IoT security that can help you in your endeavors:

Integrating the IoT into your application security program

Getting Ahead of the IoT Security Curve (an ISACA/TechTarget webinar)

Don't overlook this key element in securing the Internet of Things

Is Your Security Program Ready for the Internet of Things?

IoT at RSA brings a new focus on old problems

Securing the Internet of Things

Top cybersecurity trends for the first half of 2017

I hope this helps. Don't hesitate to reach out to me if you're ever in need of IoT security testing or strategy consulting. Cheers!

Wednesday, June 21, 2017

Using Centrifuge for IoT security testing

I love hacking things, especially new things like what's showing up on networks around the globe in the form of IoT. If IoT security is anywhere on your radar, you're likely incorporating these devices into your security testing program. Well, there's a new IoT security assessment tool in town that you need to know about called Centrifuge, brought to you by Tactical Network Solutions - makers of the former (and awesome) Reaver Pro tool.

Centrifuge is a cloud-based platform that can reverse engineer binary firmware files and analyze them for security flaws. It supports various IoT systems, including firmware from common routers and network devices from Belkin, D-Link, and Linksys, and finds some interesting stuff. For example, here's the platform showing the file structure from an older Netgear R7000 wireless router's firmware:

And here's the output of Centrifuge's crypto analysis...note the public and private keys uncovered:


Most telling is the number of vulnerabilities uncovered (an amazingly scary number of command injections and buffer overflows in just one product's firmware) as shown here:
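The crypto analysis shown above is the kind of check you can reproduce yourself once a firmware image has been unpacked into a filesystem tree. The script below is an added example, not Centrifuge's code or Tactical Network Solutions' code: it walks an extracted root filesystem, looks for PEM-encoded key material (in plain files and embedded inside binaries), and flags anything that is a private key, since a private key baked into a firmware image is shared by every unit that ships with it. The directory layout and the PEM bodies are constructed placeholders built in a temp directory, not real keys from any product.

```python
"""Scan an extracted firmware filesystem for embedded PEM key material.

Added example (not Centrifuge's code). The sample tree and the PEM bodies
below are constructed placeholders, not real keys from any device.
"""
import os
import re
import tempfile

# A PEM block is a BEGIN header and a matching END footer; DOTALL lets the
# base64 body span lines. The backreference forces the labels to match.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+?)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

# Labels that denote private key material. An ENCRYPTED PRIVATE KEY is
# still worth flagging: the passphrase is usually in the same image.
PRIVATE_LABELS = {
    "RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY",
}


def find_pem_blocks(data: bytes) -> list[str]:
    """Return the PEM labels found in a byte blob, in order of appearance."""
    return [m.group(1).decode("ascii") for m in PEM_RE.finditer(data)]


def scan_firmware_tree(root: str) -> list[dict]:
    """Walk an extracted rootfs and report every PEM block, file by file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # unpacked squashfs images often carry dangling symlinks
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            for label in find_pem_blocks(data):
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "label": label,
                    "private": label in PRIVATE_LABELS,
                })
    return findings


def summarize(findings: list[dict]) -> dict:
    """Counts plus the sorted list of files that hold private keys."""
    private = [f for f in findings if f["private"]]
    return {
        "total": len(findings),
        "private": len(private),
        "private_paths": sorted({f["path"] for f in private}),
    }


def pem_block(label: str, body: str = "QUJDRA==") -> bytes:
    """Constructed placeholder PEM block; the body is not a real key."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()


def build_sample_tree() -> str:
    """Create a constructed, minimal rootfs resembling an extracted image."""
    root = tempfile.mkdtemp(prefix="fw_")
    os.makedirs(os.path.join(root, "etc", "ssl"))
    os.makedirs(os.path.join(root, "etc", "lighttpd"))
    os.makedirs(os.path.join(root, "usr", "sbin"))
    # Web server cert with its private key in the same file (common on routers).
    with open(os.path.join(root, "etc", "ssl", "server.pem"), "wb") as fh:
        fh.write(pem_block("CERTIFICATE") + pem_block("RSA PRIVATE KEY"))
    with open(os.path.join(root, "etc", "lighttpd", "lighttpd.conf"), "wb") as fh:
        fh.write(b'ssl.pemfile = "/etc/ssl/server.pem"\n')
    # A key compiled straight into a binary, which a plain-file grep would miss.
    with open(os.path.join(root, "usr", "sbin", "httpd"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 32 + pem_block("EC PRIVATE KEY") + b"\xff" * 16)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    results = scan_firmware_tree(sample_root)
    for f in results:
        print(("PRIVATE " if f["private"] else "public  ") + f["path"] + "  " + f["label"])
    print(summarize(results))
```

Point the scanner at the unpacked root of a real image in place of the sample tree. The caveat is that this only catches PEM-armored keys; DER-encoded, XOR-obfuscated or compressed key material will not match the pattern, which is where a purpose-built analyzer earns its keep.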

IoT poses formidable security threats to end consumers and businesses alike, and those of us in IT and security need to be paying attention. We simply cannot rely on IoT vendors to keep things in check. Instead, we have to find and resolve security flaws ourselves and establish compensating controls where possible. Clearly, there's a lot going on in terms of IoT security; at least we have tools like Centrifuge coming to market to help us further the cause.

Monday, May 15, 2017

The real reasons behind the WannaCry ransomware

As we continue down the path of yet another major security breach - this time with the ransomware WannaCry - let us remember that it's not just about the criminal hackers, out-of-control government agencies such as the NSA, or vendors such as Microsoft putting out vulnerable software. Every single one of us working in IT, security, and business today is complicit in these challenges.
  • Outdated/unsupported operating systems are running. We are responsible.
  • Patches are not getting installed in due time. We are responsible.
  • People are clicking links and making other bad decisions. We are responsible.
  • Stuff is happening on the network, sight unseen. We are responsible.
  • Policies are ignored. We are responsible.
  • Unfunded mandates still exist. We are responsible.
  • Systems – even entire network environments – remain untested. After all, you can't secure what you don't acknowledge. We are responsible.
  • Underscoped and unauthenticated vulnerability scanning and penetration testing paints an inaccurate picture of the average security posture. We are responsible.
  • Incident response procedures remain undocumented. We are responsible.
  • Credibility and relationships are essential for mastering information security, yet we continue to focus on everything but that. We are responsible.
  • Information security continues to be seen as IT's problem. We are responsible.
I don't know how many more widespread breaches we'll have to endure but I do know that everyone has a hand in these challenges before us. We can continue down the path of promising that we are compliant and secure when we are, in reality, reacting aimlessly to everything that happens. I know that managing enterprise IT environments is not easy and I certainly don't envy anyone responsible for securing them. Still, there is so much that most organizations are leaving on the table. But, why?

Is it people protecting their territories under the guise of long-term job security? Perhaps it's lack of budget or management buy-in? Maybe it's an out-of-control user base continuing to not think before they act...?

Whatever it is, it needs to change. The criminal hackers and those supporting them are not going away. In fact, they look at issues such as the WannaCry ransomware outbreak as yet another reason they need to keep doing what they're doing. As the saying goes: change before you have to.

Monday, May 8, 2017

My CSO interview/story: What it takes to be an independent information security consultant

I'm very honored to have been interviewed recently for CSO Magazine about my background and what it takes to stand out - and survive - as an independent security consultant. Check it out here:

Thanks for the nice write-up, Bob Violino!

Monday, April 3, 2017

People will violate your policies all day long...if you let them.

I recently saw this out in front of a local restaurant where management was trying to resolve parking, sidewalk access, and traffic issues. Their "control" obviously doesn't work:

Be it parking cars or using computers, instant gratification is the name of the game. People want what they want. They want it right now. And, they will take the path of least resistance - and violate your policies in the process to get it - especially when enforcement is weak like in the picture above.  

Good lesson for IT and information security leaders. Lots of room for improvement in this area.

Friday, March 31, 2017

Monday, March 13, 2017

Web and mobile application security vulnerability and penetration testing resources

Application security is no doubt one of the most important aspects of a security program. Here are some new pieces I've written that can help keep your web and mobile app vulnerabilities in check and your application security program on the right track. Pay special attention to the last one regarding security assessments and reality:

Keeping your Web applications in check with HIPAA compliance
Mobile app security risks could cost you millions
Common oversights in mobile app security
How to stay ahead of the curve in application security
Protecting Web applications with network controls - Is it effective?
Secure coding job interview questions
Ignore these common mobile app security risks at your own peril
Why Security Assessments are Often not a True Reflection of Reality

And, in case you missed the RSA conference this year, here are some pieces that I wrote to recap the show:
Top stories coming out of the 2017 RSA Conference worth paying attention to
What you need to know about the 2017 RSA Conference
RSA Conference tips for CISOs – From 10 years ago to today
IoT at RSA: A New Focus on Old Problems

Be sure to check out my other information security resources on my website and follow me on Twitter @kevinbeaver.