You can't secure what you don't acknowledge.SM

Monday, April 3, 2017

People will violate your policies all day long...if you let them.

I recently saw this out in front of a local restaurant where management was trying to resolve parking, sidewalk access, and traffic issues. Their "control" obviously doesn't work:

Be it parking cars or using computers, instant gratification is the name of the game. People want what they want. They want it right now. And, they will take the path of least resistance - and violate your policies in the process to get it - especially when enforcement is weak like in the picture above.  

Good lesson for IT and information security leaders. Lots of room for improvement in this area.

Friday, March 31, 2017

Monday, March 13, 2017

Web and mobile application security vulnerability and penetration testing resources

Application security is no doubt one of the most important aspects of a security program. Here are some new pieces I've written that can help keep your web and mobile app vulnerabilities in check and your application security program on the right track. Pay special attention to the last one regarding security assessments and reality:

Keeping your Web applications in check with HIPAA compliance
Mobile app security risks could cost you millions
Common oversights in mobile app security
How to stay ahead of the curve in application security
Protecting Web applications with network controls - Is it effective?
Secure coding job interview questions
Ignore these common mobile app security risks at your own peril
Why Security Assessments are Often not a True Reflection of Reality

And, in case you missed the RSA conference this year, here are some pieces that I wrote to recap the show:
Top stories coming out of the 2017 RSA Conference worth paying attention to
What you need to know about the 2017 RSA Conference
RSA Conference tips for CISOs – From 10 years ago to today
IoT at RSA: A New Focus on Old Problems

Be sure to check out my other information security resources on my website and follow me on Twitter @kevinbeaver.


Friday, March 3, 2017

Email phishing services: Just what you need to know to start mastering the task

Got phished? Of course you have...whether you know it or not! 

As with penetration and vulnerability testing and any other form of security assessment, you need to be performing email phishing tests on your users – all of them, including executive management – on a periodic and consistent basis. I'm doing more and more of this work and the results that I'm finding are to the point that all other security testing could be stopped and existing security technologies could be eliminated unless and until this situation is under control. I'm finding these gaping holes in IT and security programs not because I'm smart...I just use good tools and know what to do/say beyond traditional email phishing testing - which, by the way, stinks out loud in most organizations and serves as a mere checkbox item.

I'm not going to give away all of my secrets - that's what my independent email phishing consulting services are for. But I will share with you some insight and tips that you're probably not going to find elsewhere or that might require some painstaking "experience" to learn otherwise. Here you go:

Be sure to check out all of my other information security resources on my website when you get a chance. Cheers!

Monday, February 6, 2017

Getting to know your network with Managed Switch Port Mapping Tool

In my years performing independent network security assessments, one thing that has really stood out to me is the lack of network insight. Regardless of the size of the organization, the industry in which they operate, and the level of security maturity, in most cases, I see IT and security shops with very little:
  • documentation
  • inventory
  • configuration standards
  • logging and alerting outside of basic resource monitoring
What this means – and what it can easily lead to – is incidents and subsequent breaches that may or may not be detected. These gaps combined with today's network complexities are virtually guaranteed to create unnecessary business risks.

In the spirit of having good tools to make your job easier, Northwest Performance Software has a program called Managed Switch Port Mapping Tool that can help put you on the right track in terms of getting to know your network environment, improving your visibility, and managing your ongoing changes. It's a tool that I have used off and on for years in conjunction with their popular toolset called NetScanTools Pro. The Managed Switch Port Mapping Tool is pretty straightforward – it simply uses SNMP to map out network switches which can provide a ton of information about entire network segments - information that often gets taken for granted. Here's a sample screenshot:
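Port mapping of the kind described above, as an added example written for this post (not Northwest Performance Software's code): it joins the three standard SNMP tables such mappers read (BRIDGE-MIB dot1dTpFdbPort and dot1dBasePortIfIndex, IF-MIB ifDescr) into a MAC-to-port inventory over constructed snmpwalk output, and flags ports that learned more MACs than an access port should as likely uplinks (a threshold chosen here for illustration).

```python
import re
from collections import defaultdict

# Standard OID prefixes (BRIDGE-MIB / IF-MIB) that an SNMP port mapper walks
FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2"      # dot1dTpFdbPort: MAC (6 octets) -> bridge port
PORT_IFINDEX = ".1.3.6.1.2.1.17.1.4.1.2"  # dot1dBasePortIfIndex: bridge port -> ifIndex
IF_DESCR = ".1.3.6.1.2.1.2.2.1.2"         # ifDescr: ifIndex -> interface name
MAX_HOSTS_PER_ACCESS_PORT = 2             # constructed heuristic for spotting uplinks

# Constructed "snmpwalk -On" style output, not captured from a real switch:
# two hosts on bridge port 1, one on port 3, three MACs learned on port 24.
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.86 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.0.80.86.171.205.239 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.172.222.72.0.17.1 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.172.222.72.0.17.2 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.172.222.72.0.17.3 = INTEGER: 24
.1.3.6.1.2.1.17.1.4.1.2.1 = INTEGER: 10001
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.1.4.1.2.24 = INTEGER: 10024
.1.3.6.1.2.1.2.2.1.2.10001 = STRING: GigabitEthernet1/0/1
.1.3.6.1.2.1.2.2.1.2.10003 = STRING: GigabitEthernet1/0/3
.1.3.6.1.2.1.2.2.1.2.10024 = STRING: GigabitEthernet1/0/24
"""

LINE_RE = re.compile(r"^(\.[\d.]+) = (?:INTEGER|STRING): (.*)$")

def parse_walk(text):
    """Turn 'oid = TYPE: value' lines into an {oid: value} dict."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2).strip('"') for m in matches if m}

def _index(oid, prefix):
    """Instance index of oid under prefix, or None if it belongs to another table."""
    return oid[len(prefix) + 1:] if oid.startswith(prefix + ".") else None

def map_ports(walk):
    """Join the three tables into ({mac: port_name}, {port names that look like uplinks})."""
    port_macs, port_ifidx, ifdescr = defaultdict(list), {}, {}
    for oid, val in walk.items():
        if (idx := _index(oid, FDB_PORT)) is not None:  # index = MAC as decimal octets
            port_macs[int(val)].append(":".join(f"{int(o):02x}" for o in idx.split(".")))
        elif (idx := _index(oid, PORT_IFINDEX)) is not None:
            port_ifidx[int(idx)] = int(val)
        elif (idx := _index(oid, IF_DESCR)) is not None:
            ifdescr[int(idx)] = val
    mac_to_port, uplinks = {}, set()
    for port, macs in port_macs.items():
        # Fall back to the raw bridge port number if either join has a gap
        name = ifdescr.get(port_ifidx.get(port), f"bridge-port-{port}")
        if len(macs) > MAX_HOSTS_PER_ACCESS_PORT:
            uplinks.add(name)  # many MACs behind one port: a trunk or uplink, not a host
        for mac in macs:
            mac_to_port[mac] = name
    return mac_to_port, uplinks
```

A real run would feed it the output of three snmpwalk commands against the switch; the uplink flag is what keeps a mapper from reporting every MAC on the trunk as a host "on" that port.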

We work in a world where vendors are pushing SIEM, CASB, and Next-Gen Whatevers while, at the same time, we don't even have the network and security basics down pat. We're too busy spending time and money on the latest and greatest technologies when we need to just go back and do more to get a grasp on the core essentials of the network. Once that has been achieved, then – and only then – does it make sense to buy into what we're being sold. Just be careful, because such proposals may not always be in your best interest!

Kirk Thomas at Northwest Performance Software has been creating these network tools for a couple of decades now. I first learned about NetScanTools back in the mid-1990s at Novell's BrainShare conference (remember the awesome OS called NetWare!?). Anyway, if you're looking to get a better grasp on your network while, at the same time, improving your overall security posture, check out these tools. They'll only serve to make you look better. If you're like me, you can use a dose of that every now and then!

Thursday, January 19, 2017

Children's Hospital Los Angeles breach reminds us that HIPAA means nothing if you ignore its requirements

Back in 2007 I wrote a blog post on what's it going to take to encrypt laptop hard drives. After seeing this recent story about Children's Hospital Los Angeles, I can't help but shake my head.

The 0 comments on this article say a lot, as society is becoming immune to these breaches...I think I've heard it called breach fatigue - it's not unlike presidential politics as of late!

In 2007, these decisions were bad enough...Like weak passwords, unencrypted laptops - especially if they're known to have PHI or PII - are simply inexcusable knowing what we now know in 2017. Doctors are smarter than that.

If anything - like all other lost/stolen laptops with sensitive information that have been regulated by things such as HIPAA for 12+ years - it shows that government and industry laws can't force people to make good decisions. Furthermore, "smart" people in positions of power running businesses don't know as much about security as they think they do and aren't as immune to security gaffes as they think they are.

Sunday, January 8, 2017

Hacking is not just an action, it's an excuse

Given all the ridiculous analyses and "findings" on Russian hacking as of late such as federal government bureaucrats who said there's no evidence to prosecute Clinton or who claim that the NSA does not collect data on American citizens yet they're certain that the Russians meddled in the U.S. election - many assertions of which are coming from talking heads with zero experience working in this field - I thought this blog post I wrote back in June of 2011 was worthy of a re-post:

Weiner fallout: "I got hacked" is the new scapegoat

I recently met up with some technology lawyer colleagues after work and we shared our thoughts on the Anthony Weiner "incident". We were talking about how early on in the saga no one but Weiner and the lucky recipients of his tweets really knew what the truth was. Predictably, as we're seeing and hearing more and more these days, Weiner came out and said "I was hacked. It happens to people." In other words, instead of claiming personal responsibility for the issue, he could just claim someone else did it and hopefully wash his hands of the issue.

Don't get me wrong. Companies and people do get hacked, but hacking is not always what caused the problem.

Then it came to us, "I've been hacked" is the new scapegoat. Savvy politicians and business leaders know that getting "hacked" is a generic enough claim that the general public may buy it. After all, many people believe that hacking is this mysterious, intangible "thing" that just happens these days. It's simply dismissed as "Oh well, sucks to be that person or business". Such an excuse is very similar to what I've written about "computer glitches". It's an easy way out.

Interestingly, one thing that hasn't really been discussed in the media covering WeinerGate was this: here's how you do X, Y and Z to reveal what really happened. Be it a simple forensics analysis of Weiner's computer(s) all the way to subpoenaing Twitter for their log files associated with the usernames, dates and times in question, there's a way to get to the bottom of such matters. These procedures are carried out as part of the legal process in countless investigations and lawsuits every day in the US. But we weren't hearing about that.

We now know that a formal investigation wasn't needed with Weiner. However, if you're caught in a bind and need to prove your innocence, the e-discovery and forensics processes have a nice way of working things out...It's all a matter of choice and, I suppose, context.

Perhaps it's time to step back, fix the low-hanging fruit that's putting your business at risk, and move forward with your chin up willing to take responsibility for information security once and for all. No scapegoats necessary...
Here are some reading assignments for you written by two of my peers - leaders in our field and fellas who have their heads on straight about this Russian hacking storyline:

"From Putin with Love" - a novel by the New York Times by Rob Graham

Of course it was the Russians by Peter Stephenson

I may be wrong...I often am. There's always three sides to every story (yours, theirs, and the truth). Knowing what I know about information security along with politicians/bureaucrats and their motivations, I'm a bit skeptical.

By the way, don't let our rulers in the U.S. fool you as this country has been meddling in foreign elections for years - perhaps a bit more legitimately:

Tuesday, January 3, 2017

Keys to a great 2017

Welcome to 2017! 

It's another year and another great opportunity to get security right in your organization. As you return to work with a cleared mind and good intentions, building (or maintaining) an effective information security program in the New Year is not unlike my favorite passion: car racing. You not only need to get off to a good start but you also need to keep up your momentum...lap after lap on the track, week after week at the office. The only difference is car races must come to an end. Information security programs must withstand the test of time. The question is: what are you going to do this year to make things better?

On New Year's Day, I received an email newsletter from Ross Bentley, a very accomplished racecar driver and probably the world's most well-known racing coach and instructor. In this email, Ross talked about the difference between the best drivers and the rest and I think it ties in nicely with my long-time talking points about information security. Here are some of Ross's words:

There are 3 things (not surprisingly) that make the difference:
1. They focus on the basics. The advanced stuff is just doing the basics better.
2. They're committed to learning. They make learning an objective. They know that the more they know, the better they will get.
3. They prepare.
As I reflect on what it's going to take in 2017 for me to become a better information security professional and racecar driver along with how I can advise my clients on how to improve their information security programs, I couldn't have said it any better or any differently than what Ross said. Over the past 11 years, Ross has (unknowingly) taught me just about everything I know about racing cars. Take his advice, combine it with what I've been saying about information security basics, and add in some discipline and persistence day after day and you'll no doubt improve your information security program this year.

For further reading, here are two pieces that I wrote on setting - and achieving - goals that you might enjoy:

8 steps for accomplishing your IT career goals

Setting and Achieving Realistic Information Security Program Goals for 2016


Monday, December 12, 2016

Trump's an expert on hacking too, huh?

Yesterday, soon-to-be President Donald Trump showed just how ignorant politicians can be when it comes to computer security, breaches, and hacking. Referring to the Russians interfering with our recent election, the Donald said:
"Once they hack if you don't catch them in the act you're not going to catch them...They have no idea if it's Russia or China or somebody. It could be somebody sitting in a bed some place."
It's interesting. I've been involved with and heard of many additional hacking situations where the culprit was caught well after the fact...And, yet, the general public buys this kind of stuff because they don't know any better.

Who knows, maybe the Russians were involved. We, the people, will never know the details. Still, this seems to be yet another one of his statements without forethought. And to think this guy is going to be in charge of "cybersecurity" for our country. Between this kind of stuff and his continued attempts telling us what we can't do and how we must think, it's going to be an interesting four years!

Monday, December 5, 2016

Using NowSecure for automated mobile app testing

As an independent information security consultant, I'm always looking for good testing tools to rely on for my work. These tools, such as vulnerability scanners, network analyzers/proxies, and related manual analysis tools, are not the be-all-end-all answer for uncovering security weaknesses, but they are a very important aspect of what I do. Be it more generic vulnerability scans, a targeted penetration test, or a broader, more in-depth, security assessment, I simply don't have the time or brainpower to forgo using good tools.

In the interest of working smarter and not harder, there's a neat mobile app security testing automation tool from NowSecure that can automate the process of mobile app security analysis. This cloud or on-premises platform can be used on currently-deployed mobile apps or apps that are in the middle of their development lifecycle. Just load the APK (Android) or IPA (iOS) file for the mobile app to be tested and the checks are run - including real-world, dynamic simulation - and the report is generated.

You're provided with the specific vulnerability, CVSS references, and recommendations for each finding. NowSecure also includes informational findings as well as security checks that "passed". A summary view of sample findings is shown as follows:

Additional information regarding the mobile app's functionality is provided including:
  • Network connections outlining who/what the mobile app talks to (I always find this amusing and sometimes scary!)   
  • Behavioral events of specific app methods that are run along with timestamps
  • URLs listed in the source code and files contained in the archive package
NowSecure provides an interesting and refreshing approach to security testing. I had someone contact me years ago asking if I had a way to automate the process of testing numerous mobile apps. I didn't and wish I would have - or at least wish NowSecure's current platform would've been around then! Mobile app security testing is (still) a big and underserved market to say the least. This type of tool can help take some pain out of the mobile app security assessment process. Some people out there may be good enough to do manual testing of every computer, web application, and mobile app that's thrown their way. However, odds are these folks are not getting a lot done or providing much value to their employers, customers, or even themselves.

There's too much to do with security and not nearly enough time to do it. Work smart. Don't re-invent the wheel. Automate your security testing with tools like NowSecure where you can. Of course, perform your manual analysis where you need to. I never advocate relying solely on automated tools when performing a full security assessment. There's too much to overlook and lose. However, mobile apps are largely an unexplored frontier so you're going to have to rely on good tools to point you in the right direction and (especially) find those niche flaws that would be impossible or unreasonable to uncover otherwise.

Thursday, November 17, 2016

Careers in information security, dealing with ransomware, and more

With the field of information security as popular as ever, I thought this would be a good time to share some pieces I've written on breaking into the field along with a few more on information security leadership. Oh, and I've thrown in a couple of pieces and a webcast on ransomware since that's a big deal these days. Enjoy!

10 Tips for Breaking into the Infosec Field 

What type of organization needs a CISSP on staff?

The important distinction between security facts and security problems

Why System Administrators are so Crucial to Security

The side-effects of miscommunication between IT and security pros

Security mistakes executives make

CEO Spoofing - Don't get fooled

Five ways to prevent a ransomware infection through network security 

Ransomware, Social Engineering and Human Error: What could go wrong?

As always, be sure to check out all of my other information security articles, webcasts, etc. on my website.

Wednesday, September 21, 2016

Join me along with ISACA and TechTarget today to learn about how to advance your infosec career!

I'm happy to announce that I'll be joining ISACA and TechTarget for their annual online security seminar - a day-long learning event for IT and information security professionals. My session this afternoon, which starts at 3:30pm ET, will be I Can Do versus I Have Done...Certification, Experience, and the Information Security Career Path.

You can register by clicking the image or via this link:  

I hope to "see" you there!