You can't secure what you don't acknowledge.SM

Friday, December 7, 2007

My articles from this week

Here's my one information security article from this week that you may be interested in. For all of my past content be sure to check out

The Fallacy of SSL


Thursday, December 6, 2007

Stupid policies are ignored by those with an agenda

On a similar note regarding my previous post on the Omaha mall incident, apparently the mall has a policy against concealed weapons - and apparently (I haven't confirmed) there's a Nebraska state law backing such policies in private businesses in that state. This event not only shows how vulnerable we really are, but it's also a classic case of how stupid policies/laws such as this ONLY apply to law-abiding citizens.

In the context of IT security, I actually see and hear of this quite a bit where policies are created for the sake of having a policy, or political correctness, or to satisfy an auditor - whatever - knowing that they'll do more harm than good or that they'll never be enforceable. Keep this in mind when creating your own organization's information security policies. Make them reasonable and enforceable... otherwise they're just for show and will come back to bite you or someone you care about down the road.

When seconds count, how long will it take for you to respond?

I was listening to Neal Boortz's radio talk show this morning about the tragedy that occurred at the Omaha mall yesterday. A caller brought up the old saying "When seconds count, the police are only minutes away." This made me think about all the organizations out there who don't have an IT-centric incident response plan - or at least don't have one that's adequate enough to respond to real security threats in a professional manner.

The thing is, with most networks I see, there are so many technical controls all intertwined yet no system is talking to another. There's no real event correlation. Add the people complexities on top of this (like everyone being involved yet no truly established leader, responsibilities, or accountability), and most businesses would never know if a breach happened. Or, they'll find out several days or weeks too late!

In the Omaha mall incident, it took police 6 minutes to arrive. By then it was too late. Ask yourself: when seconds count, how long will it take you to respond to a network security incident? You may come to the realization that things need to change.

Monday, December 3, 2007

My articles from this week

Here are my recent information security articles you may be interested in. For all of my past content be sure to check out

How to get developers to buy into software security

Cheap Microsoft licenses for security pros: the Microsoft Action Pack

Mobile security: Setting responsible goals

Mobile security: Top oversights

You may need to perform a quick third-party registration to access some of them.


Sunday, December 2, 2007

An excellent compliance resource you've gotta check out

If compliance is anywhere on your radar (I'm pretty sure that includes all of us!) then you've gotta check out Rebecca Herold's compliance blog and portal called the Realtime Community | IT Compliance. I've known and worked with Becky for years and can vouch for her level of knowledge in the compliance and privacy arenas.

The hosting company for this site is Realtime Publishers for whom I've written a book (The Definitive Guide to Email Management and Security), several whitepapers, and performed technical editing for numerous publications of theirs. Their content is sponsored by an IT/security vendor which makes it free for everyone. Check out their digital library for Becky's site here and their main Nexus digital library site here. Tons of high-quality content and just the right price.