You can't secure what you don't acknowledge.SM

Friday, January 25, 2008

Thought for the day on what security really is(n't)

"Security is mostly a superstition. It does not exist in nature. Life is either a daring adventure or nothing." - Helen Keller

Along the same lines as this week's post on personal security vs. information security.

My articles from this week

Here's my one information security article from this week that you may be interested in:

How secure is your SQL Server network design? (from

For all of my past information security tips and tricks be sure to check out


Thursday, January 24, 2008

The difference between personal security and information security

With it being an election year here in the U.S. we're surrounded by all this talk of big promises by power-hungry politicians. This nauseating process made me start to think about the difference between information security and personal security.

Let's start with personal security. The politicians say "Elect me and I'll give you the things you need! I'll take someone else's money - by force - and give it to you for your own personal security." What's not to like about that!!?? Many people would much rather have the government take care of them - that is, create personal security for them - than be forced to work hard and be a responsible contributor to society. This personal security is "free". Of course, at the cost of the people who actually pay taxes, individualism, and our long-term freedom.

Contrast this with information security. Let's say you want - no need, through laws and regulations - to create an environment where your "information" and your business are secure...well, that's gonna cost you! There's human resources, technology expenditures, business process changes (and all the related costs that go along with that), the hiring of vendors and consultants for specialized expertise, audit dollars, and on and on.

Now, imagine if businesses today could turn to the government with all their information security needs. WOW. Our networks, our apps, our databases, our laptops, our smart phones, our business processes, you name it, would all be VERY, VERY secure. It'd be unlimited security. To the point where information security professionals and a lot of network administrators wouldn't be needed - at least after all the fancy systems were put in place.

I've always struggled with the word "security" in my job description...I don't like being associated with dependence, mediocrity, and reliance on others - what personal security is all about. Now that I've thought it through though, I see there's a clear difference.

Uh-oh, I'd better get back to work...

Tuesday, January 22, 2008

Great show to get inside the mind of the bad guys

I don't watch a ton of TV, but when I do I often lean towards shows that teach me something (Seinfeld, Reno 911!, and South Park aside). If you haven't seen it yet, check out the Discovery Channel show called It Takes a Thief. The premise of the show is home security and how its weaknesses can be, and are, exploited by burglars.

You'll learn how to keep your home locked down (lots of stuff you've likely never considered) and you'll learn how the criminal mind works. That insight translates nicely into how the bad guys attack our networks and applications. It's one of those information security skills that pays to keep sharp.

Monday, January 21, 2008

Crooks will always find a way

I was perusing the latest issue of Security Technology & Design (a trade mag that I write for) and was reminded of some findings from a recent security assessment. The question is: where do the bad guys start when attempting to work their way inside a building? Something that's easy to overlook (and often is) is unsecured external access to the building. Think about both network-type entry points and walk-in entry points: manholes, critical cabling found in splice boxes, network camera connections, and that ever-predictable unmanned rear door that people prop open for their smoke breaks.

The person with a malicious mindset always thinks outside the box to find weaknesses that have been overlooked by even the savviest of security pros. Think about how a vandal, hacker, or terrorist would look at your building. Look at things from every angle and every entry point, even the small ones. You might just find that the simple stuff is creating the biggest holes.