You can't secure what you don't acknowledge.SM

Friday, May 9, 2008

My security content from this week

Here's an information security article published this week:

Integrating source code analysis into your database security measures

As always, for my past information security content be sure to check out


Why you need to protect your Blackberries - even in 'secure' locations

Here's an interesting story I stumbled across. Didn't seem to get much coverage elsewhere. Apparently people can't even visit our own White House without getting victimized. Man....that train of thought could go in SO many directions. Anyway, the lesson is to not leave your Blackberries, smartphones, and PDAs lying around in your purse, on your desk, or any other conspicuous place where they can be taken.

No worries here though, I'm sure. With all the news stories and information about mobile device security, I'm sure they were all locked down and no sensitive information was put at risk. And with the FISMA security requirements, I'm sure any government systems were extra secure. [ha!]

Folks, we're just at the beginning of this mobile device security quandary...There's a whole new frontier full of criminal mischievousness ahead of us. I'm sure the stories are going to get more and more interesting.

Thursday, May 8, 2008

Good read on penetration testing helping compliance

Here's a good read from security analyst/guru Mike Rothman on how penetration testing can help with compliance.

The only thing I'd add is that you've gotta do more than traditional "pen testing" as we know it. And you've got to do it periodically and consistently. Not just one time. Use what I call the ethical hacking methodology that combines the best of penetration testing and general vulnerability testing. When seeking reasonable security, look far and wide at weaknesses in technical systems and IT operations. Problems abound in both areas. As a nice side effect, if you do your security testing the right way AND follow up and plug the holes, you'll achieve compliance with practically every law or regulation known to man.

Wednesday, May 7, 2008

Work for yourself? Check out these gotchas when dealing with clients

Here's a good read for consultants and people with small businesses on what not to do when dealing with clients.

I'll have my own version of these in my upcoming audio program Succeeding as an Independent Consultant. We all make stupid mistakes...the key is whether or not you keep repeating them.

Don't waste your money on a hybrid or ethanol automobile...

The politicians want us to burn more ethanol in our cars but it's a terrible idea. Not only does producing ethanol burn 29% more fuel than it creates, using fossil fuels to create ethanol adds even more carbon dioxide to the atmosphere. Check out these very interesting facts about ethanol we don't hear about in the news.

Anyway...back to working from home. I know, I know, many managers don't believe in telecommuting. They want employees onsite where they can be controlled. It's true. Most managers don't like having people out of sight and therefore out of their control. I've worked with these people and have friends who have managers today that work the same way.

Business leaders and lower-level managers need to get a grip and look into this telecommuting thing. There's no reason that many, many people can't get the same work done at home that they're getting done at the office. In most cases, it'll be more productive as long as employees are disciplined enough to do what they were hired to do. If someone is caught slacking off, not doing what needs to get done, or even embarrassing the business with crying babies or barking dogs in the background of customer phone calls, then make those people work from the office. Let the others who are doing the right things be able to work remotely.

Five or six hours of uninterrupted work from home is way better than the average eight to nine hours at the office dealing with interruptions, background noise, and worst of all, the 60-75 minute commutes (one way!) that many people have. The commutes are enough to deaden employee morale (esp. here in Atlanta). More importantly, multitasking and interruptions at the office are productivity killers. Numerous studies have been done on this. Experts say that when the human brain is interrupted, it takes on average, 20 minutes to get back into the groove of what you were doing!

I was just listening to an audiobook during my commute to a client site this morning called The Leader in You. The book's 13 years old but interestingly, it talks about how businesses in the 21st century are going to have to focus on people and service if they're going to survive. I can't think of a more perfect example of this than management supporting telecommuting in their businesses. That's focusing on your people. And when you focus on your people, they'll want to do more and do better. Everyone wins.

Do what's right, business leaders. Your IT staff have all the technologies needed to allow people to work from home. It'll save your business money, boost employee morale, and help keep people from spending stupid money on their $30,000 hybrid and "flex fuel" automobiles just to save a couple of thousand dollars over several years in gasoline.

Tuesday, May 6, 2008

C'mon Feds - what's taking so long with the breach notification law?

You've probably gathered that I have little respect for the intent and abilities of our Imperial Federal Government here in the U.S. Our "leader" politicians stay busy developing gimmicks like the gas tax holiday instead of coming up with real solutions, arguing about "global warming", making the evil rich pay their fair share of taxes (yeah right!), and prying into Major League baseball steroid use. They have their hands in virtually everything they shouldn't and nothing that they should. Like legislation that gives companies and organizations an incentive to protect our personal information scattered about the electronic oceans of the world. Talk to anyone who's been a victim of ID theft and you'll soon realize that it's no fun being on that side of the equation.

Apparently, there are six federal breach notification laws in the works, but nothing really happening. Think about it though. Where's the incentive? Our representatives in government really only pay attention where people are speaking the loudest (and have the most money): business, lobby, and special interest groups. They don't hear us little people. You know, the people that they work for. They seem to have forgotten about the function of government.

Although it'll surely help simplify the notification process, I don't want any new federal breach notification law for businesses. I want it for me. For when my information is mishandled by careless employees in organizations with network admins and security managers who don't have the resources or take the time to find out just where the vulnerabilities are. You wouldn't believe the weaknesses I see in this area...

Come on Congressmen and Senators! Channel your energy on things that really matter. Focus.

Monday, May 5, 2008

My security content from this (past) week

Here are two information security podcasts published this past week:

Using the Malicious Mindset in Security Assessments

New service packs for Windows Vista and XP

As always, for my past information security content be sure to check out