You can't secure what you don't acknowledge.℠

Friday, May 23, 2008

My security content from this week

Here's the one information security article of mine that was published this week:

Writing software requirements that address security issues

As always, for my past information security content, be sure to check out


The real key to career success

When I got up this morning at 4:30 a.m. to complete a report I'm working on, I had to remind myself of a great quote by Elbert Hubbard, and I thought it'd make for a good post.

It's the one thing that's helped me in my career and in my personal life more than anything else. Mr. Hubbard said: “Self-discipline is the ability to make yourself do what you should do, when you should do it, whether you feel like it or not.”

If you take responsibility and hold yourself accountable to this, it really does work.

Have an awesome weekend!

Wednesday, May 21, 2008

Don't do this to yourself (and your company) in online meetings

Here's another thought in the same spirit as my previous post, where I talked about sharing your desktop when using WebEx, GoToMeeting, and the like and then doing stuff that other people probably shouldn't see.

I just attended a very unprofessional webcast put on by an otherwise respectable security vendor where a person on their end didn't have her phone muted. I could hear everything she was saying, part of what the people in the background were saying, her laughing, her munching, her fiddling around on her...you name it. And no one else on her end seemed to notice. OUCH.

So, don't make a butt out of yourself, and especially your company if you're presenting to prospective clients, by leaving your phone unmuted during webcasts and conference calls...Just another free community service offering from yours truly. :-)

Ridiculous government intrusion - Go ahead, cuff me & take me away

Apparently our Big Government Federal prosecutors here in the U.S. are going to enforce Web site usage policies on behalf of the businesses who post them. According to this story, simply entering bogus information into online services could turn you into a Federal criminal. Wow. I would expect this from some countries, but I suppose, in reality, the U.S. isn't much different from any of the others in trying to control what we see, say, and do.

I like to be heard, but I am a private kind of guy. Unless and until businesses step up and:
1) secure their applications and databases that people can exploit and extract information from, AND
2) stop asking for personal information they don't need in the first place (yeah right!)...

...any time I'm prompted for information on a form that's not relevant to the business transaction at hand, businesses will continue to get bogus information from me.

I know the case in the story above is a special situation involving a suicide, but give government bureaucrats an inch and they're going to take a mile. Before we know it, it'll be an elaborate highway system for their own exploitation. Then it's bye-bye Internet as we know it.

Tuesday, May 20, 2008

Manually monitoring email? What's up with that!?

With all of the technical sophistication we have, apparently business people still haven't figured out a way to automate the employee monitoring function. According to a new Proofpoint/Forrester Consulting survey, 41% of companies with 20,000+ employees are *employing* people to monitor outbound email. Are you serious!? We've had automated employee monitoring systems for 10+ years that anyone in HR can manage, and companies are paying people to do this manually...the hard way, with room for major errors and oversights!!??

I spoke at TechTarget's Security Decisions conference back in 2003 about the ins and outs of employee monitoring. I talked about the technologies you can/should use, and what specifically to do and not do. That was 5 years ago, and the content filtering and monitoring solutions were pretty darn mature back then.

Oh, and apparently the trend of hiring even more people to do this is on the rise. I guess the whole notion of automating security to close that "loop" is not something people are ready to take on. Amazing.