You can't secure what you don't acknowledge.SM

Friday, August 29, 2008

Talk is cheap

In watching the clips from Obama's Adult American Idol speech last night (I couldn't bear to watch it all live) I was reminded of previous bosses I've had and other people I've seen regarding their "support" of information security:

Posturing and pandering and spouting out whatever makes people feel good is very, very easy.

Just like certain people are good at manipulating others negatively for their own gains, anyone (Obama, McCain, your boss - whoever) can tell you what you want to hear...It's experience, wisdom, and doing the right things - making sure the rubber has good contact with the road - that really matter long term. Not social engineering.

The bottom line folks, talk is cheap - something we must not forget when we have people promising support for what we need (information security or otherwise).

Who needs life vests anyway?

Jazz Airlines (subsidiary of Air Canada) has removed life vests from their airplanes in the name of saving weight and fuel. So, increase the risk of your passengers at whatever cost...?? I'm sure the savings of 83 pounds per flight should more than outweigh any risk. Sounds like the typical risk management decisions being made in all too many businesses out there.

I suspect we'll start seeing this kind of nonsense in the IT world in the next decade or so. Something like "Our operational costs are skyrocketing. We've to start cutting where we can and information security seems the logical first step. Let's turn the firewall off for starters - it's using up too much power plus it's contributing to "global warming"."

You probably think I'm crazy...but seriously believe we'll start seeing requests like this one of these days. Just think, somewhere down the road you'll remember when I made this prediction way back when "green" data centers were becoming the craze. ;-)

Thursday, August 28, 2008

Want to try some 'sploits but don't have anything to 'sploit?

If you've ever wanted to play around with Metasploit - the free pen test/exploitation toolkit - but you didn't know where to start....well, here's an interesting site I came across that hosts free trial versions of software known to be vulnerable to attack using Metasploit, etc..

Oh, if you need a quick primer, check out the following articles I've written on Metasploit as well:
Metasploit 3.1 updates improve Windows penetration testing

Metasploit 3.0 security testing tool - free easy and improved

Using Metasploit for real-world security testing

Metasploit: A penetration testing tool you shouldn't be without

...and finally, this book on Metasploit that I contributed to (tech-edited a few chapters) has some good content:
Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research

Crazy things people do to get a Wi-Fi connection

Here's a funny bit about things people have done to get wireless Internet access. Some of these are pretty stupid when you consider the consequences of connecting to a rogue AP where someone's watching your every move on the other end (i.e. web sites browsed, passwords entered, emails sent, etc.). Not to mention exploiting your system for remote access.

Reminds me of how much I love my air card....

Wednesday, August 27, 2008

Do developers really think of security this way?

I was just perusing the latest Programmer's Paradise catalog. The catalog is chock full of developer tools - everything you need for application lifecycle management. Well almost. Their Security section of products made me laugh. I was expecting to see products like DevInspect, Ounce 6, and Fortify 360. But no, what's in there is what all too many developers still see as "security": Reflex Security's VSA Firewall, GFI EndPointSecurity, PGP Desktop, CA Antivirus, and related products. One notable set of products missing were digital certificates for SSL/TLS - you know, the holy grail for security in the eyes of many developers. But not a single product for source code analysis or penetration testing. Wow...I thought the source code analysis vendors were making headway into the developer arena.

Not that the "security" products they're selling aren't part of an overall secure infrastructure. But c'mon guys.

It's almost cute. I know this mindset doesn't speak for all shops and all developers - what I'm referring to is just a software reseller with a catalog put together by some marketing types...But still, it's pretty sad. Sign of the times I suppose and certainly job security for those of us who seek it and are willing to work for it.

A chronology of HIPAA convictions

Does HIPAA affect your organization? It probably does somehow some way at least indirectly. If not, we're all affected personally. Well, my friend and brilliant colleague, Becky Herold, has kept up with HIPAA-related convictions over the past few years. I'm surprised that only seven convictions have taken place. There's no doubt that more violations have occurred...

Interestingly, there's only been one sanction given for noncompliance. Only one healthcare organization out of compliance with HIPAA, huh? Yeah right!!! You show me 100 randomly-selected healthcare organizations and I'll show you 100 organizations that have plenty of information risks - all out of compliance with HPAA...

Thus the big government arm of the law with no real enforcement. I'm sure one of these days - in 10 years or so - a new young politician will draft legislation aimed to protect healthcare records....It'll be such a grand idea. And it'll get passed.

Anyway, off my soapbox. Check out Becky's post.

Gotta love the overused "computer glitch" excuse

Here we go again with a "computer glitch" causing a big problem - this time with the FAA's flight plan tracking system.

Last time I checked, computers are told what to do...I studied computers at the bit level for way too many years in college to know that PEOPLE cause computer problems. It's easier to blame computers though. They don't argue back. Yet.

Tuesday, August 26, 2008

Finally...someone gets their Web security policy right!

When most companies claim Web "security" they tout SSL like I mentioned here. I've had trouble figuring out why the buck stops there...maybe because they're being written by people in marketing??

Anyway, LinkedIn finally got it right. The security stipulation in their privacy policy goes beyond SSL:

In order to secure your personal information, access to your data on LinkedIn is password-protected, and sensitive data (such as credit card information) is protected by SSL encryption when it is exchanged between your web browser and our web site. To protect any data you store on our servers we also regularly audit our system for possible vulnerabilities and attacks and we use a tier-one secured-access data center. It is your responsibility to protect the security of your login information.

Why has no one else said this? Good for LinkedIn.

Great quotes related to information security management

...or mismanagement if you will:

The first quote relates to management's responsibility and using wisely their power of choice when it comes to doing poorly on a security assessment, failing an audit, experiencing a security breach, and falling out of compliance:
"Failure to hit the bullseye is never the fault of the target." - Gilbert Arland

The second one relates to management not supporting information initiatives year after year and then, once a breach occurs, suddenly finding it in them to make things happen:
"When they feel the heat they'll see the light." - Herman Cain

Just a couple of thoughts to add to your arsenal...

Monday, August 25, 2008

My security content from last week - chock full of good stuff

OK - I finally got the links to my latest material. Here are some articles about getting management on board with security (one of the hardest things we face) , controlling unstructured information, Web apps, storage, and more that you may be interested in checking out:

Making the Business Case for Information Security

Document Security - Protecting sensitive information both inside and outside of the firewall

7 Essentials for Selecting an IT Integrator

Web Services: An overlooked entry point for attack

How SMBs can ensure storage security

As always, for all my information security resources, be sure to check out