You can't secure what you don't acknowledge.SM

Friday, September 26, 2008

My latest security content

Here's an article I just wrote for
The 10 most common Windows security vulnerabilities

And also a series of articles I recently completed for on compliance:
The Essentials Series: The Business Imperatives of Compliance in the UK

[note: These articles have a U.K. focus, but the concepts can be applied anywhere around the world...And no, those aren't my British-isms in the writing (thanks to the wonder of editing). It is kind of cool to see what I'd sound like if I were from England. ;-)]

As always, be sure to check out for all of my information security articles, podcast interviews, webcasts, screencasts and more.

Point about users & malware I've been trying to get across

I feel as if my opinion on a malware-related security vulnerability I've been pointing out for years has been validated. By actual research!

Here's the deal: it's when users get pop-ups/dialog boxes from web sites, etc....All they want to do is get rid of it, right? It's human nature. They don't care which option they click or what the outcome may be. I'm guilty of doing the same thing. It's something you have to stop and take the time to think through. But our society of instant gratification has programmed us to do something about it NOW, regardless of the consequences.

Well, this is the essence of why we'll always have computer security problems: because we can't protect people from themselves. To quote Chip Andrews from his excellent site: There is no 'patch' for stupidity.

Check out the story and link to the research findings here.

Thursday, September 25, 2008

How about a bailout of the information security industry!?

With our government on the bandwagon of handing out billions of our dollars to the financial industry and, more recently, the auto industry, it made me think: what the heck, we might as well throw in a few billion or so in support of our industry, right?? After all, it'd be money well spent on our critical infrastructure here in the U.S.

Here's what could be done to redistribute our wealth and put it in the hands of information security vendors right now:
  1. Give the old-school anti-virus vendors more money for research and development so they can FINALLY offer solutions that detect more than just viruses.
  2. Give the firewall vendors at least 35% of the budget ($800 million or so) simply because they need it to stay afloat.
  3. Give all of the "mainstream" OS and application vendors cash annuities of a couple of billion each payable over the next 20 years to help them find ways of developing secure software that doesn't need patching every other day.
  4. Give all of the encryption software vendors money for advertising and really cool free stuff to hand out at conferences (cars, juke boxes, gift certificates, etc.) with hopes that one day people will start buying their software.
  5. Allot at least 75% of the budget towards supporting focus groups and watchdog committees, allowing information security vendors to better understand why management, by and large, doesn't buy into security the way they probably should.
  6. Finally, provide another 10% of the budget to create a tri-partisan committee on secure web development headed by a Secretary of Poor Coding that oversees every line of code in every single application made available over the Web with the goal of having a secure Internet by Q1 2012.
The key here is to think short-term...only focus on our industry and, more specifically, our own companies. We can worry about who'll pay for all this later...

Tuesday, September 23, 2008

Big target for the bad guys

I just heard an ad on my local radio station, and between what's going on out there on the Web and the silly and careless Web application vulnerabilities I see in my work, I cringed when I heard about what this company does. They store all of your medical records online in one convenient location. It's actually a great idea, but there's certainly some room for abuse.

I'm not picking on all they do have a decent privacy policy - something I've written about before. Surely they're testing their app for vulnerabilities.

My point is to do your own due diligence before giving up all of your personal information to the online businesses you deal with. A privacy policy is easy to post. It's just a written statement that may, or very well may not, be enforced by the people who placed it there.

Sure, no security is guaranteed, but you at least want to do business with organizations that take it seriously and are actually testing their Web sites/applications the right way.

Another job site for security careers

In addition to the job sites catering to security professionals I mentioned in a previous post, here's another site for you...Can't vouch for its quality but it looks promising:

Has Sarbanes-Oxley failed us? Surely not!? But then again...

Those of us in IT and information security know all about Sarbanes-Oxley. You know, the Public Company Accounting Reform and Investor Protection Act of 2002 that our Imperial Federal Government put in place back in 2002...?

That was then. Look at the mess we're in. Lehman Brothers, AIG, Fannie Mae, Freddie Mac - all living proof that Sarbanes-Oxley is a failed piece of reactive legislation. Now we're talking about everyday people - you and me - having to pay $700 billion to bail out these failures, all because of bad policies. And our government is going to do a better job of running things? Ha!

There's also HIPAA, GLBA, PCI and many, many other regulations affecting our work that many business leaders don't know (or care) about...When's the fallout from these going to occur? Probably in a few years, when some new bureaucrat touting "change" wants to buy a few votes.

I've got a bad taste in my mouth: compliance.

Too bad business leaders can't do what's right. Furthermore, too bad people can't think long term and realize the consequences of knee-jerk reactions like what our government "leaders" are attempting to put in place now. Just like Sarbanes-Oxley back in 2002.

Things that affect us in our work and in our economy could be worked out in a free market. I think those days are gone. Probably more job security for those of us in this field, but too bad for the good old U.S. of A.