You can't secure what you don't acknowledge.SM

Friday, November 14, 2008

When will security be thought of this way?

When out on my lunch break today I drove by the entrance to a manufacturing plant (a Fortune 500 global company) that had a sign that read "Safety is everyone's responsibility".

I understand that protecting electronic bits and bytes isn't as critical as protecting human bodies, but this sign made me think about information security and where it is on the radar of business leaders. The truth is that unless and until management buys into security to the level where they're putting reminders/mandates on signs out front such as this one, we're simply going through the motions and, effectively, going against the grain.

My latest security content

Here's an article I wrote for
Managing single sign-on burdens in Windows

...and here's a podcast I recorded for TechTarget as a whole:
Top Five Issues of Mobile Security

Be sure to check out for all of my information security articles, podcast interviews, webcasts, screencasts and more.

Thursday, November 13, 2008

Insight into the "fight" between developers & IT

It's the never-ending battle: developers blame the network people for slow performance - and vice versa. I see it all the time, and no one wants to take ownership - much less initiative - to fix the problem. Here's a funny post about handing over a network analyzer to developers to help them help themselves.

Wednesday, November 12, 2008

Excellent resource for hacking goodies

Check out Adrian Crenshaw's site: It's chock full of good insight on some hard-to-find hacking tricks. Good video demos as well.

I had the pleasure of meeting Adrian when I keynoted the Louisville ISSA conference last month. Very nice and knowledgeable guy.

New way to crack WPA on wireless networks

Everything in security is just a matter of time, right? Well, a couple of researchers - one of whom is the author of the Aircrack-ng tool that I've covered a lot over the years - have found a new way to crack the WPA TKIP key in just a few minutes without using a dictionary attack (previously the only way to crack it). Reaffirms the arms race we're mired in. Pretty interesting stuff. This could open up a whole new frontier in wireless hacking.

Think computer security is not a business issue - just ask the FBI

Here's an interesting tidbit from the Atlanta InfraGard's CounterIntelligence Working Group web site reminding us that information security IS a business problem. Too many executives think this kind of stuff won't happen to them:

"The Issue … Does your company have products or technology that someone might want to steal from you? ... If a new competitor suddenly sprang up in the marketplace with exact copies of your products and was selling them for significantly less than yours, what would you do? … How would you respond? … Could your business survive this type of loss or illicit competition? Are you aware of the risks and threats your company faces in today’s global economy? Whether your company is big or small – whether you are the CEO, chairman or charged with security for your company, this is one meeting you do not want to miss.

Think it can’t happen to you or your company? Come hear Brett Kingstone, author of The Real War Against America describe a real life story of international intrigue. Kingstone, founder of Super Vision International, will tell his story of a desperate struggle against his former Chinese distributor who stole designs, equipment and profits. When Kingstone learned that the market had been flooded with knock off Super Vision products, he began immediately fighting to protect the business he started as a 19-year-old Stanford student. With the help of private investigators posing as rich Arab sheiks, Kingstone gathered evidence to take the criminals to civil court. But the defendants along with their lawyers and bankers went to extremes to cover their crimes and ill-gotten gains. In 2002, Super Vision won a $33 million verdict against the intellectual-property thieves, but has yet to see a dime. One expert testified that the defendants wired $28.5 million out of the U.S. before the trial "using methods consistent with money laundering."

Our country’s challenge: Protect U.S. private sector companies’ sensitive information and technologies, and thereby competitiveness in an age of globalization. It is a non-traditional, “asymmetrical threat” that you must develop safeguards against—but you’re not alone. The FBI and other government agencies are not only aware of these risks to Fortune 50,0000 companies, but have programs to brief you on new risks that you need to be aware of and actions to think about in today’s global economy.

Hear the solution: The U.S. is the world’s leader in business innovation. Consider the breakthrough research and business innovation that’s taking place in U.S. companies. Sensitive work, most of which occurs in the unclassified realm, is the key to our nation’s global advantage economically, militarily and intellectually. The FBI is working to communicate and build awareness through partnerships with public and private entities by educating and enabling our partners to identify what is at risk and how to protect it. We call it “knowing your domain”—identifying the research, information and technologies that are targeted by our adversaries and establishing an ongoing dialogue and information exchange with partners to change behaviors and reduce opportunities that benefit the opposition’s efforts. The FBI’s Counterintelligence (CI) Domain Program is responsible for determining and safeguarding those technologies and business practices which, if compromised, would result in losses to our national or economic security. Through our partnerships with businesses, academia, and U.S. government agencies, the FBI and its intelligence community partners are able to identify and effectively protect projects of great importance to the U.S. This provides the first line of defense inside entities where foreign intelligence services are focused."

Atlanta-area CISSP training from guys who know their stuff

If you're looking to take a CISSP prep course, check out DSTI's 4-day CISSP bootcamp in Kennesaw, GA, December 10-13. You can get more information at their Web site. Apparently a 5% discount is offered for ISSA members. Even though their Web site leaves a little to be desired, I know the guys that run this company and they're top notch.

If you're wondering if certification is the best route to take in your security career, check out this recent article I wrote called Does certification really matter? as well as my audio program Certifications, Degrees, or Experience - What's best for your security career? where I really tell it like it is.

Tuesday, November 11, 2008

New book on PCI worth checking out

Here's a new book fresh off the press written by my friend and colleague Tim Virtue. Very good insight into the world of PCI DSS compliance.

I reviewed it for the publisher before it went to print and got my name imprinted forever on the back cover!

My latest security content

Here's an article I wrote for
Ten ways you can make your data backups more secure

Here's one I wrote for Security Technology & Design magazine:
Ten Ways to Protect Your Web servers

...noticing a trend!?

Be sure to check out for all of my information security articles, podcast interviews, webcasts, screencasts and more.

Are certifications hurting your salary more than helping?

Here's a good read on certifications and whether or not they enhance or hinder your earning ability - especially if you focus on vendor-specific certifications such as what Microsoft offers.

Mr. Mikols' article led me to think about this area more in-depth, and I came to this conclusion: I do believe that you can spend too much time focusing on getting certified. In fact, I've seen it personally. The mindset I've come across time and time again is "I just got three of the CompTIA certifications and now I'm going to get Cisco certified...and then I'm going for my MCSE...and then I'm definitely going to get my CISSP. Will probably get the Certified Ethical Hacker after that...I can't wait to see what's around the corner." And on and on...you get my drift. I've seen people with 10, 12, sometimes 15 certifications behind their names. Wow!

Don't get me wrong folks. Certification can be a good thing as I talked about in this column as well as what I go in-depth on in my audio program Certifications, Degrees, or Experience - What's best for your security career?

What I am saying is that if you have a dozen IT/security certifications you may come across to some people as desperate - wanting to be seen and/or trying to cover up some other character flaw just to get a job or prove whatever. I'm thinking, does anybody really have that kind of time to get all of those certifications!? Well, obviously so. Just don't go overboard. I think a basic set of certifications is all you need to prove your worth and get past most barriers to entry. Beyond that, if you really want to stand out above the noise and move ahead, your time will be MUCH better spent working on things like:
  • writing skills
  • presentation skills
  • goal setting
  • time management
  • networking (with people) to build relationships
...and so on.

Anyone can learn technical material for certifications and day-to-day job tasks...and a large majority of us in this field often do. But very few choose to better themselves at a core level by focusing on the points above - and it's these things that are going to make the difference long-term.

If you want to succeed in security, you've got to channel your priorities in the right direction. I'll talk about all of this and much more in my soon-to-be-released Security On Wheels audio program Succeeding in Security. Stay tuned for that.

Until later...all the best.