You can't secure what you don't acknowledge.℠

Wednesday, May 13, 2009

Windows 7 - worth the wait?

I've never been big on major OS upgrades; however, Windows 7 is looking promising. I installed Windows 7 RC on an older test system this past weekend, and it actually seems to work well so far! I am having some video driver crashes, but other than that it looks like MS may have actually fixed the quirkiness of Vista. I always liked the Vista interface (Windows 7 has it), but, as I've written about in the past, I ended up NOT being a fan of the troubled OS. The latest I heard (from a TechEd briefing) is that we can expect Windows 7 to be out around the holidays.

Windows 7 is worth taking a look-see... After all, it's likely where things in your business are headed, so you might as well get a jump on it, huh?

Definitely more to come from me on this....

Tuesday, May 12, 2009

Secure code by force?

The Senate Homeland Security Committee, in their infinite wisdom and prodded by SANS' Alan Paller, apparently believe they can legislate secure software from IT vendors.

That'd be like legislating more secure health records, and personal financial information, and so on. Oh wait, that has been done. And it's not working all that well as far as I can tell.

That'd also be like legislating higher-quality cars. Ha! The Feds can work that out since they're going to own that industry moving forward.

Ahhh. Laws, laws, laws - they're cropping up all over the place and are hardly doing anyone any good.

New version of Acunetix WVS is coming

I just downloaded and am eager to try out the latest from the guys at Acunetix: Acunetix Web Vulnerability Scanner version 6.5 beta. It seems like they just came out with version 6.0! My last post on it was only a couple of months ago.

Acunetix WVS 6.5 beta has a new feature called "file upload forms vulnerability checks" which they claim is an industry first. This is interesting because I often find vulnerabilities in upload forms but it usually requires manual analysis to uncover them. I'll be curious to see how it works and how effective it is.

WVS 6.5 also has a new login sequence recorder... Woohoo! I say that because trying to get Web vulnerability scanners to log in to Web sites (esp. forms-based ones) is probably the most difficult part of the entire process. So help is much needed - and much appreciated - in this area.

Do two wrongs make a right?

I came across this bit recently on whether or not it's considered illegal hacking if security vendors and researchers become Internet crime fighters.

Maybe it's just me, but I think this is risky behavior. Want to hack something? Then set up your own systems to hack... or find a willing participant or paying client, get their permission in writing, and do it the right way.

Monday, May 11, 2009

One of the best ways to get experience

People often ask me what's the best way to get a job in the information security field, and I often reply that getting hands-on experience is the key. I delve into this topic in my audio programs Getting Started in Security and Certifications, Degrees, or Experience - What's Best for Your Security Career? In fact, this very question was the basis and inspiration for me to create those audio programs.

Well, here's a bit in last week's Wall Street Journal that also talks about this very thing. If you're just out of college, changing careers, or somehow want to get hands-on experience in a real-world business, this is a great way to go about it. It may not pay well - or at all - but right now, in today's world, gaining experience is very likely the most important thing you can be doing to break into the field and advance your career.

My latest security content

Here's my latest information security content - more from the queue coming soon... just waiting for it to be published.

Here's a webcast I recorded for
Continuous Data Protection (CDP) Strategies for the Enterprise

Here are two whitepapers I wrote for on behalf of Credant:
Navigate the Future of HIPAA Compliance

Data Protection for the Evolving Workforce

As always, be sure to check out for all of my information security articles, podcasts, webcasts, screencasts and more.

Insight into the future of spying?

Have you heard of GhostNet? It's a computer spying ring traced to China. I read about it in my local paper a few weeks ago and it's pretty intriguing stuff. Imagine what the computing world is going to look like 15-20 years from now. Are the superpowers going to be holding each other hostage electronically? Amazing stuff.