You can't secure what you don't acknowledge.SM

Friday, February 5, 2010

My latest information security content

Here are my latest information security articles covering policies, internal threats and employee monitoring, and (when all else fails) incident response. Enjoy!

Security policy oversights and mistakes we keep making

The real deal with internal security threats

Monitoring user activity with network analyzers

Lack of incident response plan leaves hole in compliance strategy

Incident response – the often overlooked component of business continuity

As always, be sure to check out for all of my information security articles, whitepapers, podcasts, webcasts, videos, Twitter updates, and more.

My new trade rag column

I've got a new monthly column in Security Technology Executive magazine called Get with IT that you may want to check out. It's a real gem of a magazine!

Looking past Layer 7 - Web security is more than the app

Here's a bit I wrote on why we need to look deeper than the application when testing our Web security:

Looking past Layer 7. It's the little, often overlooked things that'll get you.

Tuesday, February 2, 2010

What part of No Truck Crossing do you not understand?

Check out this wild video of a train crash yesterday. It's a great example of the fact that just because you have a policy (i.e. the no truck crossing sign) doesn't mean that people will abide by it (i.e. the dummy driver who probably thought "Aw, I can make this."). Some people just believe that they are exempt from certain things.

Keep this in mind for your information security efforts. You can't save people from themselves all the time (like in this case), but you've got to set people up for success whenever you can.

Monday, February 1, 2010

Deep thought of the day

All we have is our knowledge and our time. If we don't have a grip on managing our day-to-day tasks and projects, we'll let both go to waste and drive ourselves crazy. Get to know the basics of time management soon. This knowledge will do wonders for your career.

Relying on users to wipe out wimpy passwords??

I just came across this Dark Reading bit by Adrian Lane on wiping out wimpy passwords. Adrian says that user training is needed so people know how to create strong passwords. I'm not picking on you, Adrian, but this has become a downright ridiculous approach, one that's been proven time and again not to work.

My take is that you have to set your users up for success and, therefore, have to MAKE them create strong passphrases. It's as simple as enabling minimum password complexity policies in the OS and building strong passphrase requirements into Web applications so that they don't have the option to take the path of least resistance.

Just like anti-lock brake systems in automobiles, circuit breakers in home electrical panels, and seat belt requirements on airplanes, we have to build in security controls that set our users up for success. Period. Unless and until we do, we're going to continue having the same old ridiculous password issues we've always had.
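To make the "build it in" point concrete, here is an added example (not code from the original post or from anyone it mentions) of server-side passphrase enforcement in a Web application: the signup handler rejects weak choices outright instead of hoping training did the job. The length thresholds, the class-mix rule, the denylist contents and the form field names are all assumptions chosen for illustration.

```python
"""Server-side passphrase policy enforcement for a Web application.

Added example (not from the original post): a signup or password-change
handler MAKES users pick a strong passphrase rather than relying on training.
Thresholds, the denylist and the field names are assumptions for illustration.
"""
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed sample denylist of well-known weak choices; a real deployment
# would load a far larger list (e.g. from a breached-password corpus).
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
    "iloveyou", "admin123", "changeme", "passw0rd",
})


@dataclass
class PassphrasePolicy:
    min_length: int = 14           # assumption: passphrase-length minimum
    max_length: int = 128          # upper cap protects the hashing backend
    long_passphrase: int = 20      # at/above this length, no class mix needed
    min_classes: int = 3           # of: lowercase, uppercase, digit, symbol
    denylist: frozenset = field(default_factory=lambda: COMMON_PASSWORDS)

    def _classes(self, p: str) -> int:
        """Count how many character classes the passphrase uses."""
        return sum([
            any(c.islower() for c in p),
            any(c.isupper() for c in p),
            any(c.isdigit() for c in p),
            any(not c.isalnum() and not c.isspace() for c in p),
        ])

    def violations(self, passphrase: str, username: str = "") -> list:
        """Return every reason the passphrase is rejected (empty == accepted)."""
        p = unicodedata.normalize("NFKC", passphrase)   # one form for all checks
        problems = []
        if len(p) < self.min_length:
            problems.append(f"must be at least {self.min_length} characters")
        if len(p) > self.max_length:
            problems.append(f"must be at most {self.max_length} characters")
        # Short secrets need a mix of classes; long passphrases do not.
        if len(p) < self.long_passphrase and self._classes(p) < self.min_classes:
            problems.append(
                f"shorter than {self.long_passphrase} characters, so it needs "
                f"{self.min_classes} of: lowercase, uppercase, digit, symbol")
        lowered = p.lower()
        # Catch "Password1!" style decorations of a denylisted word too.
        if lowered in self.denylist or re.sub(r"[^a-z]", "", lowered) in self.denylist:
            problems.append("is a commonly used password")
        if username and len(username) >= 3 and username.lower() in lowered:
            problems.append("must not contain your username")
        if re.search(r"(.)\1{3,}", p):
            problems.append("must not repeat one character four or more times")
        if re.fullmatch(r"(.+?)\1+", p):
            problems.append("must not be a short pattern repeated")
        return problems

    def is_acceptable(self, passphrase: str, username: str = "") -> bool:
        return not self.violations(passphrase, username)


def handle_signup(form: dict, policy: PassphrasePolicy = None) -> dict:
    """Hypothetical signup handler: the server decides, not the user.

    Returns a response dict the way a framework view might. A real handler
    would go on to hash the accepted passphrase with a slow, salted KDF.
    """
    policy = policy or PassphrasePolicy()
    problems = policy.violations(form.get("passphrase", ""),
                                 form.get("username", ""))
    if problems:
        return {"status": 400, "errors": problems}
    return {"status": 201, "errors": []}


if __name__ == "__main__":
    # Constructed sample inputs; "kbeaver" is a made-up username.
    for pw in ["Password1!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(repr(pw), PassphrasePolicy().violations(pw, "kbeaver"))
```

Returning the full list of reasons rather than a bare yes/no lets the form tell the user exactly what to change, which is what makes enforcement workable in practice; the maximum length is there so an attacker cannot feed a multi-megabyte "passphrase" into the password hash.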