You can't secure what you don't acknowledge.SM

Friday, September 16, 2011

No CPEs for you!

I spoke at the @ISACAAtlanta GeekWeek show and all I got was this lousy notification ;-)

Seriously, it was a good show that I recommend next time they have it.

My new paper on BitLocker's hidden costs

I've been a fan of Microsoft BitLocker since it first came out. It provides a cheap and easy way for users to lock down their laptops and mobile storage devices and is especially helpful in small businesses where security knowledge is scarce at best. Although BitLocker protection can be bypassed, it's still better than nothing - like WEP for wireless networks.

Anyway, if you're considering BitLocker as your disk encryption solution, I just wrote a new whitepaper titled The Hidden Costs of Microsoft® BitLocker® you may be interested in. In the paper I talk about some not so obvious costs and gotchas you need to think long and hard about if you're considering deploying BitLocker in an enterprise setting.

Interestingly, I have friends and colleagues at some large enterprises who are telling me their IT/security management is considering ripping out PGP or other commercial whole disk encryption tool in favor of "free" BitLocker encryption. I advise against this unless and until you know all the facts and think things through.

Check out my paper here for more information.

I love solid state drives but I'm no fan of OCZ

I tweeted about this the other day but though it deserved a longer post. If you do anything with IT/security tools such as vulnerability scanners, network analyzers and the like you HAVE to get a solid state drive.

Hands down, installing solid state drives in my laptops has been the best computer upgrade I have ever made in 22 years of using computers. Better than doubling my RAM, better than upgrading the CPU...whatever. I wish I would've moved to SSDs sooner. I didn't know it was going to be the case but my SSDs are faster than the 10,000 rpm drive I use in my desktop (which was a huge improvement over the 7,200 rpm drive I used to have). Amazing.

Two words of caution:

1) Know that if your drive fails - especially under warranty and you need to return it - that you have no way of knowing what is recoverable by some yahoo engineer in the manufacturer's lab who has nothing better to do. Based on my limited knowledge of how SSDs work and backed by a forensics expert I work with, even if the drive is dead, it's still possible that data can be extracted from the chips on the drive. This is something you wouldn't have to worry about with traditional platter-based drives because you could give them a good bath with a powerful magnet and you'd know your information is safe.

SSDs just aren't the same, at least based on what I know about them. That combined with the fact that I had encrypted the drive with BitLocker I had no way of knowing what was recoverable when doing that, especially using this tool.

2) Stay away from OCZ Technology SSDs. I bought one knowing that the Amazon reviews weren't great. But it was available at a nice price at my local MicroCenter and figured I had nothing to lose. Plus, like many in management treat information security, I figured nothing bad would happen to me - surely my drive wouldn't fail. ;-)

Well, silly me. Something did happen. My drive died within 3 weeks of purchasing it. Nice. I wrote to OCZ and told them my situation about the nature of the work I do and that I've got potentially sensitive information on it that I cannot afford to have recovered. Per my forensics colleague's suggestion (apparently, the large hard drive makers do this), I asked OCZ if I could return the cover of the drive in hopes that rendering it mostly useless would be enough for me to get a replacement.

OCZ's Technology Forum Support Manager promptly replied: no can do. They needed the drive back to replace it or refund my money. So, I ended up losing close to $200 plus a good 5-6 hours worth of my time buying a new SSD drive and rebuilding my system. Tough lesson learned.

FYI, I bought a Samsung SSD (love it!) and suggest you do the same.

Thursday, September 15, 2011

Your organization vs. BP: what will faulty decisions lead to in your business?

Imagine a scenario where poor management, failure to take appropriate action, personnel changes and miscommunication about who's responsible for what leads to a catastrophic event at your business? That's exactly what the findings were of the BP oil spill.

Sadly, 11 people died because of this incident. Luckily, our line of work isn't quite so risky but your business can still get in a bind when information security is mismanaged.

Here's a link to articles, podcasts and webcasts I've written/recorded on the management's link to information security and a few more bits on how to sell people on information security and keep them on your side to help prevent poor management decisions in the first place.

Wednesday, September 14, 2011

NetIQ's file integrity monitoring solution

A couple of weeks ago, I had the privilege of speaking at the Information Week / Dark Reading Virtual Trade Show How Security Breaches Happen and What Your Organization Can Do About It.

In my presentation How to Win the War Against Cybercrime, I apparently had a brain-cramp moment and said that I'm not seeing anybody with good file integrity monitoring. Um, duh, Kevin (as I smack myself in the face), the very vendor who sponsored my session, NetIQ, has such a solution. It's called NetIQ Change Guardian. Sadly (stupidly), I knew this and don't know why I said what I said. I just wanted to set the record straight. Jill and Renee at NetIQ: thanks for keeping me on my toes. :-)

In case you missed the virtual tradeshow, I believe you can still register for it and listen to the recording. Lots of good info - not because of me, but because of the caliber of other IT and information security speakers they had on board. In fact, I was duly impressed by Steve Kovsky - the moderator for my session. I aspire to be able to speak that well one day.

Anyway, check out the virtual tradeshow and NetIQ's offerings. Both quality stuff.

Tuesday, September 13, 2011

Stephen Covey's insight applies to information security

I love the following quote...very applicable to what we do:

"You can't talk yourself out of a problem you behave yourself into." - Stephen Covey

Okay, you may be able to talk your way out of bad security decisions with the right attorneys or a cybersecurity insurance policy. Having worked cases involving data breaches, compliance and intellectual property, I can say that it won't be a short-lived, inexpensive or painless ordeal.

Monday, September 12, 2011

Speaking in Boston @ the CDW + TechTarget security seminar next week

I hope you'll have a chance to join me in Boston next week when I'm speaking at the TechTarget / CDW seminar: Predictive Security: Plan Ahead to Stay Ahead of the Next Threat.

Boston, like several other upcoming events, is a 2-track seminar where I'll be giving the keynote and splitting the breakout sessions with my friend and roadshow colleague Pete Lindstrom among other vendor experts. [sidenote: Pete's the real draw at these events, I'm just there to fill in the gaps....seriously, he's good.] After the keynote, breakout sessions of your choosing and a great lunch, we all get back together around 2pm and close out with a lively Q&A for which we've gotten great feedback.

If you can't make the Boston event or one of the other 2-trackers in Philly or New York this fall, I'll be leading two 1-track events in Phoenix and Raleigh coming up shortly as well.

Here's a sampling of audience feedback of my keynote and three breakout sessions at recent shows:
  • Very good information, Great speaker
  • Well laid-out, solid points/arguments, encouraged involvement
  • Super
  • Informative, broad, excellent!
  • Mobile devices discussion was very good and insightful
  • Informative and aligned with current issues
  • Great - Clear - Real-time Current examples of industry security
  • Good intro keynote
  • Knowledgeable and personable
  • Kevin does a great job - Good choice
  • Very real life knowledge not just preaches - He feels the pain, that is great! What an honor to attend!!!
  • Current real life examples is the best information that can ever be given at any seminar. A+++
  • Lots of good group discussion
  • Plenty of great examples, specific tools, crowd discussion, etc. Plenty of good info to take back
  • Best of the day. Most valuable. Good discussion.
  • Kevin's presentation was great
  • Very relevant - focused on concerns that most of us seemed to have about mobile security
  • Kevin is a great speaker/teacher
  • Learned lots - Had a great time - Thank you! Very Much!
  • Good technical info, plenty of things to take back for further use or investigation. Not too much kool-aid/sales pitches.
  • The content was good. I'm not a security guy so my interest is limited. It was at a good level of complexity
  • Although I was not here all seminar, what I saw was good - need more 1 day seminars
  • More relevant to my job function that I had anticipated -- thanks!
  • Security is a concern of upper management - This seminar provided me good information to take back to the organization
  • Loved the fact that you gave us tools
  • Great insights again - thanks for sharing some of the tools and hacks
  • Liked location; kevin is a very good speaker
  • Multi-tracks are a great idea! Continue with panel discussions/Q&A in future seminars
  • More speakers like Kevin Beaver

Hope to see you there!

Microsoft Exchange Data Retention, Incident Response & Other Gotchas

Depending on where you're at with your Exchange "maturity model", here are a few pieces I've written for about Microsoft Exchange security oversights, policies and plans to help you along the way:

How to write an effective data retention policy for Exchange

Solidify Your Exchange Server Incident Response Plan

Common Exchange Security Oversights


As always, be sure to check out for links to my additional information security articles, whitepapers, podcasts, webcasts, books and more.