You can't secure what you don't acknowledge.SM

Friday, October 21, 2011

Users making security decisions is your Achilles' heel

I recently came across some content in a book outlining the benefits of SSL. The author depicted a scenario in which SSL is in place to help the user authenticate the server/site he's connecting to: if a certificate-related error pops up in the browser, the user would know the site is malicious and (presumably) not continue with the connection. Never mind that a certificate error only tells the user the browser couldn't validate the certificate (an expired or misconfigured cert looks the same as an attack) and that most users have been trained by years of benign warnings to click through them. This very situation is an example of how we assume/presume/hope that users are always paying attention and will do the right thing with security.

What do you think would happen with the average user in this situation? I'm confident that most people would think nothing of it, click past any pop-up warnings and continue about their business. Why? Well, that's what people do. And that's the very problem we have with information security today.

No doubt, we have to balance security with convenience and usability, but the moment we allow users to make security decisions - especially ones that could involve phishing and related malware attacks - we open our networks up to complete compromise. This goes along with something I've been saying recently: Your network is only one click away from compromise™ [my new trademark ;-)].

Training, technology - you name it, nothing is 100% certain other than the fact that you have this risk in your business this very moment; guaranteed. I'm not convinced we're ever going to get past this.

Tuesday, October 18, 2011

Keynoting the NKU 2011 Security Symposium next week

If you happen to be in the Cincinnati, OH area next Friday, October 28th, I'd love it if you could join me as I give the keynote presentation for the Northern Kentucky University 2011 Security Symposium. I'll be talking about mobile security problems and solutions, and it looks like they've lined up tons of great content and speakers.

Hope to see you there!

Monday, October 17, 2011

Dan Wheldon's crash a harsh reminder

IndyCar lost a great driver yesterday. When I first heard of Dan Wheldon's crash and death I couldn't believe it. I'm a big IndyCar fan and felt like I knew him - especially with the commentary he has been providing on Versus' coverage of IndyCar this year.

Driving a race car myself - albeit at a *much* different level - I can't help but question the risks of what I do. Seeing these types of incidents rattles me to the core. It's certainly easy to say: Well, Dan knew the risks every time he got into his car...maybe, but it doesn't make it any better, nor will it bring back the driver, husband and father we lost yesterday.

I'm letting this incident serve as a reminder of just how fragile life can be and how important it is to spend quantity time with the ones I love. Something most of us probably need to work on.

Rest in peace Dan and God bless you and your family.