You can't secure what you don't acknowledge.SM

Sunday, December 9, 2012

What do credibility, BYOD, & mobile security have in common?

They're the topics of three new pieces I've written!

I can't believe I've been writing more than ever lately but haven't kept up with my posts accordingly. In the interest of catching up, here's some new content I've written on mobile security, BYOD, and IT/security careers:

Credibility is the cornerstone of your career

As BYOD, cloud change networking, VPN management still indispensible

Top 10 reasons we have our heads in the sand over mobile security

By the way, you'll need to register with TechTarget to access the content but their membership is worth it - lots of great resources on practically every IT topic imaginable.


As always, check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Monday, November 26, 2012

Fix for painful authenticated web vulnerability scans requiring MFA

Authenticated web security scans are one of the most frustrating parts of web security assessments. I mean they're downright painful, oftentimes seemingly impossible - especially if multi-factor authentication (MFA) technology is in use. Yet authenticated scans are critically important. It's scary how many times I uncover serious flaws (e.g. SQL injection) while logged in as a typical user of a web site/application. That is, if I can get my web vulnerability scanners to log in and work properly!

Side note I have to bring up: I hate to think how many web security flaws are overlooked because people aren't testing their applications as authenticated users. Who am I to question it...

You see, the problem is that web vulnerability scanners are often tripped up by form-based logins. Why? Because they struggle to determine and maintain session state (the browser's/scanner's ongoing communication with the web application). Newer web technologies such as Flash and AJAX are big contributors to the problem, but web applications using MFA can be especially troublesome.

During a recent web security assessment, I struggled - hours on end - to get two different commercial vulnerability scanners to work with Oracle's Bharosa multi-factor authentication technology. I literally lost a day's worth of work trying to get these scanners to record login macros and properly maintain their session state so they could complete their scans.

What a frustrating scenario. The solution was simpler than I thought it'd be. I ended up using a third scanner - NTOSpider, which I've leaned on before to get me out of a bind in such situations - and it worked like a charm! What took me 6+ hours of pain and hassle with the other scanners (with no results, mind you), took just 6 minutes with NTOSpider.

I recorded the login macro, tested it, and got the scan rolling. It was amazingly simple. Given how much NTOSpider got logged out and had to log back in to the application, I could tell it was struggling a bit to maintain state, but it still WORKED! NTOSpider's feature that shows whether or not the scanner is currently logged in to the application is especially nice in these situations.

Side note I have to bring up: I can't imagine how many web security scans are deemed "complete" when they, in reality, failed to authenticate and properly test the application. I suspect this is a huge problem that's being overlooked all the time and people wonder why their web applications are hacked. Who am I to question it...

I'm a big advocate of using multiple scanners when testing web applications...just not in this context! But you've got to do what you've got to do in order to get good results. If you're testing web applications as authenticated users (you should!) and end up struggling to get your login macros to work, know that NTOSpider might just get you out of a bind like it did for me. Or, if it's one of your main scanners, prevent these problems in the first place.

Whether your applications use MFA, form-based logins, or good old-fashioned NTLM pop-up windows, just make sure you're using multiple scanners to test your web applications as they all tend to find unique flaws you probably can't afford to overlook. Oh, and never rely on scanners that and you'll surely get bitten.
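The "am I still logged in?" decision the post keeps coming back to is something you can check for yourself rather than trusting a scanner's "complete" status. The following is an added example written for this page, not NTOSpider's or any other vendor's code: it classifies each response as authenticated or not using the usual signals (401/403, a bounce to a login URL, a password field in the body, an expired session cookie, presence of a logout control), replays a hypothetical `login_macro` hook once when state is lost, and records which pages were actually tested while authenticated. The `Response` class, `login_macro` hook, hostname `app.example`, cookie name and all sample responses are constructed for the example.

```python
"""Session-state check for authenticated web scanning.

Added example (not NTOSpider's or any vendor's code). It models the decision
a scanner must make on every response: am I still logged in? If not, replay
the login macro before continuing, and keep a record of which pages were
actually tested while authenticated. All responses below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Response:
    url: str                      # final URL after any redirects
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# Heuristic signals that the application has dropped the session.
LOGIN_PATH_RE = re.compile(r"/(login|signin|logon|auth)\b", re.I)
PASSWORD_FIELD_RE = re.compile(r"""<input[^>]+type=["']password["']""", re.I)
# Positive evidence: a logout control is only rendered for logged-in users.
LOGOUT_MARKER_RE = re.compile(r"\b(logout|sign out)\b", re.I)


def is_logged_in(resp: Response, session_cookie: str) -> bool:
    """Return True if the response looks like it came from an authenticated session."""
    if resp.status in (401, 403):
        return False
    if LOGIN_PATH_RE.search(resp.url):          # bounced back to the login page
        return False
    if PASSWORD_FIELD_RE.search(resp.body):     # login form served again
        return False
    set_cookie = resp.headers.get("Set-Cookie", "")
    if set_cookie.startswith(session_cookie + "=") and (
        "Max-Age=0" in set_cookie or "=deleted" in set_cookie
    ):
        return False                            # server expired our session
    return bool(LOGOUT_MARKER_RE.search(resp.body))


@dataclass
class ScanCoverage:
    authenticated: List[str] = field(default_factory=list)
    unauthenticated: List[str] = field(default_factory=list)
    relogins: int = 0


def track_scan(responses: List[Response], session_cookie: str,
               login_macro: Callable[[Response], Optional[Response]]) -> ScanCoverage:
    """Walk the scanner's responses; on lost state, replay the login macro once.

    `login_macro` is a hypothetical hook: given the failed response it
    re-authenticates, re-requests the intended page and returns that
    response, or None if re-login did not help.
    """
    cov = ScanCoverage()
    for resp in responses:
        if is_logged_in(resp, session_cookie):
            cov.authenticated.append(resp.url)
            continue
        cov.relogins += 1
        retry = login_macro(resp)
        if retry is not None and is_logged_in(retry, session_cookie):
            cov.authenticated.append(retry.url)
        else:
            cov.unauthenticated.append(resp.url)   # report this, not "scan complete"
    return cov


# Constructed sample run: a normal page, a bounce to the login form, another
# normal page, and a 403 that no amount of re-login will fix.
SAMPLE_RESPONSES = [
    Response("https://app.example/account", 200, body='<a href="/logout">Logout</a> Welcome back'),
    Response("https://app.example/login?next=/orders", 200, body='<input type="password" name="pw">'),
    Response("https://app.example/orders", 200, body='<a href="/logout">Logout</a> Orders'),
    Response("https://app.example/admin", 403, body="Forbidden"),
]


def demo_login_macro(failed: Response) -> Optional[Response]:
    """Constructed stand-in for a recorded login macro."""
    if failed.status == 403:
        return None                             # authorization, not authentication
    target = failed.url.split("next=")[-1] if "next=" in failed.url else failed.url
    if target.startswith("/"):
        target = "https://app.example" + target
    return Response(target, 200, body='<a href="/logout">Logout</a> recovered')


def run_demo() -> ScanCoverage:
    return track_scan(SAMPLE_RESPONSES, "JSESSIONID", demo_login_macro)


if __name__ == "__main__":
    cov = run_demo()
    print(f"tested authenticated: {len(cov.authenticated)}, "
          f"not authenticated: {cov.unauthenticated}, re-logins: {cov.relogins}")
```

The point of the `unauthenticated` list is the second side note above: a scan that quietly spent most of its time logged out should be reported as incomplete, not as clean. The 403 case shows the other trap, a page that re-login cannot reach because the problem is authorization rather than authentication; it still belongs in the report.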

Tuesday, November 13, 2012

Are you doing enough to protect your secrets? It's unlikely.

If the person who heads the CIA can't keep his "secrets", nothing's secret. It's as simple as that.

What are you doing to ensure your intellectual property is protected?

Lawyers will claim their contracts are enough. Management will leave their heads in the sand and claim their IT folks are handling it. Neither is enough.

Fix the silly/ridiculous/inexcusable low-hanging fruit on your network and then put the proper technologies and procedures in place to build things out from there. No matter how much money you've spent, how good your IT staff is, and how much you trust your employees, there's always room for improvement.

Wednesday, October 10, 2012

Arguing for infosec's limitations

Here's a powerful information security-related quote that underscores many of the challenges we face:

"Some men have thousands of reasons why they cannot do what they want to, when all they need is one reason why they can." -Willis R. Whitney

Is your management on board with security or not? They're either part of the solution or part of the problem. It's up to you to take the appropriate steps to convince them that information security is better than the alternative.

Thursday, October 4, 2012

Calling all executives and managers...

For all those who don't quite "get" information security...You've heard the saying: It's not what happens to you in life that is important - what matters is how you react to what happens.

Don't let this be your mantra for managing information risks!

It DOES matter what happens to you...figure out where you're weak and don't let it happen. Oh, and, have a Plan B.

Tuesday, October 2, 2012

Tuesday, September 25, 2012

Be it in healthcare or infosec, the short term is for losers

With all the doctor & hospital visits I've gone (and am still going) through with family members in the past few years, I've come to the conclusion that many (most?) healthcare providers - especially those smart doctors society holds on a pedestal - absolutely cannot see the big picture. They can't think past the appointment time slot in which they're currently working, much less next year and beyond.

Adding to the problem, the left hand never talks to the right so everyone is engaging in their own area of "expertise" yet nothing gets done at a higher level and the patient is the one who ends up suffering because of this approach. Here's an example of what I'm talking about...this is the hospital meal that my father received after going in for a suspected heart attack:

The Dinner of Champions

What's wrong with this picture!? Luckily, for us, it ended up being symptoms from a hiatal hernia. Whew. But still...? Come on healthcare professionals! Hey, at least our beloved Obama is going to fix this...(ha!).

The problem of not seeing the big picture is very common among business execs and even many IT professionals who just don't get what information security is all about. We see it everywhere, especially when data breaches occur...But we also see it when our own peers claim the sky is falling because of the latest Adobe Reader zero day exploit or the Web interface on someone's printer is susceptible to CSRF. Amazing....sad.

The desire for immediate gratification leads to a lot of bad choices. Ask any success/achievement expert and he or she will tell you that the lack of time perspective is one of the greatest problems in society - arguably the one thing that holds people back the most. It certainly has an impact on IT and information security.

If you want to stand out among the noise and the ignorance associated with IT and information security, think long-term in all the decisions you make. Don't expect short-term perfection in your security program. Instead, aim for incremental improvements over time. The missing link is actually making those incremental improvements over time...As Henri Frederic Amiel once said, “The person who insists upon seeing with perfect clearness before he or she decides, never decides.” This is no doubt the root cause of the problems we can't seem to solve.

Tuesday, September 11, 2012

GoDaddy: 'Malfunction' as the new scapegoat?

We've been hearing about 'computer glitch' for a while. That's what the talking heads on the news always cite when something goes awry with a computer system. Perhaps 'malfunction' is the new scapegoat? That's the route GoDaddy is taking. They say it was a 'malfunction', not hacking, that took them and presumably hundreds of thousands (millions?) of other systems offline for hours yesterday.

I'm sure it had nothing to do with poor planning...or people making bad choices. That'd be too simple...and too responsible. It's easier to blame computer problems on the obscure - something that can't be understood - much less proven - by the general population, even forensics analysts.

Calling a network outage a 'malfunction' is similar to how legal counsel encourage executives to refer to security breaches as 'events'. In the end, a business continuity problem is a business continuity problem. It's your responsibility.

Stuff's going to happen. You just have to ask yourself what needs to be done to minimize the impact to your business. Don't wait until the you know what hits the fan to try to figure it out. Here's some material I've written that can help you get started down this path.

Thursday, August 16, 2012

You can't buy security for $1, but some people will fall for it

I recently deposited a check at a giant monster mega bank that's continually trying to sell me new services and the teller asked: "Would you like to buy identity theft protection for just $1 today?"

Wow, you're saying my personal information will be safe and secure for a mere $1...!? Amazing...but no thanks. Sadly, many in management are like the average consumer: they just don't realize what it takes to ensure information security. No it's not just about anti-virus, or firewalls or that little lock thingy in our Web browsers. No, it's about some set of unenforceable policies sitting on a shelf that no one knows about. Nor is it those silly marketing slicks telling us our privacy "rights".

It's not that simple.

Don't you just know that, right now, this very bank has laptops, tablets, smartphones and the like chock full of sensitive information waiting to be exploited in when a loss or theft occurs. The general public doesn't get security...that's why these banks are successful in selling services that people don't need. I'm not's good for our field.

Sadly, consumer ignorance and the unwillingness to question how personal information is handled will be overlooked while, at the same time, many of these very consumers will blame the big evil corporations for trying to make a profit. Who's the real dummy here?

Side note: identity theft protection is not a bad thing to have...Based on what I see in my information security assessment work, I wouldn't dare be without it! Just don't pay for it...Not even $1. Here's some info on how you can get it for free.

Tuesday, August 14, 2012

Aiming for the CISSP? Check out this book.

I recently completed the technical edits for the new book CISSP For Dummies, 4th edition. It's a great book (not because of my contribution!) that I wish I would've had when I was studying for my CISSP test back in 2001. If you're prepping for the CISSP exam or just want to brush up on the fundamental concepts of information security, this book is a must-have. Just keep in mind what I've always said, certifications are only part of the information security career equation.

Interesting side note: Years ago, around the time I first wrote Hacking For Dummies, Wiley approached me to write CISSP For Dummies. I had too much going on at the time so I declined the offer. Now that I see what this book has evolved into, I'm glad I didn't agree to write it! I believe Peter Gregory and Larry Miller did it more justice than I ever could have. Check it out.

Wednesday, August 8, 2012

Pressure washer v. university data center...guess who wins?

Oops, Georgia State University forgot to check their data center for leaks. Okay, I'm not going to pick on my friends at GSU. In their defense you cannot - in any way, shape, form or fashion - predict or plan for every possible disaster recovery/business continuity scenario or outcome. But a threat exploiting a weakness that knocks phones and Internet access out for five hours, this is a great example. Add it to your list.

Tuesday, July 24, 2012

This week's webcast on common sense security

Join me and Phil Owens of GFI tomorrow (Wednesday July 24, 2012) as we wax poetic about what it really takes to have a reasonable layered security defense against malware:

Defense in Depth: The Layered Approach to IT Security 
Crashed systems, data theft, decreased productivity, revenue loss, reputation loss – today’s malware threats can cause critical damage to your business. IT professionals, now more than ever, need a method of in-depth protection to effectively defend their information, devices and network. They need layered security.

Watch this Ziff Davis B2B webcast to determine if your current security measures are doing enough. Phil Owens of GFI and independent information security expert Kevin Beaver of Principle Logic will provide insight into:
  • How malware can impact your business
  • The latest malware attack vectors
  • The importance of employee education
  • Why you need layered security
I hope you'll consider joining in! You can register here.

Interesting quote on human psyche that relates to infosec

I just saw the following quote from publisher Malcolm Forbes that underscores the very essence of the problems we see in information security, business and life in general:

"Too many people overvalue what they are not and undervalue what they are."

Indeed, so many people want to control or break down (they're one and the same) others because their own lives are out of control. They simply don't believe in themselves. Like how exercise and good nutrition translate to healthy living, the problems we face are solved by simple means. It's a matter of choice.

Tuesday, July 10, 2012

With all the recent hype and hoopla over Windows 8 and Server 2012, I thought I'd throw my two cents into the Microsoft analysis. Here are some recent pieces I've written that you may be interested in:

Thoughts and considerations around the forthcoming System Center 2012 Configuration Manager

Why the simple Windows 8 Metro interface may not benefit users

Microsoft Security Compliance Manager enhances desktop security

A first look at Microsoft Office 15 features

BitLocker's improvements leave gaps to be aware of

You know the sure to check out for links to all of my information security whitepapers, podcasts, webcasts, books and more. Enjoy!

Monday, July 9, 2012

What NTOSpider offers the appsec world

I feel like I've said it a million times: you cannot rely on just one Web vulnerability scanner. There are simply too many vendors doing too many checks across too many websites and applications. The complexity of what needs to be tested is enormous not to mention the quality of the Web vulnerability scanners on the market (tip: you get what you pay for). Well, NTObjectives' NTOSpider is a perfect example of a tool that's going to find a few, sometimes tons, of additional things that the competition won't uncover. Nice, but it's such a frustrating reality for those of us working in application security.

Having used NTOSpider off and on for nearly a decade, I've found its interface to be very usable. It has some niceties that none of the other scanners have. But, like so many others, it has its frustrating quirks and shortcomings - a few of which I'll include in my upcoming post about "the perfect Web vulnerability scanner".

One of the things that stands out to me is NTOSpider's ability to crawl, effectively, through just about any type of website or application. I spent years with another scanner failing me on some select applications and NTOSpider tackles them with no complaints or questions asked. NTOSpider's reporting is awesome too...lots of different views are available right inside the UI and it also generates PDFs and HTML versions for you to divvy up among the stakeholders. Speaking of reporting, NTObjectives recently announced NTOEnterprise - an add-on that looks promising for bigger shops and those looking to do more in-depth vulnerability management.

NTOSpider has turned up a fair number of false positives for me over the years especially around weak passwords discovered and SQL injection. Even the built-in SQL Invader tool confirmed they didn't exist. These issues have lessened recently but they still take time to validate...and if you've done this enough you know that it's always a buzz kill to see the mac daddy exploits the scanner is alerting to aren't really there after all. It keeps us honest though...and makes us earn our keep. I do hate to think of how many non-technical auditors or compliance managers are running such scans (using NTOSpider or whatever tool) and holding the feet of IT/security/development to the fire for no reason at all.

One of the things I like best about NTObjectives: accountability. Sales and support - even if you need to get top dog Dan Kuykendall involved - are always there and eager to please. You're not going to get that from the big-box guys.

NTOSpider is a good tool to have. If you can afford several Web vulnerability scanners, it should definitely be on your short list. If you go into it with an open mind and an understanding that there is no one best tool, you'll do fine.

Wednesday, June 20, 2012

Want to know the traits of top infosec leaders?

Join me in 24 hours for my webinar with EC-Council (the folks behind the CEH, Certified Ethical Hacker, certification) titled Four Traits of Successful Information Security Leaders.

I'll share with you my experiences and mistakes as an information security leader as well as some observations I've made of those at the top of their game over the past 11 years I've spent working for myself. There will be a Q&A at the end to top it all off.

Check it out. There's no'll just need to sign-up for an account on BrightTALK. Look forward to seeing you there!

Monday, June 11, 2012

Focus on yourself and reap the rewards in IT & infosec

If you're in to big-picture IT and information security stuff like, say, your career and focusing on what matters, here are some new bits I've written for TechTarget and Security Technology Executive magazine that you may be interested in:

Five habits of highly-successful IT pros

Social networking strategies to further your IT career

Five ways to advance your Windows career

Understanding management gets your IT department what it needs

RSA's look at the big picture

Enjoy! As always, check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Thursday, June 7, 2012

The weakness of vulnerability scans that people (sadly) ignore

Those of us who live and breathe information security on a daily basis understand that vulnerability scans are only part of the information security assessment equation. We can't live without them, but as I've outlined here, we by all means cannot rely on them completely.

I was just speaking with a colleague about this and came up with an analogy for our overdependence on external vulnerability scans in the name of PCI DSS, lack of funds to do it right or whatever the excuse du jour: Relying solely on basic unauthenticated vulnerability scans to find all the security problems on your network is like depending on a home inspector to check out your new digs from his automobile on the street. He may be able to find some issues with the porch, roof, siding or driveway - especially if he's got a good set of binoculars - but he's certainly not going to see what's really taking place on the inside. Vulnerability scans are no different, especially in the case of Web applications.

Moral of the story: Don't trust that external vulnerability scans will show you where your network security truly stands. It's shortsighted and will bite you when you least need/expect it. And, if the breach ends up in a lawsuit or going to court, it'll most certainly be brought out by the lawyers and their expert witness that due diligence was started but not performed up to par.

Wednesday, June 6, 2012

Great quote that applies to information security

“Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ‘crackpot’ than the stigma of conformity.” 
– Thomas J. Watson, Jr.

I've found that it's a great way to live your life too. :)

Monday, May 28, 2012

Thank a veteran

Saw this, unsure who wrote it, but I really like it:
  • It is the veteran, not the preacher, who has given you freedom of religion.
  • It is the veteran, not the reporter, who has given you freedom of the press.
  • It is the veteran, not the poet, who has given you freedom of speech.
  • It is the veteran, not the protester, who has given you freedom to assemble.
  • It is the veteran, not the lawyer, who has given you the right to a fair trial.
  • It is the veteran, not the politician, who has given you the right to vote.
  • It is the veteran, who salutes the Flag, who serves under the Flag, whose coffin is draped by the Flag.
Let us not forget why we have what we have. Happy Memorial Day.

Monday, May 21, 2012

Real-life example of people not seeing the big picture

The inability to think long-term, to see the bigger picture consequences of our choices, is no doubt at the root of most information security problems. Here's an example of what I'm talking about...what's wrong with this car?

No, this isn't a race car with Hoosier racing's a street car owned by someone working or shopping at a Wal-Mart who has chosen to drive with improper equipment. Like many people who choose to ignore information security problems, this poor sap won't know what hit him the next time he crosses standing water during a downpour.

We must think before we act or we're doomed to endure the consequences of our choices.

Tuesday, May 15, 2012

IT's malignant narcissism and what you can do to rise above the noise

IT department optimism does not translate into IT department budget. That's what Jonathan Feldman wrote about in this Information Week piece. Their study provides lots of interesting insight into how many working in IT see things compared to, well, the rest of the business. I'm not surprised.

While we're on the subject, I've recorded a video on IT's role in fixing this problem and wrote a new piece for TechTarget's site on why understanding management gets your IT department what it needs.

If you're going to move ahead - heck, even just survive - in IT, it's critical to understand how the desire for gain or fear of loss are at the basis of every "sale" you make. Stop thinking of yourself as an IT person and, instead, as a business professional who's helping the business move forward and accomplish its goals by leveraging IT.

Friday, May 11, 2012

Web application security assessment war stories

I spend a lot of time performing Web security assessments and every project is a neat learning experience for me. I'm always eager to share my Web security war stories, what to do and what NOT to do so here are some new pieces you may be interested in...From exploiting Web vulnerabilities to IT geek speak and a bunch of stuff in between, I hope there's something here for you:

The Value of Web Exploitation

Web Application Firewalls and the False Sense of Security They can Create

Not All Web Vulnerabilities Are What They Appear to Be

The One Web Security Testing Oversight You Don’t Want to Miss

IT Geek Speak and What Management Really Needs to Hear


As always, check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Thursday, May 10, 2012

New video: The things my most secure clients have in common

Quote on reasoning with the unreasonable and why character is critical

Be it executives with their heads in the sand over security or know-it-all propeller heads who can't see the big picture of business risk, I've found that you just can't reason with the unreasonable. Here's something that Robert Schuller said that underscores the issue and helps us understand why being the bigger person is most important:

"People are unreasonable, illogical and self-centered. Love them anyway. If you do good, people will accuse you of selfish ulterior motives. Do good anyway. If you are successful, you will win false friends and true enemies. Succeed anyway. Honesty and frankness make you vulnerable. Be honest and frank anyway."

Speaking of principles and character, I read a recent article by Larry Reed in the Atlanta Business Chronicle titled Character: Nothing is more important. This one piece sums up what I believe it truly takes to be successful in IT and information security. I especially like the part where Mr. Reed says "Integrity is more important than all the degrees you’ve earned, all the management courses you could possibly take, and all the knowledge that you could absorb on any subject." I couldn't agree more.

Focus on these things and you'll see that there's a vast conspiracy out there to make you successful.

Thursday, May 3, 2012

Video: The (partial) solution to information security denial

The funny thing about iPhones & airplane toilets

My Delta co-passengers and I recently had the opportunity to experience a near 1-hour flight delay due to, none other than, some dude dropping his iPhone into the aft toilet on our fancy Boeing 757. I'm not making this up...

Yep, there we were sitting at the gate and this guy comes up to the flight attendants to ask for some help getting his iPhone out of the crapper. Yuck! The captain got involved, and then maintenance, and then all the ensuing paperwork.

This incident reminded me of when the authorities shut down an interstate when some dude is threatening to jump from a bridge above. Imagine the economic impact. Few think about that...But thanks to the ever so brave maintenance man, the passenger ended up getting his "$900" iPhone back. He said he had insurance on it and needed it to be able to get a new one. Reasonable argument I suppose...if you're a hazmat kinda guy.

I feel for the poor sap at AT&T who takes it back not knowing where it's been.

I bring this up because it's a scenario that could very well play out in your enterprise. I'm not so sure that anything could be recovered from a phone after being immersed in a toilet...but you never know, especially if the phone has a Micro SD card for external storage (i.e. BlackBerry & Android-based devices).

Will your employees know what to do in this type of situation? Will it matter if the device is personally-owned versus business-owned? You need to develop a stance on this and integrate it into your mobile security policy. Oh, and let everyone know about it. Will you need to enact any sort of incident response procedures or data breach notification? (I can hear it now: "Sorry Mr. or Mrs. Customer, we've had a craptacular situation involving your data that you need to know about...")

It was a funny situation. Crappy jokes aside, this is certainly something to think about for your own business.

Wednesday, April 25, 2012

My webcast on software source code analysis

Here's a recent webcast I put together with the folks at Checkmarx (makers of a dandy source code analyzer) that you may be interested in:

The business value of partial code scanning


Monday, April 23, 2012

How are you spending your time?

Not long ago I had a conversation with a colleague of mine who's also a consultant. We were discussing the topic of how, even with today's shaky economy, people still goof off on the job as if they had nothing to lose.

Are you seeing this too?

I wrote about this phenomenon over three years ago. Funny how not much changes internally given all the external forces pressing down on us.

Not being willing to do whatever it takes to become - and remain - a valuable asset to your business is a sure-fire way to get axed when big decisions are being made. Trust me, I learned this lesson the hard way working for a previous employer before I went out on my own.

I recommend continually asking yourself: What's the most valuable use of my time? I often find the answer to be something else other than what I'm currently doing. We all struggle with this. We're only human. It's the people who learn and overcome that move to the head of the pack.

In case you're interested, check out the additional articles I've written on time management and IT careers and even a couple of audiobooks that can help you boost your current career situation.

Monday, April 16, 2012

Basic features of WebInspect - the kind of stuff great scanners are made of

Wondering what helps minimize the pain, stress and time required to run effective Web vulnerability scans? It's the things you can see in the toolbar of HP's WebInspect:

  • Start/Resume, Pause - because you're going to need to pause and resume your scans at some point.
  • Rescan - because you're going to want to re-run the scan again or re-test for the flaws uncovered previously.
  • Compare - because you're going to have a need to compare results for remediation validation testing, etc. eventually.

If you do this work enough, these types of vulnerability scanner features can have tremendous payoffs over the long haul.
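The Compare feature is the one most worth understanding, because "did the fix actually work?" is the question every rescan has to answer. The following is an added example written for this page, not WebInspect's own Compare implementation: it keys each finding on a normalized URL, the parameter and the check name, splits two runs into fixed, new and persisting findings, and summarizes the fix rate and the worst issue still open. The `Finding` class, host `app.example` and all sample findings are constructed for the example.

```python
"""Diffing two scan runs for remediation validation.

Added example (not WebInspect's Compare feature). Findings are keyed on a
normalized URL, the parameter and the check name so the same issue lines up
across runs even when the scanner reports the URL slightly differently.
Sample findings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit, urlunsplit

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop the fragment and any trailing slash."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


@dataclass(frozen=True)
class Finding:
    url: str
    parameter: str
    check: str
    severity: str

    def key(self) -> Tuple[str, str, str]:
        return (normalize_url(self.url), self.parameter, self.check)


@dataclass
class ScanDiff:
    fixed: List[Finding]        # in baseline, gone in rescan
    new: List[Finding]          # in rescan only (regression or new coverage)
    persisting: List[Finding]   # still present


def compare_scans(baseline: Iterable[Finding], rescan: Iterable[Finding]) -> ScanDiff:
    base = {f.key(): f for f in baseline}
    after = {f.key(): f for f in rescan}
    return ScanDiff(
        fixed=[base[k] for k in sorted(base.keys() - after.keys())],
        new=[after[k] for k in sorted(after.keys() - base.keys())],
        persisting=[after[k] for k in sorted(base.keys() & after.keys())],
    )


def remediation_summary(diff: ScanDiff) -> Dict[str, object]:
    """The numbers a stakeholder wants: fix rate and the worst issue still open."""
    still_open = diff.persisting + diff.new
    worst = max(still_open, key=lambda f: SEVERITY_RANK.get(f.severity, 0), default=None)
    total_original = len(diff.fixed) + len(diff.persisting)
    return {
        "fixed": len(diff.fixed),
        "new": len(diff.new),
        "persisting": len(diff.persisting),
        "fix_rate": len(diff.fixed) / total_original if total_original else 1.0,
        "worst_open": worst.severity if worst else None,
    }


# Constructed: the baseline scan and a rescan after the developers' fixes.
BASELINE = [
    Finding("https://app.example/login/", "username", "SQL Injection", "High"),
    Finding("https://app.example/search", "q", "Reflected XSS", "Medium"),
    Finding("https://app.example/", "", "Missing HttpOnly flag", "Low"),
    Finding("https://app.example/export", "format", "Path Traversal", "High"),
]
RESCAN = [
    Finding("https://App.Example/login", "username", "SQL Injection", "High"),  # cosmetic URL change only
    Finding("https://app.example/", "", "Missing HttpOnly flag", "Low"),
    Finding("https://app.example/profile", "bio", "Stored XSS", "High"),        # new since baseline
]


if __name__ == "__main__":
    d = compare_scans(BASELINE, RESCAN)
    for label, items in (("fixed", d.fixed), ("new", d.new), ("persisting", d.persisting)):
        print(label, [(f.check, f.url) for f in items])
    print(remediation_summary(d))
```

Without the URL normalization the SQL injection finding would show up as "fixed" in one run and "new" in the other, which is exactly the kind of false remediation claim that ends up in a status report. Anything the rescan reports that a fix was supposed to remove belongs in the `persisting` list, to be retested by hand.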

Sunday, April 8, 2012

Disk encryption for HIPAA + HITECH & why BitLocker may not be the solution

I'm finally back in the swing of things after taking some time off for Spring Break. I hope you're enjoying your Spring as well.

Here are two articles I've recently written about full disk encryption...arguably the greatest missing link in any given business's information security program.

Things you need to think about regarding disk encryption and data protection for HIPAA and HITECH

BitLocker’s improvements leave gaps to be aware of


As always, be sure to check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Saturday, March 31, 2012

Video: Don't worry about your title, focus on this instead

My thoughts on why you need not worry about how people address you. [Hint: it's not about you.] There are bigger things to be concerned with.

Wednesday, March 28, 2012

This is your crazy JetBlue captain speaking

Anyone is capable of doing anything...that's what comes to mind when I think about the JetBlue captain going mad on a flight yesterday. Here's what I know...Just because someone has passed a background check, has good references and has created a good track record for himself doesn't mean he's not capable of flying off the hook and doing bad things. This applies to pilots as in this situation and it applies to your own users when it comes to information security.

Sadly, as with doctors, law enforcement officers and the like, we typically hold pilots on pedestals without question. These are the people we look up to assuming they're well put together and always doing good things. This is not always true. We have to trust, but verify...yet still, we never really know. I'm just glad the JetBlue co-pilot and passengers executed a worthy backup plan. Great reminder we always need a Plan B...especially today if you work in JetBlue's PR department.

Thursday, March 22, 2012

Don't underestimate the value of firewall rulebase analysis

Are firewalls sexy? No...but you must understand that they're an integral part of your overall information risk equation. From configuration flaws to rulebase anomalies to overall system inefficiencies, your firewall rulebases can make or break security, business continuity and other critical parts of your IT operations.

Last week, AlgoSec's Nimmy Reichenberg and I recorded a webinar titled How to Automate Firewall Operations, Simplify Compliance Audits and Reduce Risk that you may want to check out. It's not salesy or filled with marketing fluff. It's more of us having a conversation about some common firewall security and management oversights and what needs to be done to rein in the problems.

I'm a believer in firewall rulebase optimization. I've seen mis-managed and under-secured firewalls do everything from taking down an entire enterprise's operations for hours on end to exposing critical network flaws to the outside world. I'm working on such projects right now and I'm pretty sure every network - every firewall - that hasn't been properly reviewed and that isn't being properly managed has these same risks present at this very moment.

Check out our discussion and see if you think there's a fit for better firewall oversight in your enterprise. You can't change what you tolerate in IT...acknowledge the issues that are hidden in your environment and vow to do something about them once and for all.
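To make the "rulebase anomalies" point concrete, here is an added example (my own illustration, not code from the webinar or from AlgoSec) of the two checks every rulebase review starts with: a rule that is never reached because an earlier rule already matches everything it would match (shadowed if the actions differ, redundant if they are the same), and the catch-all any/any allow that someone added "temporarily". The rule format and the sample rules are constructed for the example; real firewalls need a parser for their own export format, but the matching logic is the same.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One rulebase entry. src/dst are CIDRs or "any"; proto/port are literals or "any"."""
    name: str
    src: str
    dst: str
    proto: str
    port: str
    action: str  # "allow" or "deny"


def _net_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def _field_covers(outer, inner):
    """Same idea for scalar fields (protocol, port)."""
    return outer == "any" or outer == inner


def rule_covers(a, b):
    """True if every packet matched by rule b would already have matched rule a."""
    return (_net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)
            and _field_covers(a.proto, b.proto) and _field_covers(a.port, b.port))


def analyze(rules):
    """Walk the rulebase in order and return (finding, rule, earlier_rule) tuples."""
    findings = []
    for i, rule in enumerate(rules):
        if (rule.src == "any" and rule.dst == "any" and rule.port == "any"
                and rule.action == "allow"):
            findings.append(("any_any_allow", rule.name, None))
        for earlier in rules[:i]:
            if rule_covers(earlier, rule):
                # Same action: the later rule can never add anything (redundant).
                # Different action: the later rule is dead, its intent is defeated (shadowed).
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.name, earlier.name))
                break
    return findings


# Constructed sample rulebase for the example (not a real customer's rules).
SAMPLE_RULES = [
    Rule("allow-web", "any", "10.0.1.0/24", "tcp", "443", "allow"),
    Rule("allow-web-host", "any", "10.0.1.10/32", "tcp", "443", "allow"),
    Rule("deny-db-from-guest", "192.168.50.0/24", "10.0.2.0/24", "tcp", "1433", "deny"),
    Rule("allow-db", "192.168.0.0/16", "10.0.2.0/24", "tcp", "1433", "allow"),
    Rule("temp-any-any", "any", "any", "any", "any", "allow"),
    Rule("deny-telnet", "any", "any", "tcp", "23", "deny"),
]

if __name__ == "__main__":
    for kind, name, earlier in analyze(SAMPLE_RULES):
        print(f"{kind:14} {name}" + (f" (covered by {earlier})" if earlier else ""))
```

Run it and you get the three things a reviewer would flag in that rulebase: the host-specific web rule is redundant, the "temporary" any/any allow is a hole, and the telnet deny underneath it is shadowed and never fires. Note that `deny-db-from-guest` is correctly left alone: the later `allow-db` is broader than it, so the deny still carries the guest subnet.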

An interesting Microsoft tool to help with data classification

Have you ever heard of Microsoft's Data Classification Toolkit for Windows Server 2008 R2? Me neither. But it may be worth taking a look at. The lack of data classification and proper retention is at the core of many IT risks, not to mention legal and compliance issues. You can't secure (or protect, or retain, or dispose of) what you don't acknowledge.

If the Data Classification Toolkit is anything like Security Compliance Manager, it may well be worth checking out. It's free...and if you don't have any other tools or means to get your arms around data classification, why not start with it? Could provide a good segue into better security controls as a whole.

Monday, March 19, 2012

Neat tools to seek out sensitive files on laptops & websites

"Oh yeah, I forgot about all of those files." I've never had a security tool lead to these predictable words regarding sensitive files being stored on unencrypted laptops as much as Identity Finder has. You may have seen Identity Finder in my previous post and related articles and presentations where I've mentioned or demonstrated it. Identity Finder is a commercial product that IT and information security professionals can use to uncover files that are at risk on under-protected laptops - or even across the entire enterprise.

Here's a quick peek of what Identity Finder can uncover on a laptop:

Pretty eye-opening, huh? Especially if you find all of this information on an unencrypted laptop.

Check out Identity Finder. It's one of those good bang for the buck tools that can help you with information discovery, classification, leakage prevention or just to simply make the case that PII or intellectual property are not being protected the way they should be.
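If you want to see why these tools produce that "oh yeah, I forgot" moment, here is an added example (my own illustration, not Identity Finder's code or FOCA's) of the core technique: walk a directory tree, pull candidate Social Security and payment card numbers out of readable files, and throw away card-number candidates that fail the Luhn check so the report isn't full of order numbers and phone numbers. The sample files it creates are constructed for the example; point `scan_tree()` at a real home directory to see what a commercial tool sees.

```python
import re
import tempfile
from pathlib import Path

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits with optional single space/dash separators, e.g. "4111 1111 1111 1111".
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits):
    """Luhn mod-10 check on a string of digits; cuts most card false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return (kind, value) for each SSN-shaped and Luhn-valid card-shaped match."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append(("card", m.group(0)))
    return hits


def scan_tree(root, max_bytes=5_000_000):
    """Scan every readable text file under root; binaries and huge files are skipped."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # not text, or not readable with our rights
        for kind, value in scan_text(text):
            findings.append((str(path.relative_to(root)), kind, value))
    return findings


def mask(value):
    """Show only the last four digits when printing a report."""
    return re.sub(r"\d(?=[\d -]*\d{4}$)", "*", value)


def demo():
    """Build a throwaway tree with constructed sample files and scan it."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "notes.txt").write_text(
            "Employee SSN 123-45-6789, corporate card 4111 1111 1111 1111\n")
        (base / "invoice.csv").write_text("order,4111111111111112,paid\n")  # fails Luhn
        (base / "phones.txt").write_text("Front desk 404-555-1212\n")
        return scan_tree(base)


if __name__ == "__main__":
    for path, kind, value in demo():
        print(f"{path}: {kind} {mask(value)}")
```

The Luhn check is what separates a usable discovery tool from a noise generator: `4111111111111112` in the invoice looks exactly like a card number but fails the checksum, so it is not reported, while the genuine test number in the notes file is.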

There's a related tool I recently came across that you should check out as well called FOCA. FOCA (more specifically FOCA Free) is a data gathering tool you can use to seek out sensitive files on websites you may be testing. It's got a few little quirks but, compared to so many other free tools I try, it actually works. Here's a screenshot of its interface:

I'm convinced that those of us in IT and infosec are no different than surgeons, carpenters or race mechanics. If we don't have the right tools for the task, we're not going to accomplish all we need to accomplish. Consider adding Identity Finder - and FOCA - to your arsenal. They can't hurt!

Thursday, March 15, 2012

Wednesday, March 14, 2012

My upcoming webcast with Checkmarx: How to Use Source Code Analysis to Improve Information Security

Join me next week, Thursday March 22, for a quick webcast where I'll be co-presenting on the topic of source code analysis and how it can improve your information security over time.

I'm convinced that source code analysis is one of the missing links in the overall security process. As I say all the time: you cannot secure what you don't acknowledge. Ignoring security flaws at the source can be bad for business. Performing source code analyses, I've found Web application flaws like hard-coded cryptographic keys and password strings, SQL injection and file manipulation...none of which external penetration testing tools uncovered.
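Those two findings, hard-coded secrets and SQL built by string concatenation, are exactly the ones a black-box scanner cannot see because they never appear in an HTTP response. As an added example (my own, not Checkmarx's engine or the webcast's material), here is the kind of pattern check a source code analysis starts with, run over a constructed Python sample. The patterns are deliberately simple line-level heuristics; a real analyzer tracks data flow so it can tell a tainted value from a constant, but this is enough to show what the pentest tools were missing.

```python
import re

SQL_KW = r"\b(?:select|insert|update|delete)\b"

# (finding name, regex applied to each source line). Constructed for this example.
CHECKS = [
    # password = "literal", api_key: 'literal', etc. (value read from env/getpass does not match)
    ("hardcoded_secret", re.compile(
        r"(?i)(?:password|passwd|secret|api_?key|private_?key|token)\s*[:=]\s*[\"'][^\"']{4,}[\"']")),
    # AWS access key IDs have a fixed, recognisable shape
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # "SELECT ..." + var  or  "SELECT ... %s" % var
    ("sql_concat", re.compile(r"(?i)" + SQL_KW + r".*?[\"']\s*(?:\+|%)\s*[\w(]")),
    # f"SELECT ... {var}"
    ("sql_fstring", re.compile(r"(?i)\bf[\"'].*?" + SQL_KW + r".*?\{")),
    # "SELECT ... {}".format(var)
    ("sql_format", re.compile(r"(?i)" + SQL_KW + r".*?[\"']\.format\(")),
]


def scan_source(text):
    """Return (line_number, finding, source_line) for every line that trips a check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CHECKS:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


# Constructed sample application code for the example (not from any real project).
SAMPLE = '''\
import os, sqlite3
DB_PASSWORD = "Sup3rS3cret!"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
db_user = os.environ.get("DB_USER")

def find_user(conn, name):
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_fmt(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'").fetchall()

def find_user_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()
'''

if __name__ == "__main__":
    for lineno, name, line in scan_source(SAMPLE):
        print(f"line {lineno:3} {name:18} {line}")
```

Note what does not fire: the parameterized `find_user_safe` and the `os.environ.get()` lookup on line 4 are clean, which is the distinction a reviewer wants the tool to make rather than flagging every line containing the word SELECT.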

This stuff is important. We're only asking for 30 minutes of your time. I hope you'll join us. You can register here.

My Atlanta CDW/TechTarget seminar

We had a friendly and larger than expected crowd at our CDW/TechTarget information security seminar yesterday. Thanks to those who came out!

My favorite part of these events is learning new ideas from the participants and the other speakers. In this ever-changing world in which we work, it's hard to keep up and there's certainly no way to know it all. Every little nugget helps.

Looking forward to an even better event next week in Chicago!

Friday, March 9, 2012

My upcoming webcast on firewall management

Join me and AlgoSec's Nimmy Reichenberg next week for a unique discussion on strategies for improving firewall management.

We all know it's the elephant in the room...Today's enterprises have firewalls that are so complex and so fragile yet no one's really taking care of them. Any processes that do exist around rule management, rule changes and firewall risk analysis are often manual - and oh so painful.

I know, I know, firewalls are not all that sexy any more. And why bother them if they're running well and doing what they need to do?

It's not that simple...From strategies to lessons learned, Nimmy and I will share with you just what you need to know to get your firewall house in order. Will you join us? It'll just take an hour of your time and the payoffs can be tremendous.

Check out the following link for more info and to register:
5 Strategies to Improve Firewall Management: How to Automate Operations, Simplify Compliance Audits and Reduce Risk 

Hope to "see" you there next week!

Thursday, March 1, 2012

My final takeaway from #RSAC

I said my farewell to the RSA Conference Tuesday evening but had some final thoughts about the show that I wanted to share with you.

In addition to the keynotes I talked about, I attended a mock trial session involving malware, a digital certificate acquired for ill-gotten gains, and a healthcare company that ignored all things HIPAA (heard that a million times!) as well as a session by HP's Jacob West (an excellent presenter if you ever get a chance to see him) on mobile application security. Both were very well presented.

I had a chance to mingle with long-time colleagues and clients (many of which I met in person for the first time) on the show floor. It was also neat to see my book in the RSA bookstore - very humbling seeing it mixed in with some of the big sellers in our field.

Here's my big takeaway from everything that I saw: it's something you've heard me say before and I'll continue saying it until I retire. It was echoed in every presentation I attended and every bit of marketing literature I read. Be it the overall network, databases, mobile apps, people - whatever - you cannot secure what you don't acknowledge. And so many of us are not acknowledging all the things that matter. So step back, see the big picture, fix the low-hanging fruit (the home-runs), put the proper tools and processes in place and then dig in further over and over again...never letting up.

Overall a really cool show...You've got to go to the RSA Conference next year if you can.

Tuesday, February 28, 2012

Video: #RSAC 2012 is off and running

I'm live at the RSA Conference and here are my thoughts on the first two keynotes along with why you need to come to this show.

Monday, February 27, 2012

Live from #RSAC: Cloud computing's got some kinks (but you knew that)

I'm attending the RSA Conference this week and just sat through a panel discussion on cross-jurisdictional issues in the cloud. It was part of the Cloud Security Alliance Summit 2012.

Here's what I heard: there are tons of considerations around the management, access and even the e-discovery of personal data in the cloud...lots of variables and just as many things still up in the air. I'm convinced that being an information privacy and security savvy attorney is one of the most solid - and likely most lucrative - career paths that IT professionals could take right now.

One of the audience members (apparently a founder of the Unified Compliance Framework) asked the panel why we needed yet another group (the Cloud Security Alliance) establishing yet another set of information security standards when 99.99% of everything that's being touted today is already part of some other regulation, standard or framework. I completely agree and didn't hear any compelling explanations...Everyone wants their piece of the pie I suppose. 

Video: Seeing the big picture in information security

Little has been written about this in the context of information security but it's something you've got to consider in every decision you make:

Friday, February 24, 2012

CDW-TechTarget seminars are back this year - join me in Atlanta soon

Great news - I'll be speaking at the CDW-TechTarget roadshows again this year! Our first show kicks off in Atlanta on March 13th and then we start zig-zagging across the country every few weeks until late September.

For most of the shows I'll be giving two presentations:
Adapting Your Old-School Network Security Agenda to Today's New-School Security Challenges
Ensuring Security Controls in an Anytime, Anywhere Access Environment

There will also be vendor expert sessions and a panel discussion at the end of the morning that I'll be moderating. You'll be out of there by lunchtime.

At a couple of the shows, we'll have two tracks running simultaneously so the day will be a bit longer (lunch included) and I'll be presenting an additional session titled Building Security (and Confidence) in the Cloud.

I hope you'll be able to join me. We got a lot of great feedback on these events last year and I know this year will be even better.

Check out the locations, dates and registration form here. There's no charge to attend if you're selected. See you in Atlanta in two and a half weeks!

Sunday, February 19, 2012

Got compliance on your mind?

I figured you would...It seems everyone does these days. However you look at compliance - be it a threat, a security enabler or just a pain in the rear-end - here are some new pieces I've written that may help:

Our dangerous overdependence on IT auditing

Compliance considerations when disposing old equipment

How Windows Server 8 can help with compliance


Be sure to check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Monday, February 13, 2012

Is it really possible to get users on board with security?

I think so. Here's how.

I don't think that user awareness and training is THE answer to information security like many others believe. I do know that you shouldn't let another year pass without getting your users on board with what you're doing.

Sunday, February 12, 2012

SQL injection cheatsheet & tips for getting management on board

Here's a neat "cheatsheet" on SQL injection by NTObjectives that outlines some common attack strings, commands and so forth. Their SQL Invader SQL injection tool is worth checking out as well.
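To see what those cheatsheet strings actually do once they reach a database, here is an added example of my own (not NTObjectives' cheatsheet or SQL Invader) using Python's built-in sqlite3 module. The "vulnerable" login builds its query by string formatting, so the tautology and comment strings from any SQLi cheatsheet bypass authentication and a UNION string dumps the whole table; the parameterized version receives the identical input and treats it as data. The users and passwords are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory database with two constructed accounts for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "C0rrect-Horse", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """The classic mistake: user input pasted straight into the SQL text."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query, but the values travel as bound parameters, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Cheatsheet-style payloads: tautology, comment-out, and UNION-based data extraction.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "admin'--"
UNION_DUMP = "' UNION SELECT username, password FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("tautology  :", login_vulnerable(db, "nobody", TAUTOLOGY))
    print("comment-out:", login_vulnerable(db, COMMENT_OUT, "whatever"))
    print("union dump :", login_vulnerable(db, "nobody", UNION_DUMP))
    print("safe, same payloads:", login_safe(db, "nobody", TAUTOLOGY),
          login_safe(db, COMMENT_OUT, "whatever"), login_safe(db, "nobody", UNION_DUMP))
    print("safe, real creds   :", login_safe(db, "bob", "hunter2"))
```

Showing management the third line of output, every account's password returned by a login form, usually does more for the budget conversation than any slide about "input validation".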

If you're having trouble selling management on the dangers of SQL injection, check out this piece I wrote about it not long ago:
SQL Injection – The Web Flaw That Keeps on Giving

Ten Ways to Sell Security to Management

Happy hacking!

Friday, February 10, 2012

Video: The one infosec skill you need to be working on

Develop and maintain this one skill and you'll position yourself to be a much more valuable information security professional:

Wednesday, February 8, 2012

Video: My new whitepaper on SQL Server security threats & compliance

Check out my new whitepaper The SQL Server Security Threat - It's closer than you think sponsored by Idera:

What's it going to take for police departments to secure their websites?

Here's yet another story about a police department website being compromised by criminal hackers. When a regular citizen's home address is exposed, that's one thing. But when the addresses of police chiefs are published online, that opens up an entirely new set of risks for their personal safety. Sad. Hey, at least the police chiefs I know are armed and well-trained experts. Would be pretty foolish to try and attack them on their home turf.

As I've mentioned before, you have to test ALL of your websites - marketing site, everything. If it's got an IP address or a URL it's fair game for hacking.

Introducing my information security YouTube channel - PrincipleLogic

Check out my new YouTube channel (

I'm really excited about this. More videos coming soon.

I plan to post video blogs once or twice a week so be sure to subscribe on YouTube or via my RSS feed.


Tuesday, January 31, 2012

Where's your information security focus?

You cannot change facts (e.g. the industry your business is in, the regulations it's up against, the type of sensitive information you're responsible for managing, etc.) but you can change problems (e.g. user behavior, wayward goals, management not on board with security, etc.).

As the philosopher James Burnham once said:
"If there is no alternative, there is no problem." 

In the case of information security, there are tons of alternatives to the issues we face. It's up to us to focus on what counts so we can eventually make a difference.

Friday, January 27, 2012

You cannot multiply security by dividing it - Infosec's relationship with Socialism

I'm not much into urban legends and the like but came across this bit the other day and it really made me think. What a great analogy that impacts all of us both personally and professionally with some interesting information security and compliance tie-ins that I see all the time:

An economics professor at a local college made a statement that he had never failed a single student before, but had recently failed an entire class. That class had insisted that Obama's Socialism worked and that no one would be poor and no one would be rich, a great equalizer. 

The professor then said, "OK, we will have an experiment in this class on Obama's plan". All grades will be averaged and everyone will receive the same grade so no one will fail and no one will receive an A.... (substituting grades for dollars - something closer to home and more readily understood by all). After the first test, the grades were averaged and everyone got a B. The students who studied hard were upset and the students who studied little were happy. As the second test rolled around, the students who studied little had studied even less and the ones who studied hard decided they wanted a free ride too so they studied little...The second test average was a D! No one was happy. When the 3rd test rolled around, the average was an F. 

As the tests proceeded, the scores never increased as bickering, blame and name-calling all resulted in hard feelings and no one would study for the benefit of anyone else. To their great surprise, ALL FAILED and the professor told them that Socialism would also ultimately fail because when the reward is great, the effort to succeed is great, but when government takes all the reward away, no one will try or want to succeed. It could not be any simpler than that. Remember, there IS a test coming up. The 2012 elections. 

These are possibly the 5 best sentences you'll ever read and all applicable to this experiment: 
  1. You cannot legislate the poor into prosperity by legislating the wealthy out of prosperity. 
  2. What one person receives without working for, another person must work for without receiving. 
  3. The government cannot give to anybody anything that the government does not first take from somebody else. 
  4. You cannot multiply wealth by dividing it! 
  5. When half of the people get the idea that they do not have to work because the other half is going to take care of them, and when the other half gets the idea that it does no good to work because somebody else is going to get what they work for, that is the beginning of the end of any nation. 

Not that the big government Republicans are a lot better...The reality is we Americans had better wake up, smell the "change" we're stepping in and learn that no politician, Democrat OR Republican, can make our lives better...only WE can make that happen.

Be it information security, compliance or your personal life...as Og Mandino once said (favorite quote of all time): "Use wisely your power of choice."

Thursday, January 26, 2012

Evanta CISO event and why St. Jude's has it right

This week I had the opportunity and privilege to serve as a panelist on mobile security at the Evanta CISO Executive Summit in Atlanta. What a neat event...It wasn't just another infosec show. It was unique in its focus and well run by Corrine Buchanan and Mitch Evans, who always seemed to have a smile on their faces - something we don't see enough of at these types of shows.

Another highlight was a St. Jude's Children's Hospital video they played featuring Marlo Thomas talking about her father's work with the hospital. She said something about the hospital's mission that stuck in my mind: "Don't just treat kids. Let's try to figure out what makes them sick."

Great approach with an interesting information security tie-in: Don't just throw technologies and policies at security...find out what's actually at risk. Indeed, we have to be smart in using the resources we're given.

Wednesday, January 25, 2012

Complacency, meet APT – How basic oversights lead to complex malware infections

Low-hanging fruit – that is, the missing patches, default passwords, lack of full disk encryption and so on present in practically every environment – is something I’ve ranted about time and again because there’s no reason to have it on your network. Why? Well, for one thing, rogue insiders may just exploit it for ill-gotten gains. But even worse, low-hanging fruit can be the target of malware exploits that you’re not prepared to take on. Take a few missing patches and unhardened endpoints, combine them with users gullible enough to click whatever’s placed on their screens, and you’ve got yourself the recipe for disaster.

Low-hanging fruit can turn from “Yeah, I need to get to that stuff…” to “Oh crap, all of our workstations are being controlled by someone on the other side of the world”.

Recent shifts in IT like consumerization, mobility and the desire for instant gratification when it comes to computer and Internet access have made these threats even more formidable. Users are indeed going to do what they want to do. In many cases, management will proudly back them up – even if they have no clue about the long-term impact to the very business they’re responsible for running.

Built-in security controls provide an opportunity for us to save time, effort and money keeping our systems in check without having to spend a dime more than we need to. That said, there are certain security controls that operating system and hardware vendors haven’t mastered. One in particular is security controls designed to help with APTs and advanced malware. It’s just not possible to get the specialized protection out of the box from the mainstream vendors that you’re going to get with the niche technologies I talked about in my recent paper The Malware Threat Businesses are Ignoring and How Damballa Failsafe Fits In.

It’s no different than how I buy special tires and brake pads for my race car. When there’s a specific need, odds are the stock equipment just won’t cut it.

One of the most damaging misconceptions about malware is that the big anti-virus vendors are going to keep endpoints safe. It’s this very mindset that’s gotten businesses into hot water recently. I saw it when working on an incident response project that falls under the Operation Shady RAT umbrella. I think it’s safe to say that traditional anti-virus vendors come nowhere close to protecting your network – especially if such an attack is targeted. In fact, the entire concept of APTs and advanced malware is not very well understood by the IT and information security community as a whole.

How are you supposed to protect against something like this? It's not simple. You’ve got to have the right tools, the necessary documentation and, perhaps most importantly, management that gets it.

Monday, January 23, 2012

Are your high-tech devices enslaving you?

The late Richard Carlson, author of Don't Sweat the Small Stuff, said:

"It's important to see when your high-tech communication devices actually limit your freedom, enslaving you instead of providing new opportunities for growth."

Wow...How true that is!

Have you ever tried to not look at your emails or answer phone calls when you're out and about with your family or taking some time to yourself? It's pretty darned difficult but it can be done, if you make it so.

Try it out over the next couple of weeks and you'll see what Dr. Carlson was talking about. You'll give your mind a break and be able to focus on the things that truly matter in life.

Friday, January 20, 2012

My articles & webcasts on hacking, incident response, compliance & IAM

I wanted to share with you a few new pieces I've written for TechTarget and Cygnus on incident response, compliance for systems integrators and the not-so-sexy but all-too-important technology, identity and access management:

The importance of incident response plans in disaster recovery

Regulatory compliance requirements for security solutions providers

Identity Management’s great bang for the buck

Also, here are some webcasts I recorded for TechTarget, Information Week/Dark Reading and that you may be interested in:
Managing network security threats with an ERM strategy

How Security Breaches Happen and What Your Organization Can Do About It

Building and deploying secure video and access control systems (a.k.a. ethical hacking tips and tricks for video and access control systems)


As always, be sure to check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Executives could learn a lot from Supernanny

We all have a lot to learn from Jo Frost, the Supernanny. In particular, when it comes to information security, IT management, employee computer usage and so on, business executives could benefit a ton. Here's how it'd go:
  1. Create a set of rules.
  2. Enforce your darned rules!

The role of IT in fighting today’s malware

It seems ever since I wrote my paper The Malware Threat Businesses are Ignoring and How Damballa Failsafe Fits In I’m seeing more and more vendors jump on the bandwagon. Today’s malware impacts everything from the network infrastructure to the endpoint and everyone wants a piece of the pie. I know the market is growing so I can’t blame people for wanting to capitalize on the opportunity.

Vendors aside, what is it that you as an IT professional need to be doing about the threat outside your network and the vulnerabilities inside your network? Being an independent information security consultant and seeing things from an outsider’s perspective, it’s clear to me that most IT shops are, in a grand way, woefully unprepared to fight this threat…much less respond in a mature and professional fashion when a breach and subsequent outbreak occurs.

As I write this post, I’m listening to a song on satellite radio with a chorus that says “If we don’t do it, nobody else will.” Wow, that hits the nail on the head – in a spooky kind of way. Indeed, if you don’t address the advanced malware threat today, nobody else is going to. Executives on mahogany row won’t. Nor will HR. Software developers are doing their own thing. Even your compliance officer and legal counsel aren’t going to understand the real impact of advanced malware.

You, the IT/information security professional, are going to have to step up and make the case that your business can be – and quite likely is – a target. This means taking the proper steps to:

1. determine your risks
2. get management on board
3. document reasonable policies and an incident response plan
…and, most importantly (and often the missing link):
4. enforce them with the right technologies

Don’t give the bad guys a chance. Do something now. Nobody else will.

Thursday, January 19, 2012

My interview in Hackin9 magazine

If you subscribe to Hackin9 magazine, check out this issue where they feature an interview with me about how the information security landscape has changed over the past decade, how you can get started in information security, my take on compliance and more.

If you don't subscribe to Hackin9, it's a great trade rag for technical security pros and (especially?) non-technical IT, security and compliance pros...Putting the occasional typographical errors aside, it's a must-read if you want to stay current on the latest information security trends, exploits and so on.

Quoted in today's SC Magazine feature story on Symantec

Stephen Lawton wrote today's SC Magazine feature news story on the Symantec source code breach in which I'm quoted.

I provided these quotes late last night and it was interesting timing because I was speaking at a local university's AITP chapter yesterday evening and I told my audience that no one is immune from hacking - not even IT and security pros...and obviously not information security companies.

It's a crazy world out there. We have to do our best to prevent the issues but also be prepared in the event something does happen.

Wednesday, January 11, 2012

Great year for my book Hacking For Dummies, 3rd edition

2011 was a great year for me in so many ways. I feel extremely blessed and very lucky. Part of this was related to my book Hacking For Dummies, which is now in its third edition. I knew that sales were up - I believe in large part due to all the speaking engagements I did for TechTarget and others.

Well, I just found out from my publisher that it's safe for me to continue to say that Hacking For Dummies is one of the best selling books on information security...right up there with those big-name titles that some may feel less embarrassed to buy.

Another neat fact: since its inception, Hacking For Dummies has been translated into five additional languages (Portuguese, Estonian, Italian, Simplified Chinese and German).

Very cool.

I can't thank you all enough for your support! This year's going to be even better - stay tuned...

Monday, January 9, 2012

New Year's Resolutions merely create gym overcrowding

Be it New Year's resolutions (I'm going to lose weight this year!), career resolutions (I'm going to get a different job this year!) or financial resolutions (I'm going to get out of debt this year!)....traditional resolutions just don't work.

Just check out how your local gym parking lot transforms between now and next month. I can't wait until around mid-February when the crowds will predictably die down and I can get some personal space back when I'm working out!

We've all fallen into the trap of "resolving" to do something but not following through to actually make it happen. You know what's been said about the road to Hell being paved with good intentions. With resolutions we only end up letting ourselves down and planting those seeds of doubt in our mind that certain tasks can never be accomplished. It's just not true...IF you go about it the right way.

Here's a proven method for doing what you say you're going to do and making it stick once and for all in order to enhance your job, your career and your personal life for 2012. It has worked for me and I know you can benefit as well if you make it so.

Thursday, January 5, 2012

My Web app security epiphany: The Lysol Effect

I just had an epiphany in the bathroom. I know, I know...bear with me.

I thought to myself, Why is it people use Lysol to cover up, um, smells and such in the bathroom?? Sure, Lysol kills the problem at the source but, goodness gracious, there are better options than merely clouding up the bathroom to cover up something that probably shouldn't be there in the first place! Know what I mean? Why not take preventive measures to keep things in check rather than junk up the bathroom and surrounding areas with yet another foul scent?

Then it hit me...this social dilemma is no different than people relying solely on Web application firewalls for Web security. We know problems like SQL injection, XSS and weak session management are there. Why not just fix the flaws rather than covering them up? I wrote about this in a piece on PCI DSS 6.6 compliance four years ago and I still see and hear about this a lot...priorities I suppose.

Anyway....apparently I have an uncanny ability to tie bathroom logic in with information security. It's an awful personality flaw. Please don't hold it against me.