You can't secure what you don't acknowledge.SM

Thursday, January 5, 2012

My Web app security epiphany: The Lysol Effect

I just had an epiphany in the bathroom. I know, I know...bear with me.

I thought to myself, why is it people use Lysol to cover up, um, smells and such in the bathroom? Sure, Lysol kills the problem at the source but, goodness gracious, there are other means of consideration than to merely cloud up the bathroom covering up something that probably shouldn't be there in the first place! Know what I mean? Why not take preventive measures to keep things in check rather than junk up the bathroom and surrounding areas with yet another foul scent?

Then it hit me...this social dilemma is no different than people relying solely on Web application firewalls for Web security. We know problems like SQL injection, XSS and session management are there. Why not just fix the flaws rather than covering them up? I wrote about this in a piece on PCI DSS 6.6 compliance four years ago and I still see and hear about this a lot...priorities I suppose.

Anyway... apparently I have an uncanny ability to tie bathroom logic in with information security. It's an awful personality flaw. Please don't hold it against me.
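To put the post's point in code, here is an added example (not from the original post) contrasting the three options for a SQL injection flaw: leave it, mask it with a Lysol-style input filter, or fix it at the source with a bound parameter. The table, function names and sample rows are constructed for the illustration.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return conn

def find_user_vulnerable(conn, name):
    # The flaw: untrusted input is concatenated straight into the statement,
    # so a quote in the input changes the query's structure.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))

QUOTE_FILTER = re.compile(r"'")

def find_user_filtered(conn, name):
    # The cover-up: a blunt front-end filter (what a WAF rule often amounts to)
    # refuses anything containing a quote. The concatenation flaw is still
    # there underneath, and legitimate names like O'Brien are now rejected.
    if QUOTE_FILTER.search(name):
        return []
    return find_user_vulnerable(conn, name)

def find_user_fixed(conn, name):
    # The fix at the source: a bound parameter keeps the input as data,
    # so quotes are harmless and O'Brien can still be looked up.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)
```

Run the three functions against a quote-bearing input to see which one both resists injection and still serves the legitimate user.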

Tuesday, January 3, 2012

Great quote to live by

Here's one of my favorite #quotes you can apply to your career, regardless of which field you're in:

"A successful life is one that is lived through understanding and pursuing one's own path, not chasing after the dreams of others." -Chin-Ning Chu

Damballa’s Fight Against Advanced Malware

Malware being out of sight and out of mind often creates the perception that risks aren't present. Just because there's no perceived risk doesn't mean it's not there. Heads buried in the sand over the real malware threat lead to breaches that most organizations aren't prepared to handle. Having worked on a project involving an APT infection, I've seen first-hand how ugly this stuff can get.

Endpoint protection isn't enough. Analyzing executables isn't enough. Even standalone monitoring of network communications and/or rating of malware sources isn't enough to thwart the real problem. Like the core information security principle, you've got to layer controls if you're going to get the most out of your malware protection.

One of my core information security principles I recommend to my clients is to use what you’ve got when it makes sense. By this I mean use the built-in security controls that your operating systems, databases, network infrastructure devices and so on already have. So many of us assume that we need to buy third-party products to keep our environment secure. This is not true in so many cases.

However, when it comes to fighting advanced malware, it’ll behoove you to use the niche technologies that specialize in this area. The market is tiny (relatively speaking) but Damballa’s Failsafe is worth checking out. I’ve seen Failsafe 5.0 in action and it seems to be a comprehensive solution to a widespread problem that I suspect is only going to get worse. As you've heard me say regarding Web application scanners, password cracking and the like, you've got to have good tools if you're going to find (and, in this case, control) what matters.

I’ve written a new paper where I talk more about the advanced malware problem and how Damballa Failsafe 5.0 fits into the overall information risk equation. Check it out.

Monday, January 2, 2012

Let's make 2012 the year we get past "compliance" as we've known it

I hope your 2012 has gotten off to a grand start! Mine has. I believe this year is going to further demonstrate why we're working in one of the best possible fields in the world.

To get things rolling this year, I wanted to share with you a few new pieces I've written for TechTarget regarding...well, compliance. It's one of those topics that tends to infuriate me when it comes to government intrusion into the free market and our own personal lives. However you see it, compliance is still something you have to address in your business. Hopefully some of these bits will help take some of the pain out of compliance. Enjoy!

Top compliance questions you need to be asking your network administrators

Address information risk management now — before the going gets tough

How can you avoid a Web security breach? It's all in the preparation.

Seven dangerous assumptions about compliance

A thorough data retention strategy needs more than just IT oversight

Top 5 techniques for management buy-in for your IT governance strategy

As always, be sure to check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.