You can't secure what you don't acknowledge.SM

Friday, January 20, 2012

My articles & webcasts on hacking, incident response, compliance & IAM

I wanted to share with you a few new pieces I've written for TechTarget and Cygnus on incident response, compliance for systems integrators and the not-so-sexy but all-too-important technology, identity and access management:

The importance of incident response plans in disaster recovery

Regulatory compliance requirements for security solutions providers

Identity Management’s great bang for the buck

Also, here are some webcasts I recorded for TechTarget, Information Week/Dark Reading and that you may be interested in:
Managing network security threats with an ERM strategy

How Security Breaches Happen and What Your Organization Can Do About It

Building and deploying secure video and access control systems (a.k.a. ethical hacking tips and tricks for video and access control systems)


As always, be sure to check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Executives could learn a lot from Supernanny

We all have a lot to learn from Jo Frost, the Supernanny. In particular, when it comes to information security, IT management, employee computer usage and so on, business executives could benefit a ton. Here's how it'd go:
  1. Create a set of rules.
  2. Enforce your darned rules!

The role of IT in fighting today’s malware

It seems ever since I wrote my paper The Malware Threat Businesses are Ignoring and How Damballa Failsafe Fits In I’m seeing more and more vendors jump on the bandwagon. Today’s malware impacts everything from the network infrastructure to the endpoint and everyone wants a piece of the pie. I know the market is growing so I can’t blame people for wanting to capitalize on the opportunity.

Vendors aside, what is it that you as an IT professional need to be doing about the threat outside your network and the vulnerabilities inside your network? Being an independent information security consultant and seeing things from an outsider’s perspective, it’s clear to me that most IT shops are, in a grand way, woefully unprepared to fight this threat…much less respond in a mature and professional fashion when a breach and subsequent outbreak occurs.

As I write this post, I’m listening to a song on satellite radio with a chorus that says “If we don’t do it, nobody else will.” Wow, that hits the nail on the head – in a spooky kind of way. Indeed, if you don’t address the advanced malware threat today, nobody else is going to. Executives on mahogany row won’t. Nor will HR. Software developers are doing their own thing. Even your compliance officer and legal counsel aren’t going to understand the real impact of advanced malware.

You, the IT/information security professional, are going to have to step up and make the case that your business can be – and quite likely is – a target. This means taking the proper steps to:

1. determine your risks
2. get management on board
3. document reasonable policies and an incident response plan
…and, most importantly (and often the missing link):
4. enforce with the right technologies

Don’t give the bad guys a chance. Do something now. Nobody else will.

Thursday, January 19, 2012

My interview in Hackin9 magazine

If you subscribe to Hackin9 magazine, check out this issue where they feature an interview with me about how the information security landscape has changed over the past decade, how you can get started in information security, my take on compliance and more.

If you don't subscribe to Hackin9, it's a great trade rag for technical security pros and (especially?) non-technical IT, security and compliance pros...Putting the occasional typographical errors aside, it's a must-read if you want to stay current on the latest information security trends, exploits and so on.

Quoted in today's SC Magazine feature story on Symantec

Stephen Lawton wrote today's SC Magazine feature news story on the Symantec source code breach in which I'm quoted.

I provided these quotes late last night and it was interesting timing because I was speaking at a local university's AITP chapter yesterday evening and I told my audience that no one is immune from hacking - not even IT and security pros...and obviously not information security companies.

It's a crazy world out there. We have to do our best to prevent the issues but also be prepared in the event something does happen.