You can't secure what you don't acknowledge.℠

Monday, December 22, 2014

Some vulnerability + penetration testing content to send off 2014

Here are some pieces I've written recently on determining just how "fit" your network and application environment really is. Whether you're an IT auditor, penetration tester, IT admin, or security consultant, there's some stuff for you:

How to perform a (next-generation) network security audit

Don’t overlook details when scoping your Web application security assessments

Top gotchas when performing email phishing tests

How to take a measured approach to automated penetration testing

Five steps for improving an authenticated vulnerability scan

Next-generation tools for next-generation network security

Look for these security flaws in your messaging environment

How do you know when a security vulnerability matters to your business?

My other information security content I've developed over the years is available on my website at  www.principlelogic.com/resources. Enjoy...here's to the great 2014 we've had - I'm so blessed to work in such an amazing field!

Wednesday, November 5, 2014

Car racing and security breaches, you're not as ready as you think you are!

This past weekend I had the opportunity to run the race of my life - a 90 minute enduro car race in my Spec Miata - held at the America Road Race of Champions at Road Atlanta in Braselton, GA.

It wasn't the most competitive race - there were only 17 entries, 14 that made it on track...I've raced with over 60 cars at once. 

It wasn't the most stressful race. That award goes to the motocross races I ran at the Loretta Lynn's Amateur Nationals back in 1987.

It wasn't the most physically demanding race either - sustained heart rate of only ~145bpm - much lower than what motocross required of my body.

It was, however, a race that I feel like I wasn't fully prepared for.

I started training for this race months in advance - both mentally and physically. The preparation in the weeks and days leading up to this race was especially measured. I even had to scramble to get information from my fellow racers and race team during the final hours on Sunday to figure out what to do during my pit stop, as that was my first real one (outside of the arm chair pit stops I do watching F1, IndyCar, etc. races on the weekends).

Yet, still, nothing prepared me for the mental exhaustion, the leg pain, the loss of gross motor skills I'd experience during the race. That stuff was real.

I didn't think I'd run out of water in my drink bottle either...I did, just 30 minutes into the race. I most certainly wasn't prepared for how quickly the mandatory five minutes would pass during my pit stop - the fastest five minutes of my life! I didn't have enough sense of urgency during my own biological pit stop so in rushing to get back on track, one of my harnesses and my HANS device weren't properly fastened - something I had to fix while back out on track. That cost me a position in the race.

Sadly it was ~59 degrees outside. I can't imagine doing such an event in the heat of summer! I definitely learned the value of the CoolShirt system that many of my competitors were wearing (and recommended to me :-). My wife doesn't know it yet, but I now have one on my Christmas wishlist!

I digress.

I'm sharing this story with you because my experience in this race reminded me of what it's like when a data breach occurs. As the saying goes, experience is something you don't get until just after you need it.  I thought I was overly-prepared but given that it was my first 90-minute enduro, I quickly learned from the experience that I wasn't...I did what any self-respecting race car driver or CISO would do afterward: made a lot of notes on what to do differently next time.

Be it a car race or a security breach, things happen quickly...it pays to be ready. You can never be prepared enough. Most organizations I see have done little to nothing to truly prepare for a security breach. Ignore all forms of preparation (i.e. not even having a documented response plan) and I'm convinced you're doubly-screwed. Even if you take reasonable precautions to prepare for security breaches, well in advance like I did for my race, you're still going to get caught off guard by some things and have to learn along the way.

How well-prepared are you? Ultimately the choice is yours.

I ended up 8th overall in the race.

By the way, if you want to see what happens when you apex too early and your car misfires (due to an electrical gremlin) in the middle of a turn and go off at 90mph, check out this video of that happening to me during another race over the weekend. Whew...

Wednesday, October 8, 2014

What no one is saying about cyber insurance

I race cars for fun and sport and found out the hard way not long ago that if I wanted to increase my life insurance I was going to have to jump through numerous hoops and pay enormous premiums for a minimal increase in my existing coverage. I was thinking about this scenario compared to 'cyber insurance' and, wow, what a difference.

Knowing what I know, there appear to be minimal barriers to entry for cyber insurance coverage. It's been that way since I first started hearing about it around 14 years ago. The premiums I've seen and heard of aren't outrageous either. Sure, there's an application process and perhaps another questionnaire or two. Maybe - just maybe - there'll be a request for more information such as recent vulnerability scan reports or perhaps a higher level audit that has to be performed.

Yet, unlike car racing where the risks are known (albeit they're much lower than the old days of racing given our safety equipment requirements, smarter rules, etc., yet my life insurance premiums are based on the mindset of the past, but I digress...), I'm confident that the true information security posture of any given organization that's being underwritten by cyber insurance has yet to be discovered.

You see, it's like most audits in the name of compliance: everything looks great on the surface. Ditto for those SOC 2 data center audits that everyone is proud to share.

Security policies in place? Check.
User training program (yearly email reminder and a poster in the breakroom) taking place? Check.
Passwords required? Check.
Anti-malware software in use? Check.

You've seen these.

Getting back to reality, I'm confident that not enough of the right questions are being asked and, more specifically, not enough technical security testing is being performed to reveal the true security posture of those being approved for cyber insurance coverage.

I was discussing this topic with a colleague recently and we came to the conclusion that there are two likely scenarios for these organizations being underwritten:
  1. The truth is not being told
  2. Bad information is being received and/or given

Low-hanging fruit security flaws are everywhere and it's virtually guaranteed that they can be found on any given network at any given time. Weak and blank passwords, no laptop encryption, no testing being performed on critical Web applications, under-secured wireless networks, PII scattered across numerous unprotected network shares, physical security controls open to the public, hundreds of missing third-party software patches on every computer, no proactive security audit logging and monitoring...You name it, it's there. Yet we continue on looking for that magic silver bullet to protect our information in the form of next-generation firewalls, DLP, cloud blah-blah-blah or whatever technology is being pushed on the industry at the moment.

I recently attended a cyber insurance event in Atlanta, and in talking to the insurance salesman, consultants, and others I met, everyone seemed to be on the same page: no one really knows the true security posture yet the cyber insurance policies continue to be underwritten. I don't know all the ins and outs of the cyber insurance industry but I've heard enough stories and I've seen enough security flaws that get overlooked to be confident in saying the cart's before the horse on this one. I suspect it won't last too long as the low-hanging fruit continues to rear its ugly head in both the breaches we know about and, most certainly, the ones we don't.

Don't get me wrong. Cyber insurance is great for a final fallback plan after you've done everything else - the proven basics that have been around for years and even decades. You're likely already doing some remarkable things with information security. Most of what you need to know about - and do with - security is already present in your environment. It could be that you find out that you don't need to buy anything or implement anything new to get to where you need to be - perhaps just a few tweaks here and there. Just don't use cyber insurance as an excuse for poor security decision-making as it will certainly come back to bite when you're least expecting it.

My trip to the 2014 ISC^2 Congress

Last week I had the opportunity to attend the ISC2 Congress in Atlanta. It was held in conjunction with that physical security organization. When I arrived to walk the show floor, it was nothing but physical security vendors - as far as the eye could see. After about 45 minutes (sans program guide), I discovered where the information security vendors were. There were about five of them and they were tucked away in the back off the beaten path.

That wasn't what I was expecting.

Then I thought, this isn't why I came to the show anyway. Sure, it's good to hear what the booth babes are waxing poetic about, and see the latest tech in action, but it's usually better to hear what other experts are saying in their presentations - that's how we learn the most, anyway. One presentation stood out - way out. It was Winn Schwartau's irreverent take on security awareness: "How to Make a Security Awareness Program Fail". I've had my strong opinions on that subject for years now and his thoughts/ideas helped solidify them. [Good to know Winn!]

If you've never seen this man present, you must. Winn made me - and the audience - laugh literally every 30 seconds for the entire presentation. It was the best IT/security related presentation I've ever seen...not too serious, not too unprofessional and not starting every sentence with "So..." (you've heard/seen the cussing and beer drinking at some of the shows in our field). It was perfectly delivered and I learned a ton. Most importantly I decided that I want to be as entertaining and informative a speaker as Winn when I grow up!


All in all, ISC2 Congress is a worthy show if you ever have a chance to attend in the future.

Friday, September 19, 2014

Resources to get up to speed with the latest HIPAA security requirements

Here are some pieces I've written recently that can bring you up to speed on the latest HIPAA security requirements:

HIPAA Security Compliance - From the Past to the Present


What HIPAA Security Compliance is Really About

Minimizing the impact of a HIPAA security breach


Obtaining and maintaining a state of HIPAA security compliance

Want more? Check out the newly-revised second edition of the book I just finished co-authoring with Rebecca Herold that's due out October 21st:

HIPAA security privacy compliance book

Be sure to check out my other IT security compliance resources on my website. Enjoy!

Wednesday, September 17, 2014

What if The Home Depot looked to their own store policies for help with infosec?

If The Home Depot's management were as strict with information security as they are with store policies I'm confident they could've avoided their data breach.

Have you heard their policy monger guy on their intercom system while shopping?? He sounds like that guy we've seen in those disturbing Allstate commercials. A bit creepy. It's also quite uninviting - certainly doesn't make you feel welcome in their stores.

At least they've covered their bases if some kid crashes into a moving forklift while scooting about on his shoes with wheels...

Here are some more thoughts I have on the HD breach in case you're interested.

Wednesday, September 10, 2014

Magnasphere and the physical security vulnerability you may not know about

If you have an alarm system that's dependent on the decades-old reed switches like the one pictured below, you should know they can be easily defeated with a mere compass and a magnet. It's pretty eye-opening...

Certainly a good reason to have two, three, or (depending on the country you live in and your stance on self-defense) more layers of security in your building or home! :-)

A good option for beefing up your security and preventing this type of physical breach is offered by Magnasphere. I was recently introduced to the Magnasphere wireless door/window security switches (MSS-RFS-100). It's a great technology, especially if you have a need for a wireless security sensor configuration. They make standard security contacts as well. Either way, it's worth a look-see if this is in your line of work.


Tuesday, September 2, 2014

Bits & pieces on the 2014 Home Depot data breach

With the news of the new Home Depot credit card breach, combined with my being based in Atlanta as well, I feel compelled to share some links to some of the recent pieces I've written about point-of-sale and retail information security in hopes that a nugget or two might prove beneficial to someone out there...here they are:

The Target Breach – Can It Be Prevented?

Six endpoint management lessons from POS security breaches

Security Watch: Retail Cybersecurity

...and a ~2 year old discussion:
Roundtable: The State of Retail Security

Thursday, August 28, 2014

The latest Android / Gmail security flaw & why people don't take IT & security seriously

You may have heard about the recently-discovered Android exploit that makes Gmail vulnerable to criminal hackers. I read it over and realized that I have to use this opportunity to share an example of what I talk about when "researchers" claim that all is bad in the world because of the latest and greatest exploit impacting whatever software or device they've discovered.

This Android/Gmail finding in particular is a great example of yet another one of those the-sky-is-falling security "flaws" that I've been calling out for years...and they won't go away...and we wonder why people outside of IT and security don't see us as credible business professionals.

Let me explain.

The AJC story states that:
"Security researchers have uncovered a major flaw in mobile operating systems which could give hackers easy access to personal information. Here's the scary bit: The exploit can hack into your Gmail account with a 92 percent success rate." 

Wow...scary indeed. That's a great success rate that shows all IT and security departments need to drop everything they're doing and put this exploit at the top of their priority lists. Something tells me that there's not a fix...

Yet it goes on to say:
"A Greenbot writer notes actually using this vulnerability is pretty complicated. 'First, you have to download a malicious app to start monitoring your activity. Then, the attack has to happen at the exact moment you are entering sensitive information. ... The malicious app has to inject a phony, look-alike login screen without the user noticing. That means the fake screen has to be precisely timed.'"

Oh, so it's not really that bad. In fact, so many variables have to magically line up that most people and businesses will never be impacted? Whew...

And, finally: 
"...the best advice researchers have for avoiding these attacks is not to download sketchy apps in the first place." 

Perfect...I won't. Good to confirm there is no solution to fix a problem that may or may not be creating security risks in any given environment. 

This leads me back to the security basics that people keep avoiding and then go on to wonder why they keep getting hit. It's a perpetual cycle of ignorance brought on by research unvetted by the media and, like most things, made into a bigger deal than it needs to be.

I'm glad there are folks out there (who are way smarter than me) finding such flaws and keeping vendors honest. But you can't follow their lead. 

Want to know the real secrets to avoiding security incidents and data breaches? Know your environment, understand your unique risks, and follow the proven security essentials that have been around for decades. Don't fall for the IT geek speak that likely has no bearing on your business. These are the things that will keep what's important in check - and very likely keep your users' Gmail passwords more secure - than anything else possibly could.

Wednesday, August 27, 2014

My new webcast on securing your Web environment against denial of service attacks

I saw a recent study that found that distributed denial of service attacks are getting larger and larger.

The thing you need to be thinking about is how you're going to prevent and respond when your Web presence becomes a target.

Well, good timing, because I just recorded a new webcast for my friends at SearchSecurity.com on this very topic...In Proven Practices for Securing Your Website Against DDoS Attacks, I have a one-on-one discussion with Dyn's expert Andrew Sullivan on DoS attacks impacting your Web presence including how they work and what you can do about them...

Check it out if this is on your radar...I think you'll like it!

Tuesday, August 19, 2014

CommView for WiFi - a great option for wireless network analysis

Several years ago I wrote about the neat WEP/WPA recovery tools offered as part of TamoSoft's wireless network analyzer called CommView for WiFi. Well, those tools are no longer available but CommView for WiFi is as relevant as ever. I've been using it for years. It seems that it hasn't changed a ton other than some UI and packet analysis enhancements - probably just oversights on my part since I don't use it every day.

I've featured CommView for WiFi in my book Hacking For Dummies but wanted to tell you about it here as well. It's an enterprise-ready tool by itself but when you add on the remote agent and TamoGraph Site Survey, it's everything you'll likely need in terms of wireless network analysis, monitoring, as well as site surveying for new wireless deployments and troubleshooting.

The following are screenshots showing CommView for WiFi's main interface and its packet generator tool:


CommView for WiFi also has a tab called Latest IP Connections that's really neat. In order to protect the infected, I chose not to show this, however, in the few minutes I had the tool loaded to write this blog post, CommView for WiFi detected outbound communication sessions with several interesting hosts including one in Russia. Yet another reason to get control of BYOD and mobile security!

I see that CommView for WiFi's reviews aren't stellar over at CNET but I think that's because of the junk adware wrapper code that CNET includes with its downloads. No worries, just download it directly from TamoSoft and you should be good to go. Michael Berg at TamoSoft is continually updating the program and is very responsive when questions arise.

Yet another great "you get what you pay for" network/security tool.

Monday, August 18, 2014

A resource to help with PCI DSS 3.0's penetration testing methodology requirements

PCI DSS has been getting a lot of buzz lately and the latest version 3.0 will continue gaining momentum until the many small and medium-sized businesses get their arms around the new requirements. Of particular interest is the updated requirement 11.3 (below) which is much more prescriptive on how to find the actual security flaws that matter.

I've always believed that you can't secure what you don't acknowledge...PCI DSS 3.0 now mandates a formal methodology for security testing that:

• Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
• Includes coverage for the entire CDE perimeter and critical systems
• Testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results.


These updates are no doubt an evolution of the realization that many people were simply performing basic vulnerability scans of network hosts or hiring fly-by-night "pen-testers" to seek out one or two easy wins in the cardholder data environment rather than performing a more in-depth security assessment that looks at everything that matters.

I suspect many people (especially those working in SMBs with limited resources) will migrate towards the NIST standard similar to how many people have jumped on the "cybersecurity" bandwagon. There's also the resourceful Open Source Security Testing Methodology Manual (OSSTMM) that's been around quite some time.

The important thing you need to know is that none of these standards will be a best-fit, end all be all solution for your organization. Similar to exercise and diet programs for individuals and strategic corporate plans for businesses, every person/organization has their own unique needs when it comes to information security testing. The interesting thing to me in many of these standards, and just general popular belief, is that open source tools are all you need to perform an effective security assessment. I've said time and again, in all but a handful of scenarios, you're going to get what you pay for with your security testing tools. Outside of the awesome Metasploit tool and a few mostly forgettable others I've used over the years, I've yet to find any open source tool that works a fraction as well as the commercial alternatives.

With PCI DSS 3.0, or whatever requirement, your information security test tools and methodologies will absolutely define your testing outcomes and ultimately your business risks. Before going down yet another confusing path in the name of security and compliance, everything you need to know to get started - and darn near master - your penetration testing is outlined in my book Hacking For Dummies...I hope this helps and best of luck:

Tuesday, August 5, 2014

Are you stuck in this information security rut?

Here's a new post I wrote for Rapid7's blog that I think you might like...

There’s nothing really new in the world in which we work. Every problem you face in information security has already been solved by someone else. Why not use that to your advantage? There’s no time for baby steps in security. Sure, you need to “walk before you run” by thinking before you act. That comes in the form of knowing your network, understanding your risks, and getting the right people on board. But not taking the time to learn from other people’s mistakes and developments in information security is downright bad for business...{read more at Rapid7.com}

Tuesday, June 10, 2014

Pitching your ideas in IT

If you work in IT, your communication and selling skills are more important than anything you can ever do technically. This includes "pitching" your ideas to your audience - typically management and users. As a speaker, I often struggle with new approaches for pitching my ideas.

Here's a good Success.com Q&A with Shark Tank's Daymond John to help remind us of what people are looking for. I especially like where Daymond says: "There are no new ideas ever in the world." ...so true, even in our field.

Wednesday, June 4, 2014

More Web security vulnerability assessment, audit, and pen testing resources

I've been busy in the world of Web security testing - both with work and with writing. Check out these new pieces on the subject. I suspect I'll tick off a "researcher" or two given my business angle and 80/20 Rule-approach of focusing on the most problematic areas of Web security...Still, I hope that these are beneficial to you and what you're trying to accomplish in your organization:

Key Web application security metrics

Taking politics out of the Web security equation

Getting back to basics with Web security

Core causes of Web security risks and what you can do about them

Security Considerations When Using AWS Cloud Services

The Big Security Oversight When Using Amazon Web Services

By the way, with the continued banter/debate around vulnerability assessments v. audits. v. pen tests, here's my two cents on the subject:
Is it a pen test, an audit, or a vulnerability assessment?

Don't forget to check out all of my other information security content at www.principlelogic.com/resources

Wednesday, May 14, 2014

Web security vulnerability testing and management resources you need

From scanners to compliance to software development and beyond, here are several Web security pieces I've written for the folks at Acunetix that I thought you might like:

The Role Of An Automated Web Vulnerability Scanner In A Holistic Web Security Audit

How Your Web Presence is Throwing You Out Of Compliance

The disconnect between IT audit and software developers

Top 10 Insider Threats and How to Protect Yourself

Top 5 Information Security Trends

Top 5 network security vulnerabilities that are often overlooked


Don't forget to check out all of my other information security content at www.principlelogic.com/resources.


Thursday, May 1, 2014

Running vulnerability scans over VPN connections

If you haven't yet, you'll likely run into a situation where you need to run vulnerability scans over a VPN connection (e.g., for remote office networks). Well, certain scanners won't scan over "raw sockets" - the underlying communication method for certain VPN connections. Other scanners can't even connect to a remote network at all because they're caught up in their own little virtual machines that you cannot add a VPN client to.

If you're faced with this situation, check out GFI LanGuard (currently in version 2014). LanGuard works like a charm over various VPN connections. I have found that when performing unauthenticated scans LanGuard typically doesn't find as many relevant vulnerabilities as other scanners but its authenticated scans of Windows and Linux systems are very good. I have some clients that use LanGuard for patch management with positive results as well. Definitely a worthy tool!
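Before pointing any scanner at a remote-office subnet over a tunnel, it saves a wasted scan window to confirm two things first: that the target range is actually routed through the VPN interface, and whether raw sockets are even usable from the scanning host (if they are not, an authenticated or plain TCP-connect scan is the realistic option). The pre-flight script below is an added example written for this post; it is not code from the post, from GFI, or from any scanner vendor. The routing table it parses is constructed sample text in the style of `ip route`, and the interface name `tun0`, the 10.50.0.0/16 remote-office range, and the 10.50.3.7 host address are assumptions for illustration.

```python
"""Pre-flight check before running a vulnerability scan across a VPN tunnel.

Added example (not part of the original post). It answers two questions:
  1. Is the target routed via the VPN interface (assumed name: tun0)?
  2. Can this host open raw sockets at all?
and then says which scan mode is realistic.
"""
import ipaddress
import socket

# Constructed sample routing table in the style of `ip route` (not captured
# from a real host). The 10.50.0.0/16 remote-office range is an assumption.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0 proto dhcp metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.50.0.0/16 via 10.8.0.1 dev tun0
"""


def parse_routes(text):
    """Return a list of (network, device) tuples from `ip route`-style lines."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or "dev" not in tokens:
            continue
        dest = tokens[0]
        network = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        device = tokens[tokens.index("dev") + 1]
        routes.append((network, device))
    return routes


def route_for(target, routes):
    """Longest-prefix match: which interface carries traffic to `target`?"""
    addr = ipaddress.ip_address(target)
    best = None
    for network, device in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, device)
    return best[1] if best else None


def raw_sockets_available():
    """True if this process can open a raw socket (normally needs root/admin)."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except OSError:
        return False
    s.close()
    return True


def tcp_reachable(host, port, timeout=2.0):
    """Unprivileged TCP connect check; works over any tunnel that routes the host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(target, routes_text, vpn_dev="tun0", raw_ok=None):
    """Decide how a scan of `target` can run.

    `raw_ok` can be supplied to make the decision reproducible (e.g. in tests);
    when it is None the live raw-socket check is used.
    """
    device = route_for(target, parse_routes(routes_text))
    if raw_ok is None:
        raw_ok = raw_sockets_available()
    if device != vpn_dev:
        mode = "abort: target is not routed via the VPN interface"
    elif raw_ok:
        mode = "raw-socket scan possible"
    else:
        mode = "use TCP-connect or authenticated (credentialed) scanning"
    return {
        "device": device,
        "routed_via_vpn": device == vpn_dev,
        "raw_sockets": raw_ok,
        "mode": mode,
    }


if __name__ == "__main__":
    # 10.50.3.7 is an assumed remote-office host used only for illustration.
    print(preflight("10.50.3.7", SAMPLE_ROUTES))
```

On a real scanning host, feed `preflight()` the output of `ip route` (or the equivalent from `route print` on Windows, after adapting the parser) and the interface name your VPN client actually creates; the "abort" result catches the common case where the tunnel is up but the remote subnet is not in the routing table, which looks identical to "no hosts alive" from the scanner's point of view.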


Wednesday, April 30, 2014

Things that impact careers in information security

Here are some recent pieces I've written that can make or break your success in information security:

Open your eyes and you’ll see the light

Steering your career as a desktop admin in the mobility age

The mindset of everyday employees and their impact on security

Why a CIO's relationship with enterprise IT security is important

Be sure to check out the hundreds of security articles, webcasts, and more I've written/developed over the past 12 years at principlelogic.com/resources.

Tuesday, April 22, 2014

6 reasons information security causes global warming

In keeping with the divorce and everything Capitalist or conservative causes "global warming" movement, how about this:

Information security causes global warming (or cooling, or whatever it needs to be called today)

I really believe we have a "crisis" on our hands and here's why:

  1. The need for IT security controls is a negative side-effect of Capitalism - man bettering himself if you will. If we didn't have computers and the Internet, the advancement of mankind, and greedy corporations trying to make profits, this wouldn't be a problem.
  2. Security policies are often distributed to employees in hard copy form which requires cutting down trees which requires manufacturing, and more jobs, and more people commuting to work, and fuel usage for shipment....
  3. Information security clauses lengthen business contracts contributing to the same paper manufacturing and delivery problems as above.
  4. Firewalls, IPSs, and anti-virus software require manufacturing, and more jobs, and, well, more carbon dioxide and Capitalists getting their way.
  5. Added security controls require more power and space in data centers thus impeding the "green" data center movement we're seeing a lot of.
  6. When criminal hackers' and malicious insiders' attacks are blocked by our non-environmentally-friendly security controls, it hurts their feelings and makes them feel less about themselves and their jobs which leads to lower productivity at work which leads to more snack and smoke breaks which lead to overflowing landfills and, of course, increased carbon dioxide in the sky.

Finally! Managers and executives now have a valid excuse for not buying into information security...How could anyone in their right mind possibly support anything that causes "global warming" anyway..??

I know, I know, my approach seems flawed, but so is the "logic" and the "facts" behind the religion of "global warming". If it were only this easy to push information security initiatives in an emotional fashion in the name of something that has no basis in fact and without having to present the real side of the story!

Now I've got to go figure out how I'm going to offset the "carbon emissions" pouring from my race car's open exhaust and my daily driver's big V8. I'm confident a government bureaucrat will guide me along the way.


Friday, April 11, 2014

Heartbleed - the biggest Web security problem ever???

I just came across this piece from NewsFactor: Is Heartbleed the Biggest Web Security Threat Ever? and couldn't help but chime in. Contrary to popular hype, I don't think the biggest web security issue we face (now or ever) is a technical problem...instead, it's something with hair on top like I talked about here.

As with the hype over the Target breach and the gloom and doom over Windows XP's end of life, it's never the hard-to-find, technical stuff that many people believe is at the "heart" of our security woes. Instead, this issue, like most others in life, can be distilled down into a much more basic form. We're our own worst enemies...

P.S. Wouldn't it be weird if the NSA is somehow tied to this vulnerability...? ;)

Wednesday, April 9, 2014

Windows XP: Goodbye my love...well, not really.

Windows XP...ah, the memories!

I wrote many of my books including the first two editions of Hacking For Dummies and the first edition of The Practical Guide to HIPAA Privacy and Security Compliance originally on Windows XP - not to mention countless articles, security assessment reports and more over a 7-8 year span.

It was nice working with you XP!

I waited to write this post today, the day after all the Windows XP end-of-life hype, so as to not get caught up in that mess from yesterday. What's interesting to me about this whole Windows XP story is that every analyst, IT vendor marketing rep, journalist, auditor, and consultant is an "expert" on the doom and gloom that will be brought upon society with all of the businesses and consumers not upgrading their operating systems.

Looking at the headlines, still today, it's kind of funny (and sad):
"Vital industries exposed to risk"
"Isn't safe to use anymore"
...blah, blah, blah.

Apparently Windows XP is still being run on 25% of PCs. Will we hear stories about Windows XP systems being drywalled into oblivion like we've heard about Novell NetWare? Probably not. I do suspect it's going to be around for years to come. And, sure, vulnerabilities will be discovered - especially on systems that have scant security controls to begin with. IT's elite will clamor about their amazing exploits. Management will still have their heads in the sand. Life goes on.

The funny thing about Windows XP is that the OS itself is not where the real risk is in most network environments. [Oh gosh, did I say that out loud!?...now I'm going to have some "researchers" all over me...shudder.] Real-world experience tells me that much of the risk is all the other stuff people are installing and IT is not patching that's creating the real problems...the latest study shows that 76% of vulnerabilities are NOT Microsoft's issue. I've seen higher numbers in the past.

Microsoft Corporation is being treated like some of the big social/political issues like "global warming", gun control, and income "inequality" because they're expedient, convenient, and intangible enough to get people riled up.

Here's the real issue that we're still not hearing: I know without a doubt that many of the people preaching fire and brimstone about Windows XP are the same people who continue to ignore the critical basics I'll rant about until the day I retire such as:
  • Network shares full of sensitive files made available to everyone with a login
  • Mobile devices with ZERO security controls
  • Minimal - and grossly reactive - system monitoring
  • Firewalls with default passwords
  • Laptops storing tens of thousands of credit card numbers and SSNs with no hard drive encryption
  • Open wireless networks for "easy guest access" that provide full access into the back end network
  • Database servers with no passwords
  • Operating systems with weak passwords
  • Numerous cloud services being used without IT's consent or knowledge
  • Physical security control systems with ZERO security controls
  • etc...
Unless and until these people have helped themselves and the others who depend on them fix this low-hanging information security fruit, I'm going to say: Got XP? No problem!