Tech Support For Dummies


Tuesday, 26 January 2010

Webinar on database security this week

Posted on 17:12 by Unknown
Here's a webinar put on by Application Security, Inc. that I'm participating in this Thursday (1/28/10) in case you're interested...should be enlightening.

Five Burning Questions Series: 2010 IT Security Auditor’s Roundtable
Posted in database security, security assessments | No comments

Friday, 22 January 2010

What are your thoughts on Web hosting / colo providers?

Posted on 09:14 by Unknown
Better think things through before giving up the reins and letting a third-party Web hosting or colo provider run the show:

When using a Web hosting provider can be bad - really bad - for your business

You'd think Network Solutions would have better security controls in place.

When will people pull their heads out of the sand? Maybe never??

Speaking of this specific vulnerability, here's a recent bit I wrote on Acunetix's blog about looking past layer 7 and fixing all Web-related issues.
Posted in hacking, stupid security, web application security, web server security | No comments

My latest information security content

Posted on 04:58 by Unknown
Here are my latest information security articles and a podcast focusing on Web security and document security. Enjoy!

First, my Web security articles:
Changes coming to the OWASP Top 10 in 2010 (read the comments too, I stirred the puddin' with this piece!)

Free Web proxy tools you need to get to know

Securing Web servers in Windows environments

...and a document security podcast (this is a really interesting story if you haven't heard about it)
Document redaction and the recent TSA leak

You know the drill - as always, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, videos, Twitter updates, and more.
Posted in document security, government regulations, Kevin's security content, stupid security, web application security, web browser security, web server security | No comments

Wednesday, 20 January 2010

Twitter - how about some capacity planning?

Posted on 05:06 by Unknown
Keep getting the "Twitter is over capacity" message this morning. Good sign they're popular...still not good for business.
Posted in business continuity, twitter | No comments

Friday, 15 January 2010

I'm featured in the new issue of Entrepreneur Magazine

Posted on 06:50 by Unknown
Check this out. I'm featured in the January 2010 issue of Entrepreneur Magazine's Ask A Pro section where I talk about employee monitoring:
[Image: Entrepreneur Magazine, January 2010. © 2010 By Entrepreneur Media, Inc. All rights reserved. Reproduced with permission of Entrepreneur Media, Inc.]

In this piece, it may not be clear whether or not I support monitoring of employee email, so let me clarify. I'm not for micromanagement and Big Brother, but I am on the side of business when it comes to employee monitoring of email, social media, general browsing, or whatever else ultimately leads to improved information security.

Employees are there to provide some type of expertise, sweat labor, or other service in exchange for money. If people occasionally send/receive personal emails and surf the Web that's fine. You can't reasonably prevent that. However, if goofing off or otherwise putting your network and information at risk is most of what they do, huh uh. You wouldn't believe what I see (and the studies back it up) on the typical network: 50%+ network bandwidth consumed by streaming audio and video, majority of Internet browsing sessions going to Facebook, Twitter, etc.

This is not only a matter of people goofing off, being unproductive, and ultimately providing limited value to their employers; it's also creating a negative impact on the network - and ultimately on IT. It's also creating security issues: not only the malware threats but also the risk of sensitive information leaking out of the network. If employee Internet and computer usage are not being proactively monitored - regardless of the protocol or media - it's merely a free-for-all and no doubt a data breach in the making. The lesson here: know your enemy (hint: he's on your network right now) and do something about it.

Speaking of the internal threat, here's a new article I just wrote on what I believe is the real deal with the insider threat that you may be interested in.
Posted in big brother, content filtering, data leakage, employee monitoring, kevin's quotes, security policies, stupid security | No comments

Thursday, 14 January 2010

Resolutions are for Losers

Posted on 13:27 by Unknown
It's been proven - and most of us have experienced the fact - that New Year's resolutions don't work. We say we're going to do this or stop doing that, and it may seem to work for a week or maybe a month, but, interestingly, we always seem to get back to our same old ways.

Take your local gym for instance. The next time you drive by (or visit) your local gym, notice how crowded the parking lot is this time of year. With near 100% certainty I can say that it'll be packed. Why is this? Well, it's all those people who have made New Year's resolutions to "work out more" and "lose weight". Give it a month or two and watch the transformation. Your gym parking lot will be less and less crowded, and by mid to late Spring it'll be back to "normal".

This is because resolutions don't work. Resolutions are merely wishes and empty promises to yourself. Period. Be it your personal life or your career, the only sustainable way to move ahead from where you're currently at in life - and, most importantly, stay ahead - is to develop a sound set of goals for each area of your life, outline how you're going to go about accomplishing each goal, set deadlines, and hold yourself accountable. It's as "simple" as that. Here's a bit I wrote on this subject that tells you exactly what you need to do:

Eight steps to accomplishing your IT career goals

...You may also be interested in my Security On Wheels audio programs, specifically Getting Started in Security and the forthcoming Succeeding in Security, where I cover goals and much, much more about what it takes to get ahead and stay ahead year after year...no resolutions needed. Even if you're more of an IT generalist, these audio programs are chock full of goodies you can benefit from.

Here's to an excellent 2010!!
Posted in careers, goal setting, security leadership | No comments

Monday, 11 January 2010

Introducing my new book - Hacking For Dummies, 3rd edition

Posted on 12:05 by Unknown
Well, after months of edits, additions, and subtractions, my new piece of work has finally arrived: Hacking For Dummies, 3rd edition

I just received my copies last week and it should be in bookstores any time - if it's not already. Hacking For Dummies, 3rd edition is also available on Amazon.com (at a 34% discount to boot!).

So, how is this 3rd edition different from, or better than, the previous editions?
In this new edition, I believe I've finally gotten it right. Technical books such as this are works in progress. There have been so many changes in the world of information security since I first wrote the book in 2003 - new tools, new hacks, and even some new testing methodologies - even since the 2nd edition that came out in 2006 - that I knew an update was due. I've also grown and learned a lot over the years in my work performing independent security assessments, which has really helped me fine-tune the content of the book and make it into something valuable. In addition to a lot of fixes and tweaks, there's plenty of new content on Windows 7, storage systems, Web applications, databases, mobile devices, and more. New tools, new techniques, just what you need for (in Wiley's words) "Making everything easier!".

What's the book about?
It's about using a malicious mindset to test your systems and your IT operations for weaknesses so you can plug the holes before the bad guys exploit them.

Who should read this book?
From IT Directors to system administrators to compliance officers to security managers - basically anyone responsible for information security and privacy in their business or for their customers. There's something in it for everyone. There's a lot of non-technical content outlining the ethical hacking methodology, managing security changes, and so on that managers can benefit from, as well as all the right technical details that IT and security specialists need to know to bring out the worst in their systems.

One more thing...it's shameless self-promotion, but it bears mentioning. I was told by my publisher, John Wiley & Sons, that factoring in the number of editions and time on the market, Hacking For Dummies is/has been the top selling book on computer security. I had no idea. Very cool - and I couldn't have done it without those of you who have bought it! Thank you very much.

Now help me maintain my momentum and go buy a copy of the 3rd edition! :-) You won't be disappointed.

One more thing: if you have your own blog or other outlet and would like to get a review copy, please contact me and I'll work with Wiley to get one out to you.
Posted in ethical hacking, hacking, Kevin's books, Kevin's security content, recommended books | No comments

Thursday, 7 January 2010

My latest security content, Linux-style

Posted on 11:24 by Unknown
Hope your first week of the last decade of the new millennium is going well!

Here's some more new information security content - focusing on Linux security this time around. Enjoy!

Finding password weaknesses in your Linux systems

Hardening Linux with Bastille UNIX

Using BackTrack to check for Linux vulnerabilities

Many thanks to Leah Rosin with SearchEnterpriseLinux.com for getting me on board with these.

You know the drill - as always, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, videos, Twitter updates, and more.
Posted in cool products, Kevin's security content, Linux, passwords, security assessments, security tools | No comments

Great information security quote

Posted on 11:19 by Unknown
This sends a message, huh?:

"All that is necessary for the triumph of evil is that good men do nothing." -Edmund Burke

It's not just applicable to information security - it also applies to the War on Islamic Terrorism...uhum, I mean "Man-Caused Disaster".
Posted in information security quotes, security leadership, security management, stupid security | No comments

Monday, 4 January 2010

My latest security content

Posted on 06:10 by Unknown
Here's some more new information security content - stuff on network administration, employee monitoring, checklist audits, and more. Enjoy!

How to get - and keep - user support with security

How to get management on board with Web 2.0 security issues

Underlying causes of inconsistent patch management

Are your IT administrators trustworthy?

Monitoring user activity with network analyzers

Priorities for your sound regulatory compliance management policy

Go beyond a checklist audit for real IT security and data protection

Getting your arms around the compliance beast

As always, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, videos, Twitter updates, and more.
Posted in checklist audits, compliance, employee monitoring, government regulations, Kevin's security content, patch management, security policies, selling security, stupid security | No comments