Great information security quote

"I am more afraid of an army of 100 sheep led by a lion than an army of 100 lions led by a sheep." -Charles Talleyrand

Applies nicely to the management of information security and amazingly well to our government "leaders" today.

Read More

P2P risks, all over again

It's sad when our government has to warn businesses about their own P2P network security flaws.

I wrote about the security considerations with P2P applications seemingly a lifetime ago (2003) for TechTarget in a piece titled Are P2P applications worth the risk?

Around this same time I served as a P2P expert on a panel discussion at American Intellectual Property Law Association's conference in Atlanta where we discussed these same issues.

Nothing has changed with the threats and the vulnerabilities of P2P applications...nothing. OK, it can be argued that things have gotten worse. Yet we continue to ignore what's going on at the desktop and at the protocol level. Interesting insight into how far we've come with information security since then.

Read More

Failure is always an option

Michael Eisner once said "Succeeding is not really a life experience that does much good. Failing is a much more sobering and enlightening experience."

This is something we often take for granted...and something that's facilitated by our society of not wanting people (especially our kids) to fail.

I wouldn't trade my failures in life for anything...they've gotten me to where I am today. Failure's always an option and not something to be ashamed of as long as you embrace it and learn from it.

Read More

What's your certification worth? Nothing.

According to Global Knowledge (you know, the training/certification folks), IT and security certifications are worth tens of thousands of dollars and, in some cases, over $100,000.

Man oh man if it were only that easy to jump in and make that kind of money - and be able to sustain it. I say that certifications such as CISSP, ITIL, or PMP are worth absolutely nothing unless you make it so. What you earn is up to you - your qualities and the value you bring to the table - not just a simple certification.

Here are some pieces I've written about what it takes to meet and exceed these certification "value" levels. It's easier than you think.
http://securityonwheels.blogspot.com/search/label/certifications
http://www.principlelogic.com/careers.html

If you're just getting started down this path or you want to learn more about getting ahead in IT and information security in 2010, then use the discount code 'CertWorth' for 50 percent off the following Security On Wheels audio programs through the end of February:

• Certifications, Degrees, or Experience - What's Best for Your Security Career? (MP3 format - run time: 24:35)
• Getting Started in Security (MP3 format - run time: 49:57)
  

Read More

Great tool for seeking out sensitive info on your network

One of the greatest risks in business today is the issue of unstructured information scattered about the network waiting to be misused and abused by rogue insiders and other outsiders that have gained "internal" access.

Reality has shown us that we absolutely cannot protect what we don't acknowledge. The best way to minimize this risk is to search your network far and wide for PII and other sensitive business information you can't afford to have exploited so you'll know which controls you need to put in place to keep it safe. I've done this with basic text search tools such as the one built right into Windows Explorer. Some enterprise solutions to this have come (and gone) in the name of data classification, storage management, and e-discovery tools.

But there's a tool I recently came across that's piqued my interest called Identity Finder shown in the screenshot below:


















Identity Finder has both a standalone and an enterprise version that will search inside many of the common file types and, as you can see in the figure above, seek out credit card numbers, passwords, SSNs, bank account numbers, and more. It's amazing what it will dig up on any given system...reason enough to make you at least want to encrypt your laptop hard drives.

I haven't been real pleased with the overall performance of the tool and the consulting license for the enterprise edition is well out of my price range given all the other costs associated with performing a reasonable internal vulnerability assessment. But overall Identity Finder is definitely worth checking out - especially if you're trying to make the case for unstructured information and identity theft risks or you're trying to take your information classification, compliance, and risk management initiatives to a new level.

Read More

My latest information security content

Here are my latest information security articles covering policies, internal threats and employee monitoring, and (when all else, fails) incident response. Enjoy!

Security policy oversights and mistakes we keep making

The real deal with internal security threats

Monitoring user activity with network analyzers

Lack of incident response plan leaves hole in compliance strategy

Incident response – the often overlooked component of business continuity

As always, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, whitepapers, podcasts, webcasts, videos, Twitter updates, and more.

Read More

My new trade rag column

I've got a new monthly column in Security Technology Executive magazine called Get with IT you may want to check out. It's a real gem of a magazine!

Read More

Looking past Layer 7 - Web security is more than the app

Here's a bit I wrote on why we need to look deeper than the application when testing our Web security:

Looking past Layer 7

...it's the little, often overlooked, things that'll get you.

Read More

What part of No Truck Crossing do you not understand?

Check out this wild video of a train crash yesterday. It's a great example of the fact that just because you have a policy (i.e. the no truck crossing sign) doesn't mean that people will abide by (i.e. the dummy driver who probably thought "Aw, I can make this."). Some people just believe that they are exempt from certain things.

Keep this in mind for your information security matters...you can't save people from themselves all the time (like in this case) but you've got to set people up for success whenever you can.

Read More

Deep thought of the day

All we have are our knowledge and our time and we don’t have a grip on managing our day-to-day tasks and projects we’ll let both go to waste and drive ourselves crazy. Get to know the basics of time management soon. This knowledge will do wonders for your career.

Read More

Relying on users to wipe out wimpy passwords??

I just came across this Dark Reading bit by Adrian Lane on wiping out wimpy passwords. Adrian says that user training is needed so people know how to create strong passwords. I'm not picking on you Adrian however this has become a downright ridiculous approach, one that's been proven time and again not to work.

My take is if you have to set your users up for success and, therefore, have to MAKE them create strong passphrases. It's as simple as enabling minimum password complexity policies in the OS and building in strong passphrase requirements within Web applications so that they don't have the option to take the path of least resistance.

Just like anti-lock brake systems in automobiles, circuit breakers in home electrical panels, and seat belt requirements on airplanes, we have to build in security controls that set our users up for success. Period. Unless and until we do, we're going to continue having the same old ridiculous password issues we've always had.

Read More