Tech Support For Dummies


Friday, 30 April 2010

Security strategies that lead to success

Posted on 05:12 by Unknown
Here's a new webcast I recorded where I talk about how to use visibility, control, and simplicity to your advantage to take the pain out of IT and security management:

Strategies for Securing your Enterprise for Success

Be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, videos, Twitter updates, and more.
Posted in Kevin's security content, security leadership, security management

Thursday, 29 April 2010

IT security roundtable starting soon

Posted on 06:47 by Unknown
Join me if you can in just over an hour for AppSec's Five Burning Questions: Q2 2010 IT Security Auditor Roundtable. I and others from companies such as Ernst & Young, KPMG, and Protiviti will discuss database audit challenges and share tips and best practices you can implement to ensure database compliance and security.

I hope to "see" you there!
Posted in compliance, database security, Kevin's seminars, webcasts

Tuesday, 27 April 2010

How to become a better presenter

Posted on 14:19 by Unknown
There are a lot of unknowns in IT, but one thing's for sure: if you're going to be successful in your job and move up the career ladder, you have to sharpen your presentation skills. Here's a new piece I wrote that'll help you get started down the right path:

Eight tips every IT pro can use towards becoming a better presenter
Posted in careers, communication, Kevin's security content, presentations, security leadership

Monday, 26 April 2010

The ultimate SQL Server faux pas, other oversights & solutions

Posted on 13:09 by Unknown
Here's a new piece I wrote where I talk about one of the root causes of SQL Server security issues:

The ultimate SQL Server security faux pas: Overlooked systems

...along with some additional oversights:
Common oversights with SQL Server audits

...and, to top things off, some things you can do to lock down your database environment (SQL Server or not):
Meet compliance requirements with improved database security practices
Posted in database security, Kevin's security content, sql server

Cracking Windows 7 passwords + a bit on BitLocker

Posted on 07:49 by Unknown
Here's the latest on Windows 7 passwords along with how they can be cracked and some tools for doing so:
Cracking passwords in Windows 7

I wrote a whitepaper on BitLocker in Windows 7 not long ago and here are some additional thoughts/tips in case you're considering it:
Using BitLocker in Windows 7

For additional reading, Paul Thurrott's SuperSite for Windows is a great resource on Windows 7 and more.
Posted in bitlocker, Kevin's security content, passwords, Windows 7

The key to failure

Posted on 05:55 by Unknown
Bill Cosby said it best: "I don't know the key to success, but the key to failure is trying to please everybody."

Be it your current job, your career, information security, IT, whatever - you cannot forget this sage advice.
Posted in careers, great quotes, information security quotes, success

Friday, 23 April 2010

Re-post of my update on CSRF

Posted on 13:47 by Unknown
I was just informed by my editor at SearchSoftwareQuality.com that they're going to take my Ask the Expert response regarding CSRF (referred to in this post) offline until they've had a chance to review it. In the interest of not letting this fizzle out without people knowing what happened as well as maintaining my stance on the topic and further clarifying what I meant, here's the original question along with my answer and my recent update:

Is cross-site request forgery as big a deal as the vendors make it out to be?
Even with some of the best commercial Web vulnerability scanners, it's very rare that I find cross-site request forgery (CSRF). That doesn't mean it's not there. Given the complexity of CSRF, it's actually pretty difficult to find. The good news is it's even more difficult to exploit CSRF which essentially takes advantage of the trust a Web application has for a user. So, based on what I'm seeing in my work I don't think CSRF is as big of a deal - or perhaps I should say -- as top of a priority as some of the vendors and Top 10 lists characterize it. This doesn't mean you shouldn't use a high-quality vulnerability scanner to look for it. I'm just saying that you likely have many simpler and more obvious problems to uncover and fix first.

UPDATE: In order to clear up some confusion and clarify my statement on CSRF I'd like to expand on my answer:

1. CSRF doesn't exist everywhere. I rarely see CSRF using both automated scanners and manual analysis. Every application is different. Your mileage may vary.
2. If you do find CSRF, it's important to take everything into consideration (context, attack perspective, authentication mechanism used, application logic, level of sensitive information processed by or stored on the system, whether or not the system is Internet-accessible, and so on).
3. CSRF can indeed be a serious threat...as with many things we deal with in IT, it all depends (see #2).
4. You're not going to find every single vulnerability every single time you perform a security assessment of your applications. There are too many variables and complexities. To assume that a one-shot check should/will uncover everything all at once is delusional. This is why we have to perform security assessments on a consistent and ongoing basis using good tools and in-depth manual analysis.
5. Security is very complex. It's not binary. There are always variables and complexities including opinions, politics, culture, and contracts that will muddy the waters to keep you from finding everything and, in turn, being able to do something about everything you find.
6. If you want good results with application security you focus on your highest payoff tasks. Maybe it's CSRF, maybe it's not.

For more details on finding and fixing CSRF flaws, check out my recent tip: Application security checklist: Ways to beat cross-site request forgery.

Posted in csrf, risk analysis, security assessments, web application security

Thursday, 22 April 2010

Great information security quote

Posted on 05:24 by Unknown
Socrates said it best:

"The more you know, the more you realize you know nothing."

How true this is in the context of information security.

Funny how we start out knowing everything in our teens, think we know everything in our 20s, and, in our 30s and beyond, come to the realization that things are much more complex than we originally thought.

Common sense - and humility - are the key ingredients to succeeding in this field.
Posted in careers, great quotes, information security quotes, security leadership

Monday, 19 April 2010

Have you seen Win7's Windows XP Mode?

Posted on 07:06 by Unknown
It's a great way to set up a virtual testing environment. Here's a recent piece I wrote about it:

Using Windows XP Mode for security testing in Windows 7


I'm really digging Windows 7. Even if you just upgrade your own machine, Windows 7 has lots of things that will help you work more efficiently.
Posted in Kevin's security content, security testing tools, virtual machine security, vulnerability assessments, Windows 7

Saturday, 17 April 2010

Essentials for cracking SQL Server passwords

Posted on 10:14 by Unknown
Looking to check the resiliency of your Microsoft SQL Server systems? You may very well find that you don't have to look much further than weak/blank passwords to gain full access. I've come across a few vulnerable SQL Server systems via manual analysis. However, I couldn't live without a small set of SQL Server password cracking tools that you should check out as well.

Here's a piece I wrote that can help you get started:

Password cracking tools for SQL Server
Posted in Kevin's security content, passwords, security testing tools, sql server, stupid security, vulnerability assessments
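
To make the "weak/blank passwords" point concrete, here is an added example of the offline half of a SQL Server password audit. It is written for this page; it is not code from the linked article or from any of the tools it recommends. It rebuilds a login's stored hash the way SQL Server does and tries a small wordlist against it. The hash layouts are the well-known ones for sys.sql_logins.password_hash (the formats hashcat implements as modes 132 and 1731): 0x0100 + 4-byte salt + SHA-1(UTF-16LE(password) + salt) for SQL Server 2005/2008, and 0x0200 + 4-byte salt + SHA-512(UTF-16LE(password) + salt) for 2012 and later. The logins, salts and wordlist are constructed for the example, not captured from a real server; on a real system you would pull name and password_hash from sys.sql_logins, which requires elevated (sysadmin-level) rights.

```python
"""Offline wordlist check against SQL Server login password hashes.

Added example written for this page; not code from the linked article or from
any of the tools it recommends. Stored-hash layouts (sys.sql_logins.password_hash):

    0x0100 | 4-byte salt | SHA-1  (UTF-16LE(password) + salt)   SQL Server 2005/2008
    0x0200 | 4-byte salt | SHA-512(UTF-16LE(password) + salt)   SQL Server 2012+

SQL Server 2000 appended a second SHA-1 of the upper-cased password; that older
variant is deliberately not handled here.
"""
import hashlib
from typing import Dict, Iterable, Optional, Tuple

SALT_LEN = 4


def mssql_hash(password: str, salt: bytes, version: int = 0x0200) -> bytes:
    """Rebuild a login's stored hash from a candidate password and its salt."""
    if len(salt) != SALT_LEN:
        raise ValueError("SQL Server salts are 4 bytes")
    data = password.encode("utf-16-le") + salt
    if version == 0x0100:
        digest = hashlib.sha1(data).digest()
    elif version == 0x0200:
        digest = hashlib.sha512(data).digest()
    else:
        raise ValueError(f"unsupported hash version 0x{version:04x}")
    return version.to_bytes(2, "big") + salt + digest


def parse_hash(stored) -> Tuple[int, bytes, bytes]:
    """Split a stored hash (raw bytes, or the '0x...' hex string SSMS shows) into
    (version, salt, digest)."""
    if isinstance(stored, str):
        stored = bytes.fromhex(stored[2:] if stored.lower().startswith("0x") else stored)
    version = int.from_bytes(stored[:2], "big")
    return version, stored[2:2 + SALT_LEN], stored[2 + SALT_LEN:]


def crack(stored, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry that reproduces the stored digest, or None."""
    version, salt, digest = parse_hash(stored)
    for candidate in wordlist:
        if mssql_hash(candidate, salt, version)[2 + SALT_LEN:] == digest:
            return candidate
    return None


def audit_logins(logins: Dict[str, bytes], wordlist: Iterable[str]) -> Dict[str, str]:
    """Map every login whose password is in the wordlist to that password."""
    words = list(wordlist)  # the wordlist may be a one-shot iterator (e.g. a file)
    found = {}
    for name, stored in logins.items():
        hit = crack(stored, words)
        if hit is not None:
            found[name] = hit
    return found


# Constructed sample data: salts and passwords are made up for the example.
SAMPLE_LOGINS = {
    "sa": mssql_hash("", bytes.fromhex("0a1b2c3d")),                     # blank password
    "app_user": mssql_hash("Password1", bytes.fromhex("deadbeef")),
    "legacy_app": mssql_hash("password", bytes.fromhex("01020304"), 0x0100),
    "dba": mssql_hash("c0rrect-h0rse-battery-staple!", bytes.fromhex("cafebabe")),
}
WORDLIST = ["", "sa", "password", "Password1", "123456", "admin"]

if __name__ == "__main__":
    for name, pw in audit_logins(SAMPLE_LOGINS, WORDLIST).items():
        print(f"{name}: {'<blank>' if pw == '' else pw!r}")
```

Blank and dictionary passwords fall out immediately, which is exactly the "don't have to look much further" situation above; anything the wordlist misses returns None, the outcome you want for the dba login. If you would rather not export hashes at all, T-SQL's PWDCOMPARE('candidate', password_hash) does the same comparison server-side, and a wordlist loop over it is a useful first pass before bringing in the dedicated tools.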

Thursday, 15 April 2010

Using POST vs. GET

Posted on 13:15 by Unknown
Here's a piece I wrote recently for SearchSoftwareQuality.com:

Why use POST vs. GET to keep applications secure

Sure, it's not cut and dried, but if you use the wrong one when you could've used the other, the resulting vulnerabilities can get ugly.
Posted in Kevin's security content, software development, web application security
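
The CSRF question reposted above (23 April) and this POST-vs-GET piece are two sides of the same problem, so here is one added example that covers both. It is illustrative code written for this page, not code from either article; the bank.example origin, the session store, the HMAC-based token and the three constructed browser requests are all assumptions. The vulnerable handler accepts a money transfer over GET with the parameters in the URL, so the amount ends up in access logs, browser history and Referer headers, and any third-party page can trigger it with an img tag because the browser attaches the session cookie. The hardened handler refuses anything but POST, checks the Origin (or Referer) header against the site's own origin, and requires a per-session synchronizer token, which is what turns "the trust a Web application has for a user" back into something an attacker's page cannot borrow.

```python
"""Why a state-changing action belongs on POST, and why POST alone does not stop CSRF.
Added example written for this page, not code from either linked article; bank.example,
the session store, the HMAC token scheme and the browser requests are all constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"          # assumed: the application's own origin
SECRET_KEY = b"constructed-server-side-key"   # would be random and secret in production
SESSIONS = {"sess-alice": {"user": "alice", "balance": 1000}}  # constructed session store

@dataclass
class Request:
    method: str
    path: str
    headers: dict
    query: dict = field(default_factory=dict)   # URL parameters
    form: dict = field(default_factory=dict)    # POST body parameters

@dataclass
class Response:
    status: int
    body: str

def session_for(req):
    """(cookie value, session dict) for a valid 'session' cookie, else (None, None)."""
    for part in req.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            return value, SESSIONS[value]
    return None, None

def access_log_line(req):
    """The request line an access log (or browser history, or a Referer) keeps: GET parameters are in it, a POST body is not."""
    url = req.path
    if req.query:
        url += "?" + "&".join(f"{k}={v}" for k, v in req.query.items())
    return f"{req.method} {url}"

def transfer_vulnerable(req):
    """Honours GET with parameters in the URL and trusts the session cookie alone, so an
    <img src="https://bank.example/transfer?to=mallory&amount=500"> on any site sends this request."""
    sid, sess = session_for(req)
    if sess is None:
        return Response(401, "login required")
    params = req.query if req.method == "GET" else req.form
    amount = int(params["amount"])
    sess["balance"] -= amount
    return Response(200, f"sent {amount} to {params['to']}")

def csrf_token(sid):
    """Synchronizer token bound to the session: HMAC(server key, session id); embedded in the app's own forms, unreadable from another origin."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()

def transfer_hardened(req):
    """Same action: POST only, then same-origin check, then per-session token check."""
    sid, sess = session_for(req)
    if sess is None:
        return Response(401, "login required")
    if req.method != "POST":
        return Response(405, "state change requires POST")  # removes the <img>/link vector
    origin = req.headers.get("Origin")
    if origin is not None:
        same_site = origin == SITE_ORIGIN
    else:  # browsers that send no Origin on form posts: fall back to Referer
        same_site = req.headers.get("Referer", "").startswith(SITE_ORIGIN + "/")
    if not same_site:
        return Response(403, "cross-site request rejected")
    if not hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token(sid)):
        return Response(403, "missing or invalid CSRF token")
    amount = int(req.form["amount"])
    sess["balance"] -= amount
    return Response(200, f"sent {amount} to {req.form['to']}")

COOKIE = {"Cookie": "session=sess-alice"}  # constructed: victim alice is logged in and visits evil.example

def forged_get():        # <img src="https://bank.example/transfer?to=mallory&amount=500"> on evil.example
    return Request("GET", "/transfer", {**COOKIE, "Referer": "https://evil.example/"},
                   query={"to": "mallory", "amount": "500"})

def forged_post():       # auto-submitting <form method="POST"> on evil.example; browsers add Origin
    return Request("POST", "/transfer", {**COOKIE, "Origin": "https://evil.example"},
                   form={"to": "mallory", "amount": "500"})

def legitimate_post():   # the bank's own form, token included
    return Request("POST", "/transfer", {**COOKIE, "Origin": SITE_ORIGIN},
                   form={"to": "bob", "amount": "50", "csrf_token": csrf_token("sess-alice")})

def run_scenarios():
    """[(label, HTTP status, alice's balance afterwards)], balance reset to 1000 before each call."""
    results = []
    for label, handler, req in [("vulnerable, forged GET", transfer_vulnerable, forged_get()),
                                ("hardened, forged GET", transfer_hardened, forged_get()),
                                ("hardened, forged POST", transfer_hardened, forged_post()),
                                ("hardened, legitimate POST", transfer_hardened, legitimate_post())]:
        SESSIONS["sess-alice"]["balance"] = 1000
        results.append((label, handler(req).status, SESSIONS["sess-alice"]["balance"]))
    return results
```

Calling run_scenarios() shows the forged GET draining 500 from the vulnerable handler and being refused with 405 by the hardened one, the forged POST refused with 403, and the bank's own POST going through. Note that moving the action to POST on its own only removes the img/link vector: an auto-submitting form on the attacker's page still posts with the cookie attached, which is why forged_post() is stopped by the origin and token checks rather than by the method check. Keep the checks in that order (session, method, origin, token) and keep the token out of the URL, or it lands in the same logs that access_log_line() shows GET parameters landing in.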

Job hunting? How you can stand out & kick your competitors' butts

Posted on 13:06 by Unknown
Looking for a job in IT or infosec? Here's what you need to do:

Getting hired in IT: How to stand out
Posted in careers, certifications, degrees, goal setting, Kevin's security content, time management

CSRF doesn't matter?? The sky is falling!

Posted on 04:27 by Unknown
Here's a great piece where something I wrote put a grown man with a hacker handle's boxers in a bunch. With all due respect to what Robert has contributed to our field, he is missing the point of my 8-sentence statement about cross-site request forgery (CSRF) not being a top priority. It reminds me of when I wrote about Changes coming to the OWASP Top 10 in 2010. [Boy, some of the "leet" in our field get cranky in a hurry when you say anything that's contrary to their experience!]

What I said was based on what I'm seeing in my work I don't think CSRF is as big of a deal - or perhaps I should say as top of a priority - as some of the vendors and Top 10 lists characterize it.

Sure, CSRF is still an issue...but what's the context? What's the perspective? What systems or sensitive information are being placed at risk? How does it affect the business? Based on what I see it's just not there and when it is, it's usually not as big of a deal as many of the other Web security gaffes we really should be focusing our efforts on.

Robert's blind railing against what I said overlooks the consistent rants I have about NOT relying on tools to find security flaws, like what I wrote about here and here and here and here and here. But who am I to question things...

It's so funny how some people worry about picking nits when there's an elephant in the room. It's all about priorities, folks - we have to prioritize things and focus on the urgent and the important. If you find CSRF that's creating an urgent situation, then you'd better address it quickly! Likewise with XSS, SQL injection, weak passwords, authentication mechanism flaws, and so on. But you've got to focus on what matters to your business in the context of your business - not just what some vendor, Top 10 list, or blogger says is important. Every situation - every application - is different.

There's something about our field - I've met many people over the years who like to find any flaw they can that's even remotely exploitable - regardless of whether or not it really matters in the grand scheme of things - and make a big deal out of it to justify their expertise and their existence. Given all the issues we face in information security today, that approach just doesn't add up.
Posted in cross-site request forgery, csrf, stupid security, web application security

Wednesday, 14 April 2010

A simple yet highly-effective career booster

Posted on 12:32 by Unknown
One of the best things you can ever do for your career in IT or information security is to network, network, network. It's all about who knows you. Here's what it takes:

Networking to enhance your IT career
Posted in careers, networking essentials

Tuesday, 13 April 2010

My (other) webinar this week: Strategies for Securing your Enterprise for Success

Posted on 17:11 by Unknown
If you're around at 2pm ET this Thursday (tax day, woohoo!) please join me for another free webinar: Strategies for Securing your Enterprise for Success

As with all my webinars/webcasts I'll keep it short and sweet - I'll talk for ~20 minutes and we'll have a Q&A at the end.

You can register here:
https://credantevents.webex.com/credantevents/onstage/g.php?t=a&d=660432648

"See" you there!

Posted in end point security, Kevin's seminars, security leadership, security management

My webinar this week: Data Protection: The Realities of Proactive vs. Reactive

Posted on 13:51 by Unknown
Join me tomorrow around lunchtime (or breakfast depending on where you're at) for a webinar on Data Protection: The Realities of Proactive vs. Reactive

I'm going to talk for ~20 minutes and we'll have a Q&A at the end.

It's at 12pm ET and you can register here:
https://www1.gotomeeting.com/register/936383032

Hope to "see" you there!
Posted in Kevin's seminars, network security, security management, web application security

Monday, 12 April 2010

View every day as a blessing

Posted on 11:04 by Unknown
Between losing both grandmothers and helping my mom through a serious struggle she's having with cancer over the past 4 weeks, combined with this news about Brian Tracy, who has been a wonderful inspiration and mentor to me, I'm compelled to say: view every day as a blessing, for we truly don't know how much time we have here on Earth.
Posted in message from Kevin

Friday, 9 April 2010

My 500th blog post + how does your salary compare to others?

Posted on 05:45 by Unknown
I just realized that this is my 500th blog post. Hopefully you're up to 500 more posts of my security nonsense!

If you haven't seen it yet, you should check out Global Knowledge's 2010 Salary Survey. It sheds some light on what you can and should be earning in IT and information security. Just remember that Global Knowledge is a training company and they want to tout how well-off you'll be by earning a certification. As I've ranted about in the past here and here, certifications aren't everything and are often nothing if you have little else to offer your employer.

If you want to learn more about how to advance your career in IT or information security, be sure to check out the following audio programs I've developed:

Certifications, Degrees, or Experience - What's Best for Your Security Career?


Getting Started in Security
Posted in careers, certifications, salary, success

Wednesday, 7 April 2010

Tools & techniques for hacking Windows servers & workstations

Posted on 02:30 by Unknown
Ever wonder how Windows servers get hacked? Perhaps you're unsure of which approach you need to use to get the most out of your security testing at the server and desktop levels? Or you may be wondering what you need to do to lock down Windows-based Web servers? Maybe you're curious about how Windows Server 2008 R2 stands up to security tests?

Well, I've got just what you need to know in the following tips I recently wrote for SearchWindowsServer.com and SearchEnterpriseDesktop.com:

How Windows Servers Get Hacked

Security testing: Finding the best method for your Windows servers

Tests for securing the internal Windows network

The right security tools for finding Windows desktop weaknesses

Web server security practices for Windows environments

How Windows Server 2008 R2 stands up to security checks
Posted in ethical hacking, internal threat, penetration testing, security audits, security testing tools, vulnerability assessments, web server security, Windows

Monday, 5 April 2010

Pros and cons of disk imaging

Posted on 08:03 by Unknown
Disk imaging is one of those awesome technologies that so many businesses can benefit from yet so few people (at least from what I see) are using it. Here's a new piece I wrote for SearchDataBackup.com where I talk about the pros and cons of disk imaging and how you can benefit from it:

Using disk imaging software in data backup and recovery
Posted in backups, business continuity, disaster recovery, disk imaging

Friday, 2 April 2010

THE process for successful Web security testing

Posted on 04:58 by Unknown
Here's a new piece I wrote for SearchSoftwareQuality.com where I talk about the lifecycle of testing for Web security flaws. From obtaining buy-in to reporting to the stakeholders, it's a process you need to master.

Security testing best practices for today's Web 2.0 applications

Posted in ethical hacking, sdlc, web 2.0, web application security

Thursday, 1 April 2010

Two B I G reasons to secure your home computers/network

Posted on 06:09 by Unknown
Here's a crazy story: burglar breaks into a home, uploads child pornography on the family computer, and tries to frame the husband of his co-worker who he had a crush on.

If this isn't a good enough reason to secure your home computers, I don't know what is.

Not to mention your wireless network. How'd you like one of those creeps we used to see on Dateline's To Catch a Predator doing what they do online using your Internet connection? Better hope you have some good investigators who can show what really happened.

Interestingly, most people are oblivious to this stuff...Amazing. What can you do?
Posted in drive encryption, expert witness, forensics, home security, personal responsibility, wireless security