NetScan Tools LE - a must-have for investigators

Have you ever had a need to run a program and get a relatively small amount of data just to do your job but end up getting caught in the complexity of the application and not getting what you need after all? That's happened to me a bunch.

Well, NorthWest Performance Software (makers of a long-time favorite of mine: NetScanTools Pro) has a new tool that helps resolves this problem called NetScanTools LE. Designed for law enforcement investigators (hence the "LE"), prosecutors, corporate security folks and the like, NetScanTools packages the ability to gather information on IP addresses, domain names, hostnames, and email addresses all in one concise program. It's for the non-technical types who just want the basics...get in and get out. Given its investigative approach, the tool is case driven and includes timestamps and even packet capturing to help investigators prove they did what they say they did while gathering their data. It's really inexpensive to boot.

Included functions are:

• ping sweeping
• port scanning
• IP to country mapping
  
• email validation
  
• Whois lookups
• RBL checks
• text-only Web page grabber (I really like this)
  

The following screenshot shows the clean interface of NetScanTools LE:






























While I'm on the subject of cool tools, if you've never checked out NetScanTools Pro, you really should. It's chock full of even more utilities (all in one place, albeit bordering on the complex) those of us in IT and security can benefit from. I have a need for such tools on practically a daily basis.

Furthermore, Kirk Thomas who heads up NorthWest Performance Software is very attentive and eager to get feedback on his products in order to make them better. And based on our conversations I like how he thinks.

Read More

"New" Web security content to check out

Here are several new links to some recent (and, due to my crazy year, not so recent) articles I've written for various TechTarget sites on the subjects of Web application and server security:

Web server weaknesses you don't want to overlook (the "rest of the story" of Web flaws)

SQL injection tools for automated testing (a must-have for your toolkit)

Beefing up SSL to ensure your applications are locked down (good for some of those often-reported PCI DSS compliance gotchas)

Common security flaws to check for on your Linux-based Web systems (overlooked Linux systems are a great facilitator of Web vulnerabilities)

Enjoy!

Read More

HIPAA & HITECH: new requirements + same approaches = new book

My colleague and co-author Becky Herold and I are working on the second edition of our HIPAA book and I'm realizing, wow, not much has changed in the way of managing information risks since we first wrote it in 2003. Yet, the protected health information breaches keep on occurring (look at the two latest ones from this week).

Stay tuned though...we've got lots of good updates and new info forthcoming on HIPAA and the HITECH Act that can help you forge your way through the compliance mess.

Read More

Work harder on yourself than you do on your job

Many people want to take the easy path that promises to lead them to their riches rather than work hard over the long term and earn it the good old-fashioned way. It's the lottery mentality. James Allen said it best:

"Men are anxious to improve their circumstances, but are unwilling to improve themselves; they therefore remain bound."

Want to get begin improving your circumstances in your life and in your IT/security career? Here are some pieces I've written and an audio program I recorded that can help you get started.

Read More

Good new book on security awareness

I have to admit, when my colleague Marcos Christodonte first approached me about reviewing his new security awareness book, Cyber Within, I thought here's yet another book on boring old security awareness. I was wrong. Cyber Within takes a very unique (suspense novel-like) approach to address the problem we have with employees and information security. And it works.

The book is a quick read - just 47 pages - but it's just enough to help drive home the message that employees are our worst enemy when it comes to security. The book also has some cut-out forms in the back for reporting incidents and employee quick tips you can use during your security training.

The argument could be made that everything in the book falls into place too easily but I still think it's a good read and a good resource. Kudos to Marcos. Heaven knows we need some original - and non-plagiarized - material in our field these days!

You can check it out Cyber Within on Amazon by clicking the book cover below:

Read More

Acunetix WVS v7 - grand improvements in the making

When I find a good security tool I not only love using it but I love telling everyone about it. Having gone down this road many times myself, I understand the time, money, and hassle associated with investing in security tools that aren't all that. Well, here's one for you: Acunetix Web Vulnerability Scanner (AWVS) version 7 (it's currently in beta and free for you to try).

The folks at at Acunetix tout several new things in AWVS v7 such as:

• intelligent scanning engine
  
• improved Web 2.0 support
• lower false positives
• ability to re-launch a reported vulnerability check
  
• faster scan times

Having taken AWVS v7 for a spin a few times, I can say that they've delivered. It's actually pretty weird using version 7 because outside of the much-improved dashboard it looks very similar to AWVS version 6. But once you dig in and (especially) see how fast it is, you can tell they've gotten it right this time. It reminds me of Windows 7 compared to Vista - looks similar but much, much better.

There are only a handful of Web vulnerability scanners worth considering. Acunetix makes one of them. Check it out while the getting's good.

Read More

500 million and counting...

I just received a press release from Beth Givens at the Privacy Rights Clearinghouse stating "500 Million Sensitive Records Breached Since 2005". 500 million+ known records that have been compromised in 5.5 years in the U.S. alone due to people in organizations large and small making poor choices about information security and privacy! Simply amazing.

If you haven't seen the Chronology of Data Breaches, check it out. It's fascinating. The problem of people putting forth little to no effort to keep information secure affects every single one of us. Scroll through the breach list and you'll likely see a business or organization you've dealt with in some fashion or another.

What's it going to take? Security standards have been developed. Security and privacy laws have been passed. The word's getting out. Yet, still, the carelessness and ignorance continues. Seriously, what's it going to take? I know it's easy for me to ask these questions being on the other side of the table. I don't envy anyone who's responsible for managing information security. Arguably it's one of the most difficult things to do in business today. Perhaps we need to re-think how we're doing things. Personally, I'm starting to like my colleague Pete Lindstrom's modest proposal to publish SSNs and be done with it. In our complex world with no real way to get our arms around this best once and for all, perhaps there is no good answer.

Beth Givens and company: Keep up the good work pulling all of this information together and keeping us informed.

Read More

Selling security: To persuade to is succeed

Okay, so your managers aren't getting security and your users aren't on board either. Security's not looking too good but you know it needs to happen. Just how can you "sell" security to those who matter most? Here's a collection of articles and blog posts I've written that address this very subject:

How to get - and keep - user support with security
How to get management on board with Web 2.0 security issues
Building credibility and getting others on your side
Making the Business Case for Information Security
The Business Case for Information Security - What businesses are up against and why it is needed
Selling security to upper management
My blog posts on selling security

But wait, if you're looking for more, here's a great read: 17 ways to be a more persuasive speaker - it contains content you can not only use when selling security but also when presenting, speaking, or anything you do to try and persuade other people to do things they may be reluctant to do.

Read More

Relentless incrementalism

I don't know who coined the term "relentless incrementalism" but it's very fitting when it comes to information security. In the context of what we do, relentless incrementalism means doing small things over time that add up to big outcomes in the long term.

All of us - management included - have to understand that security is not a one-time deal. Nor is it a product or a "compliant" status. It's not something your network administrator is taking care of. It's not something the compliance officer or CSO handles. Information security is a process that you, management and arguably everyone in your organization have to work on every single day.

This could be security assessments, system monitoring, quizzing employees, keeping your skills sharp by attending security conferences - you name it. Every situation is different. Whatever risks your business is facing, whatever regulations you're up against, and whatever is important in your environment - those are the things you must address on a periodic and consistent basis.

It's like keeping your body healthy. We all know that diets don't work. We all know that nature will have its way if we remain inactive. Regardless of the hype and magic "fixes" related to dieting and exercise, any reasonably-minded person knows that the calories we burn must be equal to or greater than the calories we consume. It's basic math. Yet we (myself included) get caught up in everything else and take this simple formula for granted.

We have to change our mindsets and our lifestyles if we're going to make things happen. Information security is no different. Every action counts. Every choice you and you leadership make either serves to support information security or serves to get in the way of information security. Find what works and keep working at it...relentlessly.

Read More

Panic is not a strategy

Seriously...it's not.

In this new piece I wrote for Security & Technology Design magazine, I talk about the lack of incident response planning being one of if not the biggest risk in any given organization...and what you can do about it:

Incident response: The biggest security gaffe of all?

If anything, never forget what Captain Chesley Sullenberger said after he landed U.S. Airways flight 1549 into the Hudson River last year:

"I didn't have time to learn what I needed to know...I had to have done hard work for decades for tens of thousands of hours to prepare for that moment."

...that says it all.

Read More

Common sense counts the most

A great quote I heard over the weekend has a direct tie-in to what we focus (or don't focus) our efforts on in information security. NASCAR champion Ned Jarrett said:

"There's nothing stronger when you're trying to get something done than common sense."

I couldn't agree more.

In the realm of IT and managing information risks, I'll take common sense over book smarts any day.

Read More

Have you told someone "no" lately? It's good for you.

Jack Canfield had a great quote that relates well to information security (and the lack of time to manage it) as well as our overall careers. He said:

"Success depends on getting good at saying no without feeling guilty. You cannot get ahead with your own goals if you are always saying yes to someone else's projects. You can only get ahead with your desired lifestyle if you are focused on the things that will produce that lifestyle."

A related quote that I strive to live by is by the late Richard Carlson:
“Just because someone throws you the ball doesn't mean you have to catch it.”

Are you majoring in minors or focusing on what matters? Are people, email, Twitter posts, etc. distracting you from what truly matters? You have to focus on the urgent and important. That's what security and career success are all about.

Read More

How dare we question our rulers!?

I've kept my mouth shut about this long enough. Why aren't more Americans standing up against this mosque at ground zero nonsense!? The mosque is clearly nothing more than a symbolic mark of victory on our soil by the very group that's trying so hard to bring our society down. And our own government is facilitating this.

Where is our country headed when one of our "rulers" says that any opposition "should be investigated"? Imagine, just for a second, if you or management in your business "investigated" any opposition to security policies, audit reports and so on. You'd be laughed out the door. Much less grave of an issue but you get my point.

Read this post and watch the embedded video around the 10 second mark. The thing is, those who flaunt and say they're not this or that and those who blame something "bad" on others are typically the very people doing those things. Watch any reality TV show. Ask any psychologist. People who use this tactic have convinced themselves and are indeed manipulating others into thinking they're gold and any opposition is dirt. They're performing something called leveling that either brings them up to a level of superiority or brings others down to make them look bad. It's a fascinating concept that goes on life around us all every single day.

So Queen Pelosi has the gall to say "But there is no question that there is a concerted effort to make this a political issue by some." Um, sorry Queen Pelosi, YOU are the one making this a political issue. It is an election year after all and your opposition is looking better and better every day that passes.

How about this, Queen Pelosi: this opposition is being "funded" by me, my family members, my friends, and my colleagues. Why don't you launch an investigation into all of us who are standing up against your policies? That's where America is headed anyway, why not begin with this heated matter?

I've always said that political correctness or technology - likely both - will be the end us. We're seeing this very thing in the making now...slowly but surely.

Wake up America!

Read More

Apple's iPad - a forensic investigation in the making?

Here's a new piece I wrote for SearchCompliance.com on regarding the realities and risks of iPads in the enterprise.
Enterprise iPads: Compliance risk or productivity tool?

Simply put, they're not all that different that other mobile computing devices but they do bring something unique to the table...

Speaking of "i" devices in the enterprise, here's a great read I saw recently in Information Week that outlines a scenario that's at the root of this problem:
Secret CIO: Deliver Strategic IT ... And My iPhone On Monday

Read More

Metasploit enters the Web arena

OK, Metasploit has had several Web-related exploits for years but HD and company are now getting serious about taking Web application scanning and exploitation to the next level.

As with Metasploit and Metasploit Express, there's only so much you can do with scanner and exploit tools so the verdict is still out. I love this innovation nonetheless.

Read More

Is car hacking the next big thing?

For years I've been telling close friends who share my motorsports passion that we're going to start seeing cars getting hacked. I believe this to be especially true once cars are online and communicating with the "smart highway" system we're slowly approaching.

Well, we're now starting to see the beginning of such hacks. Some research was uncovered earlier this year on how a car's ECU (electronic control unit) can be manipulated in ways ranging from merely annoying the driver all the way to making them crash. The latest car hack uncovered involves the wireless tire pressure sensors in 2008+ automobiles (something the government mandated because of irresponsible drivers ignoring the maintenance required of their vehicles).

As with any computer system, if there's a hardware port, a wireless signal, or an IP address, then it's going to be exploitable/exploited. I just hope it doesn't start happening to me and my colleagues and on the racetrack! Wouldn't that be a fine how do you do?...

Can't wait to see the evolution of this. Sure, car hacking doesn't involve sensitive information...instead it involves something of much greater value: people's lives. I think this is going to be big, really big. Stayed tuned for more.

Read More

Great information security quote (don't believe the hype)

There's a Japanese proverb that fits nicely into infosec:

"If you believe everything you read, perhaps it's better not to read."

Be it F.U.D., vendor hype, or "experts" who claim the sky is falling with every new exploit they uncover - you ultimately need to focus on doing what's best in your environment under your terms.

Read More

Avoid the temptation to go nowhere

The cancellation of Tony Robbins show after just two episodes underscores how many people aren't interested in learning more about getting ahead in life. Instead, mindless drivel is the "norm" of today.

If you want to make things happen, dare to be different.

Read More

How you can get developers on board with security starting today

Some people - including a brilliant colleague of mine - think security is not the job of software developers. In the grand scheme of things I think such an approach is shortsighted and bad for business. It's kind of like an auto assembly line worker not being responsible for the quality of his work or citizens not being responsible for their own healthcare (oh wait!) or why the bottom 50% of income earners in the U.S. shouldn't be responsible for paying their fair share. It's always someone else's problem. Sadly, "responsibilities" without ramifications is the way things are in most societies today.

Getting back to the point, getting developers on board with security - as we've seen over the past decade - is most certainly NOT one of those things that's going to magically happen. So is it even possible to get developers on board with security? I think so. But you have to be smart about it. You can't just say "You! Write secure code!" Ha, if it were only that easy. There are many gotchas along the way so you have to come up with a solid game plan. I wrote about the problem and some solutions in a new piece you may want to check out:

Getting developers on board with security – once and for all

Speaking of developers and security flaws, here are some more articles I've written recently for TechTarget's SearchSoftwareQuality.com that you may be interested in:

Application security checklist: Finding, eliminating SQL injection flaws

Finding cross-site scripting (XSS) application flaws checklist

Happy reading and most of all, good luck!

Read More

A bit of inspiration

I'm back from my last break of the summer and thought I'd share this quote I came across for a bit of inspiration:

"A successful life is one that is lived through understanding and pursuing one's own path, not chasing after the dreams of others." -- Chin-Ning Chu

This reminds me of another great quote which says "If you don't have goals for yourself you're doomed forever to achieve the goals of someone else."

Whether you're in need of some focus for your career or for your internal information security initiatives, here are some other pieces I've written on goal setting that may help...studying this subject has certainly helped me.

Eight steps to accomplishing your IT career goals (can be applied to all types of goal setting)
My blog posts on goal setting and IT and information security careers
Related articles I've written on IT and information security careers
My Security On Wheels audio programs providing security learning for IT professionals on the go

Read More