Tech Support For Dummies

Tuesday, 20 December 2011

Holiday wishes and what's in store for 2012

Posted on 12:06 by Unknown
I'd like to send out a special holiday wish to everyone: Merry Christmas, Happy Hanukkah and Happy New Year!

This year has been extraordinarily great for me in my business and I owe it all to my clients, presentation and seminar participants, and purchasers of my books and audio content. Thank you very much!

I have lots of neat things right around the corner including a YouTube video channel and new Security On Wheels audio programs. In fact, I've already started on my videos and am pulling together some fresh audio content based on the feedback I've gotten regarding my presentations, seminars and webcasts over the past year.

It's time for me to disconnect for a couple of weeks. Here's to a great 2011 and an even greater 2012!

All the best,
Kevin
Posted in audio programs, Kevin's seminars, Kevin's videos, message from Kevin

Saturday, 17 December 2011

WebInspect: How SQL injection testing *should* be done

Posted on 12:56 by Unknown
SQL injection is arguably the grandest of all security vulnerabilities. It can be exploited anonymously over the Internet to gain full access to sensitive information - and no one will ever know it occurred. Yet time and again it's:
  1. overlooked by people who don't test all of their critical systems from every possible angle
  2. overlooked by people who haven't learned how to properly use their Web vulnerability scanners
  3. overlooked by people who chose to only perform PCI-DSS-type vulnerability scans that don't go deeply enough
  4. And, perhaps worst of all, overlooked by tools that can't test for - or properly exploit - SQL injection

Certain automated tools for SQL injection testing/exploitation have been around for years but I've never seen a tool that actually finds SQL injection as frequently or is as simple to use as HP's WebInspect. As shown in the following screenshots, with WebInspect it's a simple two-step process from initial scan to data extraction:

Step 1: Run the vulnerability scan to find SQL injection flaws. Finding it is half the battle. Most vulnerability scanners have no clue of its existence.

Step 2: Right-click on the finding, load the SQL Injector tool to confirm the injection and then click Pump Data to automatically siphon data out. Yes, it's that simple. (Note: in this test instance, extraction was not possible but it is in at least half of the SQL injection flaws I come across).

At your option, you can also use WebInspect's Vulnerability Review function to go back and test the SQL injection flaws once a fix is put in place...no need for a full rescan. Love it.

Folks, this is something that cannot be taken lightly. I'm not just talking about SQL injection itself but the fact that your tools may not be providing you the right information you need. As I've said before, "You cannot secure what you don't acknowledge." In this case, I'll tweak that a bit and say "You cannot secure what you cannot find." Just because the tools you're using aren't finding or exploiting SQL injection doesn't mean it's not a problem. Trust but verify.
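To make the two steps concrete, here's an added example (not from the original post and not WebInspect's code): a tiny SQLite-backed product lookup written the injectable way, the same lookup parameterized, a boolean-based probe that mirrors the scanner's "find it" step, and a UNION payload that mirrors the "pump data" step. The schema, table names, rows and password-hash strings are all made up for the example; only Python's standard library is used.

```python
import sqlite3


# Constructed sample data for the example: two tables, neither from a real system.
# The password_hash values are arbitrary hex strings, not real credentials.
def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99'),
                                 (2, 'kevin', 'e99a18c428cb38d5f260853678922e03');
    """)
    return db


def product_lookup_vulnerable(db: sqlite3.Connection, product_id: str) -> list:
    """The injectable pattern: untrusted input concatenated into the SQL text."""
    sql = "SELECT name, price FROM products WHERE id = " + product_id
    return db.execute(sql).fetchall()


def product_lookup_fixed(db: sqlite3.Connection, product_id: str) -> list:
    """The fix: the value is bound as a parameter, so it is never parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE id = ?"
    return db.execute(sql, (product_id,)).fetchall()


def detect_sqli(lookup, db: sqlite3.Connection) -> bool:
    """Step 1 (find it): a boolean-based probe.

    If the input is being parsed as SQL, 'id = 1 AND 1=1' returns the same row
    as 'id = 1' while 'id = 1 AND 1=2' returns nothing. If the input is bound as
    a parameter, both probes are just strings that match no id, so the two
    probe results are identical and differ from the baseline.
    """
    baseline = lookup(db, "1")
    true_probe = lookup(db, "1 AND 1=1")
    false_probe = lookup(db, "1 AND 1=2")
    return true_probe == baseline and false_probe != true_probe


def extract_sqli(lookup, db: sqlite3.Connection) -> list:
    """Step 2 (pump data): a UNION payload that pulls another table out through
    the same input. Returns [] when the lookup is parameterized."""
    payload = "0 UNION SELECT username, password_hash FROM users"
    return lookup(db, payload)


if __name__ == "__main__":
    db = build_db()
    for name, lookup in (("vulnerable", product_lookup_vulnerable),
                         ("fixed", product_lookup_fixed)):
        print(name, "injectable:", detect_sqli(lookup, db))
        print(name, "extracted:", extract_sqli(lookup, db))
```

Running `detect_sqli` against the fixed lookup is the same idea as WebInspect's Vulnerability Review: re-run only the probe that found the flaw after the fix goes in, and confirm it now comes back clean.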
Posted in automated scanner oversights, cool products, penetration testing, SQL injection, vulnerability assessments, web application security, WebInspect

Friday, 16 December 2011

AlgoSec & what happens when you don't look for flaws from every angle

Posted on 09:24 by Unknown
I recently had the opportunity to see how well AlgoSec's Firewall Analyzer performs in a real-world security assessment. Long story short, Firewall Analyzer found a weak password on an Internet-facing firewall that would've gone undetected otherwise. A traditional vulnerability scanner didn't find it nor did two different Web vulnerability scanners. Nothing was uncovered via manual analysis either.

Only AlgoSec's Firewall Analyzer found the weakness...no doubt a flaw that would've been exploited eventually.

Folks, information security is about piecing things together. We're never going to find it all but we darn sure need to use every means possible to check for flaws from every possible angle. Underscope your assessments and you're screwed - at best you're living in a delusional world. Case in point, I just reviewed a vulnerability assessment report that looked at every single external and internal IP address belonging to a business but not a single marketing site, e-commerce application or intranet portal was tested. And everything checked out "OK". The result that the executives saw was Low Risk Overall.

Wow.

Just like I tweeted about today regarding what Qualys finds in vulnerability scans versus much of the "free" and commercial competition (there's no comparison)...I honestly believe that some big data breaches that have already occurred and have yet to happen will be related to using the wrong tools...or not enough tools...that combined with people not testing all the systems that matter. People aren't looking at the whole picture.

I know, you can't rely on tools alone but by golly you'd better make sure you're not only looking at everything that matters but you're also using the best tools possible when doing your security testing. Here's a new bit I wrote that covers this very subject:
Good Web Security Tools and Why They Matter
Posted in back to basics, cool products, firewalls, low-hanging fruit, penetration testing, scary stuff, security assessments, security testing tools, stupid security

Thursday, 15 December 2011

Big-data-retention-storage-security...what a mess!

Posted on 18:00 by Unknown
I've written some new bits on storage security and data retention that you may be interested in...especially as you move your "big data" to the cloud in 2012. You are going to do that, right? ;-) Enjoy!

Data security and backup encryption remain critical

Secure data storage strategies and budget-friendly security tools for SMBs

Heading in the Wrong Direction with Data Protection?

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.
Posted in cloud computing, data retention, Kevin's security content, storage security

Going green's tie-in with infosec

Posted on 05:16 by Unknown
If you've been following my blog and my principles for even a short period of time you've probably figured out that I pull no punches when it comes to personal responsibility and limited government. There's hardly anywhere I'm more passionate in this regard than the marketing smoke and mirrors of "Going Green" and the religion of "global warming". I should say "climate change"; that covers warming and cooling for the anti-Capitalist movement, right?

Bandwagon jumping aside, I do believe that it's up to all of us to take reasonable care of the environment through recycling, minimizing the energy we use and so on. In fact, I strongly believe that if we all just did a little bit in terms of personal and business recycling and being smarter about energy consumption that we could make a huge difference for future generations.

Ditto with information security. I truly believe if we all just did a little bit more...if management exercised more common sense, if users clicked on fewer unsolicited links and if IT managers and developers fixed the low-hanging fruit - the basics of what's continually exploited - just imagine how much more secure our information would be.

The problem is getting people to take personal responsibility for their actions. There's a big, big hurdle with that though and therein lies the problem.

Be it heads in the sand over information security or society slowly dismantling the very essence of what's given us our standard of living in the name of "global warming", as Ayn Rand said: We can evade reality but we cannot evade the consequences of evading reality.
Posted in back to basics, compliance, global warming, government regulations, great quotes, information security quotes, low-hanging fruit, personal responsibility, thinking long term

Monday, 12 December 2011

Why uninterruptible power supplies have higher quality than Web apps

Posted on 04:25 by Unknown
I recently purchased an APC uninterruptible power supply for my office and noticed something peculiar in the packaging. It was a small piece of paper that says "QUALITY ASSURANCE TEST". It has the time, date, operator ID and other identifying information for the specific piece of hardware.

As you can see in the image, this QA test sheet has 33 unique tests that were performed on the unit presumably before it shipped. Everything from polarity checks to AC line calibration to beeper tests were performed on this system.

Then it occurred to me...do we actually demand better quality from uninterruptible power supplies like this than we do from the Web applications that power our businesses? I don't know that we *demand* it but it sure is coming across that way!

Sure, there's unit testing, functional testing, user acceptance testing and so on around any given Web application, but where's the real quality when it comes to security and overall application robustness?

I know companies like APC wouldn't dare let a low-quality uninterruptible power supply leave the building yet so many companies of similar size and visibility do this every single day with their software. Numerous studies are done each year on security being a missing component of software quality...yet the problem continues on as if it's someone else's problem. I see it in my work every day and we're all impacted when data breaches occur.

Where are we failing ourselves here? Our priorities are misplaced to say the least.
Posted in penetration testing, personal responsibility, quality assurance, scary stuff, security leadership, software development, stupid security, web application security

Sunday, 11 December 2011

Windows security exploits, all over again

Posted on 08:21 by Unknown
There's a good bit brewing in the Windows world regarding security and I suspect 2012 will make for an interesting year...Here are some new pieces I've written for TechTarget along these lines where I cover Windows 8 and SharePoint security, using Metasploit to exploit flaws as well as some Windows security oversights I see in practically every internal security assessment I do. Enjoy!

Patching and continuous availability in Windows Server 8

SharePoint security should not be an afterthought

Exploiting Windows vulnerabilities with Metasploit

Five Windows environment security flaws you may be forgetting

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.
Posted in Kevin's security content, metasploit, security testing tools, sharepoint, web application security, web server security, Windows, windows 8

Friday, 9 December 2011

Reactive security at its finest

Posted on 05:49 by Unknown
I've been hearing on the news about Georgia State University (@GeorgiaStateU) installing 50 new security cameras. No doubt, universities in downtown Atlanta (one of the highest-crime cities in the nation) are not faring so well with security these days so somebody needs to do something, no?

Well, Georgia State's solution was to install more security cameras. Is this security theater at its finest? Not totally, but it is security theater like I see all the time in townhome and apartment complexes where the "gate's always up".

This reminds me of some security concerns I found when I first moved into my previous office: outside doors staying unlocked around the clock, wiring closet accessible to everyone who comes inside the building among others...When I mentioned these concerns to my landlord he, in typical head-in-sand fashion, brushed them off and said "We have security cameras that monitor the parking lot." Oh, okay, well in that case...sheesh.

Like cloud computing contracts and SLAs that so many businesses over-rely on, these cameras are certainly good for reactive measures - a means to fall back on. Sure, they may deter a few thugs but they're not going to stop the actual crime in most situations (think convenience store robberies we see on video all the time). Perhaps this would but it'd never fly so the crimes will likely continue. As with criminal hackers, the thugs terrorizing Atlanta's streets know they have the upper hand.
Posted in cloud computing, government regulations, hacking, personal responsibility, physical security, scary stuff, stupid security

Thursday, 8 December 2011

Are CIOs not doing their jobs?

Posted on 04:08 by Unknown
In the past week I've come across three different articles on how CFOs are getting more involved in IT. For example, last week's Atlanta Business Chronicle feature CFOs take on increasing roles in IT department stated: "CFO involvement with IT has been largely driven by the need to upgrade reporting functions and the general inability of many legacy systems to provide the kind of data the C-suite needs." According to Robert Half Management Resources, 44% of CFOs have become more involved in technology-related decision-making. Interesting finding.

And this CSO piece from a couple of weeks ago stated: "For business both small and large, CFOs now are finding themselves with fiduciary responsibility in data-protection cases."

Finally, some interesting findings were documented in this CIO piece from just a few months back:
  • 26% of IT investments in the past year have been authorized by CFOs alone
  • In 51% of cases, IT decisions are being made either by the CFO alone, or by the CFO in collaboration with the CIO
  • 5% of the time the CIO makes the investment call
  • 42% of IT organizations report directly to the CFO
  • 47% of executives viewed IT as being strategic

Ouch!

Is this a sign that CIOs aren't communicating effectively with others in management? Perhaps they're not providing them with the tools they need to make strategic decisions? Does it underscore the very issue I've been ranting about for years regarding executives having their heads in the sand over IT? I'm hopeful that it's merely a sign that IT and information security are getting more visibility in the business and thus luring more decision makers to the table.

Only time will tell. One thing's for sure...If you're an IT leader, you'd better keep doing the things that good leaders do so you can keep your visibility...and your job.
Posted in personal responsibility, security committees, security leadership, stupid security

Wednesday, 7 December 2011

BitLocker, Passware...heads in sand everywhere!

Posted on 06:04 by Unknown
Three times in the past three weeks. That's how many conversations I've had with people who have blown off any sort of technical or operational weaknesses associated with Microsoft BitLocker when using it as an enterprise full disk encryption solution. They're well-documented. I highlighted these issues in my recent whitepaper The Hidden Costs of Microsoft BitLocker as well.

I've said it before and I'll continue saying it: I've sung the praises of BitLocker for years. I still use it on a few non-critical systems that aren't storing sensitive information just to create a hoop for someone to jump through if the systems are lost or stolen. The thing is, there's a tool that can supposedly negate BitLocker's encryption. It's called Passware Kit Forensic.

In one of my recent full disk encryption conversations, someone in a highly-visible healthcare organization told me that even though it's been proven that laptop loss and theft is a big problem for healthcare (backed up by this December 2011 bit from Dark Reading on Ponemon's new study: Healthcare Data in Critical Condition), that loss/theft/Passware Kit Forensic was not a risk to the business. Even when the law says it is. Amazing stuff.

You see I've sung the praises of Passware Kit Forensic to over 1,000 people during my speaking engagements this year alone. I've seen it in action and have had some colleagues who have used it recommend it to me. But I want to be able to demonstrate on my blog and to my audiences when I present how BitLocker can be compromised using Passware Kit Forensic. Although Passware has some screenshots on the process here, I need more.

Like other bloggers, trade rags and test labs, I'd like to get a (fully-functioning) demo/test/trial copy of the tool first so I can take it for a spin, validate which scenarios the tool can actually work and document my findings here on my blog, my articles and any forthcoming edition of Hacking For Dummies...especially given how pricey Passware Kit Forensic is ($995; it was $795 just recently so apparently there's a demand for it).

I truly believe this is a big deal and it'd be a win-win for us all. The problem is I can't seem to get anyone at Passware to get back with me. Numerous emails, a Web form submission and LinkedIn requests have fallen on deaf ears. Maybe Passware is no longer around?

For now, just know that the threat and subsequent business risk is likely there and maybe I'll have the opportunity to demonstrate it for you in the future.

Elcomsoft...help!
Posted in cool products, data breach laws, data breaches, hipaa, laptop encryption, mobile security, scary stuff, stupid security

Information security quote

Posted on 05:47 by Unknown
Don't expect short-term perfection in your security program. Instead, aim for incremental improvements over time. -KB
Posted in great quotes, information security quotes, kevin's quotes, thinking long term

Join me live online today with TechTarget & ISACA

Posted on 05:01 by Unknown
Today is our live virtual seminar Making the Case for the Cloud: The Next Steps. Join me, Urs Fischer, Dave Shackleford, Andrew Baer and Diana Kelley to hear about various aspects of cloud computing you may not have thought about.

Starting at 11:15am ET, I'll be presenting on Incident Response in Cloud Computing. I'll talk about common incident response weaknesses I see in my work, questions you must ask your cloud providers and how you can start developing your incident response plans with a proven incident response plan template.

It'll cost you nothing but an hour or so of your time and it'll be well worth it. You'll even have the opportunity to send me a curveball question at the end of my session. Won't you join us?
Posted in cloud computing, data breaches, hacking, incident response, Kevin's seminars, presentations, webcasts

Tuesday, 6 December 2011

School staff members and porn - Why you should care

Posted on 14:43 by Unknown
Here's an interesting read on government employees trying to make an extra buck by serving up pornography on their high school-issued computers. What a lovely story.

Don't think this kind of behavior is random. I've seen this very thing at the university level during a security assessment I did early on in my information security consulting venture.

You see, one thing I do during my internal security assessments is connect a network analyzer just inside the firewall for a few hours to look at general traffic patterns, protocols and the like. Interestingly, during this assessment I found a workstation that was the top talker on the network. No, it wasn't the email server, or the Web server or the high-traffic FTP server but, instead, a workstation.

After further review it was determined that a staff member was hosting porn on his computer...right on the school network. He was apparently doing pretty well as his workstation was sending and receiving literally 10 times the traffic of any other system on the network.

Folks, just because an employee passed a background check, had good references and seems to be a reasonable person doesn't mean s/he can be trusted to always do the right thing.

You've got to know your network...As I wrote about, a network analyzer is a cheap and easy way to get rolling to make sure your network - and your users - are kept in check.
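Here's an added example of the "top talker" check described above, written for this page rather than taken from the original post or from any particular analyzer. It works on per-flow byte counts of the kind a protocol analyzer's conversations view or a flow exporter gives you; the flow records, the internal address range (10.0.0.0/24) and the list of known servers are all made up for the example. It totals bytes per internal host, lists the busiest, and flags any host that isn't a known server yet moves several times the median volume, which is exactly the pattern that exposed the porn server.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal range for the example; adjust to your own network.
INTERNAL = ip_network("10.0.0.0/24")

# Assumed role map: the hosts you expect to be top talkers.
KNOWN_SERVERS = {"10.0.0.10": "mail", "10.0.0.11": "web", "10.0.0.12": "ftp"}

# Constructed flow summaries (src, dst, bytes), as a flow exporter or an
# analyzer's "conversations" view would give you. Not real capture data.
FLOWS = [
    ("10.0.0.20", "10.0.0.10", 40_000),
    ("10.0.0.10", "10.0.0.20", 60_000),
    ("10.0.0.21", "10.0.0.11", 70_000),
    ("10.0.0.11", "10.0.0.21", 30_000),
    ("10.0.0.22", "10.0.0.12", 20_000),
    ("10.0.0.12", "10.0.0.22", 200_000),
    ("10.0.0.23", "10.0.0.11", 50_000),
    ("10.0.0.11", "10.0.0.23", 40_000),
    # One workstation pushing large volumes to two outside addresses.
    ("10.0.0.99", "203.0.113.7", 1_500_000),
    ("203.0.113.7", "10.0.0.99", 100_000),
    ("10.0.0.99", "198.51.100.9", 1_200_000),
    ("198.51.100.9", "10.0.0.99", 80_000),
]


def bytes_per_host(flows, internal=INTERNAL) -> dict:
    """Total bytes sent plus received, counted for internal hosts only."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if ip_address(src) in internal:
            totals[src] += nbytes
        if ip_address(dst) in internal:
            totals[dst] += nbytes
    return dict(totals)


def top_talkers(flows, n=3, internal=INTERNAL) -> list:
    """The n busiest internal hosts, busiest first (ties broken by address)."""
    totals = bytes_per_host(flows, internal)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def unexpected_top_talkers(flows, known_servers, ratio=5.0, internal=INTERNAL) -> list:
    """Flag internal hosts that are not known servers yet move more than
    `ratio` times the median per-host volume. Returns (host, bytes, x_median)."""
    totals = bytes_per_host(flows, internal)
    baseline = median(totals.values())
    flagged = [
        (host, total, round(total / baseline, 1))
        for host, total in totals.items()
        if host not in known_servers and total > ratio * baseline
    ]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for host, total in top_talkers(FLOWS):
        print(f"{host:<12} {total:>10,d} bytes  {KNOWN_SERVERS.get(host, 'workstation')}")
    for host, total, x in unexpected_top_talkers(FLOWS, KNOWN_SERVERS):
        print(f"investigate {host}: {total:,d} bytes, {x}x the median host")
```

The median rather than the mean is used as the baseline on purpose: one runaway host drags the mean up with it, but leaves the median where the ordinary workstations sit, so the offender still stands out.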
Posted in cool products, employee monitoring, incident response, network analysis, policy enforcement, stupid security

Monday, 5 December 2011

What happens when third-party patches are ignored

Posted on 04:58 by Unknown
The majority of people I speak with claim they have no means for patching third-party software. As Kelly Jackson Higgins mentions in her recent Dark Reading blog post regarding the rash of Java exploitations, when third-party software goes unmanaged, bad things can happen.

It's great that Metasploit has a module for Java exploitation - something that'll not only benefit me in my security assessments but will also help bring to light what can happen in any given enterprise. But you know as well as I do that criminal hackers will use it for ill-gotten gains.

In my work, I certainly don't see what HD Moore was quoted as saying in the Dark Reading piece regarding most enterprises not allowing admin privileges on desktops. Between my clients and the people at my speaking engagements, maybe 5-10% of businesses have their desktops truly locked down. I will agree with the reality that Java is pervasive across any given business. In fact, I had to install Java on a system yesterday and believe the following screenshots underscore the issue:

Given such proclamations, where do you think the bad guys are going to focus their efforts?

Another funny thing about Java is what Microsoft recently documented in its 2011 Security Intelligence Report. Microsoft found that Java exploits make up to 50% of all exploits. Wow. Another side note from this report that I found interesting is that 0.1% of attacks are related to the "sky is falling" zero-day exploits that so many people (especially vendors) are claiming to be a huge problem.

Bottom line: as I talked about in this piece - unless and until you get your arms around third-party patches, you're going to continue to be vulnerable, especially given how simple Metasploit is to use.
Posted in exploits, hacking, java, malware, metasploit, patch management, rogue insiders, stupid security, windows security

Thursday, 1 December 2011

You're in charge of your own crisis

Posted on 07:08 by Unknown
Whether or not you - or your management - believe you'll suffer a security incident, it certainly pays to be prepared. Odds are that something is going to occur.

Does your business have a solid incident response plan? What about a communications plan? Is an executive or business PR representative going to say "Um, well, uh you know - we got hacked and stuff..." to the eager media or are they prepared to answer questions in a mature and professional manner?

PR pros will tell you that you'd better be prepared. As Bolling Spalding - a PR expert here in Atlanta - said in this Atlanta Business Chronicle piece:

"Address the situation openly by saying, 'We don't have all the facts yet, but will tell you what we know now and we'll continue to report back as the facts come in.'...If you don't tell the story, someone else will tell it for you, and it might be someone with an ax to grind."

There's too much to lose folks. Do something now so you'll have a plan when the time comes.

If you're interested, here are some tips I've written about information security-related incidents and how to shore up what could be one of your business's greatest weaknesses.
Posted in data breaches, incident response, security management

Tuesday, 29 November 2011

HDMoore's Law, revisited

Posted on 05:58 by Unknown
Here's a good read by Mike Rothman (@securityincite) on how we tend to bury our heads in the sand over the most obvious things including HD Moore's Law. For years, I've had a slide in my presentations titled "Future Trends" where I've talked about how exploits are getting easier for those with ill intent:
  • Easier access to tools
  • Little knowledge needed
  • Less elaborate “hacks”
  • More internal breaches
  • Mobile business → less control
  • Greater complexity → more security issues
  • Newer technologies → new security problems
Mike's post is a good reminder that this is a business reality - today, right now - and it's up to every single one of us in IT to stay ahead of the curve.
Posted in internal threat, metasploit, security testing tools, stupid security

Sunday, 27 November 2011

Don't get mired striving for perfection

Posted on 13:50 by Unknown
As we wind down 2011, here's a quote that relates to information security, incident response and overall risk management:

“The person who insists upon seeing with perfect clearness before he or she decides, never decides.” -Henri Frederic Amiel

So, do something to better your information security program. Any positive step forward - anything - is much better than getting mired in the desire for perfection and doing nothing at all.
Posted in great quotes, incident response, information security quotes, security leadership, security management, thinking long term

Monday, 21 November 2011

Don't turn a blind eye on the basics

Posted on 17:08 by Unknown
I'm all about shoring up the basics of Web security before throwing money at the situation. If you're interested in saving not only money but also time and effort, here are some new pieces I've written on Web security that you may be interested in:

Explaining the why of Web application security

Improving Web security by working with what you’ve got

Not all Web vulnerability scans are created equal

Why people violate security policies

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.
Posted in back to basics, Kevin's security content, low-hanging fruit, politics, security awareness, security policies, stupid security, web application security, web server security

Sunday, 20 November 2011

A new way to bleed

Posted on 12:45 by Unknown
I was in New York City this past week for my final keynote and related presentations for our TechTarget & CDW information security roadshow. Wow, 10 cities in eight months - what a great way to end our year. Of course, being in New York I couldn't help but notice the *constant* coverage of the Occupy Wall Street protests that ended up turning a bit ugly on Thursday - the day I was leaving. Luckily I didn't get caught up in their nonsense.

Once I reached the airport on my way back home I had several things occur to me regarding these people and their protests. The occupiers are the same folks who will:
  • break in line
  • litter
  • cheat on tests
  • ensure everyone gets a trophy
  • buy into the notions of "fair share" as long as it works into their favor by only giving what they're capable of giving while taking whatever they need
  • flip you off when they pull their car out in front of yours and you honk to make them aware of your presence
  • hack into others' computers for ill-gotten gains just because they can
  • never admit fault and hire lawyers to "prove" their cases
  • be heard at all costs but go to great lengths to shut you up if your views oppose theirs

Ironically, there was a Rich Dad Poor Dad seminar in the hotel where we were presenting. It was chock full of people looking to better themselves. I thought, what an interesting juxtaposition considering all the people in Zuccotti Park who were doing nothing productive but, were instead, only holding themselves back.

The occupiers have no interest in taking personal responsibility for any of their actions. It's always someone else trying to bring them down. They don't understand that each and every one of us is currently experiencing the sum of our own choices throughout our lives. The occupiers want stuff handed to them using money that someone else has had to work to earn...and they want it now! Imagine this scenario just a few centuries ago where it was every man and woman to fend for themselves. Ha. Without the police power of government these people would never survive. But now we live in a society where government helps ward off such survival of the fittest. We're conforming minions because of the laws that a relative minority want to force upon the will of others. We're more "equal" now and that makes for a better society I suppose.

Folks, this is the very beginning of Socialist nations which, no doubt, evolve into Communist regimes - you know, the very political states in which "human rights" are violated and these same people would demand reprieve. It is interesting how these "smart" occupiers who claim to know it all have no real clue of history...much less how basic economics works. The free market that's based in New York City provides these very people and all of us the greatest opportunity in history to do well for ourselves and our families. But that requires work and these people aren't willing to do that. Too much risk and effort involved. They'd much rather argue for their own limitations.

I write about this because I believe STRONGLY in personal responsibility and limited government. Interestingly, both of these have a direct tie to the field of information security that has been very good to me and my family thanks to my willingness to take risks and work hard year after year to bring things to fruition. Yet, on both sides of the token - the anti-Capitalist occupiers AND the very people who *should* be held accountable for doing what's right to protect their networks and information - I see people continually burying their heads in the sand and pretending that everything is someone else's problem...It seems to be getting worse, but it's probably just me.

Major kudos to all of you who are not only willing to work hard but also willing to think outside the box and not be swayed by mob rule.
Posted in government regulations, message from Kevin, personal responsibility, scary stuff, thinking long term

Monday, 14 November 2011

For incidents, preparation is key...But you've been hacked, now what?

Posted on 14:10 by Unknown
Here are some new pieces I've written for TechTarget and Security Technology Executive magazine on compliance that you may be interested in:

Preparing for an incident at the workstation level

Develop a Flight Plan

How to know if your website has been hacked

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.
Posted in compliance, forensics, incident response, security management, web application security, windows security

Thursday, 10 November 2011

Join me at the CDW - TechTarget seminars in Philly & NY next week

Posted on 11:40 by Unknown
If you happen to be in or around Philadelphia, PA or New York City next week, I'd love it if you could join us for our TechTarget / CDW seminars: Predictive Security: Plan Ahead to Stay Ahead of the Next Threat.

I'll be giving the keynote presentation and splitting the breakout sessions with Pete Lindstrom and other vendor experts. After the morning sessions and a great lunch, we'll get back together around 2pm and close out with a lively Q&A for which we've gotten great feedback.

These are our final two seminars for the year. You'll benefit from us being really warmed up and having our presentations (mostly) fine-tuned.

Hope to see you soon!
Posted in Kevin's keynotes, Kevin's seminars, message from Kevin, presentations

Why compliance is a threat

Posted on 09:15 by Unknown
Compliance as we know it is arguably one of the greatest threats to enterprise security. Here's why:
  1. It creates a heightened sense of self for those responsible for accomplishing a state of compliance.
  2. It can cost more to become "compliant" than it does to create a reasonably secure environment.
  3. It empowers government.
All of the above create complacency and a false sense of security. Please tell me I'm wrong.
Posted in compliance, government intrusion, government regulations, scary stuff, stupid security | No comments

Wednesday, 9 November 2011

Wooo...HIPAA audits are coming & the irony of KPMG's involvement

Posted on 08:54 by Unknown
I've always believed that compliance is a threat to business [hence why I help businesses take the pain out of compliance by addressing their actual information security issues] and this new bit from HHS's Office of Civil Rights is no different.

Apparently the HIPAA audits are coming...KPMG - an audit firm that has already proven they have trouble implementing the basic security controls they audit others against - scored a $9 million contract to perform up to 150 audits over the next year. Audits that'll prove that covered entities and business associates alike still don't take HIPAA seriously. A simple visit to your local hospital or physician's practice will show this, but I guess it needs to be formalized.

Who knows, maybe in a generation or two, physicians (the bigger problem) and business associates (not quite as much) will wise up to the fact that minimal investments can go a long way towards fixing their low-hanging fruit and implementing basic security controls - really all that's needed for HIPAA compliance in most situations.
Posted in checklist audits, compliance, government regulations, hipaa, security audits, stupid security | No comments

Tuesday, 8 November 2011

Mobile devices are the new desktop, what to do now!?

Posted on 11:19 by Unknown
Here are some new pieces I've written for my friends at TechTarget on mobile security that you may be interested in including a piece for TechTarget's new (I think) SearchConsumerization.com site:

It's time we shift our thinking about endpoint protection

Act now to prevent smartphone security risks at your organization

Compliance officers' next big headache: Securing mobile applications

You know the deal, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.
Posted in compliance, end point security, Kevin's security content, mobile security, smartphone security, third-party applications | No comments

One of my pet peeves: relying on users to wipe out wimpy passwords

Posted on 07:09 by Unknown
You cannot - and should never - rely on your users for complete security...yet they're often the first or last line of defense - sometimes both.

I wrote about this a while back but it's a problem that's still rampant in IT so I had to bring it up again. It's probably my biggest pet peeve with security. Simply telling users that they need to select strong passwords on their computer systems and leaving it up to them to do the right thing is delusional.

I do believe that most people want to do the right thing...that said, people are going to take the path of least resistance if they're presented with it. Set them up for success instead and take that power away when you can.
Posted in mobile security, passwords, personal responsibility, scary stuff, stupid security, user awareness | No comments

Tuesday, 1 November 2011

What needs to change?

Posted on 11:55 by Unknown
The late Richard Carlson once said:

Circumstances don't make a person, they reveal him or her. There are times when other people and/or circumstances contribute to our problems, but it is we who must rise to the occasion and take responsibility for our own happiness.

Deep.

Whether you're caught up in an IT project mess, a data breach or even the #Occupy "movement", keep this in mind. We're the sum of our choices to this point. What needs to change?
Posted in great quotes, information security quotes, personal responsibility, security leadership, thinking long term | No comments

Tuesday, 25 October 2011

Your title really means nothing

Posted on 05:13 by Unknown
I can't tell you how many times I've met people over the years who have a fancy title like CEO or Director of This and That and it ended up being more of a façade than anything. As John Maxwell talks about in this video, your title really means nothing.

I've often told people, I don't care what you call me as long as you pay me what I'm worth. That helps keep me on track to ensure I maximize my value to the marketplace.

Even labels after your name such as CISSP, CCIE, CTO and Esquire mean nothing in the grand scheme of things. Just because you've earned these letters doesn't mean you're suddenly an expert in the field or, for that matter, someone that people actually respect and enjoy working with. Instead it's the value you bring to the table. Work by this mantra and you'll reap rewards you never imagined.
Posted in careers, certifications, degrees, personal responsibility, security leadership, thinking long term | No comments

Friday, 21 October 2011

Users making security decisions is your Achilles' heel

Posted on 04:56 by Unknown
I recently came across some content in a book outlining the benefits of SSL. The author depicted a scenario where SSL is in place to help the user authenticate the server/site he's connecting to and if a certificate-related error popped up in the browser then the user would know that the site was malicious and (presumably) not continue on with the connection. This very situation is an example of how we assume/presume/hope that users are always paying attention and will do the right things with security.

What do you think would happen with the average user in this situation? I'm confident that most people would simply think nothing of it, click past any pop-up warnings and continue about their business. Why? Well, that's what people do. And that's the very problem we have with information security today.

No doubt, we have to be able to balance security with convenience and usability but the moment we allow users to make security decisions - especially ones that could involve phishing and related malware attacks - we open our networks up to complete compromise. This goes along with something I've been saying recently: Your network is only one click away from compromise™ [my new trademark ;-)].

Training, technology - you name it, nothing is 100% certain other than the fact that you have this risk in your business this very moment; guaranteed. I'm not convinced we're going to be able to get past this.
Posted in personal responsibility, scary stuff, security awareness, ssl, stupid security, user awareness | No comments

Tuesday, 18 October 2011

Keynoting the NKU 2011 Security Symposium next week

Posted on 04:39 by Unknown
If you happen to be in the Cincinnati, OH area next Friday, October 28th, I'd love it if you could join me as I give the keynote presentation for the Northern Kentucky University 2011 Security Symposium. I'll be talking about mobile security problems and solutions and it looks like they've lined up tons of great content and speakers.

Hope to see you there!
Posted in Kevin's keynotes, message from Kevin, presentations | No comments

Monday, 17 October 2011

Dan Wheldon's crash a harsh reminder

Posted on 05:15 by Unknown
IndyCar lost a great driver yesterday. When I first heard of Dan Wheldon's crash and death I couldn't believe it. I'm a big IndyCar fan and felt like I knew him - especially with the commentary he has been providing on Versus' coverage of IndyCar this year.

Driving a race car myself - albeit at a *much* different level - I can't help but question the risks of what I do. Seeing these types of incidents rattles me to the core. It's certainly easy to say: Well, Dan knew the risks every time he got into his car...maybe, but it doesn't make it any better nor will it bring back the driver, husband and father we lost yesterday.

I'm letting this incident serve as a reminder of just how fragile life can be and how important it is to spend quantity time with the ones I love. Something most of us probably need to work on.

Rest in peace Dan and God bless you and your family.
Posted in message from Kevin | No comments

Tuesday, 11 October 2011

What can you really say about your network?

Posted on 07:23 by Unknown
Here's a new guest blog post I wrote for AlgoSec (a Roswell, Georgia-based company with some really solid firewall management applications) where I talk about something near and dear to all of us in IT:

Do you really understand your network?

...it's more than just a sappy relationship. :-)

By the way, in case you missed it, I wrote a whitepaper for AlgoSec recently that you may be interested in as well:

Firewall Management: 5 Challenges Every Company Must Address

Enjoy.
Posted in change management, compliance, firewalls, Kevin's security content, network complexities, network security, security management, visibility, whitepapers | No comments

Thursday, 6 October 2011

My latest bits on Windows 7, Microsoft SCM and Metasploit

Posted on 02:59 by Unknown
Here are some new pieces I've written for my friends at TechTarget on Windows security that you may be interested in including bits on the often overlooked but oh so valuable Security Compliance Manager and Metasploit:

Using Windows 7 management tools to your advantage

Getting to know Security Compliance Manager

Why aren’t you using Metasploit to expose Windows vulnerabilities?

You know the deal, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.
Posted in compliance, cool products, Kevin's security content, metasploit, security management, security testing tools, Windows 7, windows security | No comments

Wednesday, 5 October 2011

Join me at the CDW - TechTarget seminar in Phoenix next week

Posted on 07:27 by Unknown
If you happen to be in or around Phoenix, AZ next Thursday October 13th, I'd love it if you could join me at the TechTarget / CDW seminar: Predictive Security: Plan Ahead to Stay Ahead of the Next Threat.

I'll be giving the keynote and combined breakout session in addition to the sessions provided by other vendor experts. We'll close out with a lively Q&A that I know you'll enjoy.

If you can't make the Phoenix event, I'll be in Philly and New York next month so perhaps our paths will cross in one of those cities.

For what it's worth, here's a sampling of audience feedback on my keynote and breakout sessions from our Boston event two weeks ago and our Dallas event that took place in August:
  • Kevin was great - perspective with lots of practical suggestions.
  • Perfect speaker, enjoyable to listen to.
  • Awakening presentation.
  • Great speaker, very knowledgeable.
  • Left me thinking.
  • Great job! Very enjoyable.
  • Excellent insight and perspective
  • Outstanding Presentation
  • Good lead into sessions for participants
  • Insightful view of foundation related tasks for security
  • Set the stage and energy level right
  • Kevin is a good speaker
  • Really good relevant quotes and analogies
Hope to see you soon!
Posted in careers, Kevin's keynotes, Kevin's seminars, message from Kevin, testimonials | No comments

Information security's bond with e-discovery is strengthening

Posted on 06:52 by Unknown
We're seeing more and more how information security and e-discovery go hand in hand. Here are two new pieces I've written that delve into the subject. I hope you enjoy.

Information security’s tie-in with the e-discovery process

Lax enterprise mobile device management hampers e-discovery

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.
Posted in compliance, e-discovery, forensics, government regulations, Kevin's security content, mobile security, security management | No comments

Tuesday, 4 October 2011

Should You Ban Facebook at the Office?

Posted on 08:33 by Unknown
In the whitepaper To Block or Not. Is that the Question?, Palo Alto Networks explores the issue of "Enterprise 2.0" applications such as Facebook, Skype, Twitter and YouTube and how users are now in control of the network. Meanwhile, IT staff is saying "just block it!" and users say "just don't block it!," but it's not that simple. As the whitepaper points out, the real answer lies in your ability to see what's actually going on on the network and then decide on the best fit for your organization.

An interesting bit from the whitepaper is that 69% of respondents to a McKinsey study say their companies have gained measurable business benefits, including more innovative products and services, more effective marketing, better access to knowledge, lower cost of doing business and higher revenues because of Enterprise 2.0 software (while IT staffers argue the opposite: that these applications DON'T boost the bottom line). Knowing that most traditional security controls will block their software, developers of Enterprise 2.0 applications look for ways to circumvent the system so that employees and other users can get access anyway (necessity is the mother of invention, right?).

For governance to work, IT should play a big part in the definition of policies, but not be the sole owner of those policies (something I've been ranting about for years because policy creation and enforcement is an HR, legal and management issue — not an IT issue). I have a client that's experiencing this very dilemma with social media right now. Company managers want to provide Facebook access for their employees. However, recent malware outbreaks have compromised several company systems and placed its network at risk. They have policies and antivirus software, but not anti-spyware protection which would have (presumably) blocked the infections. We're now working on a plan for moving forward to keep users happy and minimize business risks at the same time.

These new applications are presenting a Catch-22 that's throwing many small and medium-sized businesses for a loop. There are no good answers right now. If you take anything from this, just know you have to do your homework and understand the risks/benefits. Blocking or no blocking, the angles to this issue are still being worked out — one business at a time. Stay tuned and, in the meantime, stay vigilant.
Posted in employee monitoring, malware, policy enforcement, security policies, social media | No comments

Tuesday, 27 September 2011

Web security essentials: something old and something new

Posted on 03:31 by Unknown
Here are some new bits I've written on Web security that you may be interested in. First a bit on SQL injection - the greatest Web flaw of all in my humble opinion:
SQL Injection – The Web Flaw That Keeps on Giving

And a bit on how to use your users to your advantage to minimize Web security risks:
Getting users on your side to improve Web security

...and finally a piece on why I think that time to market is no longer the excuse for Web security flaws and what's really holding us back today:
Time to market is no longer the excuse

You know the deal, be sure to check out www.principlelogic.com/resources.html for links to all of my additional security whitepapers, podcasts, webcasts, books and more.
Posted in Kevin's security content, ROI, security management, selling security, SQL injection, thinking long term, user awareness, web application security | No comments

Monday, 26 September 2011

Common firewall management challenges whitepaper

Posted on 06:10 by Unknown
Here's a new whitepaper I recently wrote on the ins and outs - and dos and don'ts - of managing enterprise firewalls:

Firewall Management: 5 Challenges Every Company Must Address

In the paper I cover things such as rules and regulations impacting firewall management, assessing firewall policy risks, managing changes and being able to prove where things stand with your firewalls at any given point in time.

Enjoy!
Posted in change management, compliance, firewalls, Kevin's security content, network complexities, network security, risk analysis, security management, whitepapers | No comments

Compliance or risk: what the real IT leaders focus on

Posted on 05:17 by Unknown
Whatever your approach to managing IT and information security, here's a new bit I wrote for Security Technology Executive magazine on fixing what needs to be fixed before you do ANYTHING else:
Fix Your Low-Hanging Fruit or Forever Hold Your Peace

Once you have the urgent flaws on your most important systems out of the way, here are some pieces I wrote for SearchCompliance.com on dealing with compliance while, at the same time, actually managing your information risks:

Managing information risk inherent to an effective compliance strategy

Avoid duplicated efforts to cut the cost of regulatory compliance

The long-term consequences of not addressing compliance today

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my additional information security articles, whitepapers, podcasts, webcasts, books and more.
Posted in compliance, Kevin's security content, risk analysis, ROI, security leadership, security management, stupid security, thinking long term | No comments

Wednesday, 21 September 2011

Buying, selling & consigning used hardware great for IT budgets

Posted on 06:24 by Unknown
In IT and information security we're required to come up with creative ways to save money any way we can. Well, how about this novel idea: buy used network and computer hardware, or sell what you've already got so you can upgrade.

A good friend of mine works at a company (Riverside) that does just that. They buy, sell and consign used network and computer hardware to help businesses save (or make) money. If you're looking to "earn" some budget dollars, Riverside will buy your equipment from you - apparently something that most used hardware brokers/sellers don't do.

Is it just me...why aren't we seeing more of this in today's "green" world? You won't find me kneeling at the altar of "global warming" but I most certainly believe in recycling and buying used wherever possible. It helps the environment and seems like an ingenious way to save IT dollars already budgeted and, if selling, actually add some dollars to the bottom line.

Never forget that the people who add the most value in and around IT are the ones who will ultimately rise to the top. Buying and/or selling used network and computer hardware seems to me to be a great way to go about doing so. Just some food for thought.
Posted in budget, cool products, cool sites, disposal, hardware, message from Kevin, recycling | No comments

Tuesday, 20 September 2011

Pick up that paper at your own peril

Posted on 12:36 by Unknown
From @Quotes4Writers on Twitter, this totally reminded me of me:

"You have to be brave to take out that white sheet of paper and put on it words that could be evidence of your stupidity." - Sol Saks
Posted in great quotes, humor, information security quotes | No comments

Monday, 19 September 2011

Windows ASLR, APTs, server malware protection and common patching gaps

Posted on 04:52 by Unknown
Here are some new pieces I've written for the TechTarget sites SearchWindowsServer.com and SearchEnterpriseDesktop.com on Windows (in)securities in the enterprise including a bit on the over-hyped and misunderstood APT threat (is that like "ATM machine"?) which I got to see first hand while working on a project that involved one of the Operation Shady Rat victims:

The APT threat to Windows environments

Why you need address space layout randomization in Windows Server 2008 R2

Are you properly protecting your Windows servers against malware?

Windows server patching gaps you can't afford to miss

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my additional information security articles, whitepapers, podcasts, webcasts, books and more.
Posted in aslr, Kevin's security content, malware, patching, windows security | No comments

Friday, 16 September 2011

No CPEs for you!

Posted on 11:00 by Unknown
I spoke at the @ISACAAtlanta GeekWeek show and all I got was this lousy notification ;-)

Seriously, it was a good show that I recommend next time they have it.
Posted in humor, Kevin's seminars, message from Kevin | No comments

My new paper on BitLocker's hidden costs

Posted on 10:04 by Unknown
I've been a fan of Microsoft BitLocker since it first came out. It provides a cheap and easy way for users to lock down their laptops and mobile storage devices and is especially helpful in small businesses where security knowledge is scarce at best. Although BitLocker protection can be bypassed, it's still better than nothing - like WEP for wireless networks.

Anyway, if you're considering BitLocker as your disk encryption solution, I just wrote a new whitepaper titled The Hidden Costs of Microsoft® BitLocker® you may be interested in. In the paper I talk about some not so obvious costs and gotchas you need to think long and hard about if you're considering deploying BitLocker in an enterprise setting.

Interestingly, I have friends and colleagues at some large enterprises who are telling me their IT/security management is considering ripping out PGP or other commercial whole disk encryption tool in favor of "free" BitLocker encryption. I advise against this unless and until you know all the facts and think things through.

Check out my paper here for more information.
Posted in bitlocker, Kevin's security content, laptop encryption, mobile security, whitepapers, windows security | No comments

I love solid state drives but I'm no fan of OCZ

Posted on 06:27 by Unknown
I tweeted about this the other day but thought it deserved a longer post. If you do anything with IT/security tools such as vulnerability scanners, network analyzers and the like you HAVE to get a solid state drive.

Hands down, installing solid state drives in my laptops has been the best computer upgrade I have ever made in 22 years of using computers. Better than doubling my RAM, better than upgrading the CPU...whatever. I wish I would've moved to SSDs sooner. I didn't know it was going to be the case but my SSDs are faster than the 10,000 rpm drive I use in my desktop (which was a huge improvement over the 7,200 rpm drive I used to have). Amazing.

Two words of caution:

1) Know that if your drive fails - especially under warranty and you need to return it - that you have no way of knowing what is recoverable by some yahoo engineer in the manufacturer's lab who has nothing better to do. Based on my limited knowledge of how SSDs work and backed by a forensics expert I work with, even if the drive is dead, it's still possible that data can be extracted from the chips on the drive. This is something you wouldn't have to worry about with traditional platter-based drives because you could give them a good bath with a powerful magnet and you'd know your information is safe.

SSDs just aren't the same, at least based on what I know about them. That, combined with the fact that I had encrypted the drive with BitLocker, meant I had no way of knowing what was recoverable when doing that, especially using this tool.

2) Stay away from OCZ Technology SSDs. I bought one knowing that the Amazon reviews weren't great. But it was available at a nice price at my local MicroCenter and figured I had nothing to lose. Plus, like many in management treat information security, I figured nothing bad would happen to me - surely my drive wouldn't fail. ;-)

Well, silly me. Something did happen. My drive died within 3 weeks of purchasing it. Nice. I wrote to OCZ and told them my situation about the nature of the work I do and that I've got potentially sensitive information on it that I cannot afford to have recovered. Per my forensics colleague's suggestion (apparently, the large hard drive makers do this), I asked OCZ if I could return the cover of the drive in hopes that rendering it mostly useless would be enough for me to get a replacement.

OCZ's Technology Forum Support Manager promptly replied: no can do. They needed the drive back to replace it or refund my money. So, I ended up losing close to $200 plus a good 5-6 hours worth of my time buying a new SSD drive and rebuilding my system. Tough lesson learned.

FYI, I bought a Samsung SSD (love it!) and suggest you do the same.
Posted in message from Kevin, security testing tools, uncool products | No comments

Thursday, 15 September 2011

Your organization vs. BP: what will faulty decisions lead to in your business?

Posted on 10:51 by Unknown
Imagine a scenario where poor management, failure to take appropriate action, personnel changes and miscommunication about who's responsible for what lead to a catastrophic event at your business. That's exactly what the findings on the BP oil spill were.

Sadly, 11 people died because of this incident. Luckily, our line of work isn't quite so risky but your business can still get in a bind when information security is mismanaged.

Here's a link to articles, podcasts and webcasts I've written/recorded on management's link to information security and a few more bits on how to sell people on information security and keep them on your side to help prevent poor management decisions in the first place.
Posted in careers, incident response, scary stuff, security leadership, security management, selling security, stupid security | No comments

Wednesday, 14 September 2011

NetIQ's file integrity monitoring solution

Posted on 07:00 by Unknown
A couple of weeks ago, I had the privilege of speaking at the Information Week / Dark Reading Virtual Trade Show How Security Breaches Happen and What Your Organization Can Do About It.

In my presentation How to Win the War Against Cybercrime, I apparently had a brain-cramp moment and said that I'm not seeing anybody with good file integrity monitoring. Um, duh, Kevin (as I smack myself in the face), the very vendor who sponsored my session, NetIQ, has such a solution. It's called NetIQ Change Guardian. Sadly (stupidly), I knew this and don't know why I said what I said. I just wanted to set the record straight. Jill and Renee at NetIQ: thanks for keeping me on my toes. :-)

In case you missed the virtual tradeshow, I believe you can still register for it and listen to the recording. Lots of good info - not because of me, but because of the caliber of other IT and information security speakers they had on board. In fact, I was duly impressed by Steve Kovsky - the moderator for my session. I aspire to be able to speak that well one day.

Anyway, check out the virtual tradeshow and NetIQ's offerings. Both quality stuff.
Posted in compliance, file integrity monitoring, message from Kevin, network security, presentations, visibility, webcasts | No comments

Tuesday, 13 September 2011

Stephen Covey's insight applies to information security

Posted on 04:28 by Unknown
I love the following quote...very applicable to what we do:

"You can't talk yourself out of a problem you behave yourself into." - Stephen Covey

Okay, you may be able to talk your way out of bad security decisions with the right attorneys or a cybersecurity insurance policy. Having worked cases involving data breaches, compliance and intellectual property, I can say that it won't be a short-lived, inexpensive or painless ordeal.
Posted in expert witness, great quotes, information security quotes, personal responsibility, thinking long term | No comments

Monday, 12 September 2011

Speaking in Boston @ the CDW + TechTarget security seminar next week

Posted on 11:54 by Unknown
I hope you'll have a chance to join me in Boston next week when I'm speaking at the TechTarget / CDW seminar: Predictive Security: Plan Ahead to Stay Ahead of the Next Threat.

Boston, like several other upcoming events, is a 2-track seminar where I'll be giving the keynote and splitting the breakout sessions with my friend and roadshow colleague Pete Lindstrom among other vendor experts. [sidenote: Pete's the real draw at these events, I'm just there to fill in the gaps....seriously, he's good.] After the keynote, breakout sessions of your choosing and a great lunch, we all get back together around 2pm and close out with a lively Q&A for which we've gotten great feedback.

If you can't make the Boston event or one of the other 2-trackers in Philly or New York this fall, I'll be leading two 1-track events in Phoenix and Raleigh coming up shortly as well.

Here's a sampling of audience feedback of my keynote and three breakout sessions at recent shows:
  • Very good information, Great speaker
  • Well laid-out, solid points/arguments, encouraged involvement
  • Super
  • Informative, broad, excellent!
  • Mobile devices discussion was very good and insightful
  • Informative and aligned with current issues
  • Great - Clear - Real-time Current examples of industry security
  • Good intro keynote
  • Knowledgeable and personable
  • Kevin does a great job - Good choice
  • Very real life knowledge not just preaches - He feels the pain, that is great! What an honor to attend!!!
  • Current real life examples is the best information that can ever be given at any seminar. A+++
  • Lots of good group discussion
  • Plenty of great examples, specific tools, crowd discussion, etc. Plenty of good info to take back
  • Best of the day. Most valuable. Good discussion.
  • Kevin's presentation was great
  • Very relevant - focused on concerns that most of us seemed to have about mobile security
  • Kevin is a great speaker/teacher
  • Learned lots - Had a great time - Thank you! Very Much!
  • Good technical info, plenty of things to take back for further use or investigation. Not too much kool-aid/sales pitches.
  • The content was good. I'm not a security guy so my interest is limited. It was at a good level of complexity
  • Although I was not here all seminar, what I saw was good - need more 1 day seminars
  • More relevant to my job function than I had anticipated -- thanks!
  • Security is a concern of upper management - This seminar provided me good information to take back to the organization
  • Loved the fact that you gave us tools
  • Great insights again - thanks for sharing some of the tools and hacks
  • Liked location; kevin is a very good speaker
  • Multi-tracks are a great idea! Continue with panel discussions/Q&A in future seminars
  • More speakers like Kevin Beaver

Hope to see you there!
Posted in careers, Kevin's keynotes, Kevin's seminars, message from Kevin, testimonials | No comments

Microsoft Exchange Data Retention, Incident Response & Other Gotchas

Posted on 05:39 by Unknown
Depending on where you're at with your Exchange "maturity model", here are a few pieces I've written for SearchExchange.com about Microsoft Exchange security oversights, policies and plans to help you along the way:

How to write an effective data retention policy for Exchange

Solidify Your Exchange Server Incident Response Plan

Common Exchange Security Oversights

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my additional information security articles, whitepapers, podcasts, webcasts, books and more.
Read More
Posted in compliance, data retention, exchange, incident response, Kevin's security content, messaging security, security policies | No comments

Wednesday, 7 September 2011

What it takes to get ahead in IT and beyond

Posted on 04:15 by Unknown
Good economy or not, people often ask: What can I do to get ahead in business? How can I stand out above the noise to enhance my career? How can I be a better network engineer, information security administrator, IT manager, speaker, writer and so on...?

Whether you work for yourself or for someone else, the answer is the same. You simply seek out the people who are at the top of their fields and do what they do. That's it. You don't have to ask these experts directly, and you don't have to pay to take some advanced training classes. Instead you simply see what experts in your line of business are doing and how they think, and model yourself after them.

Twitter, blogs and other social media provide a great way to follow what these people are doing, how they think, how they’re positioning themselves and the niche they create. It's amazing stuff that has worked for me and it can work for you.

So, seek out the people you respect, which will likely be the people writing, presenting and evangelizing in the subject areas you have an interest in, and go from there.

For additional reading, here are some links to articles I've written on the subject of enhancing your career in IT and beyond as well as my audio programs on IT and information security careers.
Posted in careers, personal responsibility, security leadership, success, thinking long term

Sunday, 4 September 2011

DNS hack: UPS, National Geographic, Acer, etc. websites affected

Posted on 15:03 by Unknown
Happy (almost) Labor Day...here's the latest from the criminal hackers: a DNS hack has redirected numerous websites of UPS, National Geographic, Acer, The Register and more. Nice.

Betcha it was some low-hanging fruit someone, somewhere overlooked.

Posted in back to basics, dns, low-hanging fruit, stupid security

Wednesday, 31 August 2011

Talk is cheap: Time to rethink your data retention strategy (or lack thereof)?

Posted on 05:01 by Unknown
Here's a fascinating story about a court case involving data retention you need to read. And pass it along to your management as well. It talks about how businesses aren't doing what they need to be doing with regard to data retention and how decisions are being made for us by the courts.

Interestingly, most businesses I come across (large and small) don't have any semblance of a data retention policy in place - much less do it well. Or they have their in-house legal counsel in charge of it, often resulting in nothing more than a piece of paper saying what's supposedly being done (but usually isn't) and management signing off on it under the assumption that all is well in IT-land. It's the same issue I talk about in this recent article I wrote for SearchCompliance.com:

Why it may not be ideal for your lawyer to be your compliance officer

Maybe it's time for business managers to stop hiding behind their "talk" and start doing something about this stuff before something negative comes of it...We're often presented with the opportunity to make decisions. If we choose not to, they're going to be made for us.

Posted in compliance, data retention, expert witness, forensics, security leadership, security policies, stupid security, thinking long term

Friday, 26 August 2011

My new book: Implementation Strategies for Fulfilling and Maintaining IT Compliance

Posted on 04:54 by Unknown
Check out my latest book published by Realtimepublishers.com:

Implementation Strategies for Fulfilling and Maintaining IT Compliance
In Implementation Strategies for Fulfilling and Maintaining IT Compliance I share strategic and tactical methods for getting your arms around the compliance beast. You can download all the chapters (below) for free by signing up on Realtime's site. They've got a ton of other good content too.

Here's the low down:
Businesses are struggling more and more with the compliance requirements being pushed on them from every angle. The reality is that such regulations aren't going away. However, there’s a silver lining – IT compliance doesn’t have to be that difficult and once you've mastered compliance it can serve as a business enabler and competitive differentiator.

In Implementation Strategies for Fulfilling and Maintaining IT Compliance, a practical guide on real-world issues related to IT compliance, the reader will find reasonable solutions for the professionals responsible for making things happen.

It's great for anyone faced with implementing the standards mandated by regulations such as HIPAA, HITECH Act, GLBA, SOX, and PCI DSS. CIOs, compliance officers, IT directors and network administrators can all benefit from the anecdotal stories, down-to-earth strategies and sage advice for creating, gaining and maintaining control of IT compliance so that it can enable rather than hinder the business moving forward.

Chapter 1: Understanding the Real-World Issues Associated with IT Compliance
Chapter 2: The Costs of Compliance and Why It Doesn't Have to be So Expensive
Chapter 3: Simplifying and Automating to Reduce Information Systems Complexity
Chapter 4: Establishing a System of Network Visibility and Ongoing Maintenance

Enjoy!
Posted in compliance, Kevin's books, Kevin's security content, message from Kevin, security leadership, security management

Thursday, 25 August 2011

Join me live today at Dark Reading's webinar #iwkdrbreaches

Posted on 06:58 by Unknown
I'm speaking at the Information Week/Dark Reading Virtual Trade Show, How Security Breaches Happen and What Your Organization Can Do About It.

My session is titled How to Win the War Against Cybercrime and starts at 2:30pm ET. Here are a few words about it:

What are you doing to avoid becoming the next Wikileaks, Google, or Sony? Despite the fact that businesses will spend over 50 billion dollars worldwide on IT security projects this year, it is a virtual certainty that your organization will experience a security breach at some point.

While the complexity of cyber threats may be increasing, the good news is that the answer to combating these threats need not be complex. By implementing solutions that integrate your identity, access, and security environments, you can protect your organization's network, systems, and critical information from insiders and criminal hackers.

In this presentation, noted information security expert Kevin Beaver will discuss current and evolving cyber security threats and some common oversights he sees in his work, and recommend solutions that deliver the information you need to reduce the risk of security breaches across your enterprise.

Thanks to the nice folks at NetIQ for making it happen.

Hope to "see" you there!

Posted in data breaches, Kevin's security content, Kevin's seminars, message from Kevin, risk analysis

Wednesday, 24 August 2011

What direction are you heading with data protection?

Posted on 06:26 by Unknown
Here's a new guest blog post I wrote for the folks at Credant:

Heading in the Wrong Direction with Data Protection?

You may see this differently but I think we're heading down the wrong path in this area - especially on phones and other mobile devices. I suspect we'll end up in a situation like we have recently in the U.S. where the very people putting the "stimulus" bill and Obamacare in place are suddenly clamoring to get our national debt under control. Come 2013 or so, it'll be, "Remember those vendors and bloggers spouting off about how important mobile security was back in 2010/2011 when our network environment was much simpler?"

The inability to think long-term is so, so dangerous folks. Don't be like our politicians who can't see past the next election. Make the decision to get your arms around the mobile security beast now. Start today. Here's a link to some resources that can help.

Posted in government intrusion, government regulations, mobile security, personal responsibility, stupid security, thinking long term

Monday, 22 August 2011

Fine-tuning your Web application security

Posted on 04:08 by Unknown
I think I could write about Web application security every hour of every day...there's just so much involved with building secure apps, proper security testing, getting (and keeping) management on board and so on...But I wouldn't want to torture you in that way. Anyway, here are a few bits you may be interested in:

Properly scoping your Web security assessments

The cure for many Web application security ills

How much Web security is enough?

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my additional Web security whitepapers, podcasts, webcasts, books and more.
Posted in Kevin's security content, security assessments, vulnerability assessments, web application security

Sunday, 21 August 2011

Getting ahead in your career + keeping IT staff on board

Posted on 06:57 by Unknown
Here are some new bits I've written about IT and information security careers. First, what you can do to stand out above the noise and move your career ahead:

How IT pros can boost their worth -- and their salaries

...and second, what management can do to keep IT and security professionals interested in their jobs and on board with the business:

How to retain your IT talent

8 best practices for retaining IT talent

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my 500+ articles, whitepapers, podcasts, webcasts, books and more.

Posted in careers, Kevin's security content, security leadership, security management, thinking long term

Friday, 19 August 2011

What's up with conferences in October?

Posted on 05:26 by Unknown
I've had to turn down 3 speaking engagements the weeks of October 10th & 17th because I'm, well, speaking at other shows those weeks. Maybe it's something about the weather that time of year? Perhaps discounted meeting facility rental rates? I suspect the real reason is that all the top-notch security speakers are busy then so the conference organizers are reaching out to second stringers like me.

BTW, my apologies for being silent on my blog over the past week...will be re-engaging soon. Have a great weekend!

Posted in Kevin's keynotes, Kevin's seminars, message from Kevin, presentations

Wednesday, 10 August 2011

My webcast/Q&A today on managing network threats

Posted on 03:21 by Unknown
Join me today in TechTarget's SearchCompliance.com virtual tradeshow:

Enterprise Risk Management: Mitigation Strategies for Today's Global Enterprise

My presentation "Managing Network Security Threats with an ERM Strategy" starts around 3pm ET and I'll be doing a live Q&A just after.

Posted in internal threat, Kevin's seminars, network security, risk analysis, security management

Tuesday, 9 August 2011

Steve Jobs' ridiculous iTunes interface

Posted on 16:45 by Unknown
I just spent 6.5 minutes cracking a family member's laptop password in order to demonstrate the dangers of not having whole disk encryption. I then went on to spend 20+ minutes of my life trying to sync some new music to an iPod Touch with the unbelievably difficult iTunes interface.... After investing a lot of time (that I'll never get back, mind you) I still didn't get the music synced.

What's wrong with this picture!?

Apple and Mr. Jobs: Ask any IT professional what they think about iTunes and it'll echo my experience. We all dislike it in the same way. What gives?

Posted in laptop encryption, mobile security, scary stuff, uncool products

Friday, 5 August 2011

You're the sum of your choices

Posted on 02:37 by Unknown
Here's a 67 second video that defines the essence of where we are in life, our careers and even in information security today:

I really like what John Wooden said:
"There's a choice you have to make in everything you do. So keep in mind that in the end the choice you make makes you."

I also love what John Maxwell says:
"It's your personal choices. If they're good, it's going to help make you. If they're bad, it's going to be the unmaking of you."

Indeed, we must use wisely our power of choice...Great stuff.
Posted in careers, great quotes, information security quotes, personal responsibility, security leadership, thinking long term

Thursday, 4 August 2011

Digital distractions take top priority

Posted on 06:00 by Unknown
Be it texting while driving, browsing Facebook while in a meeting or checking emails while having lunch with a friend, it seems that there's always something better for us to be doing. It's so much easier being somewhere else rather than in the moment. That's the essence of this well-written piece on Gizmodo:
The Epidemic of Digital Distraction

You see, there's a human epidemic that not many people really care to acknowledge or talk about. It's the dangerous desire for instant gratification. Those who don't have the ability to think long term create many, many problems in their own lives and many, many problems in society (think big government). I believe it also contributes to people goofing off on the job.

Don't get me wrong, the desire for instant gratification is in us all. We just have to be disciplined enough to make the right choices. If you're interested in finding ways to slow down and live in the moment, you must read The Speed Trap:

It helped solidify this concept and made me realize I need to focus on the things that count.
Posted in personal responsibility, scary stuff, thinking long term

The difference between "No" and "How"

Posted on 05:52 by Unknown
Here's a humorous and thought-provoking post by my friend Pete Lindstrom that you should check out:
Dr. Laura as Information Security Officer

It's so easy for people to say "No" to information security rather than "How"...similar to how many people - children and adults alike - say "I can't!" rather than "How can I?".

People are always going to take the path of least resistance...if you let them.
Posted in personal responsibility, security leadership, security management, stupid security, thinking long term

Tuesday, 2 August 2011

Indeed, many executives are insulated from reality

Posted on 06:28 by Unknown
Here's a piece where I, Richard Stiennon, Andrew Baker and others weigh in on executive management's involvement in information security:

Focus Experts’ Briefing: How CEOs Can Prepare for and Respond to Cyberattacks

Unless and until executives get on board with security - across the board - I'll continue reciting one of my favorite quotes:

“Many executives are insulated from reality and consequently don’t know what the hell is going on.” -James Champy
Posted in careers, great quotes, information security quotes, security leadership, selling security, stupid security