Security talent ≠ security success

Here's one of those great quotes that applies directly to infosec:

“Talent is cheaper than table salt. What separates the talented individual from the successful one is a lot of hard work.” -Stephen King

There are plenty of people who understand security architecture, hacking and related technical issues but few who really get the essence of risk and have taken the necessary steps to make information security work in support of the business.

Read More

New issue of Security Technology Executive @secinfowatch

The new edition of a very solid and unique magazine on security (both physical and IT) - Security Technology Executive - is now online.

Be sure to check out the column I wrote in this issue entitled "Fighting the Malware Fight All Over Again" on page 21.

Read More

Are you focusing on the infosec basics where it counts?

Here's a good read from @arstechnica on the HBGary story. It's a fascinating story in and of itself. But the oversights related to information security "best practices" is amazing.

What is it going to take to get people to focus on the basics? Seriously, folks...Forget about all the fancy hack attacks and complex exploits for now and fix the low-hanging fruit. It's basic triage - stop the bleeding first. Focus on your highest payoff tasks and work your way down the list.

All things considered, by just focusing on the basics of information security controls and testing alone you can achieve top-notch security, relatively speaking, which is light years ahead of where most organizations are today.

Read More

Not surprised by the Wells Fargo ATM outage based on what I see

Here's an interesting story about the widespread Wells Fargo ATM outage that occurred last week. There's speculation around the cause of the outage. Was it a hack? Was the system inadvertently taken down during system upgrades? Who knows...

What I can say is that virtually every ATM I've come across in my work performing internal security assessments in/around the financial industry has been riddled with security holes. I've seen weak OS passwords, missing patches dating back 8+ years (many of which are easily exploitable via Metasploit to boot) open network shares and so on. Not long ago, I came across an ATM controller system (the big system typically running UNIX that controls all the ATMs across the bank) that had a blank password for the root account. How's that for accountability?

Seeing what's going on with ATMs it's no surprise to me that this Wells Fargo outage occurred. I'm not saying a vulnerability was exploited in this situation, but you never know. I am surprised these types of outages don't occur more often. When these types of security holes are present in ATMs, all it takes is a rogue insider with a little bit of technical sense to take everything offline, and more.

Remember if it's got an IP address, anything's fair game.

Read More

Windows 7, Windows Phone 7, & Windows Firewall

Be it smartphones or desktops, when it comes to securing Windows you've got to look at both. Here are some new pieces I wrote for SearchEnterpriseDesktop.com that you may be interested in:

Security considerations for Windows Phone 7

Should you use third-party patching tools to keep Windows 7 secure?

Weighing Windows Firewall for enterprise desktop protection

Read More

Leave the phone alone...

You have to watch this video. Seriously, stop what you're doing now and watch this. This issue has a profound affect on you, your family, your friends - everyone around us. It'll make you cry. No matter how good a driver you are and no matter how much you've heard about this topic - everyone needs to see this video. Please pass it along.

Read More

Is it possible to do more with less?

In this era of limited budgets and "wait and see" leadership you still have to do something to manage IT and information security. I've always had trouble understanding why people can't focus on the basics and solve these problems using solutions already at their disposal. I guess the marketing machine is just doing its job.

Here's a good article about this very thing written by my colleague and publisher Steve Lasky with Atlanta-based Security Technology Executive magazine. Steve's piece reminds us all how we can do more with less if we choose to. If you're struggling to keep the shop running check out this piece I wrote for SearchWinIT.com as well:

How to maintain IT shop efficiency when you're the last man standing

Regardless, keep your chin up...this too shall pass.

Read More

Principles are not values

When I started my information security consulting business 10 years ago I believed the words "principle" and "logic" would be a good fit for the way I think and work. The concept and mode of operation has worked out great. I was just reading a quote by Stephen Covey that reminded me of this - and information security leadership in general...he said:

"Principles are not values. A gang of thieves can share values, but they are in violation of the fundamental principles we're talking about. Principles are territory. Values are maps. When we value correct principles, we have truth - a knowledge of things as they are."

Deep...

Read More

Findings from the Fort Hood shooting underscores today's incident response reality

You may have heard about this in the news over the weekend: apparently the Army psychiatrist turned Islamic extremist who killed 13 people at Fort Hood in November 2009 could've been prevented had the FBI and Army been communicating with one another.

Sadly the same poor communication exists in the corporate world. Along the same lines of this incident, based on what I see in my security assessments I can confidently say that any substantial data breach in any given enterprise is not going to be handled properly. There are breakdowns leading up to incidents and failures on the reactive side of the equation. It's information systems complexity intertwined with the human propensity to ignore the obvious and push things off until they HAVE to be addressed just waiting to be exploited.

There are two other takeaways from this that cannot be ignored:
1) failed communications between government agencies always has been a problem and always will be - especially as government grows
2) government - including the police - is incapable of keeping us safe all the time

In both our personal lives and at work it pays to be vigilant.

Read More

Lessons on Web security threats and testing

Here are some recent webcasts/podcasts I recorded for SearchSoftwareQuality.com (@SoftwareTestTT) on Web application security:

Security Lesson: Beating Web application security threats

Security Lesson: How to test for common security defects

I feel like I'm just scratching the surface on this topic but, thinking about what's going on out there, many people have yet to realize there's even a problem. Focus on these basics and you're going to eliminate the large majority of Web security risks.

Enjoy...

Read More

I'm quoted in today's Wall Street Journal, p. B9

Joe Mullich, a writer for the @WSJ, has put together some great stories on cybercrime and data breaches in Marketplace (section B) today. My contribution is on smartphone security and it's located on page B9 at the end of the piece titled "A Surge of Smishes - Workers' laxness opens door to smartphone data theft".

Also check out the piece on TigerText (the secret texting app) on page B11. Cool stuff.

Read More

Check out tomorrow's Wall Street Journal @wsj

I'm being featured in a piece on #smartphones and mobile security in tomorrow's Wall Street Journal. More to come soon...

Read More

Don't just do something, sit there.

Seriously, it's time to kill the #KillSwitch bill that I've written about recently. It's dangerous, it's not what America is about and it's only going to make things worse for our country, our economy and our personal liberty.

Here's some more details along what you can do about it today:
http://www.downsizedc.org/blog/new-initiative-kill-the-kill-switch-bill

Read More