Tech Support For Dummies


Monday, 28 March 2011

A quick review of WebInspect 9 shows HP's still got it

Posted on 11:32 by Unknown
It's been a long time coming but it's finally here: HP's WebInspect version 9. I've been using WebInspect for nearly 10 years now and I believe this new version of WebInspect is one of the most significant upgrades they've put out. They've essentially taken what was already one of the best Web vulnerability scanners and have made it better, especially when it comes to workflow and streamlined usability.

A few things I think you'll like about WebInspect 9 include:
  1. A Review Vulnerability feature which allows you to retest specific vulnerabilities without having to run a full scan again. Nice.
  2. A Steps feature which shows the pages/steps the scanner took to reach the vulnerability. Good for reproducing the flaw to exploit it manually and good for developers/QA pros to see how the scanner did what it did.
  3. Streamlined macro recorder. It may take some getting used to but I think it's better overall.
  4. A tab feature to Close All, Close This, Close All But This when you have multiple scans open. I know it sounds a bit trite but little things like this matter a lot over time.
Speaking of usability, the scanner seems faster too. Maybe it's just that I've finally realized the horsepower and torque needed to run such tools.

In addition, I've found that WebInspect 9 has gotten better at finding - and confirming - cross-site request forgery (CSRF) vulnerabilities. In fact when running WebInspect 9 it found some legitimate CSRF flaws that WebInspect 8 wasn't able to uncover running a scan with the same parameters. You don't want to rely on a scanner alone to find all CSRF-related flaws and you'll want to validate such findings through manual analysis and/or a tool like CSRFTester (which is something you should check out if you haven't already). That said it is nice to see that Web vulnerability scanners are getting better at ferreting out session-related flaws.

Also, SWFScan (HP's standalone Flash vulnerability scanner) is now integrated into WebInspect along with the traditional tools. As with HTTP Editor and SQL Injector, just right-click on a specific Flash vulnerability, select SWFScan and off it goes.

My least favorite thing about WebInspect 9 is that it marks yet another milestone representing the loss of even more former SPI Dynamics employees at HP...my long-time colleagues and friends. Working with such a vast group of development, QA and product management professionals who are so on top of their game gives me hope in software security and shows that software can be made top notch when the right resources are put forth. It also shows that software vendors ARE listening to what people say so don't hesitate to provide any feedback you may have. It'll make a better product for all of us.

Keeping in mind all the things I've said about vulnerability scanners, WebInspect 9 is definitely worth checking out.
Posted in cool products, penetration testing, security audits, security testing tools, vulnerability assessments, web application security, WebInspect

Saturday, 26 March 2011

Viewfinity's latest privilege management offering

Posted on 10:09 by Unknown
I had the opportunity to meet up with my colleague Matt Stubbs with SnappConner on a recent visit to Salt Lake City. One of the things we discussed was Viewfinity's new privilege management software release.

Viewfinity provides a public or private cloud solution to locking down Windows desktops including:
  • getting your arms around administrator-level privileges (perhaps once and for all?)
  • allowing users to install permitted applications, printers, etc.
  • blocking/whitelisting of applications
Check out this screencast here for a good overview as well as this piece I wrote for TechTarget that provides some additional ideas for Windows desktop security.

There are other solutions available for Windows desktop protection but Viewfinity makes such controls available via a unique approach. Something I'll have to add to my OS security presentation at my CDW/TechTarget speaking events this year.
Posted in cool products, desktop management, windows security

Sunday, 20 March 2011

Getting your ducks in a row with cloud compliance

Posted on 13:26 by Unknown
Cloud, cloud, cloud - it's all we're hearing about these days. Frankly I'm over the hype - have been for a while...But whether or not we buy into all this hoopla over "the cloud", the technologies and associated security risks and compliance headaches aren't going anywhere. With that here are a couple of new pieces I've written for SearchCompliance.com that you may be interested in:

The cloud’s compliance complexities you cannot ignore

Top questions that must be answered before taking on the cloud

Enjoy!

Also, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts and more.
Posted in cloud computing, compliance, Kevin's security content, security management, vendors

Tuesday, 15 March 2011

Discount code for SecureWorld Expo Atlanta

Posted on 06:10 by Unknown
Have you ever attended SecureWorld Expo? It's a neat security conference that travels around the U.S. bringing content to you. I traveled around and spoke at their shows for years and can attest that it's a very good value - especially when you can't afford or otherwise justify going to RSA, CSI and related shows.

The folks that run SecureWorld Expo have set up a discount code for me (SWEBEAV) that will allow you to register for any of the SecureWorld conferences with $100 off of the $265 Two-Day Conference Pass, or $200 off of the $695 SecureWorld + Extended Training.

I'll be milling about at their show that's coming to Atlanta on May 3rd and 4th so I hope to see you there!
Posted in conferences, message from Kevin

Perhaps the goofing off is justified

Posted on 05:21 by Unknown
I've written in the past about how little we utilize our brain capacity - especially as it relates to goofing off on the job...Well, perhaps those folks goofing off know something that I didn't. According to the Department of Labor and BTN Research:

The average productivity of the American worker (defined as output per hour of work) has increased 30 percent over the past decade (i.e., 2001-2010). Mathematically this means the quantity of work done in 2000 during a 40-hour work week could now be completed in less than 31 hours.

Okay, back to Facebook and those March Madness brackets!
Posted in careers, personal responsibility, time management

Monday, 7 March 2011

The real secret to career success...in any market

Posted on 18:59 by Unknown
I often hear stories and radio commercials about the tough time college graduates are having right now finding work. In a recent bit, some recommendations were to work harder and get online because you've got to find a way to stand out in the eyes of potential employers in this market.

Yeah, yeah...anybody can do those two things. But let's back up. There's one thing that most people don't do: it's setting and managing their goals. I've heard that only around 2% of people have goals and apparently around 1% of people actually review their goals on a consistent basis.

If I were hiring someone - anyone - right now (be it a college grad or seasoned veteran), one of the biggest deciding factors would be whether or not they have a set of personal and career goals that they live and work by.

Legendary basketball coach Bobby Knight once said, "The will to win is not nearly as important as the will to prepare to win." Setting goals and letting them steer your life in the direction you want it to go is arguably the most important thing you can do to boost your career and accomplish what you never thought possible.

There's a saying that if you don't have goals you're doomed forever to achieve the goals of someone else. Make goal setting a top priority and hold yourself accountable never letting up on the self-discipline it takes to review them and live/work by them day after day...That's the real secret to success. Study this subject.

Here's a recent article I wrote on setting and managing goals to help you get rolling:
Eight Steps to Accomplishing Your IT Career Goals
Posted in careers, goal setting, personal responsibility, thinking long term

CLEAR's customer no-service

Posted on 17:27 by Unknown
CLEARly incompetent - that's how I rate @CLEAR Wireless' customer service. I signed up for their service about 6 weeks ago. It actually works pretty well. Great download speeds and so-so upload speeds. Still, overall, WiMax is an amazing technology.

As much as I liked it I just couldn't bear the slow upload speeds so I decided to take the hit on the two months of service I prepaid for and cancel my service. According to their return policy I have the right to return the wireless modem within 30 days so I took them up on that.

I first went to a CLEAR store in the mall but the gentleman there said I needed to call their 888 number and have them send me a "shipping label". So I did...First I spoke with Karen (who, by the way, was not aware of their return policy and wanted me to fax her a copy of their policy - funny). I called back the next day as instructed and spoke with Jeanette...She was going to send out the return mailing label. About two days passed and nothing.

I had to call back and spoke with Patty in customer no-service, who assured me that my mailing label was on its way. I *finally* received this elusive mailing label and, lo and behold, it wasn't valid. After spending 3-4 days going back and forth with UPS, they realized that the mailing label wasn't valid because it had already been used. UPS told me to contact the shipper. You can imagine how pleased I was to find that out. :)

So I called CLEAR's customer no-service and spoke with Rob again....This was on Friday, nearly 4 days ago. He proceeded to ask me about the problem I had with their service...Huh uh, I wasn't going down that path again. He then wanted me to give him the MAC address of the modem I was returning. I didn't have it with me at the time and politely asked that he go ahead and send out another label. Rob assured me he was going to send one out - it would go out within the next 2 hours and I'd have it within 24 hours he said.

Guess what folks?? No label. Holy moly! Here I am 12 days later and I *still* have the darned modem. U-n-b-e-l-i-e-v-a-b-l-e. Given that I've put ~3 hours of my time in returning this device I would've been better off just throwing it out the window...or donating it....or smashing it with a sledgehammer.

Perhaps a chargeback is in order...Or maybe I should write to their VP of Customer No-Service. I'm running out of ways to get their attention. Simply amazing....

Thinking about CLEAR? Buyer beware! Pretty good Internet access; awful, awful, awful handling of (former) customers.

Unless and until CLEAR can prove to be better than Comcast and AT&T at customer service (that wouldn't take much), they'll continue on in their wayward ways.

For now though, steer clear of CLEAR, seriously.

Oh, if anyone from CLEAR is reading this: Just send me my darned mailing label and we can be done with this.
Posted in clear wireless, customer no service

Disaster recovery & security plus e-discovery & records management

Posted on 06:56 by Unknown
Here are some recent articles I wrote for TechTarget's SearchDisasterRecovery.com and SearchCompliance.com on the relationships between DR planning and information security as well as records management and the dreaded e-discovery process. Serving as an expert witness on various information security cases, I can assure you that you'll want to be prepared for both - especially the latter:

Disaster recovery security: The importance of addressing data security issues in DR plans

Leaning on records management can soften the angst of e-discovery

Enjoy...
Posted in compliance, disaster recovery, ediscovery, expert witness, forensics, Kevin's security content, security management

Friday, 4 March 2011

My upcoming information security speaker roadshow

Posted on 16:31 by Unknown
Thanks to TechTarget and CDW, starting this month I'm embarking on an 11-city speaking tour across the U.S. Along with my colleague Pete Lindstrom, we'll be speaking/ranting about all sorts of network security and data protection stuff including:

Embedding Security into the Network—Building Defense in Depth
  • Securing your Presence at the Perimeter: Contrary to Popular Belief, you do still have a Network Perimeter
  • Locking Down Server and Workstation Operating Systems: A Critical Component of Your Network Security Strategy
  • Mobile Security Blunders and What You Can Do About Them
Data Protection and DLP—Compliance and Technology Update
  • Weighing Information Asset Value and Risk to the Organization
  • Making the Case for an Investment in Data Loss / Leakage Prevention
  • Leveraging the Benefits of Encryption and Rights Management
I hope you can join us at these no-cost events...it should be both informative and fun. Check it all out and register here.
Posted in compliance, data protection, Kevin's keynotes, Kevin's seminars, message from Kevin, network security, presentations

Wednesday, 2 March 2011

Data breach statistics show that problems still exist

Posted on 09:54 by Unknown
Have you checked out the Chronology of Data Breaches lately?

...Very interesting stats on known data breaches. I peruse the site every now and then, and it seems that every time I do there's an organization that 1) I've done business with (for personal stuff) or 2) is right down the road from me, as in the case of MicroBilt Corporation's breach posted last week.

Does the six degrees of separation law apply to data breaches as well?
Posted in compliance, data breach laws, data breaches, scary stuff

Two career essentials: time management & hands-on experience

Posted on 09:12 by Unknown
If I had to choose two things that IT and information security pros need to focus on more than anything else, it'd be learning how to manage your time and continually fine-tuning your technical skills.

Well, here are two pieces I wrote for SearchWinIT.com that delve into these topics:

Time management strategies for the IT pro

Low-cost ways to get the IT skills you need

...learn these skills and practice them over and over again and you'll be amazed at what you can accomplish in your career.
Posted in careers, goal setting, Kevin's security content, personal responsibility, security testing tools, thinking long term, time management

My roundtable tomorrow on the state of IT compliance

Posted on 07:47 by Unknown
Join me and my colleagues/friends Becky Herold (The Privacy Professor) and Scott Woodison (security manager extraordinaire) on Focus.com tomorrow at 2pm ET where we'll be talking about:
  • Compliance vs. managing information risks - there is a difference
  • Common compliance-related mistakes
  • Recent changes to information security and privacy regulations and how they affect you
  • Recommendations on what your business can do to get its arms around the compliance beast
It'll be laid back yet informative...we'll no doubt leave you with some things to be thinking about and some tips for dealing with compliance once and for all.

Here's the link for more info and to register (no-charge to participate):

http://www.focus.com/events/information-technology/focus-it-roundtable-state-it-compliance-whats-working-and-wh/

See you there!
Posted in compliance, Kevin's seminars, message from Kevin, security leadership, security management

The real numbers behind lost laptops

Posted on 04:53 by Unknown
Here's a recent piece I wrote for my friends at SearchCompliance.com regarding the lost laptop problem and what it's costing businesses:

The Billion Dollar Lost Laptop – What’s it costing your business?

I've seen some naysayers out there stating that there's no way a lost laptop could match up to Ponemon's figures. I say why find out!? Whatever the cost, the solutions for laptop security are simple once the choice is made to keep them in check.
Posted in compliance, data breach laws, hacking, Kevin's security content, laptop encryption, laptop security, mobile security, security management, stupid security