Tech Support For Dummies


Monday, 27 June 2011

The value of partial code scanning, now

Posted on 13:14 by Unknown
Check out my new piece on the business value of partial code scanning where I outline why it's better to start your source code analysis now instead of waiting around until certain milestones of your development projects are reached or your software applications are completed altogether.

It's kind of funny and ironic that we humans are all about instant gratification, yet with information risk issues such as source code analysis, we tend to want to wait until everything's perfect (and way more costly) before we get started. This reminds me of the Mark Victor Hansen quote:

“Don't wait until everything is just right. It will never be perfect. There will always be challenges, obstacles and less than perfect conditions. So what. Get started now. With each step you take, you will grow stronger and stronger, more and more skilled, more and more self-confident and more and more successful.”

I wrote this article in conjunction with the nice folks at Checkmarx who happen to produce the best static source code analysis tool I've used...especially given its price compared to the competition - it's not even in the same galaxy as some of the others out there. Definitely worth checking out.
Posted in cool products, great quotes, information security quotes, Kevin's security content, security testing tools, software development, source code analysis, thinking long term

Dropbox "bug" = why the cloud cannot be blindly trusted

Posted on 11:16 by Unknown
I've been ranting about "the cloud" (what a tired term) for a couple of years now. As if we haven't seen enough examples lately of why we cannot put all our eggs in the cloud basket, here's one more with the "code bug" that impacted Dropbox's authentication mechanism over the weekend.

Sure, Dropbox isn't an enterprise cloud app per se but I'll guarantee you it's impacting your enterprise this very moment. Think data backups, intellectual property, PII, password safes and whatever else your users are syncing across their multiple systems.

How do you explain such exposures to management or to your board when something like this happens? Do you say "Well, our cloud provider said their system was secure because they use SSL and, furthermore, have a SAS 70 Type II audit report to prove it," or "Our legal team approved of the contract and the SLA and gave us the go-ahead"?

I don't know that management will ever get on board the way they need to but cloud insecurities will certainly work themselves out in the marketplace - and in the courts - and eventually get on the radar of the people that matter.

This Dropbox dilemma is a relatively small and insignificant example of what happens when you completely rely on others for information security. I'm not saying don't use the cloud. I'm saying get your arms around the cloud before it impacts your business in a negative way. Odds are it's going to somehow and everyone will be looking at you for a well thought out response.
Posted in cloud computing, security leadership, stupid security, thinking long term, vendors, web application security

Saturday, 25 June 2011

Exchange incident response, ASLR & common Windows security mistakes

Posted on 18:39 by Unknown
From Exchange to Windows Server to Windows at the desktop, here are some new pieces I've written about Microsoft security that you may be interested in:

Six commonly overlooked Exchange security vulnerabilities

Solidify Your Exchange Server Incident Response Plan

10 most common security mistakes people are still making

Why you need address space layout randomization in Windows Server 2008 R2

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my 500+ articles, whitepapers, podcasts, webcasts, books and more.
Posted in aslr, exchange, incident response, messaging security, stupid security, Windows, windows security

Monday, 20 June 2011

I'm a speaker at the Gartner Infosec show this week

Posted on 13:50 by Unknown
For those of you who happen to be attending the Gartner Security and Risk Management Summit in DC this week, I'd love it if you could check out my session or at least stop by to say hello. I'll be serving as a panelist on mobile security at the following session:

Protect Your Identity, Mobile PC and Data

Session Code SPS13 - Potomac Ballroom 1
9:30-10:30am

Cheers!
Posted in identity theft, kevin's panels, message from Kevin, mobile security

Saturday, 18 June 2011

When's political correctness going to impact infosec?

Posted on 09:23 by Unknown
Witnessing the Thought Police's handling of the Tracy Morgan debacle I can't help but wonder if political correctness is not the beginning of dictatorships, Communism, etc. where the population is not allowed to speak up or out against anything.

Don't get me wrong. Being a libertarian, I'm pro-choice on everything...To each his own. As long as you're not affecting the life, liberty or property of someone else, then say what you need to say and do what you need to do. Sure, I know we need to be sensitive in certain situations. The problem is that political correctness leads to the legislation of our thoughts and feelings...Tell me, just how different is that from dictatorships and Communism in parts of the world where, ironically, people cry out for "human rights" because of the oppression brought on by, well, ourselves?

It'll be interesting to see how political correctness invades the very fiber of information security and privacy in businesses down the road. Will we eventually reach a point in the not so distant future where it'll be politically incorrect (esp. here in the U.S.) to tell people what websites they can or cannot use or what applications they can load on their endpoint devices connected to the business network? Will it be demeaning to others when we suggest strong passwords or we point out how security oversights brought on by people making poor choices are bringing the business down?

I'm just saying...People are complex and these are things that are impacting us personally now and likely in our work down the road. How are you going to handle it?
Posted in government intrusion, policy enforcement, politics, scary stuff, stupid security

Friday, 17 June 2011

Proud to be a speaker on the TechTarget roadshow

Posted on 09:25 by Unknown
I just completed two seminars this past week for TechTarget and CDW...One was in Minneapolis, which by the way, was probably the friendliest city I've EVER visited. Great bunch of folks...thanks for the great Midwestern turnout and hospitality!

Our second stop was San Francisco...one of my most favorite cities to visit. I also had the opportunity to visit the nice folks at one of my publishers: Realtimepublishers.com (publisher of my latest book that I'll be posting about soon) and one of the websites where I serve as an IT security expert: Focus.com. Just meeting these people for the first time made the trip worthwhile.

If you're not familiar with it, you should check out these security seminars we're doing...lots of good discussions around what it takes to really get your arms around the security beast. We may be coming to a town near you between now and year's end. Here's the website:

Predictive Security: Plan Ahead to Stay Ahead of the Next Threat
Posted in cool sites, Kevin's keynotes, Kevin's seminars, message from Kevin

Hacking tools & malware creation illegal - what's next?

Posted on 06:38 by Unknown
With all the criminal behavior taking place on computers around the world, it appears that politicians are seeking some solutions. For instance, European Union Justice Ministers are proposing a ban on hacking tools. I suspect this law will work just as well as gun laws in the U.S. Simply criminalize the inanimate object (or code) and only the law-abiding citizens will comply. It creates the perfect storm for criminals to be able to continue doing what they do.

Furthermore, an unintended consequence of such tools being banned and kept from legitimate uses, like the independent security assessment work that I and many of my colleagues do, is that businesses in general suffer.

The burning question is: who decides what hacking tools really are? Are they password crackers? Vulnerability scanners? Perhaps Web browsers in general? I suspect they'll have a panel of ignorant bureaucrats making the call like what our "leaders" here in the U.S. (Obama, Pelosi, etc.) envision with their ObamaCare death panels. Government knows best.

On a related note, just today the Japanese parliament enacted legislation that criminalizes the creation of malware. Is this any different? It can certainly be argued that malware serves no purpose other than to do harm. Of course, many people around the world believe the same thing about guns owned and used for the sole purpose of self-defense.

It's a complicated world we live in...what to do now?
Posted in government intrusion, government regulations, hacking, malware, scary stuff, stupid security

Monday, 13 June 2011

IT careers, compliance & the Internet "Freedom" Act

Posted on 14:01 by Unknown
Here are some recent pieces I wrote on IT and security careers and compliance that you may be interested in...content that likely applies to your very situation:

Career networking dos and don’ts

But Compliance is Someone Else’s Job!

Cybersecurity and Internet Freedom Act – New name, same game

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my 500+ articles, whitepapers, podcasts, webcasts, books and more.
Posted in careers, compliance, government intrusion, government regulations, security leadership, stupid security

New WebsiteDefender from @Acunetix worth a look-see

Posted on 13:45 by Unknown
The folks at Acunetix have a neat new product/service called WebsiteDefender. I've yet to try it myself but it looks promising - fills a nice niche.

WebsiteDefender is an agent-based tool for websites and WordPress-based blogs that:
  • Scans your site for security flaws
  • Detects malware running on your site
  • Alerts you to suspicious web site activity including file changes
The obvious benefit is a more secure online presence, but, as Acunetix is marketing WebsiteDefender, it can also keep you from getting blacklisted by Google and presumably from being listed as questionable by services like Web of Trust.

Certainly worth checking out. More info to come once I take it for a spin...
Posted in cool products, hacking, malware, web application security, web server security

Friday, 10 June 2011

The best information security quote ever

Posted on 09:54 by Unknown
Thinking about all the security incident headlines over the past 30 days alone, this says it all:

"We can evade reality but we cannot evade the consequences of evading reality." -Ayn Rand

Posted in great quotes, information security quotes, personal responsibility, security leadership, thinking long term

Wednesday, 8 June 2011

Weiner fallout: "I got hacked" is the new scapegoat

Posted on 09:27 by Unknown
I recently met up with some technology lawyer colleagues after work and we shared our thoughts on the Anthony Weiner "incident". We were talking about how early on in the saga no one but Weiner and the lucky recipients of his tweets really knew what the truth was. Predictably, as we're seeing and hearing more and more these days, Weiner came out and said "I was hacked. It happens to people." In other words, instead of claiming personal responsibility for the issue, he could just claim someone else did it and hopefully wash his hands of the issue.

Don't get me wrong. Companies and people do get hacked, but hacking is not always what caused the problem.

Then it came to us, "I've been hacked" is the new scapegoat. Savvy politicians and business leaders know that getting "hacked" is a generic enough claim that the general public may buy it. After all, many people believe that hacking is this mysterious, intangible "thing" that just happens these days. It's simply dismissed as "Oh well, sucks to be that person or business". Such an excuse is very similar to what I've written about "computer glitches". It's an easy way out.

Interestingly, one thing that hasn't really been discussed in the media covering WeinerGate was here's how you get to the truth...you do X, Y and Z to reveal what really happened. Be it a simple forensics analysis of Weiner's computer(s) all the way to subpoenaing Twitter for their log files associated with the usernames, dates and times in question, there's a way to get to the bottom of such matters. These procedures are carried out as part of the legal process in countless investigations and lawsuits every day in the US. But we weren't hearing about that.

We now know that a formal investigation wasn't needed with Weiner. However, if you're caught in a bind and need to prove your innocence, the e-discovery and forensics processes have a nice way of working things out...It's all a matter of choice and, I suppose, context.

Perhaps it's time to step back, fix the low-hanging fruit that's putting your business at risk, and move forward with your chin up willing to take responsibility for information security once and for all. No scapegoats necessary...
Posted in back to basics, cloud computing, computer glitch, e-discovery, ediscovery, forensics, hacking, low-hanging fruit, personal responsibility, scary stuff, stupid security

Tuesday, 7 June 2011

New tool for ferreting out users w/local admin rights

Posted on 07:20 by Unknown
Here's a free tool by @ViewFinity (the privilege management vendor I wrote about back in March) that helps you discover user accounts that have local admin rights:
Viewfinity Local Admin Discovery

...looks pretty neat if you have a need for running a quick test during an assessment or audit or just want to have something to use periodically to ensure user accounts are kept in check.
Posted in active directory, cool products, identity access management, security assessments, security testing tools

Monday, 6 June 2011

InfraGard Atlanta hack highlights some lessons for us all

Posted on 05:22 by Unknown
What started with an email from a colleague's compromised Gmail account Friday evening has ended up making international news - the InfraGard Atlanta website has been hacked. With user names, email addresses and passwords - including those associated with the FBI - available via a quick web search I knew that this was a pretty serious issue. Although I've been disconnected from InfraGard Atlanta for the past ~6 years, I originally served as an officer when the group was getting off the ground back in the early 2000s...I hate seeing something like this happen to my friends and colleagues.

What's so frustrating in situations like this is the fact there are so many people associated with InfraGard Atlanta who are well-qualified (and often very willing) to pitch in and help to prevent such breaches. It must be human nature because I've offered to do gratis security assessments for various non-profits I've been associated with over the past few years and a funny - yet consistent - thing occurs every time...It's cricket, cricket, then nothing but silence...Or "no thanks, we're good" or "it's just our website" or "we don't have anything a hacker would want"...and on and on. You get my drift. Why is it we tend to ignore the elephant in the room and pass on pro bono services where they're often needed the most? I digress.

So, what can we do about this other than getting people to buy into security which I suspect isn't going to happen any time soon? The best thing you can do is to test every single system that's publicly accessible on your network. It's the only way you're going to find the flaws that matter...and man oh man, do we ever have some low-hanging fruit out there for the taking! Still, all the penetration and vulnerability testing you can throw at your systems is not going to uncover every single flaw in your environment. But it'll get you darn close and that's where you want to be.

All of that said, here are the lessons to take from this:

1) Test your websites and your externally-accessible hosts for security flaws...ALL of them, right now! Start today.

2) Test your websites and your externally-accessible hosts for security flaws over and over again, never letting up until the sites/hosts are taken offline [by choice, not denial of service ;)].

3) Fix the flaws you find.

4) Stop making bad password decisions. We've all done it and it's got to stop. Make a conscious choice right now to change that moving forward. Vow to never create an insecure password again and vow to stop sharing passwords across different websites and systems. Also, start going back and changing weak passwords that you know exist out there.

If you find the passwords that were recovered in the InfraGard Atlanta breach you'll see how "complex" passwords can still be cracked. Sure, part of such password flaws is architectural or operational weakness, but my point is that if you have a choice, then choose to create long and complex passphrases that are easy to remember yet next to impossible to crack.
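Lesson 4 above argues that a short "complex" password can still be cracked while a long, memorable passphrase is next to impossible to crack. The following is an added example (not from the original post or from any tool it mentions) that makes that comparison concrete: it estimates cracking work under a naive brute-force model and under a dictionary-plus-mangling-rules model, and flags passwords reused across sites. The wordlist, its assumed size, the rule budget and the guess rate are assumptions; the sample passwords and vault are constructed.

```python
import math
import string

# Constructed mini-wordlist standing in for the multi-million-entry lists
# cracking tools actually use; WORDLIST_SIZE_ASSUMED is the size we charge
# an attacker for searching such a list. Both are assumptions for illustration.
WORDLIST = {"password", "welcome", "letmein", "dragon", "summer", "atlanta"}
WORDLIST_SIZE_ASSUMED = 1_000_000
MANGLING_RULE_BITS = 12          # assumed budget for case/leet/suffix rule variants
GUESSES_PER_SECOND = 1e10        # assumed offline guess rate against a fast hash

# "Leet" substitutions that cracking rules undo routinely
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
PUNCT_AND_DIGITS = string.digits + string.punctuation


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker would have to cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += len(string.punctuation) + 1   # 32 symbols plus space
    return size


def brute_force_bits(pw: str) -> float:
    """Work, in bits, if every string of this length and alphabet had to be tried."""
    return len(pw) * math.log2(charset_size(pw))


def core_word(pw: str) -> str:
    """Strip a trailing year/symbol suffix, undo leet, lower-case, strip the ends."""
    s = pw.rstrip(PUNCT_AND_DIGITS)           # "P@ssw0rd1!" -> "P@ssw0rd"
    s = s.translate(LEET).lower()             # -> "password"
    return s.strip(PUNCT_AND_DIGITS)


def effective_bits(pw: str) -> float:
    """Dictionary-word-plus-rules cost if the core is a known word, else brute force."""
    bf = brute_force_bits(pw)
    if core_word(pw) in WORDLIST:
        return min(bf, math.log2(WORDLIST_SIZE_ASSUMED) + MANGLING_RULE_BITS)
    return bf


def crack_time_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the search space."""
    return 2 ** (bits - 1) / rate


def find_reused(vault: dict) -> dict:
    """Passwords used on more than one site, mapped to the sites sharing them."""
    by_pw: dict = {}
    for site, pw in vault.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed samples: a short "complex" password and a long passphrase
    for pw in ("P@ssw0rd1!", "orange kayak thunder pillow velvet"):
        print(f"{pw!r}: brute-force {brute_force_bits(pw):.1f} bits, "
              f"effective {effective_bits(pw):.1f} bits, "
              f"~{crack_time_seconds(effective_bits(pw)):.3g} s to crack")
    # Constructed vault showing the reuse problem the post warns about
    vault = {"webmail": "P@ssw0rd1!", "vpn": "P@ssw0rd1!", "bank": "Atl@nta2011"}
    print("reused:", find_reused(vault))
```

The brute-force figure flatters the "complex" password; the dictionary figure is what a cracker with a wordlist and rules actually pays, and it drops from decades to under a second.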

The choice is yours....use it wisely.
Posted in data breaches, hacking, passwords, scary stuff, stupid security



