Tech Support For Dummies


Tuesday, 27 September 2011

Web security essentials: something old and something new

Posted on 03:31 by Unknown
Here are some new bits I've written on Web security that you may be interested in. First a bit on SQL injection - the greatest Web flaw of all in my humble opinion:
SQL Injection – The Web Flaw That Keeps on Giving

And a bit on how to use your users to your advantage to minimize Web security risks:
Getting users on your side to improve Web security

...and finally a piece on why I think that time to market is no longer the excuse for Web security flaws and what's really holding us back today:
Time to market is no longer the excuse

You know the deal, be sure to check out www.principlelogic.com/resources.html for links to all of my additional security whitepapers, podcasts, webcasts, books and more.
Posted in Kevin's security content, ROI, security management, selling security, SQL injection, thinking long term, user awareness, web application security | No comments

Monday, 26 September 2011

Common firewall management challenges whitepaper

Posted on 06:10 by Unknown
Here's a new whitepaper I recently wrote on the ins and outs - and dos and don'ts - of managing enterprise firewalls:

Firewall Management: 5 Challenges Every Company Must Address

In the paper I cover things such as rules and regulations impacting firewall management, assessing firewall policy risks, managing changes and being able to prove where things stand with your firewalls at any given point in time.

Enjoy!
Posted in change management, compliance, firewalls, Kevin's security content, network complexities, network security, risk analysis, security management, whitepapers | No comments

Compliance or risk: what the real IT leaders focus on

Posted on 05:17 by Unknown
Whatever your approach to managing IT and information security, here's a new bit I wrote for Security Technology Executive magazine on fixing what needs to be fixed before you do ANYTHING else:
Fix Your Low-Hanging Fruit or Forever Hold Your Peace

Once you have the urgent flaws on your most important systems out of the way, here are some pieces I wrote for SearchCompliance.com on dealing with compliance while, at the same time, actually managing your information risks:

Managing information risk inherent to an effective compliance strategy

Avoid duplicated efforts to cut the cost of regulatory compliance

The long-term consequences of not addressing compliance today

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my additional information security articles, whitepapers, podcasts, webcasts, books and more.
Posted in compliance, Kevin's security content, risk analysis, ROI, security leadership, security management, stupid security, thinking long term | No comments

Wednesday, 21 September 2011

Buying, selling & consigning used hardware great for IT budgets

Posted on 06:24 by Unknown
In IT and information security we're required to come up with creative ways to save money any way we can. Well, how about this novel idea: buy used network and computer hardware, or sell what you've already got so you can upgrade.

A good friend of mine works at a company (Riverside) that does just that. They buy, sell and consign used network and computer hardware to help businesses save (or make) money. If you're looking to "earn" some budget dollars, Riverside will buy your equipment from you - apparently something that most used hardware brokers/sellers don't do.

Is it just me, or why aren't we seeing more of this in today's "green" world? You won't find me kneeling at the altar of "global warming" but I most certainly believe in recycling and buying used wherever possible. It helps the environment and seems like an ingenious way to save IT dollars already budgeted and, if selling, actually add some dollars to the bottom line.

Never forget that the people who add the most value in and around IT are the ones who will ultimately rise to the top. Buying and/or selling used network and computer hardware seems to me to be a great way to go about doing so. Just some food for thought.
Posted in budget, cool products, cool sites, disposal, hardware, message from Kevin, recycling | No comments

Tuesday, 20 September 2011

Pick up that paper at your own peril

Posted on 12:36 by Unknown
From @Quotes4Writers on Twitter, this totally reminded me of me:

"You have to be brave to take out that white sheet of paper and put on it words that could be evidence of your stupidity." - Sol Saks
Posted in great quotes, humor, information security quotes | No comments

Monday, 19 September 2011

Windows ASLR, APTs, server malware protection and common patching gaps

Posted on 04:52 by Unknown
Here are some new pieces I've written for the TechTarget sites SearchWindowsServer.com and SearchEnterpriseDesktop.com on Windows (in)securities in the enterprise, including a bit on the over-hyped and misunderstood APT threat (is that like "ATM machine"?), which I got to see first hand while working on a project that involved one of the Operation Shady Rat victims:

The APT threat to Windows environments

Why you need address space layout randomization in Windows Server 2008 R2

Are you properly protecting your Windows servers against malware?

Windows server patching gaps you can't afford to miss

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my additional information security articles, whitepapers, podcasts, webcasts, books and more.
Posted in aslr, Kevin's security content, malware, patching, windows security | No comments

Friday, 16 September 2011

No CPEs for you!

Posted on 11:00 by Unknown
I spoke at the @ISACAAtlanta GeekWeek show and all I got was this lousy notification ;-)
Seriously, it was a good show that I recommend next time they have it.
Posted in humor, Kevin's seminars, message from Kevin | No comments

My new paper on BitLocker's hidden costs

Posted on 10:04 by Unknown
I've been a fan of Microsoft BitLocker since it first came out. It provides a cheap and easy way for users to lock down their laptops and mobile storage devices and is especially helpful in small businesses where security knowledge is scarce at best. Although BitLocker protection can be bypassed, it's still better than nothing - like WEP for wireless networks.

Anyway, if you're considering BitLocker as your disk encryption solution, I just wrote a new whitepaper titled The Hidden Costs of Microsoft® BitLocker® you may be interested in. In the paper I talk about some not so obvious costs and gotchas you need to think long and hard about if you're considering deploying BitLocker in an enterprise setting.

Interestingly, I have friends and colleagues at some large enterprises who are telling me their IT/security management is considering ripping out PGP or other commercial whole disk encryption tools in favor of "free" BitLocker encryption. I advise against this unless and until you know all the facts and think things through.

Check out my paper here for more information.
Posted in bitlocker, Kevin's security content, laptop encryption, mobile security, whitepapers, windows security | No comments

I love solid state drives but I'm no fan of OCZ

Posted on 06:27 by Unknown
I tweeted about this the other day but thought it deserved a longer post. If you do anything with IT/security tools such as vulnerability scanners, network analyzers and the like you HAVE to get a solid state drive.

Hands down, installing solid state drives in my laptops has been the best computer upgrade I have ever made in 22 years of using computers. Better than doubling my RAM, better than upgrading the CPU...whatever. I wish I would've moved to SSDs sooner. I didn't know it was going to be the case but my SSDs are faster than the 10,000 rpm drive I use in my desktop (which was a huge improvement over the 7,200 rpm drive I used to have). Amazing.

Two words of caution:

1) Know that if your drive fails - especially under warranty, when you need to return it - you have no way of knowing what is recoverable by some yahoo engineer in the manufacturer's lab who has nothing better to do. Based on my limited knowledge of how SSDs work, and backed by a forensics expert I work with, even if the drive is dead it's still possible that data can be extracted from the chips on the drive. This is something you wouldn't have to worry about with traditional platter-based drives because you could give them a good bath with a powerful magnet and you'd know your information is safe.

SSDs just aren't the same, at least based on what I know about them. That, combined with the fact that I had encrypted the drive with BitLocker, meant I had no way of knowing what was recoverable, especially using this tool.

2) Stay away from OCZ Technology SSDs. I bought one knowing that the Amazon reviews weren't great. But it was available at a nice price at my local MicroCenter and I figured I had nothing to lose. Plus, like many in management treat information security, I figured nothing bad would happen to me - surely my drive wouldn't fail. ;-)

Well, silly me. Something did happen. My drive died within 3 weeks of purchasing it. Nice. I wrote to OCZ and told them about the nature of the work I do and that I've got potentially sensitive information on the drive that I cannot afford to have recovered. Per my forensics colleague's suggestion (apparently, the large hard drive makers do this), I asked OCZ if I could return just the cover of the drive, in hopes that rendering it mostly useless would be enough for me to get a replacement.

OCZ's Technology Forum Support Manager promptly replied: no can do. They needed the drive back to replace it or refund my money. So, I ended up losing close to $200 plus a good 5-6 hours' worth of my time buying a new SSD and rebuilding my system. Tough lesson learned.

FYI, I bought a Samsung SSD (love it!) and suggest you do the same.
Posted in message from Kevin, security testing tools, uncool products | No comments

Thursday, 15 September 2011

Your organization vs. BP: what will faulty decisions lead to in your business?

Posted on 10:51 by Unknown
Imagine a scenario where poor management, failure to take appropriate action, personnel changes and miscommunication about who's responsible for what lead to a catastrophic event at your business. That's exactly what the findings were on the BP oil spill.

Sadly, 11 people died because of this incident. Luckily, our line of work isn't quite so risky but your business can still get in a bind when information security is mismanaged.

Here's a link to articles, podcasts and webcasts I've written/recorded on management's link to information security, and a few more bits on how to sell people on information security and keep them on your side to help prevent poor management decisions in the first place.
Posted in careers, incident response, scary stuff, security leadership, security management, selling security, stupid security | No comments

Wednesday, 14 September 2011

NetIQ's file integrity monitoring solution

Posted on 07:00 by Unknown
A couple of weeks ago, I had the privilege of speaking at the Information Week / Dark Reading Virtual Trade Show How Security Breaches Happen and What Your Organization Can Do About It.

In my presentation How to Win the War Against Cybercrime, I apparently had a brain-cramp moment and said that I'm not seeing anybody with good file integrity monitoring. Um, duh, Kevin (as I smack myself in the face), the very vendor who sponsored my session, NetIQ, has such a solution. It's called NetIQ Change Guardian. Sadly (stupidly), I knew this and don't know why I said what I said. I just wanted to set the record straight. Jill and Renee at NetIQ: thanks for keeping me on my toes. :-)

In case you missed the virtual tradeshow, I believe you can still register for it and listen to the recording. Lots of good info - not because of me, but because of the caliber of other IT and information security speakers they had on board. In fact, I was duly impressed by Steve Kovsky - the moderator for my session. I aspire to be able to speak that well one day.

Anyway, check out the virtual tradeshow and NetIQ's offerings. Both quality stuff.
Posted in compliance, file integrity monitoring, message from Kevin, network security, presentations, visibility, webcasts | No comments

Tuesday, 13 September 2011

Stephen Covey's insight applies to information security

Posted on 04:28 by Unknown
I love the following quote...very applicable to what we do:

"You can't talk yourself out of a problem you behave yourself into." - Stephen Covey

Okay, you may be able to talk your way out of bad security decisions with the right attorneys or a cybersecurity insurance policy. Having worked cases involving data breaches, compliance and intellectual property, I can say that it won't be a short-lived, inexpensive or painless ordeal.
Posted in expert witness, great quotes, information security quotes, personal responsibility, thinking long term | No comments

Monday, 12 September 2011

Speaking in Boston @ the CDW + TechTarget security seminar next week

Posted on 11:54 by Unknown
I hope you'll have a chance to join me in Boston next week when I'm speaking at the TechTarget / CDW seminar: Predictive Security: Plan Ahead to Stay Ahead of the Next Threat.

Boston, like several other upcoming events, is a 2-track seminar where I'll be giving the keynote and splitting the breakout sessions with my friend and roadshow colleague Pete Lindstrom among other vendor experts. [sidenote: Pete's the real draw at these events, I'm just there to fill in the gaps....seriously, he's good.] After the keynote, breakout sessions of your choosing and a great lunch, we all get back together around 2pm and close out with a lively Q&A for which we've gotten great feedback.

If you can't make the Boston event or one of the other 2-trackers in Philly or New York this fall, I'll be leading two 1-track events in Phoenix and Raleigh coming up shortly as well.

Here's a sampling of audience feedback of my keynote and three breakout sessions at recent shows:
  • Very good information, Great speaker
  • Well laid-out, solid points/arguments, encouraged involvement
  • Super
  • Informative, broad, excellent!
  • Mobile devices discussion was very good and insightful
  • Informative and aligned with current issues
  • Great - Clear - Real-time Current examples of industry security
  • Good intro keynote
  • Knowledgeable and personable
  • Kevin does a great job - Good choice
  • Very real life knowledge not just preaches - He feels the pain, that is great! What an honor to attend!!!
  • Current real life examples is the best information that can ever be given at any seminar. A+++
  • Lots of good group discussion
  • Plenty of great examples, specific tools, crowd discussion, etc. Plenty of good info to take back
  • Best of the day. Most valuable. Good discussion.
  • Kevin's presentation was great
  • Very relevant - focused on concerns that most of us seemed to have about mobile security
  • Kevin is a great speaker/teacher
  • Learned lots - Had a great time - Thank you! Very Much!
  • Good technical info, plenty of things to take back for further use or investigation. Not too much kool-aid/sales pitches.
  • The content was good. I'm not a security guy so my interest is limited. It was at a good level of complexity
  • Although I was not here all seminar, what I saw was good - need more 1 day seminars
  • More relevant to my job function than I had anticipated -- thanks!
  • Security is a concern of upper management - This seminar provided me good information to take back to the organization
  • Loved the fact that you gave us tools
  • Great insights again - thanks for sharing some of the tools and hacks
  • Liked location; kevin is a very good speaker
  • Multi-tracks are a great idea! Continue with panel discussions/Q&A in future seminars
  • More speakers like Kevin Beaver

Hope to see you there!
Posted in careers, Kevin's keynotes, Kevin's seminars, message from Kevin, testimonials | No comments

Microsoft Exchange Data Retention, Incident Response & Other Gotchas

Posted on 05:39 by Unknown
Depending on where you're at with your Exchange "maturity model", here are a few pieces I've written for SearchExchange.com about Microsoft Exchange security oversights, policies and plans to help you along the way:

How to write an effective data retention policy for Exchange

Solidify Your Exchange Server Incident Response Plan
Common Exchange Security Oversights

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to my additional information security articles, whitepapers, podcasts, webcasts, books and more.
Posted in compliance, data retention, exchange, incident response, Kevin's security content, messaging security, security policies | No comments

Wednesday, 7 September 2011

What it takes to get ahead in IT and beyond

Posted on 04:15 by Unknown
Good economy or not, people often ask: What can I do to get ahead in business? How can I stand out above the noise to enhance my career? How can I be a better network engineer, information security administrator, IT manager, speaker, writer and so on...?

Whether you work for yourself or for someone else, the answer is the same. You simply seek out the people who are at the top of their fields and do what they do. That's it. You don't have to ask these experts directly, and you don't have to pay to take some advanced training classes. Instead you simply see what experts in your line of business are doing, how they think, and model yourself after them.

Twitter, blogs and other social media provide a great way to follow what these people are doing, how they think, how they’re positioning themselves and the niche they create. It's amazing stuff that has worked for me and it can work for you.

So, seek out the people you respect, which will likely be the people writing, presenting and evangelizing in the subject areas in which you have an interest, and go from there.

For additional reading, here are some links to articles I've written on the subject of enhancing your career in IT and beyond as well as my audio programs on IT and information security careers.
Posted in careers, personal responsibility, security leadership, success, thinking long term | No comments

Sunday, 4 September 2011

DNS hack: UPS, National Geographic, Acer, etc. websites affected

Posted on 15:03 by Unknown
Happy (almost) Labor Day...here's the latest from the criminal hackers: a DNS hack has redirected numerous websites of UPS, National Geographic, Acer, The Register and more. Nice.
Betcha it was some low-hanging fruit someone, somewhere overlooked.

Posted in back to basics, dns, low-hanging fruit, stupid security | No comments