Tech Support For Dummies

Tuesday, 29 November 2011

HDMoore's Law, revisited

Posted on 05:58 by Unknown
Here's a good read by Mike Rothman (@securityincite) on how we tend to bury our heads in the sand over the most obvious things including HD Moore's Law. For years, I've had a slide in my presentations titled "Future Trends" where I've talked about how exploits are getting easier for those with ill intent:
  • Easier access to tools
  • Little knowledge needed
  • Less elaborate “hacks”
  • More internal breaches
  • Mobile business → less control
  • Greater complexity → more security issues
  • Newer technologies → new security problems
Mike's post is a good reminder that this is a business reality - today, right now - and it's up to every single one of us in IT to stay ahead of the curve.
Posted in internal threat, metasploit, security testing tools, stupid security

Sunday, 27 November 2011

Don't get mired striving for perfection

Posted on 13:50 by Unknown
As we wind down 2011, here's a quote that relates to information security, incident response and overall risk management:

“The person who insists upon seeing with perfect clearness before he or she decides, never decides.” -Henri Frederic Amiel

So, do something to better your information security program. Any positive step forward - anything - is much better than getting mired in the desire for perfection and doing nothing at all.
Posted in great quotes, incident response, information security quotes, security leadership, security management, thinking long term

Monday, 21 November 2011

Don't turn a blind eye on the basics

Posted on 17:08 by Unknown
I'm all about shoring up the basics of Web security before throwing money at the situation. If you're interested in saving not only money but also time and effort, here are some new pieces I've written on Web security that you may be interested in:

Explaining the why of Web application security

Improving Web security by working with what you’ve got

Not all Web vulnerability scans are created equal

Why people violate security policies

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.
Posted in back to basics, Kevin's security content, low-hanging fruit, politics, security awareness, security policies, stupid security, web application security, web server security

Sunday, 20 November 2011

A new way to bleed

Posted on 12:45 by Unknown
I was in New York City this past week for my final keynote and related presentations for our TechTarget & CDW information security roadshow. Wow, 10 cities in eight months - what a great way to end our year. Of course, being in New York I couldn't help but notice the *constant* coverage of the Occupy Wall Street protests that ended up turning a bit ugly on Thursday - the day I was leaving. Luckily I didn't get caught up in their nonsense.

Once I reached the airport on my way back home I had several things occur to me regarding these people and their protests. The occupiers are the same folks who will:
  • break in line
  • litter
  • cheat on tests
  • ensure everyone gets a trophy
  • buy into the notions of "fair share" as long as it works in their favor by only giving what they're capable of giving while taking whatever they need
  • flip you off when they pull their car out in front of yours and you honk to make them aware of your presence
  • hack into others' computers for ill-gotten gains just because they can
  • never admit fault and hire lawyers to "prove" their cases
  • be heard at all costs but go to great lengths to shut you up if your views oppose theirs

Ironically, there was a Rich Dad Poor Dad seminar in the hotel where we were presenting. It was chock full of people looking to better themselves. I thought, what an interesting juxtaposition considering all the people in Zuccotti Park who were doing nothing productive but, were instead, only holding themselves back.

The occupiers have no interest in taking personal responsibility for any of their actions. It's always someone else trying to bring them down. They don't understand that each and every one of us is currently experiencing the sum of our own choices throughout our lives. The occupiers want stuff handed to them using money that someone else has had to work to earn...and they want it now! Imagine this scenario just a few centuries ago where it was every man and woman to fend for themselves. Ha. Without the police power of government these people would never survive. But now we live in a society where government helps ward off such survival of the fittest. We're conforming minions because of the laws that a relative minority want to force upon the will of others. We're more "equal" now and that makes for a better society I suppose.

Folks, this is the very beginning of Socialist nations which, no doubt, evolve into Communist regimes - you know, the very political states in which "human rights" are violated and these same people would demand reprieve. It is interesting how these "smart" occupiers who claim to know it all have no real clue of history...much less how basic economics works. The free market that's based in New York City provides these very people and all of us the greatest opportunity in history to do well for ourselves and our families. But that requires work and these people aren't willing to do that. Too much risk and effort involved. They'd much rather argue for their own limitations.

I write about this because I believe STRONGLY in personal responsibility and limited government. Interestingly, both of these have a direct tie to the field of information security that has been very good to me and my family thanks to my willingness to take risks and work hard year after year to bring things to fruition. Yet, on both sides of the token - the anti-Capitalist occupiers AND the very people who *should* be held accountable for doing what's right to protect their networks and information - I see people continually burying their heads in the sand and pretending that everything is someone else's problem...It seems to be getting worse, but it's probably just me.

Major kudos to all of you who are not only willing to work hard but also willing to think outside the box and not be swayed by mob rule.
Posted in government regulations, message from Kevin, personal responsibility, scary stuff, thinking long term

Monday, 14 November 2011

For incidents, preparation is key...But you've been hacked, now what?

Posted on 14:10 by Unknown
Here are some new pieces I've written for TechTarget and Security Technology Executive magazine on compliance that you may be interested in:

Preparing for an incident at the workstation level
Develop a Flight Plan

How to know if your website has been hacked

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.
Posted in compliance, forensics, incident response, security management, web application security, windows security

Thursday, 10 November 2011

Join me at the CDW - TechTarget seminars in Philly & NY next week

Posted on 11:40 by Unknown
If you happen to be in or around Philadelphia, PA or New York City next week, I'd love it if you could join us for our TechTarget / CDW seminars: Predictive Security: Plan Ahead to Stay Ahead of the Next Threat.

I'll be giving the keynote presentation and splitting the breakout sessions with Pete Lindstrom and other vendor experts. After the morning sessions and a great lunch, we'll get back together around 2pm and close out with a lively Q&A for which we've gotten great feedback.

These are our final two seminars for the year. You'll benefit from us being really warmed up and having our presentations (mostly) fine-tuned.

Hope to see you soon!
Posted in Kevin's keynotes, Kevin's seminars, message from Kevin, presentations

Why compliance is a threat

Posted on 09:15 by Unknown
Compliance as we know it is arguably one of the greatest threats to enterprise security. Here's why:
  1. It creates a heightened sense of self for those responsible for accomplishing a state of compliance.
  2. It can cost more to become "compliant" than it does to create a reasonably secure environment.
  3. It empowers government.
All of the above create complacency and a false sense of security. Please tell me I'm wrong.
Posted in compliance, government intrusion, government regulations, scary stuff, stupid security

Wednesday, 9 November 2011

Wooo...HIPAA audits are coming & the irony of KPMG's involvement

Posted on 08:54 by Unknown
I've always believed that compliance is a threat to business [which is why I help businesses take the pain out of compliance by addressing their actual information security issues] and this new bit from HHS's Office of Civil Rights is no different.

Apparently the HIPAA audits are coming...KPMG - an audit firm that has already proven they have trouble implementing the basic security controls they audit others against - scored a $9 million contract to perform up to 150 audits over the next year. Audits that'll prove that covered entities and business associates alike still don't take HIPAA seriously. A simple visit to your local hospital or physician's practice will show this, but I guess it needs to be formalized.

Who knows, maybe in a generation or two, physicians (the bigger problem) and business associates (not quite as much) will wise up to the fact that minimal investments can go a long way towards fixing their low-hanging fruit and implementing basic security controls - really all that's needed for HIPAA compliance in most situations.
Posted in checklist audits, compliance, government regulations, hipaa, security audits, stupid security

Tuesday, 8 November 2011

Mobile devices are the new desktop, what to do now!?

Posted on 11:19 by Unknown
Here are some new pieces I've written for my friends at TechTarget on mobile security that you may be interested in, including a piece for TechTarget's new (I think) SearchConsumerization.com site:

It's time we shift our thinking about endpoint protection

Act now to prevent smartphone security risks at your organization

Compliance officers' next big headache: Securing mobile applications

You know the deal, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.
Posted in compliance, end point security, Kevin's security content, mobile security, smartphone security, third-party applications

One of my pet peeves: relying on users to wipe out wimpy passwords

Posted on 07:09 by Unknown
You cannot - and should never - rely on your users for complete security...yet they're often the first or last line of defense - sometimes both.

I wrote about this a while back but it's a problem that's still rampant in IT so I had to bring it up again. It's probably my biggest pet peeve in security. Simply telling users that they need to select strong passwords on their computer systems and leaving it up to them to do the right thing is delusional.

I do believe that most people want to do the right thing...that said, people are going to take the path of least resistance if they're presented with it. Set them up for success instead and take that power away when you can.
Posted in mobile security, passwords, personal responsibility, scary stuff, stupid security, user awareness

Tuesday, 1 November 2011

What needs to change?

Posted on 11:55 by Unknown
The late Richard Carlson once said:

Circumstances don't make a person, they reveal him or her. There are times when other people and/or circumstances contribute to our problems, but it is we who must rise to the occasion and take responsibility for our own happiness.

Deep.

Whether you're caught up in an IT project mess, a data breach or even the #Occupy "movement", keep this in mind. We're the sum of our choices to this point. What needs to change?
Posted in great quotes, information security quotes, personal responsibility, security leadership, thinking long term