Where's your information security focus?

You cannot change facts (i.e. the industry your business is in, the regulations it's up against, the type of sensitive information you're responsible for managing, etc.) but you can change problems (i.e. user behavior, wayward goals, management not on board with security, etc. ).

As the philosopher James Burnham once said:

"If there is no alternative, there is no problem." 

In the case of information security, there are tons of alternatives to the issues we face. It's up to us to focus on what counts so we can eventually make a difference.

Read More

You cannot multiple security by dividing it - Infosec's relationship with Socialism

I'm not much into urban legends and the like but came across this bit the other day and it really made me think. What a great analogy that impacts all of us both personally and professionally with some interesting information security and compliance tie-ins that I see all the time:

An economics professor at a local college made a statement that he had never failed a single student before, but had recently failed an entire class. That class had insisted that Obama's Socialism worked and that no one would be poor and no one would be rich, a great equalizer. 

The professor then said, "OK, we will have an experiment in this class on Obama's plan". All grades will be averaged and everyone will receive the same grade so no one will fail and no one will receive an A.... (substituting grades for dollars - something closer to home and more readily understood by all). After the first test, the grades were averaged and everyone got a B. The students who studied hard were upset and the students who studied little were happy. As the second test rolled around, the students who studied little had studied even less and the ones who studied hard decided they wanted a free ride too so they studied little..The second test average was a D! No one was happy. When the 3rd test rolled around, the average was an F. 

As the tests proceeded, the scores never increased as bickering, blame and name-calling all resulted in hard feelings and no one would study for the benefit of anyone else. To their great surprise, ALL FAILED and the professor told them that Socialism would also ultimately fail because when the reward is great, the effort to succeed is great, but when government takes all the reward away, no one will try or want to succeed. It could not be any simpler than that. Remember, there IS a test coming up. The 2012 elections. 

These are possibly the 5 best sentences you'll ever read and all applicable to this experiment: 

1. You cannot legislate the poor into prosperity by legislating the wealthy out of prosperity. 
2. What one person receives without working for, another person must work for without receiving. 
3. The government cannot give to anybody anything that the government does not first take from somebody else. 
4. You cannot multiply wealth by dividing it! 
5. When half of the people get the idea that they do not have to work because the other half is going to take care of them, and when the other half gets the idea that it does no good to work because somebody else is going to get what they work for, that is the beginning of the end of any nation. 

Not that the big government Republicans are a lot better...The reality is we Americans had better wake up, smell the "change" we're stepping in and learn that no politician, Democrat OR Republican, can make our lives better...only WE can make that happen.

Be it information security, compliance or your personal live....as Og Mandino once said (favorite quote of all time): "Use wisely your power of choice."

Read More

Evanta CISO event and why St. Jude's has it right

This week I had the opportunity and privilege to serve as a panelist on mobile security at the Evanta CISO Executive Summit in Atlanta. What a neat event...it wasn't just another infosec show. It was unique in its focus and well run by Corrine Buchanan and Mitch Evans who always seemed to have a smile on their faces - something we don't see enough of at these types of shows.

Another thing was a St. Jude's Children's Hospital video they played featuring Marlo Thomas talking about her father's work with the hospital. She said something about the hospital regarding its mission that stuck in my mind: "Don't just treat kids. Let's try to figure out what makes them sick."

Great approach with an interesting information security tie-in: Don't just throw technologies and policies at security...find out what's actually at risk. Indeed, we have to be smart in using the resources we're given.

Read More

Complacency, meet APT – How basic oversights lead to complex malware infections

Low-hanging fruit – that is, the missing patches, default passwords, lack of full disk encryption and so on present in practically every environment – is something I’ve ranted about time and again because there’s no reason to have it on your network. Why? Well, for one thing, rogue insiders may just exploit it for ill-gotten gains. But even worse, low-hanging fruit can be the target of malware exploitations that you’re not prepared to take on. You see a few missing patches and unhardened endpoints combined with users gullible enough to click whatever’s placed on their screens and you’ve got yourself the recipe for disaster.

Low-hanging fruit can turn from “Yeah, I need to get to that stuff…” to “Oh crap, all of our workstations are being controlled by someone on the other side of the world”.

Recent shifts in IT like consumerization, mobility and the desire for instant gratification when it comes to computer and Internet access have made these threats even more formidable. Users are indeed going to do what they want to do. In many cases, management will proudly back them up – even if they have no clue about the long-term impact to the very business they’re responsible for running.

Built-in security controls provide an opportunity for us to save time, effort and money keeping our systems in check without having to spend a dime more than we need to. That said there are certain security controls that operating system and hardware vendors haven’t mastered. One in particular is security controls designed to help with APTs and advanced malware. It’s just not possible to get the specialized protection out of the box from the mainstream vendors that you’re going to get with a the niche technologies I talked about my recent paper The Malware Threat Businesses are Ignoring and How Damballa Failsafe Fits In.

It’s no different than how I buy special tires and brake pads for my race car. When there’s a specific need, odds are the stock equipment just won’t cut it.

One of the most damaging misconceptions about malware is that the big anti-virus vendors are going to keep endpoints safe. It’s this very mindset that’s gotten businesses into hot water recently. I saw it when working on an incident response project that falls under the Operation Shady RAT umbrella. I think it’s safe to say that traditional anti-virus vendors come nowhere close to protecting your network – especially if such an attack is targeted. In fact, the entire concept of APTs and advanced malware is not very well understood by the IT and information security community as a whole.

How are you supposed to protect against something like this? It's not simple. You’ve got to have the right tools, the necessary documentation and, perhaps most importantly, management that gets it.

Read More

Are your high-tech devices enslaving you?

The late Richard Carlson, author of Don't Sweat the Small Stuff, said:

"It's important to see when your high-tech communication devices actually limit your freedom, enslaving you instead of providing new opportunities for growth."

Wow...How true that is!

Have you ever tried to not look at your emails or answer phone calls when you're out and about with  your family or taking some time to yourself? It's pretty darned difficult but it can be done, if you make it so.

Try it out over the next couple of weeks and you'll see what Dr. Carlson was talking about. You'll give your mind a break and be able to focus on the things that truly matter in life.

Read More

My articles & webcasts on hacking, incident response, compliance & IAM

I wanted to share with you a few new pieces I've written for TechTarget and Cygnus on incident response, compliance for systems integrators and the not-so-sexy but all-too-important technology,  identity and access management:

The importance of incident response plans in disaster recovery

Regulatory compliance requirements for security solutions providers

Identity Management’s great bang for the buck

Also, here are some webcasts I recorded for TechTarget, Information Week/Dark Reading and SecurityInfoWatch.com that you may be interested in:
Managing network security threats with an ERM strategy

How Security Breaches Happen and What Your Organization Can Do About It

Building and deploying secure video and access control systems (a.k.a. ethical hacking tips and tricks for video and access control systems)

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Read More

Executives could learn a lot from Supernanny

We all have a lot to learn from Jo Frost, the Supernanny. In particular, when it comes to information security, IT management, employee computer usage and so on, business executives could benefit a ton. Here's how it'd go:

1. Create a set of rules.
2. Enforce your darned rules!

Read More

The role of IT in fighting today’s malware

It seems ever since I wrote my paper The Malware Threat Businesses are Ignoring and How Damballa Failsafe Fits In I’m seeing more and more vendors jump on the bandwagon. Today’s malware impacts everything from the network infrastructure to the endpoint and everyone wants a piece of the pie. I know the market is growing so I can’t blame people for wanting to capitalize on the opportunity.

Vendors aside, what is it that you as an IT professional need to be doing about the threat outside your network and the vulnerabilities inside your network? Being an independent information security consultant and seeing things from an outsider’s perspective, it’s clear to me that most IT shops are, in a grand way, woefully unprepared to fight this threat…much less respond in a mature and professional fashion when a breach and subsequent outbreak occurs.

As I write this post, I’m listening to a song on satellite radio with a chorus that says “If we don’t do it, nobody else will.” Wow, that hits the nail on the head – in a spooky kind of way. Indeed, if you don’t address the advanced malware threat today, indeed, nobody else is going to. Executives on mahogany row won’t. Nor will HR. Software developers are doing their own thing. Even your compliance officer and legal counsel aren’t going to understand the real impact of advanced malware.

You, the IT/information security professional, are going to have to step up and make the case that your business can be – and quite likely is – a target. This means taking the proper steps to:

1. determine your risks
2. get management on board
3. document reasonable policies and an incident response plan
…and, most importantly (and often the missing link):
4. enforcing with the right technologies

Don’t give the bad guys a chance. Do something now. Nobody else will.

Read More

My interview in Hackin9 magazine

If you subscribe to Hackin9 magazine, check out this issue where they feature an interviewed with me about how the information security landscape has changed over the past decade, how you can get started in information security, my take on compliance and more.

If you don't subscribe to Hackin9, it's a great trade rag for technical security pros and (especially?) non-technical IT, security and compliance pros...Putting the occasional typographical errors aside, it's a must-read if you want to stay current on the latest information security trends, exploits and so on.

Read More

Quoted in today's SC Magazine feature story on Symantec

Stephen Lawton wrote today's SC Magazine feature news story on the Symantec source code breach in which I'm quoted.

I provided these quotes late last night and it was interesting timing because I was speaking at local university's AITP chapter yesterday evening and I told my audience that no one is immune from hacking - not even IT and security pros...and obviously not information security companies.

It's a crazy world out there. We have to do our best to prevent the issues but also be prepared in the event something does happen.

Read More

Great year for my book Hacking For Dummies, 3rd edition

2011 was a great year for me in so many ways. I feel extremely blessed and very lucky. Part of this was related to my book Hacking For Dummies, which is now in its third edition. I knew that sales were up - I believe in large part due to all the speaking engagements I did for TechTarget and others.

Well, I just found out from my publisher that it's safe for me to continue to say that Hacking For Dummies is one of the best selling books on information security...right up there with those big-name titles that some may feel less embarrassed to buy.

Another neat fact: since its inception, Hacking For Dummies has been translated into five additional languages (Portuguese, Estonian, Italian, Simplified Chinese and German).

Very cool.

I can't thank you all enough for your support! This year's going to be even better - stay tuned...

Read More

New Year's Resolutions merely create gym overcrowding

Be it New Year's resolutions (I'm going to lose weight this year!), career resolutions (I'm going to get a different job this year!) or financial resolutions (I'm going to get out of debt this year!)....traditional resolutions just don't work.

Just check out how your local gym parking lot transforms between now and next month. I can't wait until around mid-February when the crowds will predictably die down and I can get some personal space back when I'm working out!

We've all fallen into the trap of "resolving" to do something but not following through to actually make it happen. You know what's been said about the road to Hell being paved with good intentions. With resolutions we only end up letting ourselves down and planting those seeds of doubt in our mind that certain tasks can never be accomplished. It's just not true...IF you go about it the right way.

Here's a proven method for doing what you say you're going to do and making stick once and for all in order to enhance your job, your career and your personal life for 2012. It has worked for me and I know you can benefit as well if you make it so.

Read More

My Web app security epiphany: The Lysol Effect

I just had an epiphany in the bathroom. I know, I know...bear with me.

I thought to myself, Why is it people use Lysol to cover up, um, smells and such in the bathroom?? Sure Lysol kills the problem at the source but, goodness gracious, there are other means of consideration than to merely cloud up the bathroom covering up something that probably shouldn't be there in the first place! Know what I mean? Why not take preventive measures to keep things in check rather than junk up the bathroom and surrounding areas with yet another foul scent?

Then it hit me...this social dilemma is no different than people relying solely on Web application firewalls for Web security. We know problems like SQL injection, XSS and session management are there. Why not just fix the flaws rather than covering them up? I wrote about this in a piece on PCI DSS 6.6 compliance four years ago and I still see and hear about this a lot...priorities I suppose.

Anyway....apparently I have an uncanny ability to tie bathroom logic in with information security. It's an awful personality flaw. Please don't hold it against me.

Read More

Great quote to live by

Here's one of my favorite #quotes you can apply to your career, regardless of which field you're in:

"A successful life is one that is lived through understanding and pursuing one's own path, not chasing after the dreams of others." -Chin-Ning Chu

Read More

Damballa’s Fight Against Advanced Malware

Malware being out of sight and out of mind often creates the perception that risks aren't present. Just because there’s no perceived risk, doesn’t mean it’s not there. Heads buried in the sand over the real malware threat leads to breaches that most organizations aren't prepared to handle. Having worked on a project involving an APT infection, I’ve seen first-hand how ugly this stuff can get.

Endpoint protection isn’t enough. Analyzing executables isn’t enough. Even standalone monitoring of network communications and or rating of source malware sources isn’t enough to thwart the real problem. Like the core information security principle, you’ve got to layer controls if you’re going to get the most out of your malware protection.

One of my core information security principles I recommend to my clients is to use what you’ve got when it makes sense. By this I mean use the built-in security controls that your operating systems, databases, network infrastructure devices and so on already have. So many of us assume that we need to buy third-party products to keep our environment secure. This is not true in so many cases.

However, when it comes to fighting advanced malware, it’ll behoove you to use the niche technologies that specialize in this area. The market is tiny (relatively speaking) but Damballa’s Failsafe is worth checking out. I’ve seen Failsafe 5.0 in action and it seems to be a comprehensive solution to a widespread problem that I suspect is only going to get worse. As you've heard me say regarding Web application scanners, password cracking and the like, you've got to have good tools if you're going to find (and, in this case, control) what matters.

I’ve written a new paper where I talk more about the advanced malware problem and how Damballa Failsafe 5.0 fits into the overall information risk equation. Check it out.

Read More

Let's make 2012 the year we get past "compliance" as we've known it

I hope your 2012 has gotten off to a grand start! Mine has. I believe this year is going to further demonstrate why we're working in one of the best possible fields in the world.

To get things rolling this year, I wanted to share with you a few new pieces I've written for TechTarget's SearchCompliance.com regarding...well, compliance. It's one of those topics that tends to infuriate me when it comes to government intrusion into the free market and our own personal lives. However you see it, compliance is still something you have to address in your business. Hopefully some of these bits will help take some of the pain out of compliance. Enjoy!

Top compliance questions you need to be asking your network administrators

Address information risk management now — before the going gets tough

How can you avoid a Web security breach? It's all in the preparation.

Seven dangerous assumptions about compliance

A thorough data retention strategy needs more than just IT oversight

Top 5 techniques for management buy-in for your IT governance strategy

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Read More