Archive for the 'Risk Management' Category
The Human Side
When evaluating your company's security you cannot exclude the human element. No matter how secure your technology is, no matter how many products you buy, if people are involved you have risk. Data loss prevention (DLP) is one way to mitigate the human element.
Testing for Success
How do you know the smoke detectors in your house work? Do you assume they work or have you tested them?
How do you know the brakes on your car work?
I believe that if companies spent a small portion of their current IT budget simply testing their security, they would have a better handle on their position and what they need to do next year. Without testing their security, or lack of it, I really don't understand how they can plan for 2012.
Basing budgets and projects on instinct rather than hard facts is never a good plan.
My Switch from BlackBerry
I have recently switched from a BlackBerry to an Android phone. Since I had been with BlackBerry for 7 years I thought maybe it was time to see what all the buzz was about. So here is my security review summary.
While I do see the appeal of having apps on the phone and the accessibility of information, I have to say the security is atrocious. Simple settings to protect the phone are just not there. I can easily hack around all of the security and extract information. Also, it seems so much more complex, with Google wanting to force you into their world, such as wanting you to create a Gmail account. One example: an employee of ours set up his Gmail account in seconds. While these features are beneficial to some, I really don't see the appeal in business.
If your company has mobile security concerns, stay tuned to this blog for an upcoming event as part of the security blueprint series.
Do you Stop When it Works?
When do you stop working on a task? When the thing you are working on works? That is true for most things in life: when the garbage disposal is fixed, why keep working on it?
Unfortunately, in security that approach doesn't carry over. IT people often stop working on something when what they are installing works. When the firewall passes traffic, they move on. When the system is installed, they move on. This is a flawed approach.
In security you mostly have to test for something not working. By that I mean we need to make sure the bad guys can't get in. If we stop when it works, then maybe we opened too much access. Maybe we left a trail of holes behind us in order to get the system installed.
Security practice starts with a simple principle: what is the minimum I need to do?
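The "test for not working" idea above can be made concrete by checking an installed rule set against the minimum each service actually needs, rather than just confirming the service answers. The following is an added example, not code from the original post or from any firewall vendor: the rule syntax (`ACTION PROTO SRC -> DST:PORT`), the policy table and the sample rules are all constructed for illustration.

```python
"""Check an installed firewall rule set against a minimum-access policy.

Added example. The rule format, POLICY and INSTALLED_RULES below are
constructed for illustration and are not from any real device.
"""
import ipaddress
import re

# Intended policy: the minimum each service needs. Anything broader is a finding.
# Key: (destination host, port); value: source networks allowed to reach it.
POLICY = {
    ("10.0.0.5", 443): ["0.0.0.0/0"],      # public web server
    ("10.0.0.5", 22): ["10.0.1.0/24"],     # SSH only from the admin subnet
}

# Constructed rule set. The second rule is the kind of "it works now" leftover
# that an install often leaves behind; the fourth opens every port from one host.
INSTALLED_RULES = """\
ACCEPT tcp 0.0.0.0/0 -> 10.0.0.5:443
ACCEPT tcp 0.0.0.0/0 -> 10.0.0.5:22
ACCEPT tcp 10.0.1.0/24 -> 10.0.0.5:22
ACCEPT tcp 192.168.5.7/32 -> 10.0.0.5:any
DROP any 0.0.0.0/0 -> 10.0.0.5:any
"""

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+->\s+(\S+):(\S+)$")


def parse_rules(text):
    """Parse the hypothetical rule syntax into dicts; reject anything unparseable."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        action, proto, src, dst, port = m.groups()
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst,
                      "port": None if port == "any" else int(port), "text": line})
    return rules


def rule_is_minimal(rule):
    """Return (ok, reason). Only ACCEPT rules can widen access, so DROP rules pass."""
    if rule["action"] != "ACCEPT":
        return True, ""
    if rule["port"] is None:
        return False, "accepts all ports; no policy entry allows that"
    allowed = POLICY.get((rule["dst"], rule["port"]))
    if allowed is None:
        return False, "service not in policy"
    src = ipaddress.ip_network(rule["src"])
    for net in allowed:
        if src.subnet_of(ipaddress.ip_network(net)):
            return True, ""
    return False, "source %s wider than policy %s" % (rule["src"], allowed)


def audit(text):
    """Return (rule text, reason) for every rule that is wider than the policy."""
    findings = []
    for rule in parse_rules(text):
        ok, reason = rule_is_minimal(rule)
        if not ok:
            findings.append((rule["text"], reason))
    return findings


if __name__ == "__main__":
    for text, reason in audit(INSTALLED_RULES):
        print("FINDING:", text, "--", reason)
```

Run against the sample, the audit reports the world-reachable SSH rule and the any-port rule; the web rule and the admin-subnet SSH rule pass. The point is that the check compares what is open against what was supposed to be open, which is a different question from "does the firewall work".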
WatchGuard Partner Conference
I recently attended the annual WatchGuard Partner Conference in Cabo San Lucas, Mexico. It was a great time and very educational. On the last day a few of us snuck out to go bungee jumping at Wild Canyon. Here is a video, shot from the side, of me jumping.
Rising Tides in the Mobile World
I read a post by someone recently that had me a bit perturbed. It was in reference to the new features coming out in Apple's iCloud service. The writer said that everything is over for RIM now that Apple has this service. It was written in a way that was almost cheering on their demise. I almost snapped back and asked why it took Apple so long to do what RIM did 12 years ago. Stephanie set me straight, though: you can't convince a Yankees fan that the Red Sox are a good team too.
The comment was shallow and showed obvious bias. It was probably written by someone who was just bursting with excitement at the new service. It was also ignorant, in that if it weren't for RIM the iPhone wouldn't be where it is today. And in 5 years, if it weren't for the iPhone, the next hot phone won't be where it is. I don't want any company in the mobile space to go under. I believe a rising tide lifts all boats, and healthy competition is ultimately good for the consumer.
I also don't really have a favorite in this space. My concerns are mainly how these foreign devices are going to affect internal security at the enterprise level.
My question for anyone in the market is: what security is built into any of these platforms? RIM has done a phenomenal job on security up until this point, and I hope that trend continues. I also hope that track record is forcing Apple engineers to equal or exceed that level of security. Android isn't doing such a hot job so far, but my gut is that will change soon. Open source is great in theory, but not a good idea in the case of mobile security, where most people have zero protection.
Deciphering the Chaos
So if everything is running together and people are tuning out the risks they face, what can be done about it? I am not sure reacting to every breach is the ideal approach. I believe we can take a few simple steps to reduce our risks and control our exposure. The main issue with all of these breaches is the theft of personal information. So let's just remove that from the equation and be in control of our own information.
Here is a brief list of what you can do to protect yourself online that most people don't think about. This is, of course, based on the known risks and the protections people should take.
- Use a Password Generator – I like and use LastPass, www.lastpass.com. It is a little plugin for all browsers and devices that creates and maintains all of my passwords. I have no idea what most of my passwords are, because I simply log in to LastPass and it fills in the username and password for me when I want to log in. I can view them if I want to, but I don't really need to much. The best part is, no one can see the passwords except me.
- Don't Be Honest – If I have one reputation in the world it is honesty; I do have others, though. But when it comes to internet security I choose to lie most of the time. Take those password reset questions. Why do we always want to be honest and give the real name of your high school or your dad? The answer to almost any question a website asks could be found by anyone doing a Google search on you. My suggestion is to use made-up answers. You can always use the same answer on different sites so you don't forget, but the key is to never be honest. The website won't know that your high school wasn't really called Peanut Butter Crunch or that you weren't born in Antarctica. By taking this simple step you can always reset your passwords, but most importantly the bad guys can't, because the information is bogus and only you know it.
- Keep it Personal – You never need to tell personal details about yourself online. You can be social but not specific. For example, don't say "I am going to dinner with John at 131 Main at 8:00." Two issues there: first, I know you will be out of the house, and second, I know where. Say something like "John and I are going to dinner tonight." Also, avoid using sites that want to broadcast your location, like Foursquare. There are sites that tell who in your area is not home or out of town so you can break in. The truth is, I don't really care that you are checked in at the Dunkin' Donuts for the fourth time this morning.
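The first two items above (a generator for passwords, and made-up answers for reset questions) come down to one thing: the secret should be random output that has nothing to do with you. The following is an added example, not code from the original post or from LastPass, showing how such values are generated from a cryptographic random source and how an answer can be screened against facts an attacker could look up. The word list, the `PUBLIC_FACTS` set and the site names are constructed for illustration.

```python
"""Generate random passwords and made-up security-question answers.

Added example using Python's `secrets` module (a CSPRNG). WORDS and
PUBLIC_FACTS are constructed for illustration; a real passphrase generator
would draw from a list of several thousand words.
"""
import math
import secrets
import string

# Constructed word list (16 entries, so 4 bits per word; see usage note).
WORDS = ["peanut", "butter", "crunch", "antarctica", "glacier", "lantern",
         "copper", "violet", "harbor", "meadow", "saddle", "timber",
         "falcon", "quartz", "ember", "cobalt"]

# Hypothetical facts about this person that a web search would turn up.
# A reset answer must never be one of these.
PUBLIC_FACTS = {"lincoln high", "springfield", "robert", "max"}

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def entropy_bits(choices, length):
    """Entropy of `length` independent, uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def generate_password(length=20):
    """Random password from the CSPRNG; never derived from anything about the user."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def generate_answer(words=4):
    """A made-up reset-question 'answer': random words, not a real fact."""
    return " ".join(secrets.choice(WORDS) for _ in range(words))


def answer_is_safe(answer):
    """True if the answer (case-insensitive) matches nothing publicly discoverable."""
    return answer.strip().lower() not in PUBLIC_FACTS


def build_vault(sites, question="What was the name of your high school?"):
    """Per-site credentials: a unique password and a unique bogus answer for each.

    Storing the answer beside the password removes the reason to reuse one
    answer everywhere, which is the trade-off the post mentions.
    """
    vault = {}
    for site in sites:
        vault[site] = {"password": generate_password(), question: generate_answer()}
    return vault


if __name__ == "__main__":
    vault = build_vault(["bank.example", "mail.example"])
    for site, creds in vault.items():
        print(site, creds)
    print("password entropy (bits): %.1f" % entropy_bits(len(PASSWORD_ALPHABET), 20))
    print("answer entropy (bits):   %.1f" % entropy_bits(len(WORDS), 4))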
Do all the Risks Run Together?
If you are like most people, trying to keep up with who was breached and hacked today can be a lot to keep up with. There seem to be more cyber break-ins than ever. Today, just looking through some online resources that report on attacks, we have Sony (again), Honda of Canada, PBS, Google Android, Apple, and Gmail for starters. All of those are household names, and most likely you are tied to one or more of them. Heck, my kids are probably at risk too because of PBS (the only good thing on PBS is the kids' programming).
So with all this news, what do you do? Do you react and aggressively start changing passwords? Do you stop working with these companies? Or do you do nothing?
Each of these has pros and cons you could weigh. The first two are both good ideas, but with the increasingly high-profile attacks they are not always practical.
I am, however, growing concerned over the last option: do nothing. I think this is going to become the action most people take. Just like when my Grandpa Don and I start talking (read: arguing) about politics, my Grandma just waves her arm and tunes us out, giving us very little attention. At the end of our conversation neither of us has changed our opinions and nothing will change. Although I want to believe my Grandma is now on my side.
I could spend every day writing about this breach or that one, and most people would just tune me out. When I go to meet with clients I could find the "Hack of the Day" and use that to try and sell more firewalls. But the reality is it probably won't work, because people are tired of it.
Remember TJ Maxx? Well, I can tell you most people have forgotten, and their stores are performing well based on the last time Stephanie made me go in there.
Let me know your thoughts. Tomorrow’s topic will be what to do about it.
A Simple Question
Did you spend more on your IT security than these guys? The cost of your security solution doesn't matter as much as how it is implemented and the policies around it. This stuff definitely isn't cut and dried.
http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/
Phone System Security
This is not a post about mobile phone security, although one would think that is more topical. I had a great conversation today with one of my customers, and the subject of phone system security came up. Believe it or not, people still try to, and succeed at, breaking into phone systems, wreaking havoc and making phone calls. During our discussion I was thinking that this sounded like something we would have discussed 10 or 15 years ago. Some of you may recall the hacker Kevin Mitnick; he writes about doing this in his books The Art of Deception and The Art of Intrusion.
We discussed ways to lock down access to the systems and some of the features WatchGuard offers to shore up his security, since phone system manufacturers are a joke when it comes to security. But what struck me was the fact that you can never take your eye off the past in terms of security. We must always look forward while making sure all the doors are closed behind us.
So my question of the day is: did anyone unlock the door after you closed it?
