Archive for the 'Security Assessments' Category

12 Dec 11

Considerations When Moving to Cloud

WatchGuard recently unveiled their top security predictions for 2012. This list has been pretty accurate over the years. One of them that jumped off the page to me was this: "A major cloud provider will suffer a significant security breach" (Cloud Computing brings chance of malware-storms).

This echoes one of the items I teach in our Security Practice class. There is an increased "blindness" when companies move data and servers to the cloud. Companies have little or no control over these servers, so your security is 100% dependent on someone else's security practice.

Don't confuse cloud companies with technical companies. They are sales-based organizations. While a lot of the services are, and will continue to be, secure, new businesses are popping up and being adopted rapidly without proper testing.

If you are looking to move your data to the cloud, make sure you do your due diligence and properly vet these service providers. And never hand over the keys to your company without retaining complete control over who has access. Doing so blindly is playing with fire.

05 Dec 11

Where are all your eggs stored?

In my experience very few executives, whether IT or otherwise, know where all their data is stored. I do not mean this to sound insulting or judgmental. The reason executives don't know is that this information is rarely properly documented. This is a scary thing. We recently have been involved with a few clients in "getting control" of their IT assets after some turnovers, and it is very costly. Wrangling all of this in is always a challenging and time-consuming task.

My advice to any executive that is responsible for IT or other digital assets is to take time to understand all of the areas where your data resides and make sure that the data is protected and backed up. There is nothing worse than not knowing something when you are thrown into a situation where you have to know. These situations could range from employee turnover to employee termination. Getting access ahead of time is basic continuity planning and needs to be the top priority for any organization.

09 Nov 11

Projects Delayed

Below my office they are adding a patio onto the popular restaurant downstairs.  This project started months ago and still continues today.  It seems to me to be never ending.  The workers come in each day, mess with this or that.  They never seem to make great strides.

When the project began this wasn't the case. The first day they started building it you would have thought they had a deadline of that weekend. A lot of action: bricklayers, carpenters, concrete trucks, landscapers, etc.

Slowly, as the months progressed, the work slowed down. Now that temperatures are around 45 at night here, the patio is still being built. So the investment they made in the additional seating will not be recouped for several more months now.

This is often the case with enterprises as well. Months are spent deciding on a solution. Once purchased, the project starts with great excitement and then fades away. Another business objective starts, and the original project may or may not be finished. The money was spent, though, and the goals are never realized, or are realized only much later.

As the year winds down we are in the process of wrapping up our projects and goals and starting to think about 2012.  Our business is not the same as it was 11 months ago I can assure you.  And what I thought I wanted to do has changed as well.  Some things I thought were great ideas were failures.  Some things I didn’t even think about have been a tremendous success.

With a looming recession affecting many businesses and fast changes affecting others, have your projects been reevaluated?  Have the products you are using been reevaluated?

08 Nov 11

Security Projects – Why They Never Get Approved

I watched this video a couple weeks ago and immediately shared it with my team.  I think this is a fantastic explanation for why people do or do not do something.  I think this fits in perfectly with what I have been talking about lately, why IT people don’t get security projects approved.  Take a look and I would love to hear your feedback.

http://www.ted.com/talks/lang/eng/simon_sinek_how_great_leaders_inspire_action.html

25 Oct 11

International Considerations

Pakistan will begin enforcing a ban on VPN traffic. The Pakistan Telecommunications Authority delivered a memo to Internet providers asking them to block encrypted VPN traffic unless permission is obtained.

The concern is that terrorists will try to hide communications. The reality is, in my opinion, they want to snoop on all traffic. I believe this is the same country that was mad at the USA for killing Bin Laden. Are we to believe that now they are interested only in stopping terrorists?

I believe that companies that operate in the Middle East and Asia Pacific regions will have these obstacles continuously added. Proper planning for a dynamically changing remote access solution will be necessary to continue to compete. Products, policies, and procedures will need to be continuously reevaluated in this climate.

11 Oct 11

Let’s Talk Phishing

Phishing is one of the most dangerous scams on the internet today. That is not news to anyone who even casually reads the news. When a phishing attack occurs, the purpose is to gain access to critical data by attempting to coerce users into disclosing it. An even more egregious attack is spear-phishing. That is when an attack is personally targeted at your employees.

When companies test their security they rarely test for phishing success.  Yet it is extremely relevant.  Not testing for phishing success is really just waiting to get your data stolen. 

Your employees don’t know how to react unless you train them.  You can’t train them until you know where you are weakest.

We offer this as a service to our clients. No single test or assessment makes you secure. Only through several tests can you really know where your security stands.

10 Oct 11

Communication is Key

The number one thing that makes companies more secure is often overlooked. It isn't the firewall, the anti-virus, the email filter, or even the 2FA process. It is communication.

For example, you encrypt a hard drive. That is a great thing to do... Then an employee tapes the password to the keyboard because it is too complicated to remember.

If the risks and the process are never properly communicated to employees, all the devices in the world will not make you 100% secure.

Join me in Charleston on October 13, 2011 for a one day training class on how to make security a part of your organization. http://www.xtmtraining.com/trainingform.php

05 Oct 11

Testing for Success

How do you know the smoke detectors in your house work?  Do you assume they work or have you tested them?

How do you know the brakes on your car work?

I believe that if companies spent a small portion of their current IT budget simply testing their security they would have a better handle on their position and what they need to do next year.  Without testing the security, or lack of security, I really don’t understand how they can plan for 2012.

Basing budgets and projects off of instinct and not hard facts is never a good plan.

04 Oct 11

Phishing Attacks

Most companies do not test for user reactions to a phishing scam.  This is a mistake.  Not knowing how a user will react to a phishing attack leaves your company vulnerable.

We offer phishing tests to help our clients protect their assets.  Don’t wait for an attack to occur.  Test for it so we can train your team properly.

29 Sep 11

Security Practices Class

Our Security Practices class in Charlotte starts Thursday afternoon.  This day and a half event will kick your butt on security and provide you with the security blueprint you need to plan 2012.  Don’t miss this high impact high energy event.  Only 3 spots remain.

http://www.xtmtraining.com/trainingform.php
