Archive for the 'Security Assessments' Category



27 Sep 2011

When to Outsource

So when is a good time to outsource a function of IT? I think anyone who has received a call from a Managed Services Company has asked that question of themselves. Some companies absolutely refuse to outsource any function of IT. Others, in my experience, outsource too much.

Like anything, I don’t think there is a clear-cut answer. It will depend on the talents of your staff. If your staff is really good at break/fix work, then higher-end functions like firewall management and security should be outsourced. Conversely, if your staff is more skilled in the higher-end functions, then please get the break/fix work off their plate. It is unwise to try to do all the work in-house if your staff doesn’t possess the appropriate skills.

Please do not take this as a criticism of anyone’s skills or knowledge level. God knows I am not the one to do a lot of jobs in this world, no matter how much I want to. Knowing the limits of your IT team is how you lead them to what they really want to do. People naturally gravitate towards their skill set anyway. It is the job of the leader to keep them on that path. And outsourcing certain functions of your department is the only way to lead the organization down the correct path.

23 Sep 2011

Security Blueprint

Anyone who has ever started a large-scale project knows the planning can be daunting.  But that doesn’t have to be the case with security.  If you have ever wanted to change your organization to be more security focused, you need to start with the basics: the blueprint.

We are busy with writing and speaking engagements helping companies get their security blueprint started.  It isn’t difficult, you just need to know where to start.

We are conducting our first webinar in this series on Wednesday September 28, 2011 titled The Benefits of Penetration Testing.  Join me to help you start down the right road.  Registration is required to attend.

Register @ http://goo.gl/cWvOv

 

12 Sep 2011

Do you Stop When it Works?

When do you stop working on a task?  Usually when the thing you are working on works.  That is true for most things in life: once the garbage disposal is fixed, why keep working on it?

Unfortunately in security that technique doesn’t carry over.  IT people often stop working on something when what they are installing works.  When the firewall works, they move on.  When the system is installed they move on.  This is a flawed approach.

In security you mostly have to test for what should not work.  By that I mean we need to make sure the bad guys can’t get in.  If we stop as soon as it works, maybe we opened too much access.  Maybe we left a trail of holes behind us in order to get the system installed.

Security practice starts with a simple principle: what is the minimum I need to allow?
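Here is what that negative test looks like in practice, as an added example that is not part of the original post.  Instead of asking “does the new service answer?”, it asks “what else is reachable now that nobody asked for?”  It assumes the host’s listening sockets are captured as `ss -lntu` text and that the change ticket lists the sockets that were supposed to be opened; both inputs below are constructed for illustration, not taken from a real host.

```python
"""Negative test for a freshly installed host.

Added example, not code from the original post.  Both the allow list and
the `ss -lntu` capture are constructed for illustration.
"""
import ipaddress

# Hypothetical change ticket: the install was supposed to expose only these.
ALLOWED = {("tcp", 22), ("tcp", 443)}

# Constructed `ss -lntu` capture taken after the install; not a real host.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511                *:443             *:*
tcp   LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      128             [::1]:631          [::]:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""


def exposed_sockets(ss_text):
    """Return the set of (proto, port) bound to a non-loopback address.

    Loopback-only listeners (the database on 127.0.0.1, the printer
    service on ::1) are not reachable from the network and are left out.
    """
    exposed = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or something we do not understand
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")        # "[::1]:631" -> "::1"
        if addr in ("*", ""):          # wildcard bind, reachable everywhere
            loopback = False
        else:
            loopback = ipaddress.ip_address(addr).is_loopback
        if not loopback:
            exposed.add((proto, int(port)))
    return exposed


def unexpected_exposure(ss_text, allowed):
    """The negative test: every reachable socket the change did not ask for."""
    return exposed_sockets(ss_text) - set(allowed)


def missing_exposure(ss_text, allowed):
    """The positive test most people stop at: did the requested ports come up?"""
    return set(allowed) - exposed_sockets(ss_text)


if __name__ == "__main__":
    extra = unexpected_exposure(SS_OUTPUT, ALLOWED)
    print("requested but not listening:", sorted(missing_exposure(SS_OUTPUT, ALLOWED)) or "none")
    print("listening but never requested:", sorted(extra) or "none")
    raise SystemExit(1 if extra else 0)
```

On the constructed capture the positive test passes (22 and 443 are up), which is where most installs stop; the negative test is what flags the leftover 8080 listener and SNMP on 161.  Run it again after the cleanup and it should exit 0.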

02 Sep 2011

Hubris and Security

Let’s say you have two groups of people that are involved with your company.  The first group is dedicated to your products religiously.  So dedicated, in fact, that you barely need to market to them.  These customers, or fans, wait for you to come out with what’s next.  Almost like mind-numbed robots they wait for you to tell them what they need.  They may even line up around the corner on the day your new product is released.  And when they finally get their hands on it they can’t say a bad word.

As a company this is a great position to be in, correct?  I mean who wouldn’t want that.  I know I would as a business owner.

Then let’s say there is this second group of people.  They don’t talk publicly.  They use homemade tools the first group has never heard of.  They are extremely intelligent but don’t feel the need to show off.  They just quietly work behind the scenes trying to find holes and risks in your company’s products.

The problem is that your company will be so focused on making its fans happy that it will fail to focus on the risks associated with what it is producing.  As a result, the risks to your users will actually increase.

Once upon a time your products may have been more secure, more solid.  But in order to increase your brand’s popularity you had to remove some of those safety nets.  Maybe you changed a few core values.

What also adds to your problem is that the raving fans are so loyal they will refuse to be critical of your products, but only at first.  Eventually, if you don’t address what the second group is doing for fear of upsetting the first group, there won’t be any groups worrying about you anymore.  Your circle of influence will slowly shrink until a competitor sneaks up on you, and the next thing you know you are trying to figure out what happened.

The worst character trait for a company to have is hubris.  Several companies are demonstrating this characteristic today.  That lasts for a while, until you develop a new trait: humility.  Several more have that trait.

01 Sep 2011

Communicating the Why

I am in the process of preparing for a company meeting.  I am not big on formal meetings so it is rare when I call one.  The purpose of this one is to communicate what our company is doing and where we are going. 

I think with many companies people are so involved in their part of the business they never see the bigger picture and what the purpose of their part of the business is.  They are so busy rowing the boat they never stop to ask, hey where are we going?

The same is true in most companies when it comes to security.  Companies never communicate to their teams why these controls are put into place.  And what is the result?  Less security than before the control was put into place.  Why?  Because if people don’t understand the why, or see where the ship is headed, they never buy into it.  They are never fully on board.  Therefore, they fight the security measures that are put into place.  They tape encryption keys to laptops and leave the password device on the desk.

Additionally, valuable work time is wasted as employees complain to each other that they can’t access Facebook and Twitter.  If the company would just stop and educate the employees on the why and not just the what, I believe this would lead to a fundamental shift in how employees react to security measures.  Not only would they participate in the measures, they would self-police and make sure all the co-workers around them were participating as well.

10 Jun 2011

The First Domino’s Fall

For years we have heard arguments that the Mac is much more secure than Windows.  Looking at the statistics of malware infections, the comment is true, but the figures do not tell the whole story.  Just because no one broke into my car last night doesn’t mean the Jeep I am renting is the safest car in the world.  It just means no one tried last night.

Recently a piece of malware was found that infects Mac computers.  The infection was interesting from a security perspective because it didn’t require admin privileges to execute.  That is pretty serious.  It exposes a hole in the privilege model Mac users rely on: the admin-password prompt is not a barrier to malware that installs itself as the logged-in user, because it never has to trip that prompt.  My feeling is this is the first in a long line of attacks coming for the Mac.  Once a major door is exposed it is easy for others to get on the bus.

Windows users are trained to be cautious on their computers.  Mac users are much more free spirited in that they feel insulated from any attack.  They think that it only happens to those Windows people over there.  This is prime picking for an attacker.

I am sure people will say I am biased towards Windows and I am not.  I believe all devices are at risk because all devices are made by humans.  As the Apple brand grows and gains market share these attacks will increase rapidly.  The risks will be great and the damage may be worse than Windows because they aren’t expecting it.  Policies and controls need to be in place on any platform and in every vertical.

01 Jun 2011

A Simple Question

Did you spend more on your IT security than these guys?  The cost of your security solution doesn’t matter as much as how it is implemented and the policies around it.  This stuff definitely isn’t cut and dried.

http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/

01 Apr 2011

How Secure Are You?

McAfee.com was found to have Cross-Site Scripting (XSS) vulnerabilities.  If that company, a leader in security and research, can have holes in its own site, how secure is your site?  For that matter, how secure are your employee and client data?

I am not trying to scare you.  But it is scarier to think that you are safe from any issues.  That is simply not the case.  Can I be so blunt as to say naïve?  This story proves that anyone is vulnerable.

The key to good security is proactivity: looking and checking all the time.  Just because you did a security assessment 6 months ago means nothing.  Has nothing changed in your business in the last 6 months?  No employee changes?  No new equipment?  All your employees are still happy?

These threats are real.  This isn’t science fiction, they are happening.  The only question left is what is your reaction to it going to be?

http://www.scmagazineus.com/mcafee-working-to-fix-xss-information-disclosure-flaws/article/199505/
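To make “how secure is your site?” concrete, here is the class of flaw the linked story is about, shown on a hypothetical search page.  This is an added example; none of it is McAfee’s code or anything from the article, and the page names and probe strings are assumptions.  The check at the bottom is the one an assessor actually runs: send markup in a parameter and see whether it comes back intact.  It also shows why “we escape our output” is not the end of the question, since the right encoding depends on where in the HTML the value lands.

```python
"""Reflected cross-site scripting on a hypothetical search page, and the
probe used to find it.  Added example, not code from any real site.
"""
import html

# --- vulnerable: the query string goes straight into the page -------------

def results_heading_vulnerable(query):
    # Classic reflected XSS: the parameter is written into the HTML body as-is.
    return f"<h1>Results for {query}</h1>"

def search_box_weak(query):
    # Escapes < > & but not quotes, so a quote in the input ends the attribute
    # and whatever follows becomes a new attribute (e.g. an event handler).
    return f'<input name="q" value="{html.escape(query, quote=False)}">'

# --- fixed: encode for the context the value is written into --------------

def results_heading_fixed(query):
    return f"<h1>Results for {html.escape(query)}</h1>"

def search_box_fixed(query):
    # quote=True (the default) also turns " and ' into entities.
    return f'<input name="q" value="{html.escape(query, quote=True)}">'

# --- the assessment: probe, then look for the probe in the response -------

TEXT_PROBE = "<script>alert(1)</script>"          # breaks out in text context
ATTR_PROBE = '" autofocus onfocus="alert(1)'      # breaks out of a quoted attribute

def reflects_unescaped(render, probe):
    """True if the probe string appears verbatim in what the renderer emits."""
    return probe in render(probe)

def assess(pages):
    """Run both probes against each (name, renderer) pair and list findings."""
    findings = []
    for name, render in pages:
        for probe in (TEXT_PROBE, ATTR_PROBE):
            if reflects_unescaped(render, probe):
                findings.append((name, probe))
    return findings

PAGES = [
    ("heading-vulnerable", results_heading_vulnerable),
    ("search-box-weak", search_box_weak),
    ("heading-fixed", results_heading_fixed),
    ("search-box-fixed", search_box_fixed),
]

if __name__ == "__main__":
    for name, probe in assess(PAGES):
        print(f"{name}: reflects {probe!r} unencoded")
```

The weak search box passes the `<script>` probe and fails the attribute probe, which is the kind of half-fix a six-month-old assessment would have missed if the page changed in the meantime.  Against a live site the renderers would be HTTP requests and the check would read the response body, but the logic is the same.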

10 Nov 2010

More Compromise

Compromise can mean different things to different people.  When I am going to dinner and I ask my daughter where we should go she always says the same thing, Friendly’s.   I hate Friendly’s so I suggest PF Chang’s, she hates that place so we wind up at a place that has something we both like.  That is a compromise.

When President Obama says he wants to work with Republicans on a compromise what is he really saying?  He doesn’t mean compromise he means you should capitulate to his side.  He has his beliefs and he wants to get his agenda through.

James and I were discussing this very point last night.  You can’t secure a little of a network.  We can’t assess a portion of the network and give a client a full report.  We can’t do this work and bend here or there.

Complete work has to be a philosophy of any business.  The mission of a business should be to provide X and Y while protecting its clients’ entire interest.  Would you go to a dentist’s office whose mission was: “To provide outstanding oral care to the top row of teeth”?

Someone once asked me to set up logging for users so they could see who was logging in.  I said we could do that, no problem, but we should do an assessment so we have a complete picture of the network and make sure we capture all of the logins from all the different applications.  He said no, we just need the logins enabled for the Windows computers.  I said that it wouldn’t be accurate because of all the Mac computers (half the company uses Macs).  He said it was fine, just turn it on.  I asked who we should train on the location and reading of the logs.  His response: “We don’t need to train anyone on reading them.  Our auditors just want the logging enabled.”  Security isn’t in the DNA of this IT department.  They are just going through the motions.
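To show what “just turn it on” leaves out, here is a coverage check for that logging anecdote, as an added example that is not the client’s setup or anything from the original post.  It reconciles login records against an asset inventory and reports which machines produced nothing.  Both log formats are constructed for illustration: the Windows lines mimic a Security-log export of Event ID 4624 (successful logon) and 4625 (failed logon), and the Mac lines mimic a syslog-style loginwindow message whose exact wording is assumed.  Hostnames, users and timestamps are made up.

```python
"""Login-audit coverage check.  Added example; inventory and log lines are
constructed for illustration and the Mac log format is assumed.
"""
import re

# Hypothetical asset inventory: half the fleet is Macs, as in the story.
INVENTORY = {
    "WIN-ACCT01": "windows",
    "WIN-SALES02": "windows",
    "MAC-DESIGN01": "macos",
    "MAC-DESIGN02": "macos",
}

# Constructed Windows Security log export (not a real capture).
WINDOWS_EVENTS = """\
2010-11-10 08:02:11 WIN-ACCT01 4624 Account Name: jsmith Logon Type: 2
2010-11-10 08:15:40 WIN-SALES02 4624 Account Name: mjones Logon Type: 10
2010-11-10 09:01:02 WIN-ACCT01 4625 Account Name: jsmith Logon Type: 2
"""

# Constructed syslog-style Mac lines (message wording assumed for the example).
MAC_EVENTS = """\
Nov 10 08:05:33 MAC-DESIGN01 loginwindow[88]: login succeeded for user adesigner
Nov 10 08:06:01 MAC-DESIGN01 kernel[0]: wake reason: EHC1
"""

# Only successful logons (4624) count; 4625 failures are a different question.
WIN_LOGON = re.compile(r"^(\S+ \S+) (\S+) 4624 Account Name: (\S+)")
MAC_LOGON = re.compile(
    r"^(\w{3} +\d+ \S+) (\S+) loginwindow\[\d+\]: login succeeded for user (\S+)"
)


def normalize(windows_text="", mac_text=""):
    """Turn both sources into one list of (host, user, source) login records."""
    records = []
    for line in windows_text.splitlines():
        m = WIN_LOGON.match(line)
        if m:
            records.append((m.group(2), m.group(3), "windows"))
    for line in mac_text.splitlines():
        m = MAC_LOGON.match(line)
        if m:
            records.append((m.group(2), m.group(3), "macos"))
    return records


def logins_per_host(inventory, records):
    """Count login records per inventoried host; unknown hosts are kept too."""
    counts = {host: 0 for host in inventory}
    for host, _user, _source in records:
        counts[host] = counts.get(host, 0) + 1
    return counts


def silent_hosts(inventory, records):
    """Inventoried hosts with no login record at all: idle, or not logging."""
    counts = logins_per_host(inventory, records)
    return sorted(h for h in inventory if counts[h] == 0)


if __name__ == "__main__":
    # What the client asked for: Windows only.
    partial = normalize(WINDOWS_EVENTS, "")
    print("Windows-only, silent hosts:", silent_hosts(INVENTORY, partial))
    # What a complete assessment would have insisted on.
    full = normalize(WINDOWS_EVENTS, MAC_EVENTS)
    print("Both sources, silent hosts:", silent_hosts(INVENTORY, full))
```

With only the Windows export, both Macs are silent and nobody can tell whether that means no one logged in or no one is collecting.  With the Mac source added, one Mac still reports nothing, and that is now a finding to chase rather than a blind spot.  The auditor’s “logging enabled” checkbox answers neither question; an inventory reconciliation like this one does.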

02 Nov 2010

Disgruntled IT head Sentenced for Hacking Website

Assessments and audits prevent this from happening.  The keys to the company’s security need to be protected higher up the ladder.

Disgruntled IT head sentenced for hacking website



