Archive for the 'Security Training' Category



23
Sep
11

Security Blueprint

Anyone who has ever started a large-scale project realizes the planning can be daunting. But that doesn’t have to be the case with security. If you have ever wanted to change your organization to be more security-focused, you need to first start with the basics: the blueprint.

We are busy with writing and speaking engagements helping companies get their security blueprint started.  It isn’t difficult, you just need to know where to start.

We are conducting our first webinar in this series on Wednesday, September 28, 2011, titled The Benefits of Penetration Testing. Join me to help you start down the right road. Registration is required to attend.

Register @ http://goo.gl/cWvOv

 

12
Sep
11

Do you Stop When it Works?

When do you stop working on a task? When the thing you are working on works? That is true for most things in life: when the garbage disposal is fixed, why keep working on it?

Unfortunately, in security that technique doesn’t carry over. IT people often stop working on something when what they are installing works. When the firewall works, they move on. When the system is installed, they move on. This is a flawed approach.

In security you have to test mostly for something not working.  By that I mean we need to make sure the bad guys can’t get in.  If we stop when it works then maybe we opened too much access.  Maybe we left a trail of holes in order to get the system installed.

Security practice starts with a simple principle: what is the minimum I need to do?

06
Sep
11

Buying the Skis without the Lessons

Simply purchasing a security product does nothing to benefit the company. Properly deploying and configuring it is the only way any benefits are realized. Do not discount getting the right people to do the deployment. Without them you will waste money.

02
Sep
11

Hubris and Security

Let’s say you have two groups of people that are involved with your company. The first group is dedicated to your products religiously. So dedicated, in fact, that you barely need to market them. These customers, or fans, wait for you to come out with what’s next. Almost like mind-numbed robots they wait for you to tell them what they need. They may even line up around the corners on the day your new product is released. And when they finally get their hands on it they can’t say a bad word.

As a company this is a great position to be in, correct? I mean, who wouldn’t want that? I know I would as a business owner.

Then let’s say there is this second group of people. They don’t talk publicly. They use homemade products the first group has never heard of. They are extremely intelligent but don’t feel the need to show off. They just quietly work behind the scenes trying to find holes and risks in your company’s products.

The problem with this is your company will be so focused on making its fans happy that you will fail to focus on the risks associated with what your company is producing. As a result, the risks to your users will actually increase.

Once upon a time your products may have been more secure, more solid. But in order to increase your brand’s popularity you had to remove some of those safety nets. Maybe changed a few core values.

What also will add to your problem is the raving fans are so loyal they will refuse to be critical of your products, but only at first.  Eventually if you don’t address what the second group is doing, at risk of upsetting the first group, there won’t be any groups worrying about you anymore.  Because your circle of influence will slowly get smaller until another competitor slowly sneaks up on you and next thing you know you are figuring out what happened.

The worst character trait for a company to have is hubris. Several companies are demonstrating this characteristic today. That lasts for a while until you develop a new trait, humility. Several more have this trait.

01
Sep
11

Communicating the Why

I am in the process of preparing for a company meeting.  I am not big on formal meetings so it is rare when I call one.  The purpose of this one is to communicate what our company is doing and where we are going. 

I think with many companies people are so involved in their part of the business they never see the bigger picture and what the purpose of their part of the business is.  They are so busy rowing the boat they never stop to ask, hey where are we going?

The same is true in most companies when it comes to security. Companies never communicate to their teams why these controls are put into place. And what is the result? Less security than before the control was put into place. Why? Because if people don’t understand the why, or see where the ship is headed, they don’t ever buy into it. They are never fully on board. Therefore, they fight the security measures that are put into place. They tape encryption keys to laptops and leave the password device on the desk.

Additionally, valuable work time is wasted as employees complain to each other that they can’t access Facebook and Twitter. If the company would just stop and educate the employees on the why and not just the what, I believe this would lead to a fundamental shift in how employees react to security measures. Not only would they participate in the measures, they would self-police and make sure all the co-workers around them were participating as well.

23
Aug
11

WatchGuard Partner Conference

I recently attended the annual WatchGuard Partner conference in Cabo San Lucas, Mexico.  It was a great time and very educational.  On the last day a few of us snuck out to go bungee jumping at Wild Canyon.  Here is the video from the side of me jumping.

http://www.youtube.com/watch?v=8QaeO8ulesY&feature=related

11
Apr
11

Email Security Should be Tops on Your List

The company that is considered the leader in security software, RSA, was recently hacked.  They were initially very quiet on what the attack was.  Well it finally came out. 

Want to know what took them down? Adobe Flash. An employee opened an email containing a Flash movie that installed a Trojan that opened the hole for the attackers. The email was sent in what is called a spear phishing attack.

01
Apr
11

How Secure Are You?

McAfee.com has a security flaw known as an XSS, or cross-site scripting, vulnerability. If that company can get hacked, a leader in security and research, how secure is your site? For that matter, how secure would your employees and client data be?

I am not trying to scare you. But it is scarier to think that you are safe from any issues. That is simply not the case. Can I be so blunt as to say naïve? This story proves that anyone is vulnerable.

The key to good security is proactivity.  Looking and checking all the time.  Just because you did a security assessment 6 months ago means nothing.  Has nothing changed in your business in the last 6 months?  No employee changes?  No new equipment?  All your employees are still happy?

These threats are real.  This isn’t science fiction, they are happening.  The only question left is what is your reaction to it going to be?

http://www.scmagazineus.com/mcafee-working-to-fix-xss-information-disclosure-flaws/article/199505/

17
Mar
11

WatchGuard Security Portal

Check out this great link. This will assist you with any WatchGuard lookups like WebBlocker, IPS, and Application Blocker. Also use this to report any false positives.

http://www.watchguard.com/support/security-portal/

09
Mar
11

No Birthday Wishes from Me

I will withhold my birthday wishes for this one.  This is the 25th anniversary of the computer virus.

According to the article, in 1986 Basit and Amjad Farooq from Pakistan circulated Brain, the first computer virus, on a floppy disk.

http://content.usatoday.com/communities/technologylive/post/2011/03/documentary-examines-the-inception-of-pc-viruses-25-years-ago/1



