Why do we Pen Test?


A penetration test evaluates the security of computer systems or networks by attempting to break into them, using manual techniques or automated tools. Basically, we send some experienced folks out with the instruction to find a way to defeat the security of our own systems. This usually comes with rules of engagement (no testing during business hours, don’t corrupt any production data, and so on).

I’ve been a part of numerous penetration tests. It seems that every organization has them these days. For the purposes of this article, I am limiting us to internal penetration testing, not …

2012 Enterprise Information Security Resolutions


I can’t believe it’s already been a year since I wrote my last Resolutions post. Overall, I believe those resolutions hold up pretty well. I’ve taken a few minutes to think back over 2011 and see how I did at achieving my resolutions… I am reminded that this ride isn’t a simple pass/fail endeavor. With that in mind, here are my 2012 Enterprise Information Security Resolutions.

  1. Successful information security is about making progress. It’s not reasonable or sustainable to expect all risks to be remediated as soon as they are discovered. Instead, my …

Enterprise Information Security is about Progress

Successful Enterprise Information Security is about Progress

What does a successful information security program look like in an organization? The traditional answer would be something like, “Technology risks are kept to a level the organization is willing to accept.” That sounds pretty simple, right? Find the places where risks are greater than we’re comfortable with, then fix them.

That type of thinking works for a point-in-time evaluation, but comes up lacking when we consider the dynamic nature of enterprise information security. Things change. New vulnerabilities are discovered, new types of technologies are implemented, and new business requirements arise. In reality, there is …

Information Security as the Doctor of the Enterprise


“You don’t have to floss all your teeth, just the ones you want to keep.”

I remember, as a child, going to the dentist and seeing that slogan on a poster on the wall. Between that and the serious questions about my brushing and flossing habits during the appointment, it would have been impossible to walk out of the dentist’s office without a full understanding of the importance of consistent oral hygiene. I would leave the dentist’s office (greatly relieved to be free) but without any commitment to adding flossing to my plans. I …

Black Hat’s Place in Enterprise Information Security


In general, enterprise information security is planned and discussed in the hallways of high-rise buildings, conference rooms and closed-door meetings. These conversations usually involve men in button-down shirts and polos trying to find ways to use the limited resources available to mitigate the risks present across a huge threat surface. Phrases like “defense in depth,” “return on investment” and “acceptable risk” are the primary areas for conversation.

On occasion, the information security practitioners from these organizations decide to get together and hold much bigger meetings they call conferences. These conferences have basically the same elements. …

Back from Blackhat – training discounts

I spent last week becoming immersed in the Blackhat experience. It was my first time, and a drastically different conference from any I’ve attended before. I’ll have a write-up in this space sometime in the next couple of weeks.

While there I was fortunate to speak to the managing editor of infosecisland.com, and he told me about the training deals they offer over there. Sounds like a pretty good deal to me, so I thought I’d pass it along. This may be something that offers significant value to my enterprise readers.

The ISLAND TRADEWINDS program is designed to offer IT and security …

Verizon’s 2011 Data Breach Investigations Report Review

What does Verizon’s 2011 DBIR mean to your enterprise?

A few weeks ago we looked at Trustwave’s 2011 Global Security Report. This week I want to point out a few of the critical points in Verizon’s 2011 Data Breach Investigations Report.

I want to start by saying that these lessons are not easy, but they are simple. It’s not easy to ensure that every system in your environment is accounted for and that you know what data is being held where. But it is simple: to ensure that your systems are properly secured, you must know what they are and where they are. …

Internal Audit and Information Security

How’s Your Relationship with Internal Audit?

Want a quick and easy way to get an idea how well your organization’s risk management program works? Take a look at how the technical staff reacts to and interacts with the internal audit team.

The role of internal audit is to aggregate internal policies, regulatory requirements, and industry best practices and then observe the organization to see how the operational reality stacks up with those goals. This is the chance for us to see if we’re walking the walk or if all our risk management policies and systems are just for show.

When your team hears …

Trustwave’s 2011 Global Security Report

2011 Trustwave Global Security Report: Things I Think

As is my wont, I will be highlighting a few points that I found especially comment-worthy from a security report. Today I’m reviewing the 2011 Trustwave Global Security Report. These may or may not be the highlights of the report, but they seemed worth my attention, and hopefully worth yours as well.

  1. More payment card data theft came from point-of-sale (POS) systems than from online shopping. Isn’t this exactly the opposite of what most of us assume? When I enter my credit card information into a website I’m much more diligent about looking …

Focusing on success or failure?


This is the second part in the discussion of the difference between IT and Information Security.

You probably think I’m going to say focus on success, don’t you? Well read on, it’s not nearly that simple.

When a system administrator or application developer is working to create a new system, the process usually starts first by identifying what the system is supposed to do. The process will include purchasing hardware, writing code, tweaking settings, and a rollout, all with the intention of meeting a particular objective. The system’s creator is focused intently …