
Why do we Pen Test?

Why do we pen test?

A penetration test is a method of evaluating the security of computer systems or networks using manual or automated tools. Basically, we send some experienced folks out with the instruction to figure out a way to break the security of our own systems. This usually comes with some rules of engagement (no testing during business hours, don’t corrupt any of our production data, etc.).

I’ve been a part of numerous penetration tests. It seems that every organization has them these days. For the purposes of this article, I am limiting us to internal penetration testing, not …

Enterprise Information Security is about Progress

Successful Enterprise Information Security is about Progress

What does a successful information security program look like in an organization? The traditional answer would be something like, “Technology risks are kept to a level the organization is willing to accept.” That sounds pretty simple, right? Find the places where risks are greater than we’re comfortable with, then fix them.

That type of thinking works for a point-in-time evaluation, but comes up lacking when we consider the dynamic nature of enterprise information security. Things change. New vulnerabilities are discovered, new types of technologies are implemented, and new business requirements arise. In reality, there is …

Information Security as the Doctor of the Enterprise


“You don’t have to floss all your teeth, just the ones you want to keep.”

I remember, as a child, going to the dentist and seeing that slogan on a poster on the wall. Between that and the serious questions about my brushing and flossing habits during the appointment, it would have been impossible to walk out of the dentist’s office without a full understanding of the importance of consistent oral hygiene. I would leave the dentist’s office (greatly relieved to be free) but without any commitment to adding flossing to my plans. I …

Black Hat’s Place in Enterprise Information Security


In general, enterprise information security is planned and discussed in the hallways of high-rise buildings, conference rooms and closed-door meetings. These conversations usually involve men in button-down shirts and polos trying to find ways to use the limited resources available to mitigate the risks present across a huge threat surface. Phrases like “defense in depth,” “return on investment” and “acceptable risk” are the primary areas of conversation.

On occasion, the information security practitioners from these organizations decide to get together and hold much bigger meetings they call conferences. These conferences have basically the same elements. …

Architecting Secure Information Systems


We have heard for years that security needs to be integrated into a system from conception, because bolt-on security is simply not as effective. So you have struggled with, bargained with and pled with system owners and developers to include security at the beginning of a process. Then you get that first invite to an architecture meeting for a proposed system. “Uh oh,” you think, “now what?”

Creating secure systems from the ground up is a different proposition, and requires different skills than buying and bolting on technologies to implement security after the fact. You have the chance …

Security’s Civil War

Security versus Security: When security requirements conflict

One of the topics I spend quite a bit of time discussing in this space is the conflict between security and functionality. Often we are forced to make a choice between them: if we allow people to post anonymous comments on our site, we give more functionality to more people, but we run the risk of malicious users exploiting our site. That is the traditional security versus functionality dynamic. But sometimes security isn’t nearly so clear cut. I thought it would be fun to explore a situation where the conflict is security versus security.

Consider data in transit. …

Five Things: RSA Conference 2011


Thanks to InfoSec Island I had the opportunity to attend the 2011 RSA Conference in San Francisco, free of charge. It was a unique experience, well worth my time and energy to attend. This week’s blog is Five Things I learned at RSA Conference 2011.

1. The information security community is huge and diverse. I’ve seen numbers indicating there were anywhere from 11,000 to 20,000 people at the conference. And those attending make up just a small fraction of the information security practitioners around the world. I met attendees from South America, Africa, Australia, …

The Department of No

On being the “Department of No”

When we discuss metaphors for an information security department, we often talk about things like a traffic cop (giving out tickets for breaking the rules) or a referee (looking for those who play dirty). The problem with those examples is that we’re portraying security as something to be avoided, whose primary contribution is punishing negative behaviors. It’s precisely this type of implementation that has led so many information security departments to be thought of as the “Department of No.”

Being known as the “Department of No” is problematic. Once a reputation is established that information security …

Defense in depth: Security Strategy or Security Blanket


There is an interesting phenomenon in the sports world surrounding fans and trades. It goes something like this…

Giants Fan 1, “Man, that Albert Pujols is really something else. I sure would like to have him on our team.”

Giants Fan 2, “We should offer the Cardinals three of our mediocre players for him.”

Giants Fan 1, “That’ll never work, they won’t give him up for three mediocre players.”

Giants Fan 2, “Okay, we’ll give them 5 of them… heck give them 7 mediocre players!”

Giants Fan 1, “Yeah… this is starting to sound real good.” *

The fallacy …

False Positives: The Best Way to Kill a Good Initiative


Or: When Security Departments Cry Wolf

Remember Aesop’s fable “The Boy Who Cried Wolf”? Not only is it a pretty good story, filled with conflict, danger, lying and comeuppance, it has served as a cautionary tale to several generations. Little kids around the world have learned that if you lie, people are going to stop believing you.

This fable speaks directly to our jobs as security practitioners. The more we raise alerts about issues that either don’t exist, or aren’t worth the attention we give them, the less interested people are in hearing …