
Why do we Pen Test?


A penetration test is a method of evaluating the security of computer systems or networks using manual or automated tools. Basically, we set some experienced folks out with the instruction to figure out a way to break the security of our own systems. This will usually come with some rules of engagement (no testing during business hours, don’t corrupt any of our production data, etc.).

I’ve been a part of numerous penetration tests. It seems that every organization has them these days. For the purposes of this article, I am limiting us to internal penetration testing, not …

Information Security as the Doctor of the Enterprise


“You don’t have to floss all your teeth, just the ones you want to keep.”

I remember, as a child, going to the dentist and seeing that slogan on a poster on the wall. Between that and the serious questions about my brushing and flossing habits during the appointment, it would have been impossible to walk out of the dentist’s office without a full understanding of the importance of consistent oral hygiene. I would leave the dentist’s office (greatly relieved to be free) but without any commitment to adding flossing to my plans. I …

Focusing on success or failure?


This is the second part in the discussion of the difference between IT and Information Security. Click here for Part 1.

You probably think I’m going to say focus on success, don’t you? Well read on, it’s not nearly that simple.

When a system administrator or application developer is working to create a new system, the process usually starts by identifying what the system is supposed to do. The process will include purchasing hardware, writing code, tweaking settings, and a rollout, all with the intention of meeting a particular objective. The system’s creator is focused intently …

Architecting Secure Information Systems


We have heard for years that security needs to be integrated into a system from conception, because bolt-on security is simply not as effective. So you have struggled with, bargained with and pled with system owners and developers to include security at the beginning of a process. Then you get that first invite to an architecture meeting for a proposed system. “Uh oh,” you think, “now what?”

Creating secure systems from the ground up is a different proposition, and requires different skills than buying and bolting on technologies to implement security after the fact. You have the chance …

Security’s Civil War

Security versus Security: When security requirements conflict

One of the topics I spend quite a bit of time discussing in this space is the conflict between security and functionality. Often we are forced to make a choice between them: allowing people to post anonymous comments to our site gives more functionality to more people, but we run the risk of malicious users exploiting our site. That is the traditional security versus functionality dynamic. But sometimes security isn’t nearly so clear cut. I thought it would be fun to explore a situation where the conflict is security versus security.

Consider data in transit. …

Five Things: RSA Conference 2011


Thanks to InfoSec Island I had the opportunity to attend the 2011 RSA Conference in San Francisco, free of charge. It was a unique experience, well worth my time and energy to attend. This week’s blog is Five Things I learned at RSA Conference 2011.

1. The information security community is huge and diverse. I’ve seen numbers indicating there were anywhere from 11,000 to 20,000 people at the conference. And those attending make up just a small fraction of the information security practitioners around the world. I met attendees from South America, Africa, Australia, …

The Department of No

On being the “Department of No”

When we discuss metaphors for an information security department, we often talk about things like a traffic cop (giving out tickets for breaking the rules), or a referee (looking for those who play dirty). The problem with those examples is that we’re portraying security as something to be avoided, whose primary contribution is punishing negative behaviors. It’s precisely this type of implementation that has led so many information security departments to be thought of as the “Department of No.”

Being known as the “Department of No” is problematic. Once a reputation is established that information security …

2011 Information Security Resolutions


Think it’s too late for a New Year’s post? You must not have heard that January 12th is the new January 1st.

I’ve never been one for making New Year’s Resolutions. However, a quick search of the web finds that a lot of folks are. An awful lot of people are looking to lose weight, quit smoking, or get a new job this year. This got me thinking: what are my InfoSec resolutions for 2011? It sounds like the perfect topic for a Five Things article.

  1. Don’t be satisfied with doing things ‘the way we’ve always done them.’ …

Enterprise Information Security versus Social Networking

The trend
Since the internet was created, users have been using it to connect with other people. From the very beginning, with dialup bulletin boards, people have sought ways to connect with friends or strangers across the country and around the world. The motivations behind today’s social media are nothing new. It’s simply been a process of making connecting easier, thereby getting more and more of the population connected. Twenty-five years ago the only folks connecting online were highly technical. Today grandparents and young children have Facebook accounts.

Considering the momentum in our culture to be more connected to more people, …

Gaining InfoSec Buy-In

In my experience, the biggest impediment to a high-quality information security posture at an organization is not money or well-informed InfoSec practitioners. The biggest impediment is getting the front-line workers of an organization to believe in the mission of InfoSec. Rather than waiting for an audit finding or a compliance issue to drive us toward security, we want to get workers thinking and acting securely in their day-to-day behaviors.

In trying to get workers to buy into the mission of InfoSec, we have several forces we’re fighting against. We’re battling busyness, the status quo, …