
Why do we Pen Test?


A penetration test is a method of evaluating the security of computer systems or networks using manual or automated tools. Basically, we send some experienced folks out with the instruction to figure out a way to break the security of our own systems. This usually comes with rules of engagement (no testing during business hours, don’t corrupt any of our production data, etc.).

I’ve been a part of numerous penetration tests. It seems that every organization has them these days. For the purposes of this article, I am limiting us to internal penetration testing, not …
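Rules of engagement usually live in a document, but they are easier to honor when a scanning wrapper can check them before every action. The example below is added here and is not code from the original post: it parses constructed `scope`, `exclude`, `window` and `forbid` lines into a small object and refuses a request whose target is out of scope or explicitly excluded, whose action is forbidden, or whose time falls outside the agreed window (including a window that wraps past midnight). The key names, addresses and times are assumptions constructed for illustration.

```python
"""Rules-of-engagement gate for an internal penetration test.

Added example, not code from the original post. The key names (scope,
exclude, window, forbid) and every address and time below are constructed
for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class RulesOfEngagement:
    """Machine-readable rules of engagement for one engagement."""
    in_scope: list = field(default_factory=list)  # ipaddress networks we may test
    excluded: set = field(default_factory=set)    # hosts never to be touched
    window_start: time = time(0, 0)               # testing window (local time)
    window_end: time = time(0, 0)                 # start == end means no window restriction
    forbidden: set = field(default_factory=set)   # action names that are off the table

    @classmethod
    def from_text(cls, text):
        """Parse 'key: value' lines; '#' starts a comment. Unknown keys are an
        error rather than silently ignored, so a typo cannot widen the scope."""
        roe = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "scope":
                roe.in_scope.append(ipaddress.ip_network(value, strict=False))
            elif key == "exclude":
                roe.excluded.add(ipaddress.ip_address(value))
            elif key == "window":
                start, end = (time.fromisoformat(p.strip()) for p in value.split("-"))
                roe.window_start, roe.window_end = start, end
            elif key == "forbid":
                roe.forbidden.add(value.lower())
            else:
                raise ValueError(f"unknown rules-of-engagement key: {key!r}")
        return roe

    def in_window(self, when):
        """True when 'when' falls inside the agreed window. A window such as
        22:00-05:00 wraps past midnight, so the comparison flips when end < start."""
        t = when.time()
        if self.window_start == self.window_end:
            return True
        if self.window_start < self.window_end:
            return self.window_start <= t < self.window_end
        return t >= self.window_start or t < self.window_end

    def target_status(self, host):
        """'excluded', 'out-of-scope' or 'ok'. Exclusions win over scope, so a
        production host carved out of an in-scope range stays protected."""
        ip = ipaddress.ip_address(host)
        if ip in self.excluded:
            return "excluded"
        if not any(ip in net for net in self.in_scope):
            return "out-of-scope"
        return "ok"


def check_request(roe, host, action, when):
    """Decide whether one test action against one host is permitted at 'when'.

    Returns (allowed, reason). Every refusal names the rule that blocked it, so
    the tester can raise it with the engagement lead instead of guessing.
    """
    if action.lower() in roe.forbidden:
        return False, f"action {action!r} is forbidden by the rules of engagement"
    status = roe.target_status(host)
    if status != "ok":
        return False, f"{host} is {status}"
    if not roe.in_window(when):
        return False, f"{when:%H:%M} is outside the agreed testing window"
    return True, "ok"


# Constructed sample rules of engagement; not a real engagement.
SAMPLE_ROE = """
scope: 10.20.0.0/16
scope: 10.21.4.0/24
exclude: 10.20.5.10        # production database: read-only, hands off
window: 22:00-05:00        # outside business hours, wraps past midnight
forbid: data-modification  # never corrupt production data
"""

if __name__ == "__main__":
    roe = RulesOfEngagement.from_text(SAMPLE_ROE)
    night, afternoon = datetime(2012, 1, 10, 23, 30), datetime(2012, 1, 10, 14, 0)
    for host, action, when in [("10.20.1.7", "port-scan", night),
                               ("10.20.5.10", "port-scan", night),
                               ("10.30.0.1", "port-scan", night),
                               ("10.20.1.7", "port-scan", afternoon),
                               ("10.20.1.7", "data-modification", night)]:
        print(host, action, f"{when:%H:%M}", "->", check_request(roe, host, action, when))
```

The check runs the cheapest and most absolute rules first (forbidden action, then exclusion, then scope, then time) so a refusal reason points at the clause the tester would actually have to renegotiate; an exclusion inside an in-scope range is deliberately honored over the range, because that is how production carve-outs are normally written.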

2012 Enterprise Information Security Resolutions


I can’t believe it’s already been a year since I wrote my last Resolutions post. Overall, I believe those resolutions hold up pretty well. I’ve taken a few minutes to think back over 2011 and see how I did at achieving my resolutions… I am reminded that this ride isn’t a simple pass/fail endeavor. With that in mind, here are my 2012 Enterprise Information Security Resolutions.

  1. Successful information security is about making progress. It’s not reasonable or sustainable to expect all risks to be remediated as soon as they are discovered. Instead, my …

Information Security as the Doctor of the Enterprise


“You don’t have to floss all your teeth, just the ones you want to keep.”

I remember, as a child, going to the dentist and seeing that slogan on a poster on the wall. Between that and the serious questions about my brushing and flossing habits during the appointment, it would have been impossible to walk out of the dentist’s office without a full understanding of the importance of consistent oral hygiene. I would leave the dentist’s office (greatly relieved to be free) but without any commitment to adding flossing to my plans. I …

Black Hat’s Place in Enterprise Information Security


In general, enterprise information security is planned and discussed in the hallways of high-rise buildings, in conference rooms and in closed-door meetings. These conversations usually involve men in button-down shirts and polos trying to find ways to use the limited resources available to mitigate the risks spread across a huge attack surface. Phrases like “defense in depth,” “return on investment” and “acceptable risk” dominate the conversation.

On occasion, the information security practitioners from these organizations decide to get together and hold much bigger meetings they call conferences. These conferences have basically the same elements. …

Verizon’s 2011 Data Breach Investigations Report Review

What does Verizon’s 2011 DBIR mean to your enterprise?

A few weeks ago we looked at Trustwave’s 2011 Global Security Report. This week I want to point out a few of the critical points in Verizon’s 2011 Data Breach report.

I want to start by saying that these lessons are not easy, but they are simple. It’s not easy to ensure that every system in your environment is accounted for and that you know what data is held where. But it is simple: to secure your systems properly, you must know what they are and where they are. …

Trustwave’s 2011 Global Security Report

2011 Trustwave Global Security Report: Things I Think

As is my wont, I will be highlighting a few points that I found especially comment-worthy from a security report. Today I’m reviewing the 2011 Trustwave Global Security Report. These may or may not be the highlights of the report, but they seemed worth my attention, and hopefully worth yours as well.

  1. More payment card data theft came from point of sale (POS) systems than from online shopping. Isn’t this exactly the opposite of what most of us assume? When I enter my credit card information into a website I’m much more diligent about looking …

Focusing on success or failure?


This is the second part of the discussion of the difference between IT and information security. Click here for Part 1.

You probably think I’m going to say focus on success, don’t you? Well read on, it’s not nearly that simple.

When a system administrator or application developer is working to create a new system, the process usually starts by identifying what the system is supposed to do. The process will include purchasing hardware, writing code, tweaking settings, and a rollout, all with the intention of meeting a particular objective. The system’s creator is focused intently …

Every Employee a Security Partner


The information security department is responsible for writing policies, creating awareness training, tracking compliance, and generally leading the data security program at an organization. But when it comes down to it, we are not the ones who do most of the practicing. The ground-level implementation of security in the organization simply cannot be the work of a few information security employees; it needs to be performed by every employee in their day to day tasks.

The information security team is responsible for the creation of the policies and standards. This is the framework that a security program …

Architecting Secure Information Systems


We have heard for years that security needs to be integrated into a system from conception, because bolt-on security is simply not as effective. So you have struggled with, bargained with and pled with system owners and developers to include security at the beginning of a process. Then you get that first invite to an architecture meeting for a proposed system. “Uh oh,” you think, “now what?”

Creating secure systems from the ground up is a different proposition, and requires different skills than buying and bolting on technologies to implement security after the fact. You have the chance …

A Better Defense in Depth Implementation


For previous posts on defense in depth click here and here.

There’s been a lot of conversation lately around how effective our current implementations of defense in depth (DiD) are. There have even been some suggestions that DiD is a broken model, and needs to be replaced. But I believe in the value of DiD. It is essential to an effective security program.

Defense in depth is required, and can be used to create an effective security program that meets your organizational needs. But it can only do so if the layers are implemented …