Posts Tagged ‘Security Awareness’

Why do we Pen Test?

A penetration test is a method of evaluating the security of computer systems or networks using manual or automated tools. Basically, we send some experienced folks out with the instruction to figure out a way to break the security of our own systems. This usually comes with some rules of engagement (no testing during business hours, don’t corrupt any of our production data, etc.).

I’ve been a part of numerous penetration tests. It seems that every organization has them these days. For the purposes of this article, I am limiting us to internal penetration testing, not …

Information Security as the Doctor of the Enterprise

“You don’t have to floss all your teeth, just the ones you want to keep.”

I remember, as a child, going to the dentist and seeing that slogan on a poster on the wall. Between that and the serious questions about my brushing and flossing habits during the appointment, it would have been impossible to walk out of the dentist’s office without a full understanding of the importance of consistent oral hygiene. I would leave the dentist’s office (greatly relieved to be free) but without any commitment to adding flossing to my plans. I …

Focusing on success or failure?

This is the second part of the discussion of the difference between IT and Information Security; Part 1 is a separate post.

You probably think I’m going to say focus on success, don’t you? Well, read on; it’s not nearly that simple.

When a system administrator or application developer is working to create a new system, the process usually starts by identifying what the system is supposed to do. The process will include purchasing hardware, writing code, tweaking settings, and a rollout, all with the intention of meeting a particular objective. The system’s creator is focused intently …

Every Employee a Security Partner

The information security department is responsible for writing policies, creating awareness training, tracking compliance, and generally leading the data security program at an organization. But when it comes down to it, we are not the ones who do most of the practicing. The ground-level implementation of security in the organization simply cannot be the work of a few information security employees; it needs to be performed by every employee in their day-to-day tasks.

The information security team is responsible for the creation of the policies and standards. This is the framework that a security program …

How IT and InfoSec Differ

Or, The Difference between Information Security Professionals and those Paid to Perform Information Security

Evidence of people performing accounting has been found as far back as Babylon (circa 4500 BC). We have records of a civil engineer from as long ago as 2630 BC. It’s fair to say that these are mature, well understood professions. The education and training for their practitioners has been thoroughly tested and documented. If you want to become an accountant you take some classes, learn your craft, and prove you’ve learned it by taking the Certified Public Accountant (CPA) exam. If you want to …

Is DLP A Fit For Your Organization?

Take a moment to consider the most valuable assets your company has. Think about what you have that sets you apart from your competitors. Is it the cutting-edge product you sell? Is it the high-quality employees you employ? Is it the secret recipe for your delicious salsa? Is it your loyal client base? Go ahead and give it 30 seconds or so. I’ll wait.

As you created that list of your most valuable assets, you also created a rough list of those assets that are most worth defending. These are the things that, …

Five Things: Creating high quality security policies

Security policies are the foundation of an enterprise information security program. Without a solid foundation in place you simply cannot build a sturdy, long-lasting structure, be it a building or a security program. Below are five things that can help you ensure your foundation is strong.

  1. Use a framework. By starting with a trusted framework you can avoid reinventing the wheel. A framework like ISO2700x will provide you with the areas you need to cover in your policies. Then it’s your job to customize the policies so they fit your environment.
  2. Make sure your policies are …

Five Things: I’ve Learned about Enterprise InfoSec

Below are the top lessons I’ve learned while providing information security to enterprises. The focus here is on people and process. None of them are technical in nature. Technology is the easy part; almost anyone can get that part right. These are the lessons I believe differentiate an average information security department from an excellent one.

  1. Remember, you exist to serve the organization, not to hold it hostage. I have run into many corporations where information security is the bully down the hall whom others simply want to avoid. Customer service is not just for customer service …

Information Security: Your Civic Duty

Until the year 1955, polio was a scary fact of life in the United States. Polio is a disease that is easily transmitted by human-to-human contact, and can have lifelong debilitating results. Along came Jonas Salk’s wonderful vaccine, and the next generation didn’t need to worry about polio anymore. All we needed to do was get a shot. But did you know that there is a section of the population that cannot get vaccinated? People who are on chemotherapy or drugs that affect the immune system are unable to get the vaccination. Those people, the unprotected, are relying on …

Gaining InfoSec Buy-In

In my experience, the biggest impediment to a high-quality information security posture at an organization is not money or a lack of well-informed InfoSec practitioners. The biggest impediment is getting the front-line workers of an organization to believe in the mission of InfoSec. Rather than waiting for an audit finding or a compliance issue to drive us toward security, we want to get workers thinking and acting securely in their day-to-day behaviors.

In trying to get workers to buy into the mission of InfoSec, we have several forces we’re fighting against. We’re battling busyness, the status quo, …