Thursday, June 22, 2017

Stop Lighting to a Successful Audit

So like many organization I have a couple of annual audits performed by third parties. In full disclosure I do it in part because of contractural requirements and part because I like to do it and enjoy the challenge. I can’t get into too many details but we have not always had the best results and luck on these audits. In year one this is something that you would expect as there are always going to be a few bumps and bruises as you start to figure out your controls and how to write them. After the first year the expectation is that you would get better and see cleaner reports. Unfortunately I have not seen that as much as I would like. As we would get better at some aspects of the audit we would struggle in others. This made me take a different approach to getting ready for these audit. Stick with me as you are about to see, it will seem basic but the results have spoken for themselves. 

Tuesday, March 21, 2017

Defense Point Breach - My Thoughts

Last week Brian Krebs of Krebs on Security reported of a Defense Point Security Breach that resulted in employee data being lost. The loss, according to the report, impacted current and former employees of the company during 2016. In his report Brian states that the attack came through a targeted phishing email and that the email asked the victim to send the 2016 tax information of employees of Defense Point Security. Brian goes on to explain how phishing emails such as this normally come to be. In his report he informs readers that, in most cases, the scams target finance and HR employees. He goes on to mention that the email can appear to come from a company executive such as the CEO or CFO. Brian, as he always does, continues the post with a great analysis of the event and ways to protect yourself from being a victim of tax fraud during tax season. I wanted to take a moment to discuss how we as information security professionals can protect our enterprises from these types of emails getting to our end users. At the end of the day, we are not only responsible for protecting our enterprises but we also have a responsibility to protect users from themselves. Keep reading to find out what you can do to protect the enterprise.

Monday, March 20, 2017

Book Review Lights Out by Ted Koppel

Before I get started, if you read this review and decide that you want to give the book a read for yourself, you can find it HERE

So a few months ago (yes it took me that long to find time to write another post) I read Light Out by Ted Koppel. Since finishing the book I have wanted to write and post a review of the book from a cyber security professional's point of view.

Book Overview
For those that may not be familiar with this book here is a real quick run down of what the book is about. So, we all know that critical infrastructure is becoming a target of advisories more and more and as they find ways to attack it we can expect larger and larger impacts! This book goes through the impact of such an attack, in this case the US power grid, and how prepared we are as a country. Ted brings up several interviews he conducted with experts in all fields around this topic. This includes everyone from cyber security experts, former DoD employees, and even Mormon church leadership (more about that later). Ted also does a great job citing examples of similar outages (either from cyber attack or failure) in other countries that lasted an extended period of time. When I found out that a book was written around the possible events following a major cyber security attack on US critical infrastructure I was intrigued and took it for a quick spin.

Friday, December 16, 2016

Security Metrics You Didn't Know you Had!

Ok, it has been awhile since I posted my INFOSEC RANT so I figured it was about time to create a new entry. In my rant FOUND HERE I talked about a lot of things. One of them in particular was the way security professionals and security vendors are going about buying and selling products. One of my biggest call outs was the buzzword bingo tactics that are being used by vendors and are being eaten up by security professionals. I challenged both security professional and security sales people to step back and answer one question, “What is the problem I need to fix?”. I also made a statement about the security profession missing the basics and I would challenge to say that is because many of us in the profession may not know the answer to my magic question. I want to talk today about how to find out how to answer that question using the information you already have with a little bit of effort and little to no additional spend.

Monday, November 21, 2016

My InfoSec Rant! Where we are missing the boat

Since my last post, I have been doing some reading and listening to a few podcasts. If you follow me on Twitter, you know that I am also reading Lights Out by Ted Koppel. Between what I have been reading in the book, some demos that I have been a part of, and the constant sales pitches I have been listening to I feel compelled to blow off a little steam in what I am going to lovingly call an InfoSec rant. As I type this I can see this becoming a normal addition to my blog. Although I have been taking part in the three different activities I spelled out above they all have one thing in common and it is that commonality that I want to dive into a little further. Before we get started I want to point out this is nothing more than a RANT, it is my feelings on a few matters and what I think is causing them. You may or may not agree with what I am about to say but I would love to hear your thought on it on way or another. You can EMAIL ME or post your comments below.  Click the Read More below and let's get started. 

Friday, November 11, 2016

You Can't Fix Stupid...But You Can Find It FREE Training

At one point or another everyone has played the blame the user or blame the admin that made a mistake card when dealing with an incident or something that may have broken. I can't think of many security professionals that have not had to deal with an incident due to a user's actions or poor choices. That brings us to the tried and true "You can't fix stupid"! We try to mitigate stupid, contain stupid, and be ready to act when stupid strikes. Users are going to make mistakes, admins are going to deploy servers and code without keeping security in mind. There is good news though, we can try to give people training. Yes, there are challenges to getting people trained, the two biggest arguments against training are the time it takes and getting funds or budget to get the training done. Unfortunately, I don't have an answer for the need for more time but I can give you a couple of options for FREE training we can give the users. I am sure there are more than the four I am going to discuss in the next section so if you know any free or cheap training options feel free to EMAIL those to me or call them out in the comments below...

Thursday, November 3, 2016

ISSA International Conference - My Takwaway

For those of you that may not know I just spent the last two days at the ISSA International Conference. This is the annual conference that the International Systems Security Association puts on and just like the last time I went it didn’t. disappoint. Seriously, how can you not enjoy a conference where you get to watch the Cubs win a world series during for the first time in 108 years. I am going to try and keep this post short because after two days of talks and information my head feels like it is about to explode all over my iPad. What I do want to highlight are some of the things that really stood out to me. Click read more to find out what those are and feel free to comment on what stuck out to you if you were at the show or if you were not at the show any topics you would like to have me cover more in depth in future posts.