232 posts categorized "General Security"

February 13, 2012

Wombat Continues To Make Learning About Security Fun

wombatI last wrote about Wombat a few months back.They are a company that was spun out of Carnegie-Mellon University and based on some work done under a US Government grant. Based on game theory, they had developed some really fun games that would teach people the do and don’ts of phishing. Now they have expanded beyond phishing to cover other areas of security. The games have also matured and are more contagious then ever.

After seeing Wombat’s phishing Phil and Phyllis last time I checked in with them, I introduced my 12 year old son Landon to them. He did a science project based on phishing and educating his classmates (and their parents) about phishing and wound  up with a 3rd place county wide finish in his project.

I spoke to Joe Ferrara, CEO of Wombat about their new offerings. Moving beyond phishing the team now has training on smart phone use, social media and creating strong passwords and password security.  Of course they still have phishing and email security as well.  Also Joe and his expanded team have moved beyond some of the cartoon figures in phishing Phil to a bit more sophisticated look and feel.  You can sign up for free demos of the products on their web site.

Best of all for Joe and Wombat, the market is warming up to their" “making security training fun” approach. They recently announced that food giant Del Monte had chose Wombat for their security training program for employees. Joe is growing the team pretty quickly at Wombat. Between ramping up the sales team, as well as adding new modules and areas of training, Wombat is hopping right now.

It is good to see a security start up doing so well. Will keep watch on Wombat’s progress, but if you are in need of security training for your organization, you should give them a look.

Posted at 08:37 AM in education, General Security, other security companies, security tips, the security industry | | TrackBack (0)

January 31, 2012

Now It’s B-sides and RSA

When I last wrote about B-sides a few weeks ago there was the drama of “show me the money”, as some folks questioned where money from sponsors was going. As a result the B-sides group seems to have emerged stronger with a definitive board of directors, more transparency in their finances and the better for the experience. However, now there is more drama around B-sides, this time around whether RSA Conference is trying to stamp out B-sides San Francisco by refusing to grant waivers to companies that sponsor both RSA and B-sides.

When I first heard the story on Twitter and read the post they put up I have to say I was skeptical. Let me say right up front that RSA Conference sponsors the Security Bloggers Network and sponsors our Security Bloggers Meet up every year at RSA. On top of that I have found the conference team to be the most professional, on the ball group of folks to work with. They care about the security community and this just doesn’t sound like their style.

I reached out to a contact there to find out what the real story was behind this new B-Sides drama today. From what I can ascertain here are the facts:

RSA Conference has not denied a waiver to any sponsor that asked to sponsor B-sides also. In fact this is not the first year that RSA Conference has worked with B-Sides on this.

So I am not sure where this is all coming from. If the folks at B-sides have been told differently, I would like someone there to stand up and say so. Let’s have a great RSA Conference week. A week big enough for Security B-sides, Americas Growth Capital Conference, Cloud Security Alliance conference and all of the other great security stuff that takes place in San Fran that week!

In the bigger picture, B-sides is a great idea and I love watching it grow. But drama is not conducive to growing B-sides. I hope that this will not be a reoccurring pattern.

Posted at 01:21 PM in General Security, security bloggers network, the security industry, tradeshows | | TrackBack (0)

December 14, 2011

The Sleazy Dark Side of Product Reviews

Yesterday I wrote in response to Bill Brenner’s Salted Hash post about the Google-funded, Accuvant conducted browser security study which found (surprise) Chrome on top.

In my post yesterday I mentioned that one company that I thought is doing product  reviews right was NSS Labs.  Well Rick Moy of NSS Labs wrote me last night, having read my post.  The NSS Labs folks have had a look at what was publicly available.

Vik Phatak, CTO of NSS Labs has a blog post up on the subject here. More importantly Vik and team have put out a more complete analysis of problems they see with the way this study was conducted and some issues in Google’s behavior. You can read the analysis here.

It is a very interesting read and you should take a look for sure.  It certainly raises some questions about what went on with this browser study and calls into question some very questionable practices by Google. 

It just proves that product reviews are a dirty business and why any reader has to look at and weigh all factors in deciding how much faith to put in them.

Related articles
Enhanced by Zemanta

Posted at 08:33 AM in General Background, General Security, the security industry, Web/Tech, Weblogs | | TrackBack (0)

December 13, 2011

The Death of Product Reviews

English: This is a logo owned by Google Inc. f...

Image via Wikipedia

My friend Bill Brenner has a post up on his Salted Hash blog today about a recent browser security study done by Accuvant LABS. The study shows that Google Chrome was the safest browser tested. Like Bill, I use Chrome too and agree with the Accuvant study.

The problem for Bill is that the study was sponsored by Google, the makers of Chrome. The fact that they paid for this study in Bill’s mind and in many other people’s minds calls the legitimacy of the entire study into question. Even if it is correct, it just doesn’t sit well with Bill.

Frankly I have the same problems with most product reviews, bake offs, analysis reports, etc. I have written about this before as well. In my mind it is a big reason why no one seems to pay attention to product reviews anymore.

It doesn’t make a difference if it is an “independent lab” doing the testing, a magazine’s testing department, industry awards or an analyst firm analyzing the market, the first thing I look at is who is paying for it. Sometimes finding out who is paying for it is not so easy or transparent either.

To be fair, some firms like Securosis for instance will say upfront that some research they are doing is being financed by a paying customer. Such was the case when Mike, Rich and Adrian did a dive on “fact based security security metrics”. The boys said upfront and at the bottom of the page that they thanked Red Seal for sponsoring the research.

Now does that mean that everything they wrote was for the benefit of Red Seal? I know Rich, Mike and Adrian too well to believe that. But it does give me pause when I read the report to remember that fact.

But I will say that over time I have come to soften my attitude on this issue (I must be getting old). For me it is a case of forewarned is forearmed and I take that disclosure in terms of evaluating how much weight to give the research. The same way a juror has to weigh the testimony of a witness depending on their believability.

In the case of Bill’s browser study, same thing. The chances that Google had a heavy hand in the study by Accuvant is pretty low, but it is something to consider. That is just the way it is.

But for Bill and the other doubting Thomas’s out there, what is the alternative?

One alternative is what Rick Moy and the guys at NSS Labs are doing. They have turned this equation on its head. They make their money from the end user, so the vendors being tested have little to no influence.

As Bill says just because Google paid for it doesn’t mean the study is wrong, but it does give you something else to consider. But since no one wants to do these tests or studies for free, someone has to pay and that is the truth of it.

Related articles
Enhanced by Zemanta

Posted at 03:57 PM in awards and PR, General Background, General Security, marketing, rich mogull, Security Incite | | TrackBack (0)

October 13, 2011

Marketing Security

No this is not about a new VP of marketing at some security vendor. I was reading an article today about a presentation at RSA Europe by Lee Parrish, VP and CISO of construction firm Parsons Corporation. At a time when most of the departments and budgets in his company where shrinking, Parsons nearly doubled his security budget and was hiring more people. 

I know you think they must have had a really poor security department, suffered a breach and so finally security got the attention it deserved.  You would be wrong.  How did Parrish accomplish this feat?  Easily, he “marketed security” internally to the board and stakeholders at his company.

This is a topic I have written about over the years before.  Too many times we hear security folks lament the fact that they just can’t get management to take the threats seriously. They just don’t care enough to approve the budget and resources needed to do security right.

Usually these same people will turn their nose up at marketing types. The marketing and sales people are as reptilian as Queen Anna was in the V series to these folks.  Whether it be security vendors or not, often times security admins will want to take a long hot shower after spending time with marketing and sales types.  What a mistake!

The point Parrish makes is that you need to market security. In the case of security admins you have to market to your own buyers. The decision makers and purse holders at your own company.

Parrish gives a great example of seeing that apps were being downloaded that were not approved and presented a security issue.  But these rogue apps also were driving help desk call numbers through the roof.  So instead of talking about the security threat of these rogue apps he talked about buying technology that would thwart the downloading of rogue apps which would drive help desk calls down by X% saving Y$ per year.  That is the kind of message the business managers understood and they gladly approved the budget.

If you are going to sell (and as I have said before we are all sales people in one way or another) you have to understand your customer. What is it that keeps him up at night, what are his buttons.  So start thinking of your stakeholders internally as your customers and you have to sell them. Before the sale, you have to market to them.  Think like a marketing person and you just might get the security budget you need to make your job fun again.

Related articles
Enhanced by Zemanta

Posted at 02:08 PM in Current Affairs, General Security, security tips, the security industry | | TrackBack (0)

August 23, 2011

Help A Student With Her MMIS In Infosec

A local student here in South Florida needs some help. Renata Bergman needs some C-level, preferably CISOs to fill out a survey about what constitutes a “worthwhile security compliance program”.

Renata is seeking:

C-level executive’s viewpoint:

· Their “take” on what security governance is.

· Recommended reporting structure for best success

· Ideal governance model(s) recommended

· Challenges and constraints in evolving a functional security governance program

· Best practices to assure organizational security culture

· What works best for governing security?

· Components of “model” program, budget recommendations, etc.

· Experience with what works best

· Measuring the success of security governance in an organization

· What are the key elements of security governance?

You can download the questionnaire here. All information will be kept confidential.  Renata is a great person and really needs the help. So if you can please lend a hand!

Posted at 10:48 AM in education, General Background, General Security | | TrackBack (0)

July 27, 2011

The Case For Breach Insurance

For the last year or so at The CISO Group in addition to helping payment processors with their merchants PCI compliance needs we have been offering a low cost, no deductible breach insurance policy. 

For literally a few dollars a month, a small merchant can obtain a no questions asked breach insurance policy that will cover even the costs of a forensic audit in case of a suspected breach.

It amazes me how processors and merchants resist this no-brainer.  Of course the most common retort is that they don’t need it because a breach “would never happen to them”. Still others though try to claim that they already have insurance under their general liability insurance. I have told them repeatedly “go check the fine print” I don’t think it covers data breach.

Well now the Sony case is showing that indeed general liability insurance does not cover data breaches. My friend Ericka Chickowski had an article about this in Dark Reading the other day detailing how Sony’s insurers are stepping back from defending the various class action suits being filed against Sony.

In the case of processors and ISOs there is even more of a compelling reason. If any of their merchants can not meet the fines, losses and costs of a breach incident, they could be responsible. Spread that out over the thousands of merchants the represent and their exposure becomes pretty significant. Why would one not want to sleep well at night?

Anyway, anyone selling security knows what it is like to sell insurance. Even though it seems to be an easy decision, it is not always so easy.

Related articles
Enhanced by Zemanta

Posted at 09:37 AM in CISO, compliance, General Security | | TrackBack (0)

July 01, 2011

Marketing 2007 Security in 2011 or LCD Security Marketing

I was reading an interview with an executive from a nameless security vendor the other day and the point he was making was that their security products are necessary because “hacking is now a for profit enterprise”. How absolutely 2007.

Most of the examples of hacking incidents he brought up were attributed to LulzSec or Anonymous. Those are not examples of “for profit enterprises”. They were exactly the malicious and “to show we can” type of attacks that he said disappeared 15 years ago. Not to mention that while cyber-war, cyber-terror and cyber-espionage all have a “profit” in mind, it is not exactly the same “for profit" as the Albert Gonzalez gang stealing credit card data.

In fact recent attacks if anything show that we may in fact be entering a new era of hacking and security that calls the whole responsible disclosure and “ethical hacking” issues into a new light. So why talk about security drivers circa 2007 halfway through 2011?

At first I chalked it up to having people who really don’t have any security background and not living security being put in a position where they are forced to talk about it. But then I thought about it some more. It is more than just another empty suit talking about security, it is a chronic problem in the security industry.

I have heard it from other security executives too. When speaking to customers and the public they don’t think the audience is sophisticated enough to really “get it”. So instead of giving it to them straight, lets give them what they can understand. It is LCD (least common denominator) security marketing. Give them something simple enough that they can put their mind around it, that has examples that have already been established in the public consciousness. This way we don’t have to explain too much and we don’t have to open the kimono about our solutions being perhaps only an inch deep. KISS, keep it simple stupid. If only the world really worked like that though.

But why should we be surprised with least common denominator security marketing when too many security companies sell least common denominator security solutions. You know, the check box security that allows people to say they have complied, but leaves them defenseless when LulzSec and the like put them in their sites.

I think the whole thing is an outgrowth of the old enterprise security vendor approach of watering and “dumbing down” their solutions for the mid-market.  It didn’t work then and LCD security and LCD security marketing doesn’t work now. 

Yes, you may fool some people for some of the time, but you can’t fool all the people all the time and sooner or later it catches up with you.  The people and organizations relying on the security industry deserve better and we as an industry should be better than that!

Related articles
Enhanced by Zemanta

Posted at 04:44 PM in compliance, General Background, General Security, other security companies, Security Consulting, the security industry | | TrackBack (0)

May 06, 2011

Sophos Moves Beyond The Endpoint With Astaro Buy

Image representing Astaro as depicted in Crunc...

Image via CrunchBase

Saw the news today about Sophos buying Astaro.  My initial reaction was “is this good for Jack Daniel”.  But beyond that I think it is a good move for Sophos. For years they have successfully been competing with Symantec and McAfee in the endpoint security game. But they needed to move beyond the endpoint.

Sophos has been known to been lighter and more nimble than some of their bigger competition. But what the bigger guys had was more than the endpoint. They had network security as well.  Other than NAC, Sophos had nothing to compete.  If they were truly going to compete with the bigger companies in the security space they had to move to the network too.

In Astaro they picked up a good one. Astaro has quietly become a player in the UTM market. Their growth has been steady and considerable. They were out in front with virtual appliances. They are a solid company in the network security market with a diverse customer base.  I think it is a perfect fit for Sophos.

Now the important stuff, what does this mean for Jack? I hope they continue Astaro’s practice of letting Jack run community and continue the support of B-sides events.

Congratulations to all of my friends at Astaro and to all of the great bloggers at Sophos. I think together, this will be a new powerhouse in security.

Related articles
Enhanced by Zemanta

Posted at 07:40 AM in General Security, MandA, UTM | | TrackBack (0)

April 19, 2011

FireMon Leapfrogs Competition In Risk Analysis

FireMon (formerly Secure Passage) today announced the acquisition of a company called Saperix Technology. Saperix Technology’s major asset it seems is some patented risk analysis technology that was developed by the MIT Lincoln Labs over the last 10 years.

Of course FireMon is in the firewall/security device management space that I follow pretty closely.  I wrote about the space last shortly after RSA. At the time I noted that some of the players in the space had moved into risk analysis, while others actually came from the risk analysis space into device management (Skybox Security, Red Seal).

At the time I though that FireMon had not kept pace with the others on that front. With today’s move and from what I have seen and been told, it would seem FireMon may have in fact leapfrogged the competition with this smart buy.

I had a chance to sit down and talk with Jody Brazil, President of FireMon last week about the acquisition.  Jody wrote a great blog on the details behind the deal on the FireMon blog today too.

Suffice to say that according to Jody the real thing holding back wider adoption of this type of risk analysis at the enterprise to this point was that frankly it didn’t scale. It wasn’t fast enough or scalable.  That is where this government lab developed technology is different. According to Brazil this technology is enterprise ready in terms of scalability and responsiveness.

The FireMon folks say they have really got something here and will be integrating it into the FireMon product line in a very short time (read that in weeks, not months).

Gary Fish of Fishnet Security is the CEO of FireMon and Gary knows a thing or two about acquiring companies. He says that he is not done yet with acquisitions.  He thinks the future of FireMon is to continue to grow organically, as well as by strategic acquisition. Gary is pretty pumped up about this acquisition as well. 

It sounds like FireMon is going to reassert itself as the leader in this space. With Gary Fish behind it and a solid technology base that they are adding to, it might be a wise bet to bet on FireMon.

Related articles
Enhanced by Zemanta

Posted at 09:34 AM in General Security, MandA, other security companies | | TrackBack (0)

Next »
My Photo

Subscribe to my blog

Enter your email address:

Delivered by FeedBurner

Lijit Search

Blog Networks

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

Search

Lijit Search

Attend a Computer Forensics Boot Camp to better your skills and become a better worker

Categories

Track my blog stats

Blog powered by TypePad
Member since 10/2005

About