April 26, 2013

If IBM X-Force were running the IT department

IBM’s X-Force research team recently released their “2012 Trend and Risk Report”. The report is a great look back at last year and is full of metrics and analysis on the kinds of threats and risks seen across the spectrum of different verticals in information security. It also has some excellent advice on how to institute and operate a successful information security and risk management program. If you are interested in security (and who isn’t?) you should definitely download it and give it a read.

One section I wanted to highlight and expand on, though, was the “If IBM X-Force were running the IT department” section. Here is the X-Force’s top 10 list to make you more secure. It is especially relevant for mid-market companies that may not have the budget or resources to do everything they might like around risk and threats. If you could check each of these ten off, you would have the foundation of a solid strategy.

1. Perform regular third party external and internal security audits – Many organizations are reluctant to bring in an outside party to conduct security audits. I am not sure if it is a case of not wanting to share dirty laundry with outsiders or a case of “ignorance is bliss”, but either way it is a mistake. Having a security expert come in on a regular basis to give you a “hacker’s eye view” is one of the best ways to see how your security plan really holds up. My recommendation is a full internal and external audit annually, with external-only audits quarterly if possible.

2. Control your endpoints – This used to be a whole lot easier. The advent of BYOD has made controlling your endpoints more like being the sheriff in the Wild West. It is probably futile to try to prohibit BYOD devices from accessing your network, data and applications. A more realistic goal is to at least have a mobile device management solution in place. The first step is to have policies defining what is acceptable in terms of endpoints, what configurations are required, what applications can be accessed and what security software must be installed on them. Regular security scanning, including vulnerability and configuration testing, should be mandatory across the board! Of course, traditional company owned devices are a lot easier to manage and control.

3. Segment sensitive systems and information – You need to treat your high value assets as high value. That means giving them an extra level of protection. This starts with segmenting them off from the rest of the network. Too many mid-size organizations run flat networks where, once you have access to the network, you can see and access everything on it. This is obviously a mistake. High value assets should be segregated from the rest of the network. Access to, and even visibility of, these segments should be on a “need to know” basis. This can be accomplished using VLANs, firewalls between segments with default-deny rules, and identity and access control.

4. Protect your network via basics (firewalls, anti-virus, intrusion prevention devices, etc.) – Too many of us are always lusting after and chasing the latest and greatest shiny new technology widgets. A perfect example is the current infatuation with threat detection technologies that detonate incoming files and attachments in a sandbox before letting them onto the network. While new technologies can be exciting and effective, they should not be instituted at the expense of the “meat and potatoes” of your security program. They may not be sexy, but firewalls, AV and IPS are still front line tools for the defense. A recent report by Wendy Nather of 451 Research, “The Real Cost of Security”, showed that most CISOs would still pick AV and firewall among their top choices in building out a security program. You should too!

5. Audit your web applications – Web application security is perhaps the hottest area of security today. An increasing percentage of attacks target web applications. SQL injection, cross-site scripting and drive-by downloads have all become all too common in the news. There are different aspects to securing web applications. It starts with secure code development; building security into the development process is a great way to start with a strong foundation. Just as a third-party audit of the network is a must, an audit of your web applications, covering not only the code but the deployment as well, should be performed before an app goes live and after every change to code or infrastructure. There are any number of firms that can perform this type of test for you.
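As an added example (not from the X-Force report or the original post), here is what an auditor is looking for in the SQL injection and cross-site scripting cases: the vulnerable form beside its hardened form, in Python against an in-memory SQLite table. The `users` table, the two accounts and the payloads are constructed for the demonstration; a real application stores password hashes rather than plaintext, but the shape of the query is the point here.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: two accounts in an in-memory table (plaintext for brevity only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' version an audit flags: user input is spliced into the SQL text."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The hardened version: bound parameters keep the input out of the SQL grammar."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def greeting_vulnerable(name):
    """Reflected XSS: the value lands in the page markup untouched."""
    return "<p>Hello, %s</p>" % name


def greeting_safe(name):
    """Output encoding turns markup characters into harmless entities."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def demo():
    """Run the classic payloads through both versions and return what each did."""
    conn = make_db()
    sqli = "' OR '1'='1"                 # turns the WHERE clause into a tautology
    xss = "<script>alert(1)</script>"
    return {
        # the query becomes ... AND password = '' OR '1'='1', so some account is returned
        "vulnerable_bypass": login_vulnerable(conn, "nobody", sqli),
        "safe_bypass": login_safe(conn, "nobody", sqli),   # None: the payload is just data
        "safe_legit": login_safe(conn, "bob", "hunter2"),
        "xss_vulnerable": greeting_vulnerable(xss),
        "xss_safe": greeting_safe(xss),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", repr(value))
```

The code-review half of the audit is mechanical: any query built with `%`, `+` or f-strings from request data is a finding, and any template that writes request data without encoding is a finding. The deployment half (the "implementation" the post mentions) is checked by sending the same payloads at the running application.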

6. Train end users about phishing and spearphishing – This sounds like a no brainer, but you would be surprised how many companies don’t take the time for security awareness training. It is even more important today when so many of the most sophisticated attacks actually start with a targeted spearphish aimed at a key person in your organization. Recognizing phishing attempts, and not clicking on links in email, social media or anywhere else unless you are sure who sent them and where they go, is a must if you hope to keep your organization out of the next headlines.

7. Search for bad passwords – This can be automated, and strong password requirements can be built into many applications today. Passwords still represent one of the weakest links in our security technology. At some point, hopefully, two-factor authentication, biometrics and other technologies may make passwords obsolete. But until then we are stuck with them. Passwords like 123456 and password are just not acceptable and should not be allowed. Password managers offer lots of choices so that users don’t have to remember strong passwords. Also, requirements to change passwords regularly should be instituted and enforced. (One caveat on that last point: later guidance such as NIST SP 800-63B recommends against forced periodic rotation unless there is evidence of compromise, and favors screening passwords against lists of known-bad and breached passwords instead.)
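An added example of automating the “search for bad passwords”, written for this page rather than taken from the report or the original post. It does the two things a practitioner actually runs: it audits existing accounts by comparing their stored hashes against a wordlist plus the cheap mutations users reach for (capitalize, append digits or punctuation), and it checks a proposed password against a policy at the point it is set. The user list, the wordlist and the use of unsalted SHA-256 are constructed assumptions for illustration; against a real directory you would use the hash the system stores (the precomputed-lookup trick works as-is for unsalted fast hashes such as NTLM and must be done per user for salted ones) and a far larger breach corpus.

```python
import hashlib
import re

# Constructed wordlist of weak base words. Real audits use large breach corpora.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome", "admin"]

# Suffixes users bolt on to satisfy a complexity rule without choosing a new secret.
SUFFIXES = ["", "1", "123", "!", "2013"]


def mutations(word):
    """Yield the base word and the cheap variants a cracking wordlist would include."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def sha256_hex(text):
    # Unsalted SHA-256 is an assumption for the demo, not a recommendation for storage.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_lookup(wordlist):
    """Map hash -> candidate password for every mutation of every word."""
    table = {}
    for word in wordlist:
        for candidate in mutations(word):
            table.setdefault(sha256_hex(candidate), candidate)
    return table


def audit_hashes(user_hashes, wordlist=COMMON_PASSWORDS):
    """Return {username: recovered_password} for accounts whose hash is in the lookup."""
    lookup = build_lookup(wordlist)
    return {user: lookup[h] for user, h in user_hashes.items() if h in lookup}


def normalized(password):
    """Lower-case and strip a trailing digit/punctuation suffix so 'Welcome1' -> 'welcome'."""
    return re.sub(r"[0-9!@#$%^&*]+$", "", password.lower())


def check_policy(username, password, denylist=COMMON_PASSWORDS, min_len=12):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    # check the raw value too, so an all-digit password like 123456 is not missed
    if password.lower() in denylist or normalized(password) in denylist:
        problems.append("based on a common password")
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


# Constructed directory dump: usernames mapped to the hash of their current password.
SAMPLE_DIRECTORY = {
    "alice": sha256_hex("Password123"),
    "bob": sha256_hex("correct horse battery staple"),
    "carol": sha256_hex("Welcome1"),
    "dave": sha256_hex("T9#kq!vZ2m$LwR"),
}

if __name__ == "__main__":
    for user, recovered in sorted(audit_hashes(SAMPLE_DIRECTORY).items()):
        print("%s: weak password recovered from wordlist (%s)" % (user, recovered))
    for user, candidate in [("erin", "erinRocks2013"), ("erin", "Qwerty!"),
                            ("erin", "correct horse battery staple")]:
        print(user, repr(candidate), check_policy(user, candidate) or "OK")
```

Run on a schedule, the audit half gives you the list of accounts to force through a reset; the policy half belongs in the password-change path so the same weak choices cannot come back.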

8. Integrate security into every project plan – Microsoft did this years ago with their Trustworthy Computing initiative and it forever changed Windows. Security is too important to be an afterthought bolted on after the fact. Everything you do or plan to do has to be seen through the prism of security. Failing to do so could wind up putting your organization at dire risk.

9. Examine the policies of business partners – We live in an interconnected world; no one exists in a vacuum. Our partners often have to have access to our data and systems in order to work with us. However, they can also represent a vector into our systems for hackers and criminals. You must institute a policy on what third parties have to demonstrate, and how, before they are given access to your network. This should also be regularly audited and re-examined.

10. Have a solid incident response plan – It is not a question of if, but when, something is going to happen. Do not let pride and ego get in the way of putting in place a plan for what to do when you have an incident. While you are at it, include a worst case scenario as part of your planning. Today’s threat and risk landscape means you should assume that you will have security incidents. How you respond to them as a mid-market company could mean the difference between survival or not for the organization. Well thought out incident response plans make all the difference in the world in the fluid, fast moving situations that follow discovery of a security incident.

There is a whole lot more in this great report from the IBM X-Force team. Go download it and read it at least twice!


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

Enhanced by Zemanta

April 22, 2013

Webinar: Who Moved the Cheese in Security

Tomorrow, April 23, 2013 at 2pm eastern time, my friend Dominique Karg of AlienVault and I are doing a webinar on “Who Moved the Cheese in Security”. It should be a lot of fun and I invite everyone to listen in and participate.

This grew out of a conversation Dominique and I had after RSA. It was amazing to us that some security executives actually believed that the Cloud, BYOD and such were passing fads. That soon we would return to traditional networks and traditional security. Talk about putting your head in the sand.

We will discuss not only that the technology has changed, but how. We will also discuss how attacks and attack vectors have changed. Finally, what should you do, and how is success defined?

It should be a great webinar. If you can make it, please do. If not, you will be able to listen to a recording of the webinar, but of course without live questions. You can register by going to: http://www.alienvault.com/resource-center/tech-talks/who-moved-the-cheese-in-security


April 15, 2013

What is the Real Cost of Security?

You were just hired as the Chief Information Security Officer (CISO) of a mid-market, one thousand employee company. On your first day on the job you are told that the company really hasn’t done anything about information security to this point, and that you need to submit your prioritized plan and budget by the end of the week. What do you do? This is exactly the scenario that Wendy Nather, Senior Research Director at 451 Research, put to literally dozens of CISOs. What they picked, what they think it may cost and the actual cost may really surprise you. Wendy’s new report, “The Real Cost of Security” (warning: this is not free unless you are a 451 client), details her findings and analysis.

I had a chance to sit down and chat with Wendy about the report and its findings for Network World. Below you can listen to our conversation where Wendy provides some detail and depth to the report.

Despite all of the buzz about new and more sophisticated attacks, it was surprising that for the top priorities the oft-maligned technologies of firewall and AV were most often picked. In fact, of the top 7 choices among CISOs, almost all are tried and true traditional products. I guess the old “no one ever gets fired for buying IBM” is still true today. According to the report, these are the top 7 recommended technologies:


Figure 1 courtesy of 451 Research

The difference between the purple and gold lines is those that would recommend the technology if all they had was enough for the bare minimum (purple) versus if they had a blank check (gold).

Beyond the top 7, the next tier of choices represent a little more diversity:


Figure 2 courtesy of 451 Research

What was interesting about these next 6 is the wider disparity between the gold and purple lines. This indicates that many CISOs considered these more of an optional choice, but not bare minimum.

I was surprised that App Security and App firewalls were not in the top tier of solutions, given that so many attacks today use Port 80 and Web Apps as their vector of choice.

Bringing up the rear in the survey were the following:


Figure 3 Courtesy of 451 Research

You can see here the very wide disparity between the minimum requirements and the blank check scenario. This plainly labels some of these technologies as “nice to haves” but not required. GRC, NAC and Risk Management and Analysis fall into this category by the widest margin. I was disappointed to see Training have such a wide disparity between minimum and blank check. I think that, dollar for dollar, security awareness training for your organization is some of the most effective security you can buy.

Beyond picking what technologies to buy, the cost of security as detailed in the report may surprise you. 451 Research looked not only at the cost of the technologies (it is not easy getting prices out of vendors) but also added in the cost of actually running these security solutions. When the total cost was figured, at a minimum an organization is looking at a budget of $250k. A more realistic budget for a 1000 person organization is probably somewhere between $500k and $800k. If you went all the way, you are closer to $1.2m for security! Another metric from the report is that most organizations have about one security admin for every 500 employees.

What about your organization? What technologies have you deployed and what are you planning to deploy? What is your budget? Do you match the 1 to 500 ratio? There is a ton of great info in this report if you buy it or are lucky enough to be a 451 Research customer.

My full conversation with Wendy is here:



This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.


April 11, 2013

BYOD Security Scanning

My friends Carl Banzhof and Billy Austin continue to make it happen at iScan Online. This is one of my most favorite companies to work with. They are always thinking of new ways to solve problems and fun ways to get the word out. They have been pretty busy too.

After releasing their Android App around RSA, they have been heads down developing the next versions of their apps. They also announced that David Raphael, who worked with Carl and Billy at Citadel and McAfee, has joined the team as Director of Engineering.

Additionally the company exhibited at the MSPWorld event in Orlando last month.  MSPWorld is run by the MSPAlliance which has over 20,000 members.  iScan Online won the prestigious MSPWorld Cup 2013 as the conference MVP.  The BYOD security scanning message was very near and dear to the attendees.

Now this past week the company released what I think is the coolest marketing video I have seen in a while.

I really like this one! You can get a free scan for your Windows, Mac or Android device right now too by heading over to iscanonline.com.

The company will be rolling out some more news soon so stay tuned. In the meantime the mobile and BYOD security market continues white hot.  Keep your eye on iScan Online.


April 04, 2013

European Security Blogger Meetup and Awards

I am happy to report that Brian Honan, with a big hand from Jack Daniel and our good friends at Tenable Network Security, is putting on the 2nd annual Security Bloggers Meetup during Infosec Europe.

The European Bloggers Meetup is of course based on the RSA Conference Bloggers Meet up that we hold every year.  From what I understand it was a nice get together last year thanks to Firemon for sponsoring it.  Now in this second year they are going to try and add European Security Blogger Awards to the mix as well.

I am both flattered and pleased to see the idea being franchised across the pond. I am waiting to hear all about it and hope to make it out to the event next year!

In the meantime head over to Brian’s blog for details and links to register for the event, nominate blogs and vote.


March 07, 2013

In Search of . . . the Elusive, Serious, Security Professional


I read with a smile Winn Schwartau’s rant in SC Magazine about his disappointment at the RSA show floor. While much of what Winn said is true, instead of blaming the people exhibiting on the show floor, maybe Winn and the rest of the attendees should take a good look in the mirror.

Blaming the exhibitors to me is the same as blaming the spammers for spam. There really is a very easy solution here. The same way that spammers would not be in business if people would not click on spam, exhibitors at trade shows like RSA would adopt different methods if they were not getting the results they want using current methods. The fact is that almost every exhibitor at RSA gets the leads they want. On top of this, as you saw, RSA had to open another exhibit hall this year. I also hear that perhaps as many as 50 other vendors inquired but were shut out of exhibit space.

As my brother used to say when I gained weight on a diet and claimed I wasn’t getting any food in the house, “someone is sneaking it in”. Whatever they are doing it is working, so why change it? Here is a fact for Winn and those who consider themselves security pros, who are beneath what is dished out on the floor at RSA. You are in the minority and perhaps not even the target of the exhibitors.

On the other hand, the attendees at the RSA Conference exhibits are quite a bunch. I can’t tell you how many people I see walking around with multiple bags full of tchotchkes and swag. I call them adult trick or treaters. Then there are the guys who take pictures with the booth babes to show their friends. There are the lottery players who get their badge scanned at every booth in the hopes of getting that free iPad. What about the people drawn to the motorcycles and the cars? What does that have to do with security? For far too many of the people walking that show floor, a sales guy collecting their lead info is all that is required. They don’t want to speak to an engineer.

On top of this, do you know how much arm twisting you would have to do to get a sales engineer or similar talent to spend the week on the show floor? There is a reason the people at these booths are who they are. They are good enough to do the job. As a security company executive, how many engineers should I tie up for the week for the 3 or 4 “real security pros” who might walk by?

Here is the bottom line: RSA is a good place to find out about new companies and technologies. But if you want a deeper dive, you should set up a time after the craziness of the show to do so.

Now don’t get me wrong. I have written for years about the fact that we don’t need booth babes. On top of that I understand that most of the booths are manned by marketing and junior sales people who don’t know enough about the technology. Too many of the marketing people try to cover up not having a good message about what they do and why we must have their product with fancy, glitzy marketing.

The fact is that the exhibits at RSA are not any different than the exhibits at Black Hat, Infosec or any number of large security conferences. The tracks at RSA are in my opinion superior, but that is neither here nor there. As an exhibit floor, RSA represents the industry only maybe bigger. Just because it is larger, why should we expect a higher level of technical prowess at the booth?

Speaking as an executive of a firm that exhibited at RSA for more than a few years, I can tell you that getting real live “security pros” like Winn to the booth is a pretty rare occurrence. The best we could hope for was to collect names and sift through them, separating the real leads from the fluff. We would take one sales engineer (usually the west coast guy) in case someone had a real question. Other than that, we made sure everyone could demo the product and knew the high points.

I am not sure what Winn wants, but I know that what the show floor represents at RSA is what the attendees respond to. It is the free market at work. If enough so called security pros stay away from the booth babes, refuse to be scanned and truly walk away from Joe the sales guy, the exhibitors will change their tactics. But until that happens the blame rests squarely in the mirror.


APT – It can happen to anyone, especially you

This past RSA was a memorable one for several reasons. First of all I was glad to see the security industry move off of compliance as its reason for being. Compliance had taken the industry hostage for too many years. It seems that we are now finally focusing back on security and preventing breaches rather than some least common denominator check box model. I think in the long run we will all be more secure for this.

Another thing I saw at RSA was the idea of security using virtualization. It is not just securing virtual environments, but it is using hardened virtual containers to run code and apps to make sure they are not malware and they can’t do any harm to our devices. These hardened virtual containers run on our devices or they can run in the cloud or anywhere in between. The important thing is they can’t (supposedly anyway) get to anything valuable on our networks. If this pans out, it could have a profound impact on the way we secure our data in every segment of the market.

Perhaps one of the biggest trends though was the realization that we are under attack by very sophisticated forces, perhaps even nation states who are using very sophisticated and highly organized techniques. The report by security company Mandiant on the alleged acts by a unit of the Chinese PLA codenamed APT1 was chilling.

The thing about APT attacks is that no matter whether you are a big company or small, government related or not, you are a target. Midmarket companies should not be lulled into a false sense of security that these attacks are not aimed at them. They are! If you have IP that could be valuable, you are a target. Manufacturing, media, technology and financial companies are all potential targets. Not to be an alarmist, but if you are not doing something about defending yourself against this type of breach, you are foolish.

The good news is that many of these attacks, while they use zero-day exploits and other unknown vulnerabilities, almost always start with a simple spearphishing attempt or something similar. Most of these attacks still succeed because the weakest link is still the person behind the keyboard. In this regard security awareness training is still a strong tool. If you can afford a 3rd party to come in and implement a security training program, you should do so. If not, there are plenty of web resources available that you can put together and make your own. So much of this is common sense about not clicking on links you aren’t sure about.

Of course there is no guarantee that even with all of the security awareness training in the world you will prevent an attack from being successful. That is why it is also important to have a plan in place for what to do when something happens. Don’t wait until something happens to figure out what you should do. Assume something is going to happen.

Planning for a breach is as important as trying to prevent a breach. Again this is as important for a midsize firm as it is for a large firm. In fact many security experts say that midsize firms are more of a target than some of the larger organizations. So again, not to be a scaremonger, but you should be planning this for your company right now. Again there are 3rd parties who can really help with this. IBM and their partners have lots of options. But there are plenty of resources available on the web that you can use to craft your own plan as well. Don’t let budget stand in the way of your preparedness.

I will write up some more news from RSA around BYOD, Big Data and the Cloud in my next report so stay tuned.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.


March 06, 2013

Webcast on User Activity Monitoring with Spectorsoft and SC Magazine


My friends at Spectorsoft, makers of Spector 360, have invited me to participate in a webinar next Wednesday, the 13th, at 2pm eastern time, 10am pacific time. The webinar is entitled “Getting More Out of DLP”. It will cover how using Spector 360 can enhance your DLP coverage and give you greater control over your confidential data.

The webinar is being conducted along with the great people over at SC Magazine. 

If you can’t make it live, a recording will be available, but without the chance to ask questions. You can register for the webinar here.

Hope to hear or see you next Wednesday!


March 02, 2013

Microsoft Trustworthy Computing Sponsors Security Bloggers Network

I am very pleased to report that once again the good folks over at Microsoft's Trustworthy Computing Group have agreed to sponsor the Security Bloggers Network.  The SBN has a long history of working with TWC and we are happy to work with them again.


Microsoft is holding their second annual Security Development Conference in San Francisco, May 14-15, 2013. The conference will feature Scott Charney, Corporate VP, Trustworthy Computing, Microsoft; Edna M. Conway, Chief Security Strategist, Global Supply Chain, Cisco Systems; and Brad Arkin, Senior Director of Security, Adobe Secure Software Engineering Team (ASSET).

Conference specialty tracks target three different types of professionals: Engineers, Project Management, and Leadership. Combining keynotes from thought leaders with specialized breakout sessions, this conference is a can’t-miss for security professionals at any level. You can register now and use this code to save $300 off the registration price: SBN@SDC#13!

I had a chance to chat with Tim Rains, director of TWC. We were going to talk about the conference, but Tim and I started talking about TWC, the world of security and what the challenges on the horizon are. By the time we were done, we never got to the conference, LOL!

Anyway, I think you will find the conversation very interesting. Enjoy and if you can go to the conference.


March 01, 2013

Security Blogger Award Winners 2013

Well, it was an epic Security Blogger Meetup and awards this year. In many ways it was the best one we have had. But nothing is perfect and we are already planning to be bigger, better and more inclusive next year. In the meantime I know many folks have been waiting to see who the winners of the Social Security Blogger Awards were. So without further ado, for the record here are the nominees and winners:

Best Corporate Security Blog

Other nominees:

McAfee Blog

CloudFlare Blog

SecureWorks Blog

Solutionary Minds Blog

Kaspersky Lab Securelist Blog

Veracode Blog

Trend Micro Blog

And the winner is:

Naked Security Blog

Best Security Podcast

Other nominees:

Liquidmatrix Security Digest

EuroTrashSecurity

SANS Internet Storm Center

Southern Fried Security

Risky Business

Sophos Security Chet Chat

And the winner is:

Paul Dotcom

The Most Educational Security Blog

Other nominees:

BH Consulting's Security Watch Blog

Security Uncorked Blog

Dr. Kees Leune's Blog

Securosis Blog

Social-Engineer.org Blog

Critical Watch Blog

The Security Skeptic Blog

The New School of Information Security Blog

And the winner is:

Krebs On Security

The Most Entertaining Security Blog

Other nominees:

Packet Pushers Blog

Securosis Blog

Errata Security Blog

Naked Security Blog

Uncommon Sense Security Blog

PSilvas Blog

And the winner is:

J4VV4D's Blog

The Blog That Best Represents The Security Industry

Other nominees:

SpiderLabs Anterior Blog

1 Raindrop Blog

Naked Security Blog

The Firewall (Forbes) Blog

Threat Level (Wired) Blog

Securosis Blog

Michael Peters Blog

And the winner is:

Krebs On Security Blog

The Single Best Blog Post or Podcast Of The Year

Other nominees:

The Epic Hacking of Mat Honan and Our Identity Challenge

Application Security Debt and Application Interest Rates

Why XSS is serious business (and why Tesco needs to pay attention)

Levelling up in the real world

Secure Business Growth, Corporate Responsibility with Ben Tomhave

And the winner is:

Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)

The Security Bloggers Hall Of Fame

The other nominees are:

Richard Bejtlich

Gunnar Peterson

Naked Security Blog

Wendy Nather

And the winner is:

Jack Daniel

Congratulations to all of the nominees and of course congrats to the winners. See you next year at the Security Bloggers Meetup. If you did not get an invite this year, be sure to write to info@securitybloggersnetwork.com requesting to add your blog and be on the list!

Special thanks to our sponsors: Qualys, Sourcefire, Akamai, Fortinet, Barracuda Networks and Jeanne Friedman and the RSA Conference!  Also a special shout out to Trainer Communications for helping with the voting as always!

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

