May 05, 2014

Better communication between security and executive team key to better security

A new survey from the Ponemon Institute about security metrics and the interaction between security teams and executives sheds light on the communication, or rather the lack thereof, between security teams and senior executives. After reviewing the results, it might help explain why security at many midmarket firms is not as good as it should be.

Without even getting into what metrics you should measure and what you should report, the survey shows some startling findings around how security admins and the executive team interact (or at least how they perceive each other to interact).

There would seem to be a disconnect about how strong the organization's security posture is as perceived by the security pros versus what they thought the executives thought. Security pros felt that 66% of executives thought their organizations were either very strong or well above average, while only about 39% of security pros themselves felt that their organizations were very strong or well above average.

Looking further into why executives don’t have a realistic view of the security posture of the organization, respondents cited several factors that all scored more than 50%.

Interestingly, over 70% of respondents think communication is at too low a level (I assume on the executive side). Does this mean high-level executives are not engaged? The next most popular choice, only communicating when there is an incident, is a classic issue, and not just in security. Two of the other popular answers, that information is too technical and that negative facts are filtered out, are ones I have heard many times.

Many security pros tell me they have to “dumb down” security metrics to allow executives to understand them. Others have said that any technical information just shuts executives down from paying attention. My issue is that there are some things that are important and can’t be dumbed down without losing their importance. We need to convey the real importance, and it may take a little deeper understanding. This is exactly why you need a security person in the executive room. However, even today most midsize organizations do not have a CISO or equivalent as part of their executive team.

Filtering out negative facts is another common problem. No one wants to be the bearer of bad news. Security has gotten a “sky is falling” reputation. After a while we move from Chicken Little to the “boy who cried wolf” and no one pays attention. This is certainly borne out in the survey answers.

Perhaps the most surprising responses were on when the executive team meets with the security team:

Over 50% of respondents said they meet with the senior executives only when a serious risk is revealed or that they don’t communicate at all. That is scary. Scarier still is that only 13% of organizations have regularly scheduled meetings.

The rest of the report is chock full of more great information and insights.

Until security teams can get their heads around which information is important and then tackle how to best show it to the executive team, we are destined to repeat many of the failures of the past. That is too bad. Let’s hope for all of our sakes that we begin to answer these questions soon.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

March 11, 2014

DevOps.com – Where the world meets DevOps

I am very proud to announce that DevOps.com launched today. My co-founder, Martin Logan, and I have been working on getting this new site and business up and running for many months now. DevOps.com's tagline is “where the world meets DevOps.”

This truly is our mission as well. DevOps.com will offer the most original content on DevOps in the world. We will have content for everyone. From the most technical issues to general business questions, we will be a big tent for DevOps.

We have assembled a dream team of writers and bloggers who have already written outstanding stories that will be published over the next weeks and months. We will soon have some great community features as well that will help the entire DevOps community. Writers are not the only dream team part of DevOps.com. In the coming days and weeks we will announce our all-star board of advisors, sponsors and other important members of the DevOps.com family.

But today there are two people I want to point out. One is Martin Logan, my co-founder. When I originally started thinking about doing a site on DevOps, I really wanted the DevOps.com domain. I reached out to Martin to see if he would consider a reasonable offer. A few hours later we were partners. Martin has a great DevOps resume and his behind-the-scenes work has made this day possible.

The second person I want to shout out to is my long-time friend, Rajat Bhargava. Raj and I have worked together since my Interliant days back in the dotcom boom. We did StillSecure together. With DevOps.com, Raj has rolled up his sleeves and helped me in any way he could. While he is busy with his own new startup, JumpCloud, he always had time to answer a question, think through an issue or make an introduction. I couldn’t do this without him.

I have been following the growing DevOps movement since I met Gene Kim 3+ years ago. This past fall I attended my first DevOps conference and saw firsthand how DevOps was changing the way IT worked. I read The Phoenix Project and it all came together for me.

I recognized that I had a mission with DevOps.com to bring DevOps across the chasm from early adopters and visionaries to the mainstream.

I am grateful for the support of so many of my friends who have helped and supported this effort. The site you see today is just the beginning. In true DevOps fashion we will continue to iterate and make the site better. Give us time.

In the meantime, please check out the site. Sign up for our newsletter. Follow us on Twitter @devopsdotcom or on Facebook, LinkedIn or Google+.

February 20, 2014

The votes are cast, the invites are out, get ready for RSA

Well, the last vote has been tallied for the Security Blogger Awards. We had more votes this year than ever. And the winners are . . . Sorry, you will have to wait until they are announced at the Security Bloggers Meetup at RSA.

You can be there live, in person, to hear the winners announced and enjoy one of the best parties of RSA, but only if you already received your invite and RSVP’d. The last day to request an invite was yesterday. So if you haven’t by now, see you next year. If you did request an invite, you only have until Friday to RSVP and then the list is closed. So don’t wait.

Of course, whether you are going to the Bloggers Meetup or not, if you are an SBN member you can still stop by the SBN lounge at RSA in Moscone South during the show. I will be there most days and am looking forward to seeing many of you there too.

We will post the winners, as we always do, after the award and meetup. So if you can’t make it to RSA this year, you will still know who won.

This should be our biggest, best bloggers meetup yet. Looking forward to seeing friends old and new. Also thanks to our sponsors!

February 04, 2014

Security Bloggers Network Lounge at RSA

Yesterday we sent out an email to those SBN members for whom we have contact info. The email announced that our friends at RSA Conference have set up a special Security Bloggers Network Lounge for our members this year! All SBN members are welcome regardless of what type of badge you have (yes, even expo only).

At the lounge you will have plenty of seating, power and access, and we will try to bring in some refreshments. Whether you are taking a break between sessions, are tired of walking the show floor or just need a break from the hustle and bustle, come take a load off at the SBN Lounge.

The lounge will be located near the entrance to South Hall on the central "bridge" off of South Lobby, behind the Information Desk. The lounge will be open:

* Monday: 9am - 8pm

* Tuesday: 7am - 6pm

* Wednesday: 8am - 6pm

* Thursday: 8am - 6pm

* Friday: 8am - 3pm

Many thanks to Jeanne Friedman and our friends at RSA Conference for making this available to us. If you have not received your email and you blog for an SBN member security blog, or would like to join the SBN, please write to info@securitybloggersnetwork.com for information.

See you at RSA!

January 28, 2014

Anyone Using POS Is At Risk

Most of you reading this have heard about the holiday-time breaches at national retailers. Since then we have heard that as many as six other leading retailers may also have suffered breaches during the same period under similar circumstances. Word on the street is that these breaches are much more widespread and just about any POS may be at risk. The culprit is something they are calling BlackPOS.

So if you think POS breaches are something that just large retailers need to worry about, think again. It seems like this BlackPOS is some new Trojan/remote-control malware that is infecting POS systems, giving criminals the ability to steal your customers’ data every time you swipe their credit card. Even worse, it seems that this malware can give the bad guys the ability to also gain access to the databases where your customer information is kept.

From reports I have read and heard from my friends in the security industry, it seems the malware behind these attacks was available for sale to the cyber-crime industry at large, and cheaply too. It was a land grab, with everyone trying to get it on as many POS systems as they could. If you think your business would not be a target, you are dead wrong. I am not trying to scare you here. But if you use a POS system, you should make sure that you test it for malware. Especially if your POS is Windows based.

As a result of this breach I fully expect the industry to move full speed ahead with the chip and PIN standard that is scheduled to go into effect in the US next year and is already standard in Europe. While many of these initiatives are often delayed, with this kind of pressure I don’t think the credit card companies have a choice.

Historically, fraud has accounted for about five cents out of every 100 dollars spent via credit card. That was, realistically speaking, not worth the greater effort required to move to a new system. But now I think the genie is out of the bottle.

Of course there is no guarantee that chip and PIN is a panacea. There will be new vectors and methods developed to circumvent those systems as well. But in the meantime you should be planning to move to equipment that supports the new standard. You should also be planning on what it means for your business. If you partner with IBM or others, they have the expertise to make your upgrade smooth and quick with minimal disruption. If not, put the time and effort in now to plan your migration.

Also, now may be a good time to review your breach plans. You should have in place a plan to follow on what to do if you are the victim of a breach. Don’t make it up as you go along in the heat of the moment. Take the time now to plan out what you need to do if indeed you are breached. How you react to the breach could be the difference between being in business after a breach versus not surviving.

Anyone and everyone could be the victim of a breach. No one is immune or under the radar. The way to succeed after a breach is to plan what you are going to do when, not if, you are breached. In the meantime, check your POS to make sure you are not already a victim.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

January 26, 2014

2014 Social Security Blogger Award Voting Is Now Open

OK, we’ve made the list, checked it twice and it is time to vote! After much back and forth, a lot of thought by our judges and a lot of work by Joe Franscella and the Trainer Communications team, we are ready for you to vote.

Voting will be open only until February 14, 2014, so please don’t wait. Only one vote per person, and we are checking IPs, addresses, etc. Any attempted ballot box stuffing will result in DQ! Winners will be announced at the Security Bloggers Meetup at RSA.

Before I give you the link to vote, let me also thank our judges for this year's Blogger Awards:

1. Kelly Jackson-Higgins of Dark Reading

2. Wendy Nather of 451 Research

3. Illena Armstrong of Haymarket Media and SC Magazine

In addition to our judges' nominations, some blogs self-nominated. Good luck to all of the nominees!

Here is the link to vote: https://www.surveymonkey.com/s/SBNawards2014

BTW, here is the list of nominees. There are links to the blogs on the voting page.

Security Bloggers Network Social Security Awards 2014

Best Corporate Security Blog

Juniper’s Security & Mobility Now: http://forums.juniper.net/t5/Security-Mobility-Now/bg-p/networkingnow

Norse Blog: http://norse-corp.com/blog-index.html

RedSeal Networks: http://blog.redsealnetworks.com/

Solutionary Minds: http://www.solutionary.com/resource-center/blog/

VioPoint: http://www.viopoint.com/blog/

WhiteHat Security: https://blog.whitehatsec.com

TripWire: The State of Security: http://www.tripwire.com/state-of-security/

Veracode Blog: http://www.veracode.com/blog/

Mandiant M-unition: https://www.mandiant.com/blog/

Fortinet Blog: http://blog.fortinet.com/

F-Secure Blog: http://www.f-secure.com/weblog/

Trend Micro Security Intelligence Blog: http://blog.trendmicro.com/trendlabs-security-intelligence/

Kaspersky Lab Securelist: http://www.securelist.com/en/blog

Akamai Blog: https://blogs.akamai.com/security/

Bit9: https://blog.bit9.com/

IOActive: http://blog.ioactive.com/

Best Security Podcast

SANS Daily Internet Storm Center Stormcast: https://isc.sans.edu/podcast.html

Podcasts from the MiSec, OWASP Detroit, and BSides Detroit communities: http://podcast.michsec.org/

Security Slice: http://www.tripwire.com/state-of-security/topics/security-slice-podcast/

Threat Post: https://www.threatpost.com

Security Ledger: https://securityledger.com/category/podcasts/

The Risk Science Podcast: http://riskscience.net/

SecurityWeekly: http://pauldotcom.com/

Securosis, Firestarter: https://securosis.com/blog/firestarter-the-nsa-and-rsa

The Most Educational Security Blog

RedSeal Networks: http://blog.redsealnetworks.com/

Terebrate: http://terebrate.blogspot.com/

EFF’s Deep Links: https://www.eff.org/deeplinks

Security Bistro: http://www.securitybistro.com/

Graham Cluley: http://grahamcluley.com/

Krebs on security: http://krebsonsecurity.com/

Identropy Blog: http://blog.identropy.com/

Dell SecureWorks Security and Compliance Blog: http://www.secureworks.com/resources/blog/

Securosis: https://securosis.com/blog

Solutionary Minds Blog: http://www.solutionary.com/resource-center/blog/

Rapid7 SecurityStreet: https://community.rapid7.com/content#filterID=all~objecttype~objecttype[blogpost]

The Most Entertaining Security Blog

Krypt3ia: http://krypt3ia.wordpress.com/

Kevin Townsend: Security centric issues, news, rants – and other things: http://kevtownsend.wordpress.com/

Matt Blaze’s Exhaustive Search: http://www.crypto.com/blog

The New School of Information Security Blog: http://newschoolsecurity.com/

Uncommon Sense Security: http://blog.uncommonsensesecurity.com/

Errata Security Blog: http://blog.erratasec.com/

Securosis Blog: https://securosis.com/blog

Tripwire’s State of Security: http://www.tripwire.com/state-of-security/

The Blog That Best Represents The Security Industry

RedSeal Networks: http://blog.redsealnetworks.com/

Securosis: https://securosis.com/blog

Schneier on Security: https://www.schneier.com/

Naked Security: http://nakedsecurity.sophos.com/

SANS Internet Storm Center Diary: https://isc.sans.edu/diary.html

Liquidmatrix Security Digest: http://www.liquidmatrix.org/blog/

Emergent Chaos: http://emergentchaos.com/

Infosecisland: http://infosecisland.com/

The Single Best Blog Post or Podcast Of The Year

Making Security Work: The pragmatic guide to network security management: https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=720707&sessionid=1&key=12AADDB88B4B10EFA1829537392F1722&sourcepage=register

Book Review: “We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency (2012)” by Parmy Olson: http://terebrate.blogspot.com/2013/05/book-review-we-are-anonymous-inside.html

Krebs on Security: Adobe To Announce Source Code, Customer Data Breach: http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/

Schneier On Security: Why It's Important to Publish the NSA Programs: https://www.schneier.com/blog/archives/2013/10/why_its_importa.html

CERIAS: On Competitions and Competence: https://www.cerias.purdue.edu/site/blog/post/on_competitions_and_competence/

Security Uncorked: CISSPs: Call to Action for (ISC)2 Elections (Nov 16-30): http://securityuncorked.com/2013/11/cissp-call-to-action-isc2-elections/

Police-Led Intelligence, Informing Intelligence-Led Policing: http://policeledintelligence.com/2013/07/11/banning-feds-from-defcon-is-self-defeating-heres-why/

IOActive: "Broken Hearts": How plausible was the Homeland pacemaker hack?: http://blog.ioactive.com/2013/02/broken-hearts-how-plausible-was.html

The Security Bloggers Hall Of Fame

The hackers post: www.thehackerspost.com

J4VV4D: http://www.j4vv4d.com/

Dan Kaminsky (Or: The Blog Formerly Known As DoxPara Research): http://dankaminsky.com/category/security/

Martin McKeay Network Security Blog: http://www.mckeay.net/author/martin/

Andy Greenberg, Forbes: http://www.forbes.com/sites/andygreenberg/

Lori MacVittie, F5 DevCentral: https://devcentral.f5.com/users/38/my-contributions/typeid/9

Emergent Chaos: http://emergentchaos.com/

Tracy Kitten: The Fraud Blog: http://www.bankinfosecurity.com/blogs/fraud-blog-b-18

Eric Chabrow: The Public Eye: http://www.govinfosecurity.com/blogs/public-eye-b-13

Best New Security Blog

Gunter Ollmann, Dark Reading, Attacks and Breaches: http://www.darkreading.com/attacks-breaches

Jitender's Perspective: http://jitenderarora.co.uk/blog/

OMENS Blog: http://musectech.com/OMENSPortal/omens-blog.aspx

Cyb3r Assassins: https://cyb3rassassin.wordpress.com/

Security Management HQ: http://www.securitymanagementhq.com/

Exploring Possibility Space: http://exploringpossibilityspace.blogspot.com/

USA TODAY, CyberTruth: http://www.usatoday.com/blog/cybertruth/

January 23, 2014

RSA Security Bloggers Meet up and Security Blogger Awards Update

We are about a month out from this year's RSA Conference and related events. For those of you who write about security in blogs or media, we are still accepting invite requests for this year's Security Bloggers Meetup, which will be our biggest and best yet. If you have not gotten an invite and think you should, please go to: https://docs.google.com/forms/d/1ibXn64AzlOWF7LX5wsv4qMTTNvmkYX7xQu8Gqnei6iU/viewform to request one.

A reminder that though we have increased capacity this year, the meetup is still only open to bloggers and those who podcast or write about security. If you are invited, it doesn’t mean you can bring your marketing team, friends and anyone else. One of the things that has made the Bloggers Meetup as popular as it has become is the fact that it is by the bloggers, for the bloggers. So please don’t make Rich Mogull the bad guy ;-) If you are a blogger or podcaster, come hang out with your peers. Eat, drink and be merry.

I know many of you are asking when voting for the Blogger Awards starts. Well, first of all, sorry that it has taken this long to get the nominees up. We should have voting open in the next day or two. Stay tuned for info on this very soon. Voting will be open for two weeks and you will need to have a valid email address to be eligible.

See you all at RSA!

December 17, 2013

2014 Security Blogger Meetup Details

Wow, 2014! Let that roll off of your tongue a few times. Well, time and security blogging march on. This year the planning committee for the RSA Conference Security Bloggers Meetup has been hard at work to make this the biggest and best Bloggers Meetup and Blogging Awards event ever.

We have doubled the capacity of our venue, so we will not have to turn down anyone who wants to come join us and is eligible to do so. We have also made sure we have great entertainment, great food and drink. But the real secret to the Bloggers Meetup is the people. For those of you who have attended in the past, you know this is the case. So this year there will be more people at the meetup than ever.

Invites to this year's bash will be sent out after New Year's. If you are on our mailing list already, you should get an invite. If you are not and would like to be, you need to be writing/blogging about security. If you do, you can contact Jennifer Leggio at mediaphyter@gmail.com after New Year's.

Of course, all of this increased capacity and good stuff doesn't come cheap. None of this would be possible without the generous support of our sponsors. Most of our sponsors have been with us for many years, almost back to the first bloggers meetup.

Please join us in thanking and supporting our 2014 Security Bloggers Meetup and Blogger Award sponsors:

Platinum Sponsors

Kaspersky

Sourcefire, (Now Part of Cisco)

Gold Sponsors

Akamai

Fortinet

Tripwire

Silver Sponsors

Barracuda

Qualys

RSA Conference

I know some of you have inquired about additional sponsorships for the event, but sponsorships are all sold out for this year. We can put you on a list for next year if you like, but no guarantees; or, if you like, you can sponsor the Security Bloggers Network. You can write to info@securitybloggersnetwork.com if you are interested.

What about the Security Blogging and Podcasting Awards? You bet we will announce them at the meetup. We are also very happy to announce our judges for this year's awards. Please join us in thanking:

Kelly Jackson Higgins of Dark Reading

Wendy Nather of 451 Group

Illena Armstrong of SC Magazine

and special guest judge

Chris "Beaker" Hoff

We will announce where to vote for the winners after the first of the year. Again this year Trainer Communications will be helping with tabulating the voting. Thanks to Trainer.

So the time is growing near. Merry Christmas and Happy New Year to you all, and in just a few weeks see you in San Francisco!

November 20, 2013

Mitchell Ashley returns to Podcasting

My friend Mitchell Ashley reached out to me a few weeks ago and said “we had a great time when we used to do podcasts, we should do them again.” Well, he didn’t have to twist my arm. Mitchell and I sat down to record a quick 20-minute show. We caught up with what he has been up to over the last few years. We also discussed the recent AWS re:Invent conference out in Las Vegas and how big public cloud and the Cloud in general has become.

We discussed DevOps, security automation and a bunch of other trends that Mitchell and I are seeing in the market. It was great having Mitchell back to podcast with again. We have already planned next week's show, which will feature a special guest as we discuss APT.

We mentioned a couple of links and articles in the podcast. Here are the links to these:

Mitchell’s blog post on the CIO role: http://goo.gl/fzH5K The CIO Role - From Tech Manager to IT Services Broker

AWS reference architectures:

* Cloud bursting: https://devcentral.f5.com/articles/aws-reinvent-2013-cloud-bursting-reference-architecture-feat-pearce

* Cloud migration: https://devcentral.f5.com/articles/aws-reinvent-2013-cloud-migration-reference-architecture-feat-pearce#.UoZvkGRgZIA

Welcome back to Mitchell. Hope you enjoy, and stay tuned for our next show.

November 18, 2013

You know what time it is? Security Bloggers Meetup and Security Blogger Awards!

I know it is hard to believe, but it has been that long. It seems like just last week RSA Conference in San Francisco was ending and we said we need to start planning next year's Security Bloggers Meetup and Security Blogger Awards. But no, it has been more than just a week or two. We are just 2 to 3 months away from RSA Conference 2014!

Luckily the organizing committee of the Security Bloggers Meetup and Blogger Awards has been hard at work. This year's event is going to be our biggest and best yet. We have substantially increased our budget, which will allow us to have more room, food, drink and fun. We will also be able to accommodate more of you. We will be making more information available in the next few weeks.

Before I forget, I want to thank my fellow committee members for all of their hard work. Jennifer Leggio continues to be the workhorse of our group even though she is now an executive at Cisco ;-). Our Securosis friends have doubled down on their commitment to the event, as we now officially have both Rich Mogull and Mike Rothman helping out, and of course Jeanne Friedman of RSA Conference itself remains our rock. With Martin McKeay moving to London, he has not been as involved with this year's planning. Together, this group has lots of good times in store for our attendees, so stay tuned.

I have received more than a few notes about this year's Security Bloggers and Podcast Awards. Of course we will be holding them at the meetup once again. We are going to have the same categories as last year:

Best Corporate Security Blog

Best Security Podcast

The Most Educational Security Blog

The Most Entertaining Security Blog

The Blog That Best Represents The Security Industry

The Single Best Blog Post or Podcast Of The Year

The Security Bloggers Hall Of Fame

This year we will again have a blue-ribbon panel of judges, but like last year we will accept nominations from the public. The highest number of votes wins. Nominations are open now, so if you would like to be considered, write to info@securitybloggersnetwork.com with your blog or podcast name, what category you want to be considered for and contact information. Voting will be held after the first of the year. So get your nominations in now!

Stay tuned for more information on this year's extravaganza soon. If you are not on the mailing list, please email info@securitybloggersnetwork.com to be added.

Hope to see you all at this year's Security Bloggers Meetup.

October 01, 2013

PCI 3.0 Spells More Risk Management for Midsize Business

The PCI DSS standards have been around for more than a few years now and, right or wrong, they have found their way into the day-to-day business functions of most businesses that accept credit cards or those that service merchants who do. Many in the security industry have lamented that PCI has wrought a culture of “checkbox” security, where merchants and others in the PCI ecosystem seek a lowest-common-denominator level of security. For years the PCI Council has been seeking to raise the minimum levels of earlier PCI data security standards by introducing more of a risk management approach to PCI.

The latest draft of the PCI DSS, version 3.0, is due out shortly. Due to the elongated implementation cycles adopted a while back, this newest version won’t be in effect until January of 2014 and won’t be fully in effect until June of 2014.

While smaller merchants may not see many changes in the day-to-day management of PCI, midsize organizations should see PCI merge with their existing security and risk management processes and policies. For instance, the requirement for penetration testing should not be a new exercise for most midsize companies.

Overall the trend behind PCI 3.0 is more towards a holistic risk management approach. Understanding vulnerabilities, prioritizing them in light of the business and remediation were all introduced in PCI 2.0 and expanded upon in 3.0.

Moving away from point-in-time requirements towards a continuous process of compliance and risk management is, to me, perhaps the biggest theme in this new version. Recognizing that you can’t just say that you were PCI compliant one day and not the next because a breach occurred is a step in the right direction.

Of course, if you are new to PCI or up to this point have only been doing the minimum to meet the requirements, PCI 3.0 may represent a wake-up call to you and your organization. Frankly, though, if this is what it takes to make your organization take security and risk management seriously, it is not a bad thing.

Another thing that I see with the new DSS is that it would seem that for Level 1 merchants, and even larger Level 2 merchants, it will require more hands-on PCI expertise from consultants or PCI experts. Could be a case of job security built in.

The PCI Council has put out a PDF noting some of the key changes in the new requirements. You can access it at: https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf. In the meantime, January and June 2014 will be here before you know it. You should start brushing up on the new requirements for PCI 3.0 to make sure your organization does not start out behind the eight ball on this.

One other piece of good news is that with the new cycles, there won’t be another revision to the PCI DSS for a couple of years after this. Long enough to get your head wrapped around this one. Good Luck!

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

September 16, 2013

What does the US Department of Interior moving to the cloud mean for midsize business?

The recent announcement that the US Department of Interior (DOI) is undertaking a 10-year migration to the cloud through IBM made headlines because of its potential one billion dollar ($1B) value. One can read that number and immediately assume that it is a big deal for a large government agency without much appeal to the midsize market. But if you know anything about the DOI, you would realize that this move has significant impact on the midmarket as well.

While the DOI collectively rivals the size of many large enterprises, it is actually composed of over a dozen agencies and bureaus. Among them are:

* Bureau of Indian Affairs

* Bureau of Land Management

* Bureau of Ocean Energy Management

* Bureau of Reclamation

* Bureau of Safety and Environmental Enforcement

* National Park Service

* Office of Surface Mining, Reclamation and Enforcement

* U.S. Fish and Wildlife Service

* U.S. Geological Survey

While some of these are large organizations unto themselves, others are smaller and more closely resemble a midsize organization. The fact that they are “putting all of their eggs” in the cloud is a powerful statement indeed.

The fact that IBM is providing the cloud infrastructure as an integral part of this program is perhaps one reason the DOI has decided to shift so much of its IT infrastructure to the cloud. But while IBM's assets may be an enabler, the bigger picture is that the time for the cloud has come. Companies' concerns over security and visibility into cloud deployments have been answered in many respects.

Up until now it was actually the enterprise that was leading the way in adopting the cloud. Almost counter-intuitively, they were quicker to move development and some non-critical IT infrastructure to the cloud. They have the in-house security resources to supplement what they need in order to trust the cloud. On the other end of the spectrum, small companies do not have the resources to supplement the cloud, but could not pass up the cost savings that the cloud offers. So they moved to the cloud quickly as well. This left the midmarket organization in a reverse Goldilocks situation: not enough resources to make the cloud secure enough for them, but too much to lose by using the cloud in an insecure manner.

Now companies like IBM are leading the way with offerings that allow midmarket companies to adopt the cloud securely. With security built into the offering, as in IBM SmartCloud, midmarket organizations have off-the-shelf solutions available.

To be clear, the DOI is not making this move just to ride a wave of popularity. By moving to the cloud they are not only getting a secure environment to work in, they are also saving a lot of very precious budget dollars. In today's cost-conscious environment, the savings of the cloud probably make it imperative that you take a fresh look at moving more of your own IT infrastructure to the cloud as well. The fact that you may get even better security capability than you have with your on-premises infrastructure is the icing on the cake.

So if it is good enough for the DOI and other parts of our security-conscious government, isn't it time you took a fresh look at the cloud? You may find that it is more than secure enough for your midmarket needs, while adding dollars to your bottom line.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

August 28, 2013

Would You Like To Be An Accelerator Mentor?

I was trying to think of the most efficient way of doing this.  With so many Facebook, Linkedin, Twitter and other connections, how do I reach out to them to let them know what I am working on and see if they can help? Then I remembered, I blog ;-)  So no matter how this is reaching you, please have a look.

I have been consumed over these last few months working with some friends here in South Florida on launching a Techstars/Global Accelerator Network modeled startup accelerator.  We are already far down the road on this. Fundraising, location and local community involvement are all moving along really well.  It has been a lot of fun getting the startup juices flowing again in bringing this new venture to reality.  I forgot how exhilarating it is to start something new.

The key to this model as you may know though is that it is a “mentor driven” model.  We have signed up lots of local entrepreneurs and business folks from here in South Florida, but we need more. While mentors based in Florida are ideal, they don’t have to be based here. More important is your ability and inclination to help new companies reach success. There are lots of fringe benefits to mentoring. If you are not familiar with it, let me know.

Mentors should “have been there and done that” in terms of starting businesses. They are willing to roll up their sleeves to help these new companies get started. Giving advice, making your own networks available and pitching in with your experience and expertise.  It is not a full time gig, but you might have to give 8 or 9 hours a week to companies you mentor.

If you would like to be involved with this exciting new adventure I am embarking on, reach out to me. I am hesitant to put too much out here before we are ready to launch, but by the time I do that it may be too late for some of you to get involved.

I always pride myself on having a great network of friends and associates.  I would like to see many of you involved in this great new business with me. Let me know if you are interested.

July 24, 2013

Pay No Attention To The Men In The Green Room

I just got done reading a blog post by Seth Levine at Foundry Group. I have known Seth for quite a number of years from my days in Boulder and StillSecure.  Seth wrote about an email encounter with an entrepreneur looking for funding whom Seth rejected. The guy was obviously a little upset about the rejection and wrote Seth a nasty-gram, which Seth responded to.  Knowing Seth, I can tell it got under his skin a bit. Frankly, who can blame him? You or I might have responded the same way.

But I can also understand where the antagonist (is that the right word here?) is coming from. He is frustrated, he has been turned down in his request and most of all he has not taken the time or effort to truly understand why.  To him he has come to Emerald City for an audience with the Wizard.  The Wizard has told him he will not grant his wish.  He doesn’t know that the man behind the black curtain is pulling the levers.  He sees only the illusion or reflection. He doesn’t get why the Wizard turned him down.

I remember back in my days working for a public Internet company during the dotcom bubble. The executive team used to meet in this ornate green conference room.  They would meet in there for hours at a time.  Coming out of these meetings it seemed like the company was always off on a new course, with a new strategy, and it meant big changes in my role and livelihood.  I didn't understand the reasons for these changes most of the time. They seemed pretty arbitrary to me.  I had no insight into why they made these decisions. Because I had no insight into these decisions, I imagined the worst.

One day I was promoted to become part of the executive team.  Now I was in the Green Room myself.  All of a sudden I was making those decisions.  There were people outside the room wondering what the hell was I thinking in making these decisions. It gave me a totally different perspective on the people in the green room. 

They are people just like you and me. The decisions they make are usually for rational reasons. If they say they are going to read something, they generally are. You may not understand why they decided something, but that doesn’t mean you should assume evil connotations.

My advice to the guy who wrote to Seth is “before you go off on something, understand what it is to be in the Green Room”

June 05, 2013

What Does IBM Acquiring SoftLayer Mean for Mid-Market Security?

In case you haven't heard yet, IBM has bought hosting and cloud provider SoftLayer for two billion dollars ($2b). That is a lot of money by anyone's measuring stick. Much has been written about how this gives IBM a real cloud offering for its customers and partners.

Of course IBM already operated data centers (10 of them actually, compared to SoftLayer's 13), but SoftLayer is a major brand and player in the hosting marketplace and an up-and-comer in cloud hosting. While not an Amazon or Rackspace in terms of public cloud, they have built a sizeable private cloud hosting practice over the last few years. They use both of the open source cloud stacks, Apache CloudStack and OpenStack, the latter of which IBM has backed. But what about security?

Perhaps unbeknownst to many, SoftLayer had built a great security offering into their cloud and hosting solutions. I have had the chance to interview SoftLayer CTO Duke Skarda several times. I have learned that security has been built into the DNA of the SoftLayer cloud and infrastructure. While they also offered security as a service offerings from several third parties, there was substantial security technology in the SoftLayer plumbing itself.

As a result IBM customers and partners can rest assured that using the SoftLayer platform will afford them the ability to utilize a secure, scalable and battle-tested platform. On top of this it should not be long until we see IBM’s own security services integrated into the SoftLayer solutions.

In the short run this means that IBM customers and partners will see benefits from the deal pretty quickly. Longer term, I think IBM has set a mark for the market to follow. Service providers like IBM and others offered cloud solutions, but many of these were deployed on third party hosting platforms. Now that IBM has made the move, others will follow, and these service providers will offer cloud services on their own platforms.

We will probably see some me too moves here with large IBM competitors buying other hosting and cloud providers. Conversely it may be that large cloud and hosting providers seek to acquire service businesses that they can leverage as a result of their hosting business.

Specifically on security, though, few hosting providers match SoftLayer's quality. If security is important to you (and to whom is it not?), you will be hard pressed to find a better offering than SoftLayer's. Now with IBM behind it, it represents a great choice for midmarket companies.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.


May 31, 2013

Ashimmy’s Top Ten Tips to Successfully Existing in a Co-Working Space

As I wrote about in my Network World column last week, I have invested in a co-working space here in Boca Raton called Caffeine Spaces. Having spent a few weeks now spending a considerable amount of time in the co-working space I thought I would put together a top 10 list of tips to successfully work in such an environment. Some are do’s, some are don’ts, but following these will certainly make you more productive, popular with your fellow co-working space tenants and maybe even happier all around.

Of course basic office protocols should be followed as well. Below is a vintage video of proper office etiquette. Though the technology has changed a little bit, as well as office fashions, many of the rules still apply. Many of these apply to all office situations, but co-working spaces make them more important.

Here are my Top Ten co-working space rules:

1. Bring headphones – headphones are a must for numerous reasons. First of all with everyone talking in the common area and networking going on if you have any real work to do you need to shut out the noise. Even if you don’t have any music playing through the headphones, it will take you out of the public discourse and allow you to focus on your work.

2. If someone has headphones on, leave them alone – by the same token if you see someone wearing headphones think of it as a “do not disturb” sign. If they wanted to join in the conversation they would take their headphones off. They have them on for a reason. Yes there might be an emergency, but otherwise leave the dude alone.

3. Conference rooms are for conferences – they are not storage rooms, a resting stop for your equipment or your private office. Most conference space is at a premium in co-working spaces. Don’t be a conference room hog and use them for conferences.

4. White boards can be read and should be erased – Just about every time I have used a conference room over the last few weeks I have walked in to find a white board filled with information. Sometimes it is confidential or proprietary information, sometimes not. Sometimes it is just doodles, frankly. The issue is, when I walk in the room and need to use the whiteboard, what should I do? I have seen people take smartphone pics of whiteboards to capture what they have on them. That is great. But when you leave the conference room, erase the board. If you don't have the courtesy to do that, assume the next person will, and that they will read whatever you left first.

5. Speaker phones and public areas don’t work – I actually haven’t seen many people use speaker phones in the public areas, but they speak loud enough and have the volumes on their phones turned up where they might as well be. If you get a call and you are going to speak loud, get up, walk to a private area and have at it. Don’t keep the volume on your phone turned to the max.

6. Soda and snacks cost money – Unless it is figured into the rent you pay, all of the food and drink is not free. Someone is going out and stocking that fridge with cold drinks. If you are going to consume, you should replenish. Also make sure snacks and drinks aren’t noxious.

7. Today's hello could be tomorrow's partner or customer – The number of people you meet in a co-working space can be extraordinary and overwhelming. Co-working is a social environment. While you can pick a corner and wait for people to come to you, if you are not open to meeting people you are losing out on a big part of the co-working experience. I am not saying you need to give out "hello my name is . . ." tags or accost people as they enter. A smile and hello as people approach or make eye contact is, I find, more than enough to put people at ease and kick things off.

8. Don’t be a stalker– There is a thin line between outgoing and becoming a stalker. Don’t be a stalker. If people don’t seem like they are looking for your input, help or interaction, don’t force yourself on them. Be cognizant of body language and non-verbal clues. Know when to step out and away. Be mindful that not everyone is here to interact with you all of the time.

9. Pay it forward – Something I have heard many talk about in the startup community. It may even sound corny, but it is true. I am finding that if you don’t wait for people to do for you, but go out and do for them, without immediate expectation of payback either, it comes back in spades.

10. Business cards still count – They may be old fashioned, but you still need to give people a way to contact you. They may scan them into Google Goggles or any number of places, but we have not come to the point where the card is obsolete. Of course this raises the question of what to do with all of these business cards. After just a few weeks I noticed I have over 75 different business cards on my night table. What a waste of paper! Maybe the thing to do is return the card after you scan it? There is probably a good solution and a business in there somewhere. But for now be sure to bring business cards!

There you have it, culled from just a few weeks working in a co-working space. Did I miss any big ones? What has your experience been?

May 06, 2013

BYOD Security Scanning

My friends at iScan Online, Billy Austin and Carl Banzhof have just released their latest whitepaper on BYOD Security Scanning.  This is an area of vulnerability scanning and compliance management that is not really being covered by any particular company today. 

Where mobile device management and anti-malware for mobile devices meet, there is a gap. This gap is filled by iScan Online. They can do on demand full vulnerability scans on mobile devices, configurations scans for misconfigurations and data discovery scans for credit card numbers, social security numbers and other personal or confidential data.
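The data discovery part of such a scan is worth seeing concretely. As an added example (not iScan Online's code or anything from the original post; the sample lines are constructed), here is a card-number finder that pairs a digit-pattern regex with the Luhn check digit, which is what separates a real primary account number from the phone numbers, order IDs and timestamps a bare regex would flag:

```python
"""Card-number discovery with a Luhn check, as an added example.

Not code from iScan Online or the original post; the sample text below is
constructed. A bare 13-19 digit regex flags phone numbers, order IDs and
timestamps; validating the Luhn check digit removes most of that noise.
"""
import re

# 13 to 19 digits, each optionally followed by a space or hyphen, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit-only form of every Luhn-valid card number in text."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines) -> list:
    """Scan text lines and report (line_number, masked_pan) pairs, so the
    report itself does not become another copy of the cardholder data."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for pan in find_card_numbers(line):
            findings.append((number, mask_pan(pan)))
    return findings


# Constructed sample: the kind of notes file found on an employee laptop.
SAMPLE_LINES = [
    "Customer call 2013-04-30, ref 4111 1111 1111 1111 exp 09/15",
    "Call back on 555-123-4567 after 3pm",
    "Order 1234567890123456 shipped",            # 16 digits, fails Luhn
    "Amex on file: 3782-822463-10005",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {masked}")
```

Findings are reported masked (first six and last four digits) so the scan output does not itself need to be protected as cardholder data. Social security number discovery works the same way with a different pattern, except that SSNs carry no check digit, so expect a much higher false-positive rate and a manual review step.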

This paper highlights the 5 reasons why BYOD security scanning is a must have and what a good BYOD security scanning solution must do.

You can view the paper below or head over to iScan Online to download it.


May 03, 2013

Special Offer for Security Bloggers Network Members: The Plateau Effect: Getting from Stuck to Success

An exclusive offer for the Security Bloggers Network - Hugh Thompson invites you to celebrate the release of the book The Plateau Effect by NYT bestselling author Bob Sullivan and RSA Conference Program Chair Dr. Hugh Thompson.

You can get a free signed bookplate from the authors to insert into your book if you: 

1. Tell your readers about the book’s publication using the hashtag #PlateauEffect on your social media before May 4th

2. Send a link to your tweet or screenshot of your blog or Facebook post to PlateauContest@gmail.com

3. For the first 50 we receive (sorry, U.S. only), we'll mail you the book plate!

The book will be available on May 2nd at bookstores and through Amazon.

Hugh Thompson is a friend of the SBN, so if you can give it a shout out and help a friend out!


May 01, 2013

Great Customer Service Cannot Overcome Mediocre Products


This is a great question for a business school class, but there are also real life situations where this is more than a mental exercise. The very survival of a business and the livelihood of all its employees can hang in the balance.

My case in point for this blog post is Shutterfly.  I have been a Shutterfly member/customer since it first started around the time my younger son was born. Over the years I have stored literally thousands of pictures and videos on Shutterfly, ordered prints and recently created share sites for all of the sports teams I coach. 

Shutterfly has some great things you can do and buy with your digital pictures. I never bought a lot of products, but they looked very nice. 

The situation changed a couple of months ago when I decided to order some photo products with photos from my oldest son's Bar Mitzvah.  I ordered some larger prints, leather bound photo books, acrylic prints, etc.  I think the prices Shutterfly charges are fair and didn't have a problem with them.

Unfortunately about half of the products I have ordered have had to be refunded or returned.  Each and every time the folks at Shutterfly have been great. In fact on one of them they said my photo book was being delayed, but they were sending me a free cheaper photo book to make up for it. That one came with a mistake and they sent me another free one.  After a few weeks they finally sent me the original book I ordered and when it came, it was literally falling apart. 

Again the customer service folks were very nice. They gladly refunded the price and told me to keep the book. But frankly, after spending tens of hours working on the book, I was disappointed that it was all for nothing.

I really want to keep using Shutterfly. I want to be a customer and buy products so they stay in business. I like the company and think their customer service is tops. But how long and how many times can you put up with sub-quality products before enough is enough?  What do you think?  Customer service can make up for some product issues, but when does it tip over to the point of no return?

I am interested to hear your thoughts on this.


April 30, 2013

What and How to tell your customers about a Data Breach

If your midmarket enterprise is like most, sooner or later you will be the victim of a data breach. Data breaches are never fun, but how and what you tell your customers can be the difference between minimizing the impact to your company's bottom line and a full-fledged disaster.

Informing your customers about everything you know and taking reasonable precautions will always work better than sugar coating and trying to minimize the potential damage. Trying to minimize the situation to your customers so as to not panic them could wind up costing you customers in the long run.

As a case in point I want to contrast two recent data breach cases. One is the case of local deals vendor LivingSocial and the other is the video rental service Vudu.

I recently received the following email from Living Social:

IMPORTANT INFORMATION

LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically 'hashed' and 'salted' passwords. We never store passwords in plain text.

Two things you should know:

1.     The database that stores customer credit card information was not affected or accessed.

2.     If you connect to LivingSocial using Facebook Connect, your Facebook credentials were not compromised.

You do not need to take any action at this time, but we wanted to be sure you were fully informed of what happened.

The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website - and require you to login - before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a website that asks for such information.

If you have additional questions about this process, the "Create New Password" button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.

We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.

Sincerely,
Tim O'Shaughnessy, CEO

Now, I understand that LivingSocial wants to minimize the potential damage here. To me, though, they have made two crucial errors. The first is that they are giving their customers the impression that because their passwords were encrypted (actually salted and hashed), there is little likelihood they are usable. This is not necessarily true. A salt only defeats precomputed lookup tables; it does nothing to stop an attacker who hashes a list of common passwords with each user's salt and compares the results, and with a fast hash function commodity hardware tests billions of candidates per second. Weak passwords fall quickly regardless of the salt, and there have been several well-documented cases of exactly this.

Based upon their opinion that there is a low likelihood of these passwords being compromised, they tell their customers that they do not have to do anything at this time, but that if they want to change their passwords they can. Knowing that these passwords could be cracked, why not make everyone change them? Forcing a password reset is a trivial thing to do and it ensures the integrity of your customers' accounts. In a similar situation you should strongly lobby for mandatory password resets.

Secondly again LivingSocial is telling their customers that they don’t have to do anything. But clearly customer names, email addresses and dates of birth were stolen. It doesn’t take much for a criminal to take that, match it up with public record information and quickly gather enough information to start using a false identity for nefarious purposes.

While some states mandate complimentary credit watch services for customers in these kinds of cases, at least suggesting to be on the lookout for fraudulent credit transactions and suggesting a credit watch service seems called for here.

Again in the interest of keeping customers calm and downplaying this breach, customers could be potentially at greater risk. The breach happened already, breaches happen. Good security practice and customer service should require you to place the bar high in terms of protecting and warning your customers.
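To see what "hashed and salted" does and does not buy you, here is an added example (it is not code from the original post, LivingSocial or VUDU; the user records, salts and wordlist are constructed): a dictionary check run against a leaked table of salted hashes, once with a single SHA-256 round and once with PBKDF2. The same routine, pointed at your own credential store, is the automated search for bad passwords that any password policy should include.

```python
"""Dictionary check against salted password hashes.

Added example, not code from the original post or from LivingSocial or VUDU.
The user records, salts and wordlist below are constructed for illustration.
"""
import hashlib
import hmac
import os
import time
from functools import partial

# Constructed wordlist: the sort of entries at the top of any real cracking list.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "welcome1", "Summer2013", "abc123",
]


def fast_hash(password: str, salt: bytes) -> bytes:
    """One round of salted SHA-256: what 'hashed and salted' frequently means.

    The salt defeats precomputed tables, but a single SHA-256 is so cheap that
    an attacker can still test billions of candidates per second on GPUs.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(username: str, password: str, hasher) -> dict:
    """Build one stored credential row with a random per-user salt."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hasher(password, salt)}


def dictionary_attack(records, wordlist, hasher) -> dict:
    """Recompute each wordlist entry with the stolen salt and compare.

    This is what an attacker does with a leaked table, and it is exactly the
    computation a defender runs to audit accounts for banned passwords.
    Returns {username: recovered_password} for every account that fell.
    """
    recovered = {}
    for rec in records:
        for candidate in wordlist:
            if hmac.compare_digest(hasher(candidate, rec["salt"]), rec["hash"]):
                recovered[rec["user"]] = candidate
                break
    return recovered


def guesses_per_second(hasher, seconds: float = 0.2) -> float:
    """Rough single-core guess rate, to compare the cost per guess of hashers."""
    salt = b"\x00" * 16
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hasher("guess", salt)
        count += 1
    return count / seconds


if __name__ == "__main__":
    # Constructed breach dump: two weak passwords, one strong one.
    leaked = [
        make_record("alice", "password", fast_hash),
        make_record("bob", "Summer2013", fast_hash),
        make_record("carol", "d7!Q9vz-Lmo#Xr4p", fast_hash),
    ]
    print("salted SHA-256, cracked:", dictionary_attack(leaked, COMMON_PASSWORDS, fast_hash))

    # The same weak passwords behind PBKDF2 still fall, just more slowly,
    # which is why a forced reset is the right response either way.
    pbkdf2 = partial(slow_hash, iterations=10_000)
    leaked_slow = [make_record("alice", "password", pbkdf2)]
    print("PBKDF2, cracked:", dictionary_attack(leaked_slow, COMMON_PASSWORDS, pbkdf2))

    print(f"salted SHA-256: ~{guesses_per_second(fast_hash):,.0f} guesses/s on one core")
    print(f"PBKDF2 10k rounds: ~{guesses_per_second(pbkdf2):,.0f} guesses/s on one core")
```

Two things to take from it: the salt does not save "password" or "Summer2013" under either hasher, and a slow hash only changes how long the attacker needs, not whether weak accounts fall. That is the case for a mandatory reset after a hash leak, and for running the same dictionary check against your own store before an attacker does.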

As I mentioned earlier, Vudu also recently had a breach. Here is the email I received regarding that one:

Dear alan,
We want to let you know that there was a break-in at the VUDU offices on March 24, 2013, and a number of items were stolen, including hard drives.
Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth and the last four digits of some credit card numbers. It's important to note that the drives did NOT contain full credit card numbers, as we do not store that information. Additionally, please note if you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives.
While the stolen hard drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can't rule out that possibility given the circumstances of this theft. So we think it's best to be proactive and ask that you be proactive as well.
SECURITY PRECAUTIONS:
If you had a password set on the VUDU site, we have taken the precaution of expiring and resetting that password. To create a new password, go to
www.vudu.com. Click the "Sign In" button at the top of the page. Enter your current username and current password when prompted, then follow the instructions to reset your password securely. Also, if you use your expired VUDU password on any other sites, we strongly recommend that you change it on those sites as well.
As always, remember that VUDU will never ask you for personal or account information in an e-mail. Please use caution if you receive any emails or phone calls from anyone asking for personal information or directing you to a web site where you are asked to provide personal information.
As an added precaution, we are arranging to have AllClear ID protect your identity for one year at no cost to you. We have
FAQs on our web site (vudu.com/passwordreset) to answer questions on the incident and to more fully describe how to use the AllClear ID service. We have reported this incident to law enforcement and are cooperating fully with their investigation. We want you to know that we take this matter very seriously, and we apologize for any inconvenience this may have caused you.
Thank you,
Prasanna Ganesan
Chief Technology Officer, VUDU

Can you see the difference? VUDU also states that the passwords were encrypted and that cracking them would be difficult, but they do not rule it out, and they have expired everyone's password, forcing you to pick a new one. They are also making arrangements for ID protection for one year.

This makes me feel that VUDU is serious about protecting me and is not sugar coating or minimizing the consequences of the data breach. To me this is text book on how to communicate a breach to your customers.

In both cases I don’t blame VUDU or LivingSocial for being victims of data theft. It can and does literally happen to everyone. Also both companies are successful businesses. But as a midsize enterprise how you communicate a breach to your customers can communicate an awful lot.

If your company is the victim of a breach, follow best practices to inform and most importantly protect your customers.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.


April 26, 2013

If IBM X-Force were running the IT department

IBM's X-Force research team recently released their "2012 Trend and Risk Report". The report is a great look back at last year and is full of metrics and analysis on the kinds of threats and risks seen across different verticals in information security. It also has some excellent advice on how to institute and operate a successful information security and risk management program. If you are interested in security (and who isn't?) you should definitely download it and give it a read.

One section I wanted to highlight and expand on is the "If IBM X-Force were running the IT department" section. Here is the X-Force's top 10 list to make you more secure. This is especially relevant for mid-market companies who may not have the budget or resources to do everything they might like around risk and threats. If you could check each of these ten off you would have the foundation of a solid strategy.

1. Perform regular third party external and internal security audits – Many organizations are reluctant to bring in an outside party to conduct security audits. I am not sure if it is a case of not wanting to share dirty laundry with outsiders or a case of "ignorance is bliss", but either way it is a mistake. Having a security expert come in on a regular basis to give you a "hacker's eye view" is one of the best ways to see how your security plan really holds up. My recommendation is a full internal and external audit annually, with external-only audits quarterly if possible.

2. Control your endpoints – This used to be a whole lot easier. The advent of BYOD has made control of your endpoints more like being the sheriff in the Wild West. Of course it is probably futile to try and prohibit BYOD devices from accessing your network, data and applications. A more realistic goal may be to at least have a mobile device management solution in place. The first step is to have policies defining what is acceptable in terms of endpoints, what configurations are required, what applications can be accessed and what security should be installed on them. Regular security scanning, including vulnerability and configuration testing should be mandatory across the board! Of course traditional company owned devices are a lot easier to manage and control.

3. Segment sensitive systems and information – You need to treat your high value assets as high value. That means giving them an extra level of protection. This starts with segmenting them off from the rest of the network. Too many mid-size organizations run flat networks where, once you have access to the network, you can see and access everything on it. This is obviously a mistake. High value assets should be segregated from the rest of the network, and access and even visibility to those segments should be on a "need to know" basis. This can be accomplished using VLANs, firewalls between the segments and identity and access control.

4. Protect your network via basics (firewalls, anti-virus, intrusion prevention devices, etc.) – Too many of us are always lusting after and chasing the latest and greatest shiny new technology widgets. A perfect example of this is the latest infatuation with threat detection technologies that detonate incoming files and attachments in sandboxes before allowing them into the network. While new technologies can be exciting and effective, they should not be instituted at the expense of the "meat and potatoes" of your security program. They may not be sexy, but firewalls, AV and IPS are still front line tools for the defense. A recent report by 451 Research about the "Real Cost of Security" by Wendy Nather showed that most CISOs would still pick AV and firewall among their top choices in building out a security program. You should too!

5. Audit your web applications – Web application security is perhaps the hottest area of security today. An increasing percentage of attacks target web applications. SQL injection, cross-site scripting and drive-by downloads have all become all too common in the news. There are different aspects to securing web applications. It starts with secure code development. Building security into the development process is a great way to start with a strong foundation. Just as having a 3rd party audit is a must, an audit of your web applications, covering not only the code but the deployed implementation as well, should be performed before an app is deployed and after every change to code or infrastructure. There are any number of firms that can perform this type of test for you.

6. Train end users about phishing and spearphishing – This sounds like a no brainer, but you would be surprised how many companies don’t take the time for security awareness training. It is even more important today when so many of the most sophisticated attacks actually start with a targeted spearphish aimed at a key person in your organization. Recognizing phishing attempts and not clicking on links in email, social media or anywhere else unless you are sure of who sent it and where it goes is a must if you hope to keep your organization out of the next headlines.

7. Search for bad passwords – This can be automated and strong password requirements can be built into many applications today. Passwords still represent one of the weakest links in our security technology. At some point hopefully 2-factor authentication, biometrics and other technologies may make passwords obsolete. But until then we are stuck with them. Passwords like 123456 and password are just not acceptable and should not be allowed. Password managers offer lots of choices so that users don’t have to remember strong passwords. Also requirements to change passwords regularly should be instituted and enforced.
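One way to automate that search, as an added example that is not code from the post or from the IBM X-Force report: a small Python checker that flags blocklisted passwords (including leetspeak and trailing-digit variants of them), digits-only and too-short passwords, and passwords containing the username. The blocklist, the 12-character minimum and the sample accounts are constructed for the demonstration.

```python
from __future__ import annotations
import re

# Constructed blocklist for the demo; "123456" and "password" are the two the post names.
# A real audit would load a large breached-password list instead.
WEAK_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "admin"}

# Common leetspeak substitutions users apply to a weak base word ("p@ssw0rd").
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumed policy value, not taken from the post


def normalize(password: str) -> str:
    """Strip trailing digits/punctuation, lower-case and undo leetspeak so that
    'P@ssw0rd2013!' collapses to 'password' for the blocklist comparison."""
    stripped = re.sub(r"[\d\W_]+$", "", password.lower())
    return stripped.translate(LEET)


def weak_password_reasons(password: str, username: str = "") -> list[str]:
    """Return every policy violation found; an empty list means the password passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        reasons.append("digits only")
    if password.lower() in WEAK_PASSWORDS:
        reasons.append("blocklisted password")
    elif normalize(password) in WEAK_PASSWORDS:
        reasons.append("variant of a blocklisted password")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    return reasons


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each failing username to its violations; passing accounts are omitted."""
    return {user: r for user, pw in accounts.items() if (r := weak_password_reasons(pw, user))}


if __name__ == "__main__":
    # Constructed sample accounts (plaintext only for the demonstration).
    sample = {"alice": "123456", "bob": "P@ssw0rd2013!", "carol": "Tr0ub4dor&3-horse-staple"}
    for user, reasons in audit(sample).items():
        print(f"{user}: {', '.join(reasons)}")
```

In production the same check belongs at password-set time, where the plaintext is briefly available, rather than over a stored password file.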

8. Integrate security into every project plan – Microsoft did this years ago with their Trustworthy Computing initiative and it forever changed Windows. Security is too important to be an afterthought bolted on after the fact. Everything you do or plan to do has to be seen through the prism of security. Failing to do so could wind up putting your organization at dire risk.

9. Examine the policies of business partners – We live in an interconnected world; no one exists in a vacuum. Our partners often have to have access to our data and systems in order to work with us. However, they can also represent a vector into our systems for hackers and criminals. You must institute a policy on what 3rd parties have to demonstrate before they are given access to your network. This should also be regularly audited and re-examined.

10. Have a solid incident response plan – It is not a question of if, but when something is going to happen. Do not let your pride and ego get in the way of putting in place a plan for what to do when you have an incident. While you are at it, you should have a worst case scenario as part of your planning. Today’s threat and risk landscape means you should assume that you will have security incidents. How you respond to these incidents as a mid-market company could mean the difference between the survival or the demise of the organization. Well thought out incident response plans make all of the difference in the world in the fluid, fast moving situations that follow discovery of a security incident.

There is a whole lot more in this great report from the IBM X-Force team. Go download it and read it at least twice!

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions

April 22, 2013

Webinar: Who Moved the Cheese in Security

Tomorrow, April 23, 2013 at 2pm eastern time my friend Dominique Karg of Alien Vault and I are doing a webinar on “Who Moved the Cheese in Security”. It should be a lot of fun and I invite everyone to listen in and participate.

This grew out of a conversation Dominique and I had after RSA. It was amazing to us that some security executives actually believed that the Cloud, BYOD and such were passing fads. That soon we would return to traditional networks and traditional security. Talk about putting your head in the sand.

We will discuss not only that the technology has changed, but how. We will also discuss how attacks and attack vectors have changed. Finally, what should you do and how is success defined?

It should be a great webinar. If you can make it, please do. If not, you will be able to listen to a recording of the webinar, but of course with no live questions. You can register down below or by going to: http://www.alienvault.com/resource-center/tech-talks/who-moved-the-cheese-in-security

April 15, 2013

What is the Real Cost of Security?

You were just hired as the Chief Information Security Officer (CISO) of a mid-market, one-thousand-employee company. Your first day on the job you are told that the company really hasn’t done anything about information security to this point. You need to submit your prioritized plan and budget by the end of the week! What do you do? This is exactly the scenario that Wendy Nather, Senior Research Director of 451 Research, put to literally dozens of CISOs. What they picked, what they think it may cost and the actual cost may really surprise you. Wendy’s new report, “The Real Cost of Security” (warning: this is not free unless you are a 451 client), details her findings and analysis.

I had a chance to sit down and chat with Wendy about the report and its findings for Network World. Below you can listen to our conversation where Wendy provides some detail and depth to the report.

Despite all of the buzz about new and more sophisticated attacks, it was surprising that for the top priorities the oft-maligned technologies of firewall and AV were most often picked. In fact, of the top 7 choices among CISOs, almost all of them are tried and true traditional products. I guess the old “no one ever gets fired for buying IBM” is still true today. According to the report, these are the top 7 recommended technologies:

Figure 1 (chart of the top 7 recommended technologies) courtesy of 451 Research

The difference between the purple and gold lines is between those who would recommend the technology if all they had was enough budget for the bare minimum (purple) and those who would if they had a blank check (gold).

Beyond the top 7, the next tier of choices represent a little more diversity:

Figure 2 (chart of the next tier of choices) courtesy of 451 Research

What was interesting about these next 6 is the wider disparity between the gold and purple lines. This indicates that many CISOs considered these more of an optional choice, not a bare minimum.

I was surprised that App Security and App firewalls were not in the top tier of solutions, given that so many attacks today use Port 80 and Web Apps as their vector of choice.

Bringing up the rear in the survey were the following:

Figure 3 (chart of the lowest-ranked technologies) courtesy of 451 Research

You can see here the very wide disparity between the minimum-requirements and blank-check scenarios for some technologies. This plainly labels some of these technologies as “nice to haves” but not required. GRC, NAC and Risk Management and Analysis seem to fall into this category by the widest margin. I was disappointed to see Training have such a wide disparity between minimum and blank check. I think dollar for dollar, security awareness training for your organization is some of the most effective security you can buy.

Beyond picking what technologies to buy, the cost of security as detailed in the report may surprise you. 451 Research looked at not only the cost of the technologies (it is not easy getting prices out of vendors), but also added in the cost of actually running these security solutions. When the total cost was figured in, at a minimum an organization is looking at a budget of $250k. A more realistic budget for a 1000 person organization is probably somewhere between $500k and $800k. If you went all the way, you are closer to $1.2m for security! Another metric from the report is that most organizations have about one security admin for every 500 employees.

What about your organization? What technologies have you deployed and what are you planning to deploy? What is your budget? Do you match the 1 to 500 ratio? There is a ton of great info in this report if you buy it or are lucky enough to be a 451 Research customer.

My full conversation with Wendy is here:

 

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

April 11, 2013

BYOD Security Scanning

My friends Carl Banzhof and Billy Austin continue to make it happen at iScan Online. This is one of my most favorite companies to work with. They are always thinking of new ways to solve problems and fun ways to get the word out. They have been pretty busy too.

After releasing their Android App around RSA, they have been heads down developing the next versions of their apps. They also announced that David Raphael, who has worked with Carl and Billy at Citadel and McAfee, has joined the team as Director of Engineering.

Additionally, the company exhibited at the MSPWorld event in Orlando last month. MSPWorld is run by the MSPAlliance, which has over 20,000 members. iScan Online won the prestigious MSPWorld Cup 2013 as the conference MVP. The BYOD security scanning message was very near and dear to the attendees.

Now this past week the company released what I think is the coolest marketing video I have seen in a while.

I really like this one! You can get a free scan for your Windows, Mac or Android device right now too by heading over to iscanonline.com

The company will be rolling out some more news soon, so stay tuned. In the meantime the mobile and BYOD security market continues to be white hot. Keep your eye on iScan Online.

April 04, 2013

European Security Blogger Meetup and Awards

I am happy to report that Brian Honan, with a big hand from Jack Daniel and our good friends at Tenable Network Security, is putting on the 2nd annual Security Bloggers Meetup during Infosec Europe.

The European Bloggers Meetup is of course based on the RSA Conference Bloggers Meetup that we hold every year. From what I understand it was a nice get together last year, thanks to Firemon for sponsoring it. Now in this second year they are going to try and add European Security Blogger Awards to the mix as well.

I am both flattered and pleased to see the idea being franchised across the pond. I am waiting to hear all about it and hope to make it out to the event next year!

In the meantime head over to Brian’s blog for details and links to register for the event, nominate blogs and vote.

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.