January 28, 2016

2016 Social Security Blogger Award Voting is Open Now!

OK everyone, the Social Security Blogger Award Voting is now open! You can vote for the winners at: https://www.surveymonkey.com/r/TMRP8Z5

A couple of things about voting this year:

  1. Anyone can vote in the awards. However, a valid email is required and it will be verified. Only one vote per IP.
  2. Any nominee caught trying to "game the system" will be disqualified. Please try to play by the rules and may the best blog win!
  3. A huge thanks to our judges for nominating the finalists: Ericka Chickowski, George Hulme, Dan Raywood, Kelly Jackson-Higgins and Rich Mogull.
  4. We hope to see you all at RSA this year, where the winners will be announced at the Security Bloggers Meetup.
  5. If you are going to RSA, be sure to register for the Rugged DevOps event on Monday at the Moscone Center. It is free to anyone with any type of RSA ticket (even just expo pass holders). You can register for the event on the RSA Conference website.

The nominees this year are:

Most Entertaining Security Blog: 

Security Ledger https://securityledger.com/about-security-ledger/

Graham Cluley https://www.grahamcluley.com/

J4vv4d http://www.j4vv4d.com/

Liquid Matrix http://www.liquidmatrix.org/

Uncommon Sense Security http://blog.uncommonsensesecurity.com

Erratasec http://blog.erratasec.com/

Emergent Chaos http://www.emergentchaos.com/

Most Educational Security Blog:

Errata Security/Rob Graham

Trend Micro Security Intelligence blog http://blog.trendmicro.com/trendlabs-security-intelligence

Graham Cluley https://www.grahamcluley.com/

Cryptography Engineering http://blog.cryptographyengineering.com/

Troy Hunt http://troyhunt.com/

Journey into IR http://journeyintoir.blogspot.com/

Best New Security Blog or Podcast:

Infospectives http://Infospectives.co.uk

Techdragons http://techdragons.wales/blog/

TechNet JE Payne http://blogs.technet.com/b/jepayne/

Digital Shadows Blog https://www.digitalshadows.com/blog-and-research/

Best Security Podcast:

SANS StormCast https://isc.sans.edu/podcast.html

Wh1t3rabbit http://podcast.wh1t3rabbit.net/

Risky Business http://risky.biz/netcasts/risky-business

The Southern Fried Security Podcast http://www.southernfriedsecurity.com/

The Irari Report http://www.irarireport.com/

The Standard Deviant http://www.thestandarddeviant.com/

Best Blog Post of the Year:

Hackers Remotely Kill a Jeep on the Highway—With Me in It, Andy Greenberg, WIRED, http://www.wired.com/2015/07/hackersremotely-kill-jeep-highway/

Troy Hunt - It’s 2016 already, how are websites still screwing up these user experiences? (http://www.troyhunt.com/2016/01/its-2016-already-how-are-websites-still.html)

Sony attributed to http://sony.attributed.to/

Troy Hunt - Here's what Ashley Madison members have http://www.troyhunt.com/2015/08/heres-what-ashley-madison-members-have.html

Chris Nickerson How to ruin your life by getting everything you ever wanted http://www.irongeek.com/i.php?page=videos/derbycon5/teach-me14-started-from-the-bottom-now-im-here-how-to-ruin-your-lifeby-getting-everything-you-ever-wanted-chris-nickerson

Troy Hunt, When children are breached inside http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html

Best Corporate Security Blog:

Symantec http://www.symantec.com/connect/symantec-blogs/sr

Kaspersky Lab Securelist https://securelist.com/

Malwarebytes Blog https://blog.malwarebytes.org/

Naked Security https://nakedsecurity.sophos.com/

Veracode Blog https://www.veracode.com/blog

On the Wire https://www.onthewire.io/

Vectranetworks http://blog.vectranetworks.com/blog

Tripwire Blog http://www.tripwire.com/state-of-security/

Congrats and good luck to all of the nominees!


May 06, 2015

Security Bloggers Meetup and Awards at InfoSecurity Europe

Happy to tell you all about this year's Security Bloggers Meetup and Blogger Awards at the Infosecurity Europe Conference. The event will take place on Wednesday, June 3 at the Olympia in London. More details are available at the Eventbrite page.


While this is the venue for the entire conference, the Bloggers Meetup and Awards are open only to bloggers, podcasters, analysts and journalists in the information security industry. Please don't try to game the system; we check each registration to verify.

This is the third annual Bloggers Meetup and Awards in Europe. For the past two years Jack Daniels and Brian Honan have taken on the job of organizing. This year, working with the Information Security team, the SBN is organizing and expanding the program. The idea is to bring it more in line with what we do at the RSA Conference each year.

We will have more room for more bloggers this year, and hopefully great food and lots of drink, as well as a good time for all.

The awards for Europe will again be handled this year by Brian Honan. Nominations are now open at: https://www.surveymonkey.com/s/eubloggerawards2015.

We are still seeking a few more sponsors to cover the costs for the event. Sponsorships are 2000 pounds. Please contact me at ashimmy@devops.com for details. As at the RSA event, sponsors will be mentioned in all communications with the blogging community and will receive signage at the event, the ability to send one message via email, 4 tickets to the event itself and other promos.

If you are attending Infosecurity Europe you don't want to miss this!


February 08, 2015

SBN Security Blogger Awards at RSA Conference

Security peeps, I am happy to announce that once again this year we will be conducting the Security Bloggers Network Security Blogger Awards, to be presented at the Security Bloggers Meet-up at RSA Conference. Most of you know we have been holding our bloggers meet-up and awards for years now, and it is one of the most popular events of RSA Week. This year promises to be no different. More news on the meet-up will be forthcoming, but for now here is the deal with the blogger awards.

We are going back to basics on the awards this year. We have appointed a blue ribbon panel of your peers who will be nominating the finalists in all categories. Once the judges have made their selections, voting will be open to bloggers (around February 20th). Voting will be open for one month. Winners will be announced at the bloggers meet-up.

The judges this year are:

1. Rich Mogull, CEO, Securosis

2. Illena Armstrong, VP editorial, SC Magazine

3. Kelly Jackson Higgins, Executive editor, Dark Reading

4. George V. Hulme, award winning writer and journalist

5. Ericka Chickowski, award winning security journalist

Some of the judges are “crowdsourcing” their nominations and looking for input from knowledgeable security folks. They will announce if they are looking for input.

The categories for this year's awards are:

Best Corporate Security Blog

Best Security Podcast

The Most Educational Security Blog

The Most Entertaining Security Blog

The Single Best Blog Post or Podcast Of The Year

Best New Security Blog

Finalists will be announced around February 20th, so stay tuned.

Good luck to all of you bloggers out there and hope to see you all in San Fran at the Bloggers meetup at RSA Conference!


December 18, 2014

Don’t Kowtow to Cyber Terrorists

When we let the terrorists win, we all lose.

This whole affair around Sony's "The Interview" has just made me more angry and dismayed. Besides Sony once again being hacked too easily, it seems, I am disgusted that we are going to acquiesce to cyber blackmail and allow a small group of thugs to censor our freedom of speech and expression. Have we become so easily in-timid-ated that we are going to allow this? I wouldn't. I would like to buy my ticket, get in line and go see "The Interview" today just to show that threats and intimidation will not make us give up our beliefs and rights.

First, on the hack of Sony, I say shame on Sony. Yes, anyone can get hacked, but the fact is that in Sony's case it is getting old already. Their security policies, processes and management have proven time and time again to be lacking. I had some firsthand knowledge of Sony's security some years back and it was frankly pretty bad then, and it looks like it hasn't improved much since, despite being the victim (and I use that term loosely) of several high profile breaches in the past.

The next thing that I disagree with is the categorization of the alleged North Korean attackers as cyberwarriors, as a unit of 1800 or so, some new version of the "yellow horde," along with the claims about the sophistication of this attack and their ability to bring a 9/11 type of event down on every movie theater here in the US. Nuts to all of that!

First off a unit of 1800 or so is not exactly an army. A large bank will have as many cyber security people on the payroll. Let’s not even imagine what some US agencies or DoD units have. Both in number and sophistication of technology, we are not talking major leagues here.

The same could be said of their ability to launch an attack here in our country. The North Koreans have historically been big talkers, making outrageous claims about their abilities and aims. It used to be that we were confident enough to laugh at their threats as the ranting of a madman, if not some petulant child upset at not getting their way.

They have threatened to launch nuclear strikes against us; they released a video last year with NYC in flames. They constantly threaten Armageddon every time we have a joint military exercise with South Korea. These guys make Saddam Hussein and his "Mother of All Wars" rhetoric look reasonable.

They have made statements like:

“If the US imperialists threaten our sovereignty and survival… our troops will fire our nuclear-armed rockets at the White House and the Pentagon – the sources of all evil.”

Read more at http://www.westernjournalism.com/north-korea-threatens-to-nuke-white-house-and-pentagon/#IPl0bcPmc4ruPIJK.99

Who wrote this about President Obama:

“You can also tell this by his appearance and behavior, and while it may be because he is a crossbreed, one cannot help thinking the more one sees him that he has escaped from a monkey's body.”

And had these lovely words for the leader of South Korea:

“What she did this time reminds one of a disgusting old prostitute raising even her skirt, not feeling any shame to bring a stranger into her bedroom.

It is a shame and disgrace of the Korean nation that there is such a pro-U.S. indecent philistine and vile prostitute serving the U.S. as Park Geun Hye.”

This is also the regime that, in building up the image of its leaders, publishes things like:

Divine birth -Legend has it that a double rainbow and a glowing new star appeared in the heavens to herald the birth of Kim Jong Il, in 1942, on North Korea's cherished Baekdu Mountain. Soviet records, however, indicate he was born in the Siberian village of Vyatskoye, in 1941. The people of North Korea, many of whom are reportedly battling famine, are apparently told that Kim's birthday is celebrated throughout the world.

High achiever - Official records reportedly show that Kim learned to walk at the age of three weeks, and was talking at eight weeks. While at Kim Il Sung University, he apparently wrote 1,500 books over a period of three years, along with six full operas. According to his official biography, all of his operas are "better than any in the history of music." Then there's his sporting prowess. In 1994, Pyongyang media reported that the first time Kim picked up a golf club, he shot a 38-under par round on North Korea's only golf course, including 11 holes-in-one. Reports say each of his 17 bodyguards verified the record-breaking feat. He then decided to retire from the sport forever.

Didn't defecate - It is reported that Kim's official biography on the North Korean state web site, which has since been taken down, claimed that Kim did not defecate.

So you are going to talk to me about liability. Who wants to take the risk of showing the movie and then being sued when something happens? I understand how risk averse we are in litigious America. But there are other ways this movie can be released which would show that you cannot intimidate us into giving up our freedom of speech.

Fred Wilson in his AVC blog today has a great idea. Rather than locking The Interview in a vault and eating the tens of millions of dollars sunk into it, release it for the world to see. Put it on BitTorrent and let the vaunted North Korean cyberwarriors try to stop that. Let Netflix or some other streaming service distribute it. Show these hoodlums that they will not silence us with threats and cyber-attacks.

It is at times like this and when these things happen that we are reminded of what another American President said to the people of Berlin at a time their freedoms were being threatened:

“All free men, wherever they may live, are citizens of Berlin, and, therefore, as a free man, I take pride in the words 'Ich bin ein Berliner!'” Today all free men should stand up and demand that this movie be released, that we stand up for what is right, that we don't let evil terrorists dictate to us.

July 22, 2014

BlueMix Brings Enterprise DevOps to the MidMarket

SaaS pricing model brings PaaS to everyone

A couple of weeks ago I went up to Orlando for the IBM Innovation conference. The event was at the Swan/Dolphin resort in Disney World. IBM knows how to throw a conference and Innovate had all of the bells and whistles. But most of all it had great learning opportunities by hearing from some leading thinkers on what the future of development and software innovation looks like.

One thing on prominent display was IBM’s BlueMix PaaS. Hosted on IBM’s SoftLayer hosting platform but portable enough to play on other cloud infrastructure, BlueMix is an entire ecosystem of building blocks allowing you to build fully functional applications rapidly.

In typical IBM fashion BlueMix is a really deep, well thought out development platform. It is the kind of offering that midmarket companies typically look at yearningly, but know that price wise it may be out of their reach. For good reason, that kind of functionality typically doesn’t come cheap. But we live in amazing times.

Thanks to the SaaS model that BlueMix is based on, this great PaaS platform is priced for everyone. Speaking to IBM, I was told that BlueMix pricing probably won't be announced until the end of June. However, I was assured that the pricing will be very reasonable even for small organizations.

That is the promise of the SaaS model. Since it is hosted and you just “pay as you go” the best IBM has to offer is now within the grasp of smaller organizations. The cloud and DevOps are the ultimate equalizers.

So what can BlueMix do for you, now that you can afford it? Let’s start with exactly what BlueMix is:

Bluemix is an implementation of IBM’s Open Cloud Architecture, leveraging Cloud Foundry to enable developers to rapidly build, deploy, and manage their cloud applications, while tapping a growing ecosystem of available services and runtime frameworks. 

BlueMix allows you to literally build a full featured app in minutes. The best way to show you I think is through one of the excellent videos the BlueMix team has put up. Here is a great demo of BlueMix in action:

http://youtu.be/ZR_jDitw0Sc (will be embedded in blog)

This kind of ease of use and power in building apps was only the stuff of dreams for even the biggest companies just a few years ago. Now this class of solution is within your reach.

If you haven’t already you should check out a BlueMix demo during IBM’s 200 days of BlueMix which are being held all over the world. I saw several demos during Innovate and was surprised how much was layered into BlueMix.

Of course Innovate wasn’t all BlueMix. There was lots of great stuff on DevOps.  My personal highlights were the keynote presentation by Gene Kim, author of the Phoenix Project and a friend of mine and the presentation by the CIO of GE Capital Bank, Vasanthi Sekhar.  Both were excellent!

Overall a big theme of the show was that IBM is a leader in DevOps and that DevOps was not just for the Googles and Facebooks of the world. Big banks, insurance companies and other large organizations are all benefiting from using DevOps in their IT organizations. This was in direct contrast to a recent story in the Wall Street Journal that DevOps was not ready for the enterprise yet.  Based on what I saw there is no doubt.

There was a lot of talk that next year IBM may be consolidating several of their larger shows like Innovate into one super show.  If so, it will be a do not miss event.

In the meantime BlueMix pricing will be out around the end of the month and available to everyone. It could change the way you develop applications whether you are a large enterprise or a midmarket team.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I've been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

May 05, 2014

Better communication between security and executive team key to better security


A new survey from the Ponemon Institute about security metrics and the interaction between security teams and executives offers some great insights into the communication, or rather the lack thereof, between security teams and senior executives. After reviewing the results, it might help explain why security at many midmarket firms is not as good as it should be.

Without even getting into what metrics you should measure and what you should report, the survey shows some startling findings around how security admins and the executive team interact (or at least how they perceive each other to interact).

There would seem to be a disconnect between how strong the organization's security posture is as perceived by the security pros versus what they thought the executives believed. Security pros felt that 66% of executives thought their organizations were either very strong or well above average, while only about 39% of security pros felt that their organizations were very strong or well above average.


Looking further into why executives don’t have a realistic view of the security posture of the organization, respondents cited several factors that all scored more than 50%.


Interestingly, over 70% of respondents think communication is at too low a level (I assume on the executive side). Does this mean high level executives are not engaged? The next most popular choice, only communicating when there is an incident, is a classic issue, and in more than just security. Two of the popular answers, that information is too technical and that negative facts are filtered, are ones I have heard many times.

Many security pros tell me they have to "dumb down" security metrics to allow executives to understand them. Others have said that any technical information just shuts executives down from paying attention. My issue is that there are some things that are important and can't be dumbed down without losing their importance. We need to convey the real importance, and it may take a little deeper understanding. This screams to why you need a security person in the executive room. However, even today most midsize organizations do not have a CISO or equivalent as part of their executive team.

Filtering out negative facts is another common problem. No one wants to be the bearer of bad news. Security has gotten a "sky is falling" reputation. After a while we move from Chicken Little to the "boy who cried wolf" and no one pays attention. This is certainly borne out in the survey answers.

Perhaps the most surprising responses were on when does the executive team meet with the security team:


Over 50% of respondents said they meet with the senior executives only when a serious risk is revealed or that they don’t communicate at all. That is scary. Scarier still is that only 13% of organizations have regularly scheduled meetings.

The rest of the report is chock full of more great information and insights.

Until security teams can get their heads around which information is important and then tackle how to best show it to the executive team, we are destined to repeat many of the failures of the past. That is too bad. Let’s hope for all of our sakes that we begin to answer these questions soon.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I've been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

March 11, 2014

DevOps.com – Where the world meets DevOps

I am very proud to announce that DevOps.com launched today. I and my co-founder, Martin Logan, have been working on getting this new site and business up and running for many months now. The DevOps.com tagline is "where the world meets DevOps."

This truly is our mission as well. DevOps.com will offer the most original content on DevOps in the world. We will have content for everyone. From the most technical issues to general business questions, we will be pitching a big tent for DevOps.

We have assembled a dream team of writers and bloggers who have already written outstanding stories that will be published over the next weeks and months. We will soon have some great community features as well that will help the entire DevOps community. Writers are not the only dream team part of DevOps.com. In the coming days and weeks we will announce our all-star board of advisors, sponsors and other important members of the DevOps.com family.

But today there are two people I want to point out. One is Martin Logan, my co-founder. When I originally started thinking about doing a site on DevOps, I really wanted the DevOps.com domain.  I reached out to Martin to see if he would consider a reasonable offer. A few hours later we were partners.  Martin has a great DevOps resume and his behind the scenes work has made this day possible.

The second person I want to shout out to is my long time friend, Rajat Bhargava. Raj and I have worked together since my Interliant days back in the dotcom boom. We did StillSecure together. With DevOps.com Raj has rolled up his sleeves and helped me in any way he could. While he is busy with his own new startup, JumpCloud, he always had time to answer a question, think through an issue or make an introduction. Couldn't do this without him.

I have been following the growing DevOps movement since I met Gene Kim 3+ years ago.  This past fall I attended my first DevOps conference and saw first hand how DevOps was changing the way IT worked. I read The Phoenix Project and it all came together for me. 

I recognized that I had a mission  with DevOps.com to bring DevOps across the chasm from early adopters and visionaries to the mainstream. 

I am grateful for the support of so many of my friends who have helped and supported this effort. The site you see today is just the beginning. In true DevOps fashion we will continue to iterate and make the site better.  Give us time.

In the meantime, please check out the site. Sign up for our newsletter. Follow us on twitter @devopsdotcom or on facebook or Linkedin or Google+.

February 20, 2014

The votes are cast, the invites are out, get ready for RSA

Well, the last vote has been tallied for the Security Blogger Awards. We had more votes this year than ever. And the winners are . . . Sorry, you will have to wait until they are announced at the Security Bloggers Meetup at RSA.

You can be there live, in person to hear the winners announced and enjoy one of the best parties of RSA, but only if you already received your invite and RSVP’d.  The last day to request an invite was yesterday.  So if you haven’t by now, see you next year. If you did request an invite you only have until Friday to RSVP and then the list is closed. So don’t wait.

Of course whether you are going to the Bloggers Meetup or not, if you are an SBN member you can still stop by the SBN lounge at RSA in Moscone South during the show.  I will be there most days and looking forward to seeing many of you there too.

We will post the winners as we always do, after the award and meetup.  So if you can’t make it to RSA this year, you will know who won. 

This should be our biggest, best bloggers meetup yet.  Looking forward to seeing friends old and new.  Also thanks to our sponsors!




February 04, 2014

Security Bloggers Network Lounge at RSA

Yesterday we sent out an email to those SBN members who we have contact info for. The email announced that our friends at RSA Conference have set up a special Security Bloggers Network Lounge for our members this year! All SBN members are welcome regardless of what type of badge you have (yes, even expo only).

At the lounge you will have plenty of seating, power and access, and we will try to bring in some refreshments. Whether you are taking a break between sessions, tired of walking the show floor, or need a break from the hustle and bustle, come take a load off at the SBN Lounge.

The lounge will be located near the entrance to South Hall on the central "bridge" off of South Lobby, behind the Information Desk. The lounge will be open:

* Monday: 9am - 8pm
* Tuesday: 7am - 6pm
* Wednesday: 8am - 6pm
* Thursday: 8am - 6pm
* Friday: 8am - 3pm

Many thanks to Jeanne Friedman and our friends at RSA Conference for making this available to us. If you have not received your email and you blog for an SBN member security blog or would like to join the SBN please write to info@securitybloggersnetwork.com for information.

See you at RSA!


January 28, 2014

Anyone Using POS Is At Risk

Most of you reading this have heard about the holiday time breaches at national retailers. Since then we have heard that as many as six other leading retailers may also have suffered breaches during the same period under similar circumstances. Word on the street is that these breaches are much more widespread and just about any POS may be at risk. The culprit is something they are calling BlackPOS.

So if you think POS breaches are something that just large retailers need to worry about, think again. It seems that this BlackPOS is some new Trojan/remote control malware that is infecting POS systems, giving criminals the ability to steal your customers' data every time you swipe their credit card. Worse even, it seems that this malware can also give the bad guys the ability to gain access to your databases where your customer information is kept. This malware has been called BlackPOS in various reports.

From reports I have read and heard from my friends in the security industry it seems the malware behind these attacks was available for sale to the cyber-crime industry at large and cheap too. It was a land grab with everyone trying to get it on as many POS systems as they could. If you think your business would not be a target you are dead wrong. I am not trying to scare you here. But if you use a POS system you should make sure that you test it for malware. Especially if your POS is Windows based.

As a result of this breach I fully expect the industry to move full speed ahead with the Chip and PIN standard that is scheduled to go into effect in the US next year and is already standard in Europe. Where many of these initiatives are often delayed, with this kind of pressure I don't think the credit card companies have a choice.

Historically fraud has accounted for about five cents out of every 100 dollars spent via credit card. That was realistically speaking not worth the greater effort required to move to a new system. But now I think the genie is out of the bottle.

Of course there is no guarantee that chip and PIN is a panacea. There will be new vectors and methods developed to circumvent those systems as well. But in the meantime you should be planning to move to equipment that supports the new standard. You should also be planning for what it means for your business. If you partner with IBM or others, they have the expertise to make your upgrade smooth and quick with minimal disruption. If not, put the time and effort in now to plan your migration.

Also now may be a good time to review your breach plans. You should have in place a plan to follow on what to do if you are the victim of a breach. Don’t make it up as you go along in the heat of the moment. Take the time now to plan out what you need to do if indeed you are breached. How you react to the breach could be the difference between being in business after a breach versus not surviving.

Anyone and everyone could be the victim of a breach. No one is immune or under the radar. The way to succeed after a breach is to plan what you are going to do when, not if, you are breached. In the meantime, check your POS to make sure you are not already a victim.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I've been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.


January 26, 2014

2014 Social Security Blogger Award Voting Is Now Open

OK, we’ve made the list, checked it twice and it is time to vote!  After much back and forth, a lot of thought by our judges and a lot of work by Joe Franscella and the Trainer Communications team, we are ready for you to vote. 

Voting will be open only until February 14, 2014, so please don’t wait. Only one vote per person and we are checking IPs, addresses, etc.  Any attempted ballot box stuffing will result in DQ! Winners will be announced at the Security Bloggers Meetup at RSA.

Before I give you the link to vote, let me also thank our judges for this year's Blogger Awards:

1. Kelly Jackson-Higgins of Dark Reading

2. Wendy Nather of 451 Research

3. Illena Armstrong of Haymarket Media and SC Magazine

In addition to our judges' nominations, some blogs self-nominated. Good luck to all of the nominees!

Here is the link to vote: https://www.surveymonkey.com/s/SBNawards2014

BTW, here is the list of nominees. There are links to the blogs on the voting page.

Security Bloggers Network Social Security Awards 2014

Best Corporate Security Blog

Juniper’s Security & Mobility Now: http://forums.juniper.net/t5/Security-Mobility-Now/bg-p/networkingnow

Norse Blog: http://norse-corp.com/blog-index.html

RedSeal Networks: http://blog.redsealnetworks.com/

Solutionary Minds: http://www.solutionary.com/resource-center/blog/

VioPoint: http://www.viopoint.com/blog/

WhiteHat Security: https://blog.whitehatsec.com

TripWire: The State of Security: http://www.tripwire.com/state-of-security/

Veracode Blog: http://www.veracode.com/blog/

Mandiant M-unition: https://www.mandiant.com/blog/

Fortinet Blog: http://blog.fortinet.com/

F-Secure Blog: http://www.f-secure.com/weblog/

Trend Micro Security Intelligence Blog: http://blog.trendmicro.com/trendlabs-security-intelligence/

Kaspersky Lab Securelist: http://www.securelist.com/en/blog

Akamai Blog: https://blogs.akamai.com/security/

Bit9: https://blog.bit9.com/

IOActive: http://blog.ioactive.com/

Best Security Podcast

SANS Daily Internet Storm Center Stormcast: https://isc.sans.edu/podcast.html

Podcasts from the MiSec, OWASP Detroit, and BSides Detroit communities: http://podcast.michsec.org/

Security Slice: http://www.tripwire.com/state-of-security/topics/security-slice-podcast/

Threat Post: https://www.threatpost.com

Security Ledger: https://securityledger.com/category/podcasts/

The Risk Science Podcast: http://riskscience.net/

SecurityWeekly: http://pauldotcom.com/

Securosis, Firestarter: https://securosis.com/blog/firestarter-the-nsa-and-rsa

The Most Educational Security Blog

RedSeal Networks: http://blog.redsealnetworks.com/

Terebrate: http://terebrate.blogspot.com/

EFF’s Deep Links: https://www.eff.org/deeplinks

Security Bistro: http://www.securitybistro.com/

Graham Cluley: http://grahamcluley.com/

Krebs on security: http://krebsonsecurity.com/

Identropy Blog: http://blog.identropy.com/

Dell SecureWorks Security and Compliance Blog: http://www.secureworks.com/resources/blog/

Securosis: https://securosis.com/blog

Solutionary Minds Blog: http://www.solutionary.com/resource-center/blog/

Rapid7 SecurityStreet: https://community.rapid7.com/content#filterID=all~objecttype~objecttype[blogpost]

The Most Entertaining Security Blog

Krypt3ia: http://krypt3ia.wordpress.com/

Kevin Townsend: Security centric issues, news, rants – and other things: http://kevtownsend.wordpress.com/

Matt Blaze’s Exhaustive Search: http://www.crypto.com/blog

The New School of Information Security Blog: http://newschoolsecurity.com/

Uncommon Sense Security: http://blog.uncommonsensesecurity.com/

Errata Security Blog: http://blog.erratasec.com/

Securosis Blog: https://securosis.com/blog

Tripwire’s State of Security: http://www.tripwire.com/state-of-security/

The Blog That Best Represents The Security Industry

RedSeal Networks: http://blog.redsealnetworks.com/

Securosis: https://securosis.com/blog

Schneier on Security: https://www.schneier.com/

Naked Security: http://nakedsecurity.sophos.com/

SANS Internet Storm Center Diary: https://isc.sans.edu/diary.html

Liquidmatrix Security Digest: http://www.liquidmatrix.org/blog/

Emergent Chaos: http://emergentchaos.com/

Infosecisland: http://infosecisland.com/

The Single Best Blog Post or Podcast Of The Year

Making Security Work: The pragmatic guide to network security management: https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=720707&sessionid=1&key=12AADDB88B4B10EFA1829537392F1722&sourcepage=register

Book Review: “We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency (2012)” by Parmy Olson: http://terebrate.blogspot.com/2013/05/book-review-we-are-anonymous-inside.html

Krebs on Security: Adobe To Announce Source Code, Customer Data Breach: http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/

Schneier On Security: Why It's Important to Publish the NSA Programs: https://www.schneier.com/blog/archives/2013/10/why_its_importa.html

CERIAS: On Competitions and Competence: https://www.cerias.purdue.edu/site/blog/post/on_competitions_and_competence/

Security Uncorked: CISSPs: Call to Action for (ISC)2 Elections (Nov 16-30): http://securityuncorked.com/2013/11/cissp-call-to-action-isc2-elections/

Police-Led Intelligence, Informing Intelligence-Led Policing: http://policeledintelligence.com/2013/07/11/banning-feds-from-defcon-is-self-defeating-heres-why/

IOActive: "Broken Hearts": How plausible was the Homeland pacemaker hack?: http://blog.ioactive.com/2013/02/broken-hearts-how-plausible-was.html

The Security Bloggers Hall Of Fame

The hackers post: www.thehackerspost.com

J4VV4D: http://www.j4vv4d.com/

Dan Kaminsky (Or: The Blog Formerly Known As DoxPara Research) - http://dankaminsky.com/category/security/

Martin McKeay Network Security Blog: http://www.mckeay.net/author/martin/

Andy Greenberg, Forbes: http://www.forbes.com/sites/andygreenberg/

Lori MacVittie, F5 DevCentral: https://devcentral.f5.com/users/38/my-contributions/typeid/9

Emergent Chaos: http://emergentchaos.com/

Tracy Kitten: The Fraud Blog: http://www.bankinfosecurity.com/blogs/fraud-blog-b-18

Eric Chabrow: The Public Eye: http://www.govinfosecurity.com/blogs/public-eye-b-13

Best New Security Blog

Gunter Ollmann, Dark Reading, Attacks and Breaches: http://www.darkreading.com/attacks-breaches

Jitender's Perspective: http://jitenderarora.co.uk/blog/

OMENS Blog: http://musectech.com/OMENSPortal/omens-blog.aspx

Cyb3r Assassins: https://cyb3rassassin.wordpress.com/

Security Management HQ: http://www.securitymanagementhq.com/

Exploring Possibility Space: http://exploringpossibilityspace.blogspot.com/

USA TODAY, CyberTruth: http://www.usatoday.com/blog/cybertruth/

January 23, 2014

RSA Security Bloggers Meet up and Security Blogger Awards Update

We are about a month out from this year's RSA Conference and related events. For those of you who write about security in blogs or media, we are still accepting invite requests for this year's Security Bloggers Meetup, which will be our biggest and best yet. If you have not gotten an invite and think you should, please go to: https://docs.google.com/forms/d/1ibXn64AzlOWF7LX5wsv4qMTTNvmkYX7xQu8Gqnei6iU/viewform to request one.

A reminder that though we have increased capacity this year, the meetup is still only open to bloggers and those who podcast or write about security. If you are invited, it doesn't mean you can bring your marketing team, friends and anyone else. One of the things that has made the Bloggers Meetup as popular as it has become is the fact that it is by the bloggers, for the bloggers. So please don't make Rich Mogull the bad guy ;-) If you are a blogger or podcaster, come hang out with your peers. Eat, drink and be merry.

I know many of you are asking when voting for the Blogger Awards starts. Well, first of all, sorry that it has taken this long to get the nominees up. We should have voting open in the next day or two. Stay tuned for info on this very soon. Voting will be open for two weeks and you will need to have a valid email address to be eligible.

See you all at RSA!

Enhanced by Zemanta

December 17, 2013

2014 Security Blogger Meetup Details

Wow, 2014! Let that roll off of your tongue a few times. Well, time and security blogging march on. This year the planning committee for the RSA Conference Security Bloggers Meetup has been hard at work to make this the biggest and best Bloggers Meetup and Blogging Awards event ever.

We have doubled the capacity of our venue so we will not have to turn down anyone who wants to come join us and is eligible to do so. We have also made sure we have great entertainment, great food and drink. But the real secret to the Bloggers Meetup is the people. For those of you who have attended in the past, you know this is the case. So this year there will be more people at the meetup than ever.

Invites to this year's bash will be sent out after New Year's. If you are on our mailing list already, you should get an invite. If you are not and would like to be, you need to be writing/blogging about security. If you do, you can contact Jennifer Leggio at mediaphyter@gmail.com after New Year's.

Of course all of this increased capacity and good stuff doesn't come cheap.  None of this would be possible without the generous support of our sponsors.  Most of our sponsors have been with us for many years, almost back to the first bloggers meetup.  

Please join us in thanking and supporting our 2014 Security Bloggers Meetup and Blogger Award sponsors:

Platinum Sponsors

Sourcefire, (Now Part of Cisco)

Gold Sponsors

Silver Sponsors

RSA Conference

I know some of you have inquired about additional sponsorships for the event, but sponsorships are all sold out for this year. We can put you on a list for next year if you like, but no guarantees; or, if you like, you can sponsor the Security Bloggers Network. You can write to info@securitybloggersnetwork.com if you are interested.

What about the Security Blogging and Podcasting Awards? You bet we will announce them at the meetup. We are also very happy to announce our judges for this year's awards. Please join us in thanking:

Kelly Jackson Higgins of Dark Reading

Wendy Nather of 451 Group

Illena Armstrong of SC Magazine

and special guest judge

Chris "Beaker" Hoff

We will announce where to vote for the winners after the first of the year.  Again this year Trainer Communications will be helping with tabulating the voting.  Thanks to Trainer.

So the time is growing near.  Merry Christmas and Happy New Year to you all and in just a few weeks see you in San Francisco! 


November 20, 2013

Mitchell Ashley returns to Podcasting

My friend Mitchell Ashley reached out to me a few weeks ago and said "we had a great time when we used to do podcasts, we should do them again." Well, he didn't have to twist my arm. Mitchell and I sat down to record a quick 20 minute show. We caught up with what he has been up to over the last few years. We also discussed the recent AWS re:Invent conference out in Las Vegas and how big public cloud and the Cloud in general has become.

We discussed DevOps, security automation and a bunch of other trends that Mitchell and I are seeing in the market. It was great having Mitchell back to podcast with again. We have already planned next week's show, which will feature a special guest as we discuss APT.

We mentioned a couple of links and articles in the podcast. Here are the links to these:

Mitchell's blog post on the CIO role, "The CIO Role - From Tech Manager to IT Services Broker": http://goo.gl/fzH5K

AWS reference architectures -

- cloud bursting - https://devcentral.f5.com/articles/aws-reinvent-2013-cloud-bursting-reference-architecture-feat-pearce

- cloud migration - https://devcentral.f5.com/articles/aws-reinvent-2013-cloud-migration-reference-architecture-feat-pearce#.UoZvkGRgZIA

Welcome back to Mitchell, hope you enjoy and stay tuned for our next show.


November 18, 2013

You know what time it is? Security Bloggers Meetup and Security Blogger Awards!

I know it is hard to believe, but it has been that long. It seems like just last week RSA Conference in San Francisco was ending and we said we need to start planning next year's Security Bloggers Meetup and Security Blogger Awards. But no, it has been more than just a week or two. We are just 2 to 3 months away from RSA Conference 2014!

Luckily the organizing committee of the Security Bloggers Meetup and Blogger Awards has been hard at work. This year's event is going to be our biggest and best yet. We have substantially increased our budget, which will allow us to have more room, food, drink and fun. We will also be able to accommodate more of you. We will be making more information available in the next few weeks.

Before I forget, I want to thank my fellow committee members for all of their hard work. Jennifer Leggio continues to be the workhorse of our group even though she is now an executive at Cisco ;-). Our Securosis friends have doubled down on their commitment to the event, as we now officially have both Rich Mogull and Mike Rothman helping out, and of course Jeanne Friedman of RSA Conference itself remains our rock. With Martin McKeay moving to London, he has not been as involved with this year's planning. Together, this group has lots of good times in store for our attendees, so stay tuned.

I have received more than a few notes about this year's Security Bloggers and Podcast Awards. Of course we will be holding them at the meetup once again. We are going to have the same categories as last year:

Best Corporate Security Blog

Best Security Podcast

The Most Educational Security Blog

The Most Entertaining Security Blog

The Blog That Best Represents The Security Industry

The Single Best Blog Post or Podcast Of The Year

The Security Bloggers Hall Of Fame

This year we will again have a blue ribbon panel of judges, but like last year we will accept nominations from the public. The blog or podcast with the most votes wins. Nominations are open now, so if you would like to be considered, write to info@securitybloggersnetwork.com with your blog or podcast name, the category you want to be considered for and your contact information. Voting will be held after the first of the year. So get your nominations in now!

Stay tuned for more information on this years extravaganza soon. If you are not on the mailing list, please email info@securitybloggersnetwork.com to be added.

Hope to see you all at this year's Security Bloggers Meetup.


October 01, 2013

PCI 3.0 Spells More Risk Management for Midsize Business

The PCI DSS standards have been around for more than a few years now, and right or wrong they have found their way into the day to day business functions of most businesses that accept credit cards, and of those that service merchants who do. Many in the security industry have lamented that PCI has wrought a culture of "checkbox" security, where merchants and others in the PCI ecosystem seek a lowest common denominator level of security. For years the PCI Council has been seeking to raise the minimum levels of earlier PCI data security standards by introducing more of a risk management approach to PCI.

The latest draft of the PCI DSS, version 3.0 is due out shortly. Due to the elongated implementation cycles adopted a while back, this newest version won’t be in effect until January of 2014 and won’t be fully in effect until June of 2014.

While smaller merchants may not see many changes in the day to day management of PCI, midsize organizations should see PCI merge with their existing security and risk management processes and policies. For instance the requirement for Penetration Testing should not be a new exercise for most midsize companies.

Overall the trend behind PCI 3.0 is more towards a holistic risk management approach. Understanding vulnerabilities, prioritizing them in light of the business and remediation were all introduced in PCI 2.0 and expanded upon in 3.0.

Moving away from point in time requirements towards a continuous process of compliance and risk management is to me perhaps the biggest theme in this new version. Recognizing that you can’t just say that you were PCI compliant one day and not the next because a breach occurred is a step in the right direction.

Of course if you are new to PCI or up to this point have only been doing the minimum to meet the requirements, PCI 3.0 may represent a wakeup call to you and your organization. Frankly though if this is what it takes to make your organization take security and risk management seriously, it is not a bad thing.

Another thing that I see with the new DSS is that it would seem that for Level 1 merchants and even larger Level 2 merchants, it will require more hands on PCI expertise from consultants or PCI experts. Could be a case of job security built in.

The PCI Council has put out a PDF noting some of the key changes in the new requirements. You can access it at: https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf. In the meantime January and June 2014 will be here before you know it. You should start brushing up on the new requirements for PCI 3.0 to make sure your organization does not start out behind the eight ball on this.

One other piece of good news is that with the new cycles, there won’t be another revision to the PCI DSS for a couple of years after this. Long enough to get your head wrapped around this one. Good Luck!


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I've been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.


September 16, 2013

What does the US Department of Interior moving to the cloud mean for midsize business?

The recent announcement that the US Department of Interior (DOI) is undertaking a 10 year migration to the cloud through IBM made headlines because of its potential One Billion Dollar ($1b) value. One can read that number and immediately assume that it is a big deal for a large government agency without much appeal to the midsize market. But if you know anything about the DOI, you would realize that this move has significant impact on the midmarket as well.

While the DOI collectively rivals the size of many large enterprises, it is actually comprised of over a dozen agencies and bureaus. Among them are:

· Bureau of Indian Affairs

· Bureau of Land Management

· Bureau of Ocean Energy Management

· Bureau of Reclamation

· Bureau of Safety and Environmental Enforcement

· National Park Service

· Office of Surface Mining, Reclamation and Enforcement

· U.S. Fish and Wildlife Service

· U.S. Geological Survey

While some of these are large organizations unto themselves, others are smaller and more closely resemble a midsize organization. The fact that they are “putting all of their eggs” in the cloud is a powerful statement indeed.

The fact that IBM is providing the cloud infrastructure as an integral part of this program is perhaps one reason why the DOI has decided to shift so much of its IT infrastructure to the cloud. But while IBM assets may be an enabler, the bigger picture is that the time for the cloud has come. Companies' concerns over security and visibility into cloud deployments have been answered in many respects.

Up until now it was actually the enterprise who was leading the way in adopting the cloud. Almost counter-intuitively they were quicker to move development and some non-critical IT infrastructure to the cloud. They have the in-house security resources to supplement what they need to have to trust the cloud. On the other end of the spectrum, small companies do not have the resources to supplement the cloud, but could not compete against the cost savings that the cloud offers. So they moved to the cloud quicker as well. This left the midmarket organization in a reverse Goldilocks situation. Not enough resources to make the cloud secure enough for them, but too much to lose in using the cloud in an insecure manner.

Now companies like IBM are leading the way in offerings that will allow midmarket companies to adopt the cloud in a secure manner. By having security built into the offering like the IBM smart cloud, midmarket organizations have off the shelf solutions available.

To be clear, the DOI is not making this move just to ride the wave of popularity. By moving to the cloud they are not only getting a secure environment to work in, but they are also saving a ton of very precious budget dollars. In today's economically conscious environments, the dollar savings of the cloud probably make it imperative that you take a new look at moving more of your IT infrastructure to the cloud as well. The fact that you may be getting even better security capability than you do with your own premises infrastructure is the cherry on the cake.

So if it is good enough for the DOI and other parts of our security conscious government, isn't it time that you take a fresh look at the cloud? You may find that it is more than secure enough for your midmarket needs, as well as adding dollars to your bottom line.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

August 28, 2013

Would You Like To Be An Accelerator Mentor?

I was trying to think of the most efficient way of doing this.  With so many Facebook, Linkedin, Twitter and other connections, how do I reach out to them to let them know what I am working on and see if they can help? Then I remembered, I blog ;-)  So no matter how this is reaching you, please have a look.

I have been consumed over these last few months working with some friends here in South Florida on launching a Techstars/Global Accelerator Network modeled startup accelerator. We are already far down the road on this. Fundraising, location, local community involvement are all moving along really well. It has been a lot of fun getting the start up juices flowing again in bringing this new venture to reality. I forgot how exhilarating it is to start something new.

The key to this model as you may know though is that it is a “mentor driven” model.  We have signed up lots of local entrepreneurs and business folks from here in South Florida, but we need more. While mentors based in Florida are ideal, they don’t have to be based here. More important is your ability and inclination to help new companies reach success. There are lots of fringe benefits to mentoring. If you are not familiar with it, let me know.

Mentors should “have been there and done that” in terms of starting businesses. They are willing to roll up their sleeves to help these new companies get started. Giving advice, making your own networks available and pitching in with your experience and expertise.  It is not a full time gig, but you might have to give 8 or 9 hours a week to companies you mentor.

If you would like to be involved with this exciting new adventure I am embarking on, reach out to me. I am hesitant to put too much out here before we are ready to launch, but by the time I do that it may be too late for some of you to get involved.

I always pride myself on having a great network of friends and associates.  I would like to see many of you involved in this great new business with me. Let me know if you are interested.

July 24, 2013

Pay No Attention To The Men In The Green Room

I just got done reading a blog post by Seth Levine at Foundry Group. I have known Seth for quite a number of years from my days in Boulder and StillSecure. Seth wrote about an email encounter with an entrepreneur looking for funding that Seth rejected. The guy obviously was a little upset about the rejection and wrote Seth a nasty-gram, which Seth responded to. Knowing Seth, though, I can tell it got under his skin a bit. Frankly, who can blame him? You or I might have responded the same way.

But I can also understand where the antagonist (is that the right word here?) is coming from. He is frustrated, he has been turned down in his request and most of all he has not taken the time or effort to truly understand why.  To him he has come to Emerald City for an audience with the Wizard.  The Wizard has told him he will not grant his wish.  He doesn’t know that the man behind the black curtain is pulling the levers.  He sees only the illusion or reflection. He doesn’t get why the Wizard turned him down.

I remember back in my days working for a public Internet company during the dotcom bubble. The executive team used to meet in this ornate green conference room. They would meet in there for hours at a time. Coming out of these meetings, it seemed like the company was always off on a new course, with a new strategy, and it meant big changes in my role and livelihood. I didn't understand the reasons for these changes most of the time. They seemed pretty arbitrary to me. I had no insight into why they made these decisions. Because I had no insight into these decisions, I imagined the worst.

One day I was promoted to become part of the executive team.  Now I was in the Green Room myself.  All of a sudden I was making those decisions.  There were people outside the room wondering what the hell was I thinking in making these decisions. It gave me a totally different perspective on the people in the green room. 

They are people just like you and me. The decisions they make are usually for rational reasons. If they say they are going to read something, they generally are. You may not understand why they decided something, but that doesn’t mean you should assume evil connotations.

My advice to the guy who wrote to Seth is “before you go off on something, understand what it is to be in the Green Room”

June 05, 2013

What Does IBM Acquiring SoftLayer Mean for Mid-Market Security?

In case you haven't heard yet, IBM has bought hosting and cloud provider SoftLayer for two billion dollars ($2b). That is a lot of money by anyone's measuring stick. Much has been written about how this gives IBM a real cloud offering for its customers and partners.

Of course IBM already operated data centers (10 of them actually, compared to SoftLayer's 13), but SoftLayer is a major brand and player in the hosting marketplace and an up and comer in cloud hosting. While not an Amazon or Rackspace in terms of public cloud, they have built a sizeable private cloud hosting practice up over the last few years. They use both CloudStack from the Apache Foundation and the open source OpenStack, which IBM has backed. But what about security?

Perhaps unbeknownst to many, SoftLayer had built a great security offering into their cloud and hosting solutions. I have had the chance to interview SoftLayer CTO Duke Skarda several times. I have learned that security has been built into the DNA of the SoftLayer cloud and infrastructure. While they also offered security as a service offerings from several third parties, there was substantial security technology in the SoftLayer plumbing itself.

As a result IBM customers and partners can rest assured that using the SoftLayer platform will afford them the ability to utilize a secure, scalable and battle-tested platform. On top of this it should not be long until we see IBM’s own security services integrated into the SoftLayer solutions.

Taken together, this means that IBM customers and partners will see benefits from the deal pretty quickly. Longer term, I think IBM has set a mark for the market to follow. Service providers like IBM and others offered cloud solutions. However, many of these were deployed on third party hosting platforms. Now that IBM has made the move, others will follow. These service providers will offer cloud services on their own platforms.

We will probably see some me too moves here with large IBM competitors buying other hosting and cloud providers. Conversely it may be that large cloud and hosting providers seek to acquire service businesses that they can leverage as a result of their hosting business.

Specifically on security, though, few hosting providers have SoftLayer's quality. If security is important to you (and who is security not important to?), you will be hard pressed to find a better offering than SoftLayer's. Now with IBM behind it, it represents a great choice for midmarket companies.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.


May 31, 2013

Ashimmy’s Top Ten Tips to Successfully Existing in a Co-Working Space

As I wrote about in my Network World column last week, I have invested in a co-working space here in Boca Raton called Caffeine Spaces. Having spent a few weeks now spending a considerable amount of time in the co-working space I thought I would put together a top 10 list of tips to successfully work in such an environment. Some are do’s, some are don’ts, but following these will certainly make you more productive, popular with your fellow co-working space tenants and maybe even happier all around.

Of course basic office protocols should be followed as well. Below is a vintage video of proper office etiquette. Though the technology has changed a little bit, as well as office fashions, many of the rules still apply. Many of these apply to all office situations, but co-working spaces make them more important.

Here are my Top Ten co-working space rules:

1. Bring headphones – headphones are a must for numerous reasons. First of all with everyone talking in the common area and networking going on if you have any real work to do you need to shut out the noise. Even if you don’t have any music playing through the headphones, it will take you out of the public discourse and allow you to focus on your work.

2. If someone has headphones on, leave them alone – by the same token if you see someone wearing headphones think of it as a “do not disturb” sign. If they wanted to join in the conversation they would take their headphones off. They have them on for a reason. Yes there might be an emergency, but otherwise leave the dude alone.

3. Conference rooms are for conferences – they are not storage rooms, a resting stop for your equipment or your private office. Most conference space is at a premium in co-working spaces. Don’t be a conference room hog and use them for conferences.

4. White boards can be read and should be erased – Just about every time I have used a conference room over the last few weeks I have walked in to find a white board filled with information. Sometimes it is confidential or proprietary information, sometimes not. Sometimes it is just doodles, frankly. The issue is, when I walk in the room and need to use the whiteboard, what should I do? I have seen people take smartphone pics of whiteboards to capture what they have on them. That is great. But when you leave the conference room, erase the board. If you don't have the courtesy to do that, assume the next person will.

5. Speaker phones and public areas don’t work – I actually haven’t seen many people use speaker phones in the public areas, but they speak loud enough and have the volumes on their phones turned up where they might as well be. If you get a call and you are going to speak loud, get up, walk to a private area and have at it. Don’t keep the volume on your phone turned to the max.

6. Soda and snacks cost money – Unless it is figured into the rent you pay, all of the food and drink is not free. Someone is going out and stocking that fridge with cold drinks. If you are going to consume, you should replenish. Also make sure snacks and drinks aren’t noxious.

7. Today's hello could be tomorrow's partner or customer – The number of people you meet in a co-working space can be extraordinary and overwhelming. Co-working is a social environment. While you can pick a corner and wait for people to come to you, if you are not going to be open about meeting people, you are losing out on a big part of the co-working experience. I am not saying you need to give out "hello my name is . . ." tags or accost people as they enter. A smile and hello as people approach or make eye contact is, I find, more than enough to put people at ease and kick things off.

8. Don't be a stalker – There is a thin line between outgoing and becoming a stalker. Don't be a stalker. If people don't seem like they are looking for your input, help or interaction, don't force yourself on them. Be cognizant of body language and non-verbal cues. Know when to step out and away. Be mindful that not everyone is here to interact with you all of the time.

9. Pay it forward – Something I have heard many talk about in the startup community. It may even sound corny, but it is true. I am finding that if you don’t wait for people to do for you, but go out and do for them, without immediate expectation of payback either, it comes back in spades.

10. Business cards still count – They may be old fashioned, but you still need to give people a way to contact you. They may scan them into Google Goggles or any number of places, but we have not come to a point where the card is obsolete. Of course this raises the question of what to do with all of these business cards. After just a few weeks I noticed I have over 75 different business cards on my night table. What a waste of paper! Maybe the thing to do is return the card after you scan it? There is probably a good solution and business there somewhere. But for now be sure to bring business cards!

There you have it, culled from just a few weeks working in a co-working space. Did I miss any big ones? What has your experience been?

May 06, 2013

BYOD Security Scanning

My friends at iScan Online, Billy Austin and Carl Banzhof, have just released their latest whitepaper, on BYOD security scanning. This is an area of vulnerability scanning and compliance management that no particular company is really covering today.

Where mobile device management and anti-malware for mobile devices meet, there is a gap, and that gap is what iScan Online fills. They can run on-demand vulnerability scans on mobile devices, configuration scans for misconfigurations, and data discovery scans for credit card numbers, Social Security numbers and other personal or confidential data.

The paper lays out five reasons why BYOD security scanning is a must-have and what a good BYOD security scanning solution must do.

You can view the paper below or head over to iScan Online to download it.


May 03, 2013

Special Offer for Security Bloggers Network Members: The Plateau Effect: Getting from Stuck to Success

An exclusive offer for the Security Bloggers Network: Hugh Thompson invites you to celebrate the release of the book The Plateau Effect by NYT bestselling author Bob Sullivan and RSA Conference Program Chair Dr. Hugh Thompson.

You can get a free signed bookplate from the authors to insert into your book if you: 

1. Tell your readers about the book’s publication using the hashtag #PlateauEffect on your social media before May 4th

2. Send a link to your tweet or screenshot of your blog or Facebook post to PlateauContest@gmail.com

3. For the first 50 we receive (sorry, U.S. only), we'll mail you the book plate!

The book will be available on May 2nd at bookstores and through Amazon.

Hugh Thompson is a friend of the SBN, so if you can, give it a shout out and help a friend out!


May 01, 2013

Great Customer Service Cannot Overcome Mediocre Products


This is a great question for a business school class, but there are also real-life situations where it is more than a mental exercise. The very survival of a business and the livelihood of all its employees can hang in the balance.

My case in point for this blog post is Shutterfly.  I have been a Shutterfly member/customer since it first started around the time my younger son was born. Over the years I have stored literally thousands of pictures and videos on Shutterfly, ordered prints and recently created share sites for all of the sports teams I coach. 

Shutterfly has some great things you can do and buy with your digital pictures. I never bought a lot of products, but they looked very nice. 

The situation changed a couple of months ago when I decided to order some photo products with photos from my oldest son’s Bar Mitzvah. I ordered some larger prints, leather-bound photo books, acrylic prints, etc. I think the prices Shutterfly charges are fair and didn’t have a problem with them.

Unfortunately, about half of the products I ordered have had to be refunded or returned. Each and every time, the folks at Shutterfly have been great. On one order they told me my photo book was being delayed but that they were sending me a free, cheaper photo book to make up for it. That one came with a mistake, and they sent me another free one. After a few weeks they finally sent the original book I ordered, and when it arrived it was literally falling apart.

Again the customer service folks were very nice. They gladly refunded the price and told me to keep the book. But frankly, after spending tens of hours working on the book, I was disappointed that it was all for nothing.

I really want to keep using Shutterfly. I want to be a customer and buy products so they stay in business. I like the company and think their customer service is tops. But how long, and how many times, can you put up with sub-quality products before enough is enough? What do you think? Customer service can make up for some product issues, but when does it tip over to the point of no return?

I am interested to hear your thoughts on this.


April 30, 2013

What and How to tell your customers about a Data Breach

If your midmarket enterprise is like most, sooner or later you will be the victim of a data breach. Data breaches are never fun, but how and what you tell your customers can be the difference between minimizing the impact on your company’s bottom line and a full-fledged disaster.

Telling your customers everything you know and taking reasonable precautions will always work better than sugar coating and trying to minimize the potential damage. Downplaying the situation so as not to panic customers could wind up costing you customers in the long run.

As a case in point I want to contrast two recent data breach cases. One is the case of local deals vendor LivingSocial and the other is the video rental service Vudu.

I recently received the following email from LivingSocial:


LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically 'hashed' and 'salted' passwords. We never store passwords in plain text.

Two things you should know:

1.     The database that stores customer credit card information was not affected or accessed.

2.     If you connect to LivingSocial using Facebook Connect, your Facebook credentials were not compromised.

You do not need to take any action at this time, but we wanted to be sure you were fully informed of what happened.

The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website - and require you to login - before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a website that asks for such information.

If you have additional questions about this process, the "Create New Password" button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.

We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.

Tim O'Shaughnessy, CEO

Now, I understand that LivingSocial wants to minimize the potential damage here. To me, though, they have made two crucial errors. The first is that they give their customers the impression that because the passwords were “encrypted” (actually salted and hashed), there is little chance they are usable. That is not necessarily true. A salt defeats precomputed lookup tables, but it does nothing to slow down guessing common passwords against each individual hash, and there have been several well-documented cases, and much written, about the relative ease with which attackers crack such passwords.
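To make that point concrete, here is an added example (not code from the original post, from LivingSocial or from VUDU) that runs a small dictionary attack against a constructed dump of salted hashes. The users, passwords, salts and wordlist are made up for the illustration, and the two hash schemes, one round of SHA-256 over salt and password versus PBKDF2-HMAC-SHA256 with 100,000 iterations, stand in for whatever the breached sites actually used, which the notice does not say. The salt is stored beside each hash (it has to be, to verify logins), so the attacker has it.

```python
"""Why "hashed and salted" is not the same as "safe".

Added example; not code from the original post, LivingSocial or VUDU.
Users, passwords, salts and the wordlist are constructed for illustration,
and the two hash schemes stand in for whatever the breached sites used.
"""
import hashlib
import os
import time

# Constructed wordlist. Real attackers use lists of tens of millions of
# leaked passwords plus mangling rules; the principle is the same.
WORDLIST = ["123456", "password", "qwerty", "letmein", "letmein1", "monkey",
            "dragon", "baseball", "football", "Summer2013", "welcome1"]

# Constructed accounts: two weak passwords, one strong random one.
USERS = {"alice": "letmein1", "bob": "Summer2013", "carol": "xK9#vq2!Lp0wz"}


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """One round of SHA-256 over salt||password: salted, but not slow."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_stretched_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt blocks precomputation, the iteration
    count makes every single guess expensive for the attacker too."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_dump(hash_fn, users):
    """Constructed breach dump: (username, salt, hash) rows, exactly what a
    database of 'hashed and salted' passwords hands to whoever steals it."""
    rows = []
    for user, pw in users.items():
        salt = os.urandom(16)
        rows.append((user, salt, hash_fn(pw, salt)))
    return rows


def crack(stolen_rows, hash_fn, wordlist=WORDLIST):
    """Dictionary attack over the dump. Because every row carries its own salt,
    the attacker hashes the wordlist once per user; salting only removes the
    shortcut of hashing the wordlist once for everybody."""
    cracked = {}
    guesses = 0
    for user, salt, stored in stolen_rows:
        for candidate in wordlist:
            guesses += 1
            if hash_fn(candidate, salt) == stored:
                cracked[user] = candidate
                break
    return cracked, guesses


def demo():
    """Crack the same accounts under both schemes and measure cost per guess."""
    results = {}
    for name, fn in (("fast_salted_sha256", fast_salted_hash),
                     ("pbkdf2_100k", slow_stretched_hash)):
        dump = build_dump(fn, USERS)
        start = time.perf_counter()
        cracked, guesses = crack(dump, fn)
        elapsed = time.perf_counter() - start
        results[name] = {"cracked": cracked, "guesses": guesses,
                         "seconds_per_guess": elapsed / guesses}
    return results


if __name__ == "__main__":
    for scheme, r in demo().items():
        print(f"{scheme}: cracked {r['cracked']} in {r['guesses']} guesses, "
              f"{r['seconds_per_guess'] * 1e6:.1f} us per guess")
```

Run it and the two weak passwords fall in the same 26 guesses under both schemes; carol’s random password survives both. What changes is the cost of each guess: about a microsecond for the bare salted hash against a sizeable fraction of a second for the stretched one. Against a real dump the attacker brings wordlists of tens of millions of entries and GPUs that compute billions of plain SHA-256 hashes per second, so “hashed and salted” with a fast hash means cracked for every user whose password appears in a wordlist. A deliberately slow, salted hash is what would actually justify calling the passwords difficult to recover.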

Based on their opinion that the passwords are unlikely to be compromised, they tell customers they need do nothing at this time, though the email does point them to the “Create New Password” button if they want to change it. Knowing that these passwords could be cracked, why not make everyone change them? Forcing a password reset is a rather trivial thing to do, and it protects the integrity of your customers’ accounts. In a similar situation you should lobby hard for a mandatory password reset.
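What “force a password change” looks like inside an account store, as an added example that is not VUDU’s or LivingSocial’s code. The in-memory store, the user names and the outbox standing in for the reset-mail channel are constructed for the illustration. The design choice it shows: once the breach response runs, a correct old password is reported as expired but never grants a session, and the replacement is chosen through a single-use, time-limited token delivered out of band, so a password that may already be cracked is not what authorizes its own replacement.

```python
"""Expiring every password after a breach and resetting via one-time tokens.

Added example; not VUDU's or LivingSocial's code. The store, users and the
outbox (a stand-in for the reset e-mail channel) are constructed.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000
TOKEN_TTL_SECONDS = 3600


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, stretched password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """Constructed in-memory stand-in for the account database."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.users = {}           # username -> {"salt", "hash", "must_reset"}
        self.tokens = {}          # sha256(token) -> (username, expires_at)
        self.outbox = []          # (username, token) pairs "mailed" out

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt,
                                "hash": _hash_password(password, salt),
                                "must_reset": False}

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'reset_required' or 'denied'. Only 'ok' grants a session."""
        rec = self.users.get(username)
        if rec is None:
            return "denied"
        if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
            return "denied"
        # Correct but expired credential: tell the user why, but do not log them in.
        return "reset_required" if rec["must_reset"] else "ok"

    def expire_all_passwords(self) -> int:
        """Breach response: no stored hash is sufficient to log in any more."""
        for rec in self.users.values():
            rec["must_reset"] = True
        return len(self.users)

    def issue_reset_token(self, username: str):
        """Send a single-use, time-limited token out of band; store only its hash,
        so a second theft of the token table yields nothing usable."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.tokens[key] = (username, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((username, token))
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token (one use only), check expiry, install a new hash."""
        key = hashlib.sha256(token.encode()).digest()
        entry = self.tokens.pop(key, None)
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt,
                                "hash": _hash_password(new_password, salt),
                                "must_reset": False}
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "letmein1")
    print("before breach:", store.login("alice", "letmein1"))
    print("expired", store.expire_all_passwords(), "accounts")
    print("old password now:", store.login("alice", "letmein1"))
    tok = store.issue_reset_token("alice")
    print("reset accepted:", store.complete_reset(tok, "xK9#vq2!Lp0wz"))
    print("new password:", store.login("alice", "xK9#vq2!Lp0wz"))
```

The reset token is the one thing the attacker does not have: it is generated after the breach, lives only for an hour, is consumed on first use, and is stored hashed, so it cannot be recovered even from a second copy of the database.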

Second, LivingSocial again tells its customers that they don’t have to do anything. But names, email addresses and dates of birth were clearly stolen, and it doesn’t take much for a criminal to match that against public record information and quickly gather enough to start using a false identity for nefarious purposes.

Some states mandate complimentary credit monitoring for customers in cases like this. At a minimum, telling customers to be on the lookout for fraudulent credit transactions and suggesting a credit watch service seems called for here.

Again, in the interest of keeping customers calm and downplaying the breach, LivingSocial may have left its customers at greater risk. The breach has already happened; breaches happen. Good security practice and good customer service both require you to set the bar high in protecting and warning your customers.

As I mentioned earlier, Vudu also recently had a breach. Here is the email I received regarding that one:

Dear alan,

We want to let you know that there was a break-in at the VUDU offices on March 24, 2013, and a number of items were stolen, including hard drives.

Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth and the last four digits of some credit card numbers. It's important to note that the drives did NOT contain full credit card numbers, as we do not store that information. Additionally, please note if you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives.

While the stolen hard drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can't rule out that possibility given the circumstances of this theft. So we think it's best to be proactive and ask that you be proactive as well.

If you had a password set on the VUDU site, we have taken the precaution of expiring and resetting that password. To create a new password, go to www.vudu.com. Click the "Sign In" button at the top of the page. Enter your current username and current password when prompted, then follow the instructions to reset your password securely. Also, if you use your expired VUDU password on any other sites, we strongly recommend that you change it on those sites as well.

As always, remember that VUDU will never ask you for personal or account information in an e-mail. Please use caution if you receive any emails or phone calls from anyone asking for personal information or directing you to a web site where you are asked to provide personal information.

As an added precaution, we are arranging to have AllClear ID protect your identity for one year at no cost to you. We have FAQs on our web site (vudu.com/passwordreset) to answer questions on the incident and to more fully describe how to use the AllClear ID service. We have reported this incident to law enforcement and are cooperating fully with their investigation. We want you to know that we take this matter very seriously, and we apologize for any inconvenience this may have caused you.

Thank you,

Prasanna Ganesan
Chief Technology Officer, VUDU

Can you see the difference? VUDU also says the passwords were encrypted and that breaking them would be difficult, but rather than bet on that it has expired everyone’s password and forced customers to pick a new one. It is also arranging a year of identity protection.

This makes me feel that VUDU is serious about protecting me and is not sugar coating or minimizing the consequences of the breach. To me this is textbook on how to communicate a breach to your customers.

In neither case do I blame VUDU or LivingSocial for being victims of data theft. It can and does happen to everyone, and both are successful businesses. But as a midsize enterprise, how you communicate a breach to your customers says an awful lot about you.

If your company is the victim of a breach, follow best practices to inform, and most importantly protect, your customers.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.
Blog powered by TypePad
Member since 10/2005