Why Do I Blog?

I get a few questions now and then, in person, over Facebook, through LinkedIn, or by email, asking why I blog here, and whether I am really blogging at all if most of my posts are just short synopses and links to “real articles”.

In my humble opinion, which is the only one that regularly appears here, yep, I’m blogging.  The posts that you will find here are posted with the intention of increasing security awareness, prompting discussions, and providing me and anyone else who reads this blog with a quick, searchable source of information.

There is an over-abundance of information on the Internet, in news groups, email lists, forums, blogs and webpages.  I scan through this plethora of useful, interesting and other information to filter and capture what I believe is worth reading and most likely to be referred to in the future.

I got into IT 25+ years ago because there was so much to learn.  I’ve stayed in IT all these years because there is still so much to learn.  There is also the opportunity, afforded to those so inclined, to discuss, argue, or otherwise elaborate on a topic, article or piece of information, educating me, you and others who may stumble upon it later.
Shift Focus Back To Policy

Ipswitch warns that companies that focus on quick-fix security tools instead of strengthening and enforcing information security policies risk devastating consequences in 2011.  “Organisations in many industries were hit hard by data breaches in 2010, a trend that’s sure to continue in 2011,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer.  “As attacks grow more sophisticated and outsmart many security tools on the market, the most savvy companies will shift their focus to policy creation, management and enforcement to prevent both intentional and accidental data breaches.”

I strongly believe that all solutions to security problems should begin with policy.  The purpose of policy is to outline clearly what is expected and what is prohibited within the corporate environment.  These basic rules should guide employees in maintaining the vision, mission and values of the company.  All other rules, including those found in tool rulesets, should be based upon and support these foundational rules.


-=[FREE]=- Microsoft Attack Surface Analyzer

Microsoft’s Attack Surface Analyzer is an SDL verification tool for developers and IT professionals to identify whether newly developed or installed applications inadvertently change the attack surface of a Microsoft Operating System.  The free tool is downloadable from Microsoft’s website and is the same tool used by internal Microsoft product development teams.

Can’t wait to get home and download this tool, and see what it can do.  Microsoft will offer consulting services pertaining to SDL beginning in February.  The goal is to improve software security and reduce both customer risk and costs of development.  Other free tools (SDL Binscope Binary Analyzer, SDL Threat Modeling Tool) were also updated.

Microsoft is also releasing a report it commissioned from Forrester Consulting, entitled “State of Application Security,” studying the current state of application development practices and investigating the potential return on investment from incorporating holistic security methodologies into product development life cycles.  The findings in the report validate the notion that addressing security early makes good business sense.  You can find a copy of the report on the Microsoft Download Center.


Avian Access Control Lessons

I received a hard lesson in security administered by an unlikely source the other day.  A couple of toddlers taught me that my controls need to be properly deployed, effectively monitored, and that the defaults are never best practice.  The lesson was costly, claiming the life of my 8-year-old budgie, Pinball, named for his renowned inability to negotiate the air, and practice of landing hard after using walls and windows to slow down his forward momentum.

I hate to make light of the passing of Pinball who was one of the family and will be missed.  There is a very large empty space where his cage used to stand in our living room.  There will be no further avian acquisitions in the near future, and his cage has been disposed of.

The lesson came after my 2-year-old grandson and 4-year-old granddaughter observed my procedures for preparing the main floor for one of Pinball’s regular flights.  First, the cat is located and removed from the house.  The backyard is the typical destination for the ferocious feline offender, who would eagerly lick his chops and swat at the windows during the exercise.  Next, turn off and cover any hot stove elements, light fixtures or other potential causes of spontaneous birdie combustion.  Flip up the cage’s built-in locking mechanism, consisting of a flexible bar over a metal knob.  Open the cage door, and either insert a hand or allow the floundering fowl to hop out under his own power.  Pick up the streamlined brick as he unceremoniously comes to rest somewhere in the house, and allow him to try, try again.

Once the procedures were observed, they could be repeated, with the suspected aid of the 4-year-old accomplice who loved to watch Pinball fly and would laugh as he made a “landing”.  They could also be short-cut, because no one likes to spend minutes to hours chasing a cat that flees at the mere sight or scent of tail-tugging toddlers.  So, skipping over the first couple of steps in the procedures led to the demise of the great Pinball.

The root cause of the incident was a lack of stringent access controls on the door (the defaults are NEVER EVER sufficient), and an inaccurate assumption that a stern “Don’t do what I am about to show you” would be adequate for an inquisitive and misguided cast of pre-school characters.  A simple rubber band could have been used to reinforce the closure of the cage, complicate extraction of the prized contents, and defeat many attempts to gain unauthorized access.  The danger was real, the outcome unpleasant, and the grandkids now see the empty space left by the great bird’s departure.

Sad day, Pinball, you will be missed.