Tuesday, December 25, 2012

A Few of My Favorite Things - Apps

   I recently (finally) got modern smartphone.  My previous phone was the "free" phone from over 2 years ago.  Even when I had a basic smartphone I very quickly found useful apps that used everyday.

   Someone was recently asking me what apps I use on my phone.  I thought it would be useful to make a list of some of my favorites here and focus on those that I use most.

Tuesday, December 18, 2012

Tis The Season - Holiday Spams and Scams

   We have always had the need to be careful online. We always have to be aware of what sites we are visiting and what apps were using. I've written about this in my series on Online Self-Defense.

   But at this time of year you have to be even more careful. The amount of online trouble increases. Your volume of work may increase, you're often stressed during the holidays and may not pay as much attention to what you're doing online.

   There are also many e-cards and "cute" pictures and videos that have to be shared.  This, and other information, floods our inboxes, social media timelines and chat/text lists. Many of these have links. And unfortunately, far too many of these links go to malicious sites.

   Here's a great list of some common holiday spams/scams. Here's another.

Monday, December 10, 2012

We're All In This Together

   You are not alone. I've written on topics relevant to parents, families, digital citizens, computer users, security professionals, IT professionals, leaders. No matter what your questions or concerns, whether you are a parent trying to decide if your child is old enough for a smart phone or a Facebook account, or a security professional trying to move your program forward, you're in good company.

   Last week I was at the NG Security Summit in Austin Texas. One of the great things about a security leadership conference like this is that we get to talk with, and hear from, people from many organizations and situations who have security responsibility. In particular, regardless of industry segment, size of organization, locality or product, we all have similar challenges.  The topics and challenges resonate. Common themes emerge.

Tuesday, December 4, 2012

Keeping Up and Podcasts

   Recently I was talking with a colleague about keeping up with information. We actually were comparing smartphones. During the conversation we talked about podcasts and podcatching software. I'll talk about what I use below.
   We are talking about what podcasts we listen to.  One thing that was surprised me was that he mentioned that many technical people he interacts with don't listen to podcasts! I found that surprising. I figured most technical and security people know all about podcasts. Podcasts are hardly new.
   There are podcasts for all kinds of subjects. I listen to podcasts about security, technology, sports, news, science, leadership, getting things done/productivity and other subjects.
   I think that listening to podcasts is one of the best ways to both learn and keep up.

Tuesday, November 27, 2012

Read With Your Ears

   I remember an old joke from when I was a kid. Someone would hold an item and say "look at this". Then when you reach out to take whatever they had, they would pull it back and say "you see with your eyes". That's only funny to a kid. But here's a different take on that... I read with my ears.

   I really love audiobooks. Since discovering audiobooks a few years ago my reading has gone way up.  I've read a bunch of books over the past few years including business books, science fiction, fiction, nonfiction/history, and all kinds of interesting things. But sometimes I'll mention that I just read a book, or I'm reading a book, but some people don't necessarily consider that "reading".

Tuesday, November 20, 2012

Stuff I Say - People Want To Do The Right Thing

   In the security field we hear a lot about the insider threat.  There have been plenty of well publicized incidents of internal employees, contractors or ex-employees stealing information, or deleting information or leaving some other kind of destruction before they leave an organization   I'll cover this topic in more detail in a future post.

   While this certainly does happen, it's not prevalent.  Call me an optimist... but I think that people generally want to do the right thing.

   And this is where the problems begin.  Sometimes those who make the rules and enforce the rules just make it too difficult to do the right thing!

Tuesday, November 13, 2012

Stuff I Say - You Pay by the Word

   This is a continuation of a series of posts on some of my philosophies about security strategy.  These ideas are covered in a fun talk entitled #*%! My CISO Says, covering a range of security governance and management topics.  Slides are on my slideshare page.  The first two posts are here and here.

   In that second post I was talking about policy.  Traditionally many organzations have staff sign a form that says that they have read and understood policy.  Perhaps the organization has some kind of new employee orientation at which policy is reviewed.  Among the problems is that policy is usually too long and too complicated.  It then becomes a TL;DR document (Too Long; Didn't Read).  I'm sure that both policy writers and policy readers/recipients can relate to this.
   So what to do?  I like to say that "you pay by the word", because you can pay now or pay later...

Tuesday, November 6, 2012

Reputation Management 101

   In October and November I’ve had a number of opportunities to present to groups of parents about Internet Safety, Social Networks and kids.  I try to do this regularly.  It’s a great way to give back to the community and talk about subjects I enjoy.

   One of the themes I often cover is Reputation Management.

   Parents are concerned that their kids share too much information online.  So much of what our kids do is documented online.  Everyone is carrying a camera and video camera with them and it all gets posted online.  For those of you who are parents with kids… imagine if there were cameras everywhere when you were young and everything you did was photographed or videoed and available for anyone to see!

Tuesday, October 30, 2012

Online Self-Defense - Part 4 of 3 - Don't Phall for Phishing!

   I said in part 1 that this would be a 3 part series, because everything comes in 3's.  Well... it's still Cyber Security Month and I would be remiss if I didn't write about phishing.  So we'll just call this part 4 of 3!  Here are parts 1, 2 and 3.

   As you probably know, phishing refers to an attempt to fraudulently get your personal information by masquerading as a trusted source. Examples include: a fake email that looks like it came from your bank; a fake fraud warning message that looks like it came from your credit card company, or; a distress message that looks like it came from a "friend" asking for money.

Tuesday, October 23, 2012

Online Self Defense - Part 3 - Don't Click!

   This is the third post in my series on Online Self-Defense.  We've covered malware and passwords, two key issues effecting your online privacy and security.  If you've tried the simple tips I gave on those two subjects then you are now safer than most web surfers.

   Now, to keep you and your computer safe... don't click on that link!

Tuesday, October 16, 2012

Online Self Defense - Part 2 - Passwords

   Last week I started a series on themes I covered in a talk entitled "Online Self-Defense".  In part 1 of that series, posted here, I talked about protecting your computer. This week we'll look at passwords.

   Passwords are a mess!  A "good" password has these features:

  • hard to create
  • hard to remember
  • hard to enter
  • probably has to be changed as soon as you memorize it
  • plus other inconsistent, random rules depending upon the site

Tuesday, October 9, 2012

Online Self Defense - Part 1 - Your Computer

   Happy US Cyber Security Month!  This partnership between Homeland Security, NCSA and MS-ISAC is an opportunity to recognize the importance of information security.  How are you celebrating?

   Last week I ran a couple of sessions at work on awareness and security.  Over the next few posts I will be reviewing some of the 3 themes I covered in a talk entitled "Online Self-Defense". You can view the slides on my slideshare page. (actually, the talk focuses on just 2 of the themes but that's OK!). Since everything comes in threes (omne trium perfectum), I will give 3 easy tips for each theme (and some bonus tips as well).

   The first theme is protecting your computer or device.

Tuesday, October 2, 2012

Stuff I Say - No One Has Ever "Read and Understood"

   Most organizations have policies.  Most medium-to-large sized organizations have security policies.  I hope that yours does!  Policies are a cornerstone to a security program.  People need to know what to do and policy is that high-level guidance.

   Of course, people need to read those policies!

   Many organizations will have staff sign a form that states they have read and understood the policies.  Sometimes this happens just once.  Sometimes it's annually, perhaps at the same time as an annual performance review.  Sometimes it's when a person joins the organization, or shortly thereafter.

   But does that work?  What is the goal?  I say that doesn't work!  No one has ever "read and understood"!

Tuesday, September 25, 2012

Stuff I Say - KISS - Keep It Simple Security

   This is the first of a series of posts covering themes I talk about all the time.  The theme today is keeping things simple.

   Last week I spoke at the Interface conference in St. Paul.  It was a fun talk entitled #*%! My CISO Says, covering a range of security governance and management topics.  Slides are on my slideshare page.  In that talk I frequently referenced keeping our security program simple.

Tuesday, September 18, 2012

Just Say No to "Just Say No"!

   Last week I spoke at The Security Standard conference put on by CSO Magazine.  While not the main point of my talk, one key theme that I addressed is that in Security and IT we cannot use "Just Say No" as an operating strategy.

   Five, Ten or more years ago, security and IT divisions were often considered to be roadblocks.  In many organizations, security and IT existed for self-fulfilling reasons... to support the technology they chose.  IT and security would dictate to the business.  But that's not the right way...

Tuesday, September 11, 2012

Mobility not just Mobile

   Yesterday I gave a talk at CSO Magazine's The Security Standard conference in NY.  There was a great group of attendees and the conference has been excellent.  My talk was on the Embracing the IT Consumerization Imperative.  You can view the slides on the conference site or my slideshare site.

   One of the important points I made, and a frequent theme for me, is the need for alignment between business and security and IT.  It's too easy for those of us in the technology space to get caught up with the devices, toys and tech solutions.  We too often get disconnected from the business need.  Security and IT groups exist to service the business.  Business drives security; business drives IT... not the other way around.

Tuesday, September 4, 2012

Ineffective Security

   This is my 2nd favorite picture to use in a presentation. (I'll talk about my favorite picture in a future post!) It shows a classic security failure... the use of an ineffective security control.

Tuesday, August 28, 2012

And the Password is... Monkey!

   If you've been following the news about hackers and cracked passwords, then you know that one of the most often used passwords for online sites and services is: Monkey.  Who would have guessed?!

   All the buzz is about an article appearing in ArsTechnicaWhy passwords have never been weaker - and crackers have never been stronger, by Dan Goodin.  It's an eye-opening piece about how the state of the art in password cracking has been greatly advanced by the security information intelligence gained from recent hacks, and password file disclosures, from LinkedIn, eHarmony, Battle.net and others.

   Everyone "knows" they should be using strong passwords - yet passwords like 123456, password and Monkey are routinely on the top of the list of the most used passwords on hacked sites.  Similarly, everyone "knows" they should not reuse passwords between sites (is your Facebook password the same as your online banking password???).  But the article refers to a 2007 Microsoft study which reports that the average web user has accounts on 25 different sites, but protected by only 6.5 unique passwords!

   Here's my take...

Tuesday, August 21, 2012

Inspiration, Aspiration and Perspiration

   I recently read the book, "Start With Why" by Simon Sinek.  Actually, as I usually do with books, I listened to the audiobook.

   One of the key points in the book, and one that I am using, is what Sinek calls the Golden Circle.

Tuesday, August 14, 2012

Is the Help Desk the New Perimeter?

    Unless you've been under a rock, you've read about the unfortunate hack of tech jounalist Mat Honan's home iPhone, iPad, Mac, Gmail, iCloud, Amazon and Twitter accounts (not necessarily in that order).  You can read the details in Mat's Wired article here.  Also, some great twit.tv podcast coverage on TWIT, TWIG and Security Now!.

   I won't rehash what others have said on this matter.  But I do have a couple of different thoughts.  A number of people have written takes on what you should do to protect yourself.  I have some thoughts on this that I'll share in a future post.

Tuesday, August 7, 2012

The Case for Security Awareness

   There have been a number of articles lately talking about the value of Security Awareness. In particular, this post, by CSO Online blogger Dave Aitel makes the case that Security Awareness training is not useful or effective. A number of examples are listed trying to show that even in supposedly "enlightened" companies, like RSA, simple mistakes like opening a malicious email attachment, still happen.

   I think this is too simplified a view.

   It's hard to quantify how many things don't happen, prevented by basic awareness training. But, a big problem could be the training itself.  From this Dark Reading post:

Tuesday, July 31, 2012

Think Before You Tweet

   I love listening to audio podcasts. One of my favorites is The Social Hour on the TWIT network. On a recent episode, hosts Sarah Lane and Amber MacArthur started off the show talking about a couple of instances of people using very poor judgement when posting on Twitter.

   First, top Greek triple-jumper and former Olympic team member Voula Papachristou showed very poor judgement, tweeting a racist message in the weeks leading up to the London Olympic games. You can read the tweet as well as some commentary here and here. There are a few things that make this case interesting.

Tuesday, July 24, 2012

Excellent Service Every Time

   Perhaps you've heard of Seth Godin. He's an author and speaker who usually covers subjects like marketing and leadership. You should follow him on twitter and read his blog.  Watch his TED talks (you do watch TED talks... right?)

   In a recent post entitled "Marketers with Power", Seth discusses situations when we have no choice in an action, such as when:
I have to fill out this form before the doctor will see me

Tuesday, July 17, 2012

Customer or the Product?

   The idea has been talked about before here, here and here.

demotivational posters - FACEBOOK & YOU
see more Very Demotivational

   There are many free services out there.  Don't get me wrong... many are quite useful and I use many myself.  But people get upset when there is an outage (like this).  And more than one social network has had issues over changes in privacy policy (I'll talk more about this in a future posting).

Tuesday, July 10, 2012

Put that in your Vault
   The other day we were having a family meal (that doesn't happen too often) and the conversation turned to passwords (and that never happens! :-).

   Of course, everyone in the family has accounts on various social media sites as well as other sites.  I've given the parental/security advice about passwords.  In particular, we were discussing not reusing passwords among websites.

   We've all heard about the LinkedIn password breach.  Basically, the LinkedIn hashed password file was stolen via a SQL injection attack.  LinkedIn did not do a good job salting (to add randomization) or hashing the stored password files.  So with the encrypted password file in hand, the attackers can throw all their computing power at cracking passwords.  Included in the value of cracking these passwords is the high odds that many users have reused these same passwords on other sites, such as their online banking.

Tuesday, July 3, 2012

Texting and Driving

   Mashable ran a powerful infographic on texting and driving.  Among the scary stats were that 23% of 2011 auto collisions involved cell phones; at 55 MPH you can travel 100 yds while glancing at your phone, and; 27% of adults have sent or received texts while driving (it's not just teens and 20-somethings).

   It's plainly obvious that there are dangers here.  But what are the solutions?

   The infographic suggests three solution areas: 1. laws; 2. tech (including driver-monitoring cameras or anti-texting apps), and/or; 3. education/social-media campaigns.

   But I think all these ideas are missing a key point... they do not take into account the always-connected society in which we live.  It's easy to say that someone should, for example, pull over before texting or making a call, but that's just not practical.