How do you buy groceries? Do you buy based on brand, what you know? Do you consider the price? Or do you have someone else handle it for you? Making An Investment While routine, groceries aren’t expensive. When we consider larger investments, however, the calculus changes. Most hesitate a bit when buying a new computer or tablet. We’d want to make sure the system meets our requirements and we’re not paying too much. Since they are a commodity item, you can shop around without difficulty. Buying a car or a house requires more time to be spent in the due diligence process. At some point it becomes less about “buying” and more about “making an investment”. Smart entrepreneurs consider their exit.[…]

What is the bare minimum amount of work that can be done that can be considered making a system more secure? What items must all individuals, all organizations, and all systems address in order to improve security? I often tell people that security is not one-size-fits-all, but what is the one-size-fits-most equivalent? What is the 20% of minimum viable security implementation that will address 80% of vulnerabilities? In 2006, NIST released special publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition, a series of recommendations on how individuals could secure their home computers. Weighing in at 175 pages, it was not for the faint of heart. If you stick with it until Appendix A, you’ll find this interesting quote: Appendix A contains step-by-step instructions for implementing the[…]

By default, VMware's vCenter and ESXi install with self-signed certificates, and the private keys for their SSL web services are protected with hardcoded passwords. That gets you services that work out of the box, but it is really bad form and a poor security practice. If you install (or upgrade to) version 5.1 of the VMware infrastructure components, you will be left with a bunch of certificate warning windows every time you connect. If you're lucky enough to have access to your own public key infrastructure, you can issue your own certificates to replace the ones VMware provides, so you stop seeing the constant warnings. However, if you undertake this effort, be forewarned: VMware's guidance (Replacing Default vCenter 5.1[…]
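The certificate-replacement idea in the excerpt above, as an added example that is not part of the original post and is not VMware's own replacement procedure: a throwaway internal CA stands in for your PKI, a server certificate is issued for a made-up vCenter hostname with a subjectAltName, and the same check a browser performs (chains to a trusted CA, name matches) is run against it and against a default-style self-signed certificate. It assumes only that the openssl command-line tool is on PATH; the hostnames and the CA name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post or from VMware): stand up a throwaway
# internal CA, issue a server certificate for a hypothetical vCenter host,
# and verify it the way a client would. Hostnames below are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the issuing CA. In a real PKI this key lives offline or in an HSM.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Internal CA" >/dev/null 2>&1
}

# Generate a fresh key and CSR for a host, then have the CA sign it with a
# subjectAltName, which is what browsers actually match against the URL.
# -nodes leaves the key unencrypted on disk; it is protected by file
# permissions rather than by a password shared across every install, which
# is the default behaviour the post objects to.
issue_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
  chmod 600 "$WORK/$host.key"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" >/dev/null 2>&1
}

# Mint a self-signed certificate of the kind an appliance ships with by
# default, for comparison.
make_selfsigned() {
  host="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$host.key" -out "$WORK/$host.crt" \
    -subj "/CN=$host" >/dev/null 2>&1
}

# Return 0 only if the host's certificate chains to our CA and carries the
# hostname as a SAN; both must hold before the browser warnings go away.
verify_cert() {
  host="$1"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$host.crt" -noout -text | grep -qF "DNS:$host"
}

# Stand-alone demonstration: run with "demo" as the first argument.
if [ "${1:-}" = "demo" ]; then
  make_ca
  issue_cert vcenter.example.internal
  make_selfsigned esxi01.example.internal
  verify_cert vcenter.example.internal && echo "vcenter: trusted"
  verify_cert esxi01.example.internal || echo "esxi01: self-signed, untrusted"
fi
```

Replacing the appliance's certificate with the issued one only helps clients that already trust ca.crt, so the CA certificate has to be distributed to the workstations and to any vSphere components that talk to each other; that distribution step, and the appliance-specific file locations, are what the VMware guidance the post goes on to discuss covers.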

The term “black swan event” was introduced by Nassim Nicholas Taleb in the book Fooled By Randomness. Black swan events have three major characteristics: they are rare, they have a significant or extreme impact, and in retrospect they appear to have been predictable all along. As described very well in this Wired article, “getting hacked” is a black swan event. While “getting hacked” can mean many different things, let’s take the example used in the Wired article of having your identity stolen by hackers. It is rare enough that many of us will probably never experience it. Some cases have an extreme impact, such as having your identity stolen, losing funds from your bank account, or having your computer or mobile devices wiped. And as this blog and any number of[…]

I read a good article a few weeks ago, by Tom Mendoza of NetApp, called 6 Powerful Ways to Embrace Change. It’s worth the short read. It got me thinking about how the Information Security industry is really in the business of change management. Change management seems to be a business term for “doing everything you can to avoid embracing change”. I’m going to take Tom’s 6 ways and rewrite them from an information security perspective. 1) Don’t look back Unfortunately, in the information security industry, not looking back is a sure key to failure. If you don’t continue to address the risks presented by your legacy systems which no longer get security patches, or pay attention to information that was long[…]

The tl;dr summary for those with short attention spans – Don’t open the attachment, be quick to delete anything you’re not sure about, and if you want to help in the fight against phishing, report it using the guidelines I’ve outlined below. I received a pretty awesome phishing email today. It included a significant attachment that I’m looking forward to analyzing at a later date. Since it will take me a while before I’ve got the time to run the analysis, I decided I wanted to forward it around to the appropriate organizations to ensure that they take some time and analyze it and make sure other individuals can be protected from it. It turns out that there are more places[…]