In a week or two (or 3 or 4), I’ll be leaving on at least two months of maternity leave. Short- or long-term leave is a pretty common scenario, whether for maternity leave, disability, or a sabbatical. People who have accounts and company knowledge are just “gone” for extended periods of time. Sometimes there’s advance notice, sometimes there’s not. What can you (or your company) do to make the transition easier from a security perspective? Availability is one area of security – aka business continuity. If you know you’re leaving for an extended period of time, let your employer know as soon as reasonable. I know for maternity leave, many women and their partners wait until after the first trimester –[…]

Here are 5 New Year Security Resolutions that may be useful to adopt in 2011. 1) Upgrade your password swagger Several security incidents involving leaked passwords occurred in 2010. As long as passwords continue to be ubiquitous to single-factor security online, they will be huge targets for attackers. Beef up your account security by using different passwords for different accounts. Use a password manager to organize them, and use randomly generated passwords to make it hard for an attacker to guess their way in. Even starting a simple password rotation schedule for your own accounts can add some decent protection against password breaches. 2) Keep up with updates and patches It’s not ideal to postpone things that are time-sensitive and[…]

Forget about everything that’s been made of password strength; it’s a red herring. True, you shouldn’t be using one common password across all sites, but that’s not a password selection issue. Should you pick good quality passwords that aren’t easily guessable? Absolutely. That being said, let’s forget about the rest of the rules, with perhaps the exception of length, and talk a bit about what actually happened with Gawker.

A number of our employees are currently spending a fairly large amount of their time helping a customer with a task. In a perfect world, this task would be completely unnecessary. Suffice it to say that there is some maintenance that must be performed on a number of systems before the year is out, and they are having trouble getting responses from the system administrators who are responsible for the systems. When we perform assessments, we often ask our customers whether they have a configuration management database (CMDB) or something similar. While CMDB systems may be useful for performing a physical inventory of your systems, that isn’t the real benefit. The real power of a CMDB comes in being[…]

Recently I changed my personal firewall software. I was using the default Windows7 Pro firewall, which is fine for basic stuff, but I found a deal on one of my favorite security suites, so I went ahead and sprung for it. One main befuddlement people have with additional firewall software is the amount of nagging it often does when it’s first installed. You open your email client – popup – “program X is trying to communicate on port Y would you like to allow this?” You click yes, and move on. You open your instant messaging client and again – popup – “program X is trying to communicate on port Y would you like to allow this?” This can be[…]

One of the most common vulnerabilities in web applications is known as HTML injection or cross-site scripting, and one of the simplest ways of showing such a problem exists involves loading a JavaScript alert dialog. Those who understand the ramifications of such an issue know that it creates the potential for far more malicious activity, but the alert box is an easy demonstration that the application can be automatically manipulated. Other vulnerabilities, though, may be more subtle and not as readily visualized. Take cross-site request forgery, for example. It’s easy to understand that there’s a problem when an application lets you manipulate the data of other users – the site should validate the account making requests before executing them. What[…]