Use risk management for reasonable information asset protection

February 19th, 2007

Selecting the right security controls can be a daunting task.  By applying the principles of risk management, however, security managers can meet the challenge with confidence.

 Read the article

Holy Toledo! The iPod did it!

February 17th, 2007

Unbelievable.  It’s even more unbelievable because I live near the community of Oregon, Ohio where a police detective called a student’s iPod a “criminal tool”. 

In an article in the Toledo Blade,  Robin Erb describes an incident in which a former Clay High School student was charged with a felony for accessing school employee and student records.  Not only did he access them, he downloaded them to his iPod.  In addition to being charged with unauthorized use of a computer, he was also charged with possessing a criminal tool–i.e. the iPod.  Nice police work, Oregon.  Will I still be able to carry my iPod concealed when I cross the city line?

Although the former student used a school computer lab to access the sensitve records, no mention was made in the article about how this was even possible.  It probably didn’t take much cracking of system security if access was gained in a classroom with High School staff supervision.   Instead of vilifying the venerable iPod–or any other mobile storage device for that matter–it might be better to ask serious questions about how this was even possible.  What steps is the school system taking to ensure this doesn’t happen again?  Or will the school board simply add mobile storage devices to the list of criminal tools so it can assure parents and teachers that their information is now secure?

Calling endusers stupid isn’t helpful

February 17th, 2007

I was reading a Tim Wilson article at Dark Reading this morning in which he asked the question, “So are users hopeless?  Are they inherently brainless and/or evil?”  My first reaction to the question was raucous laughter.  When I finally regained my senses, I read the rest of the article in which Wilson makes a lot of sense.

As a security director, I have days when I believe the users are all out to violate as many security policies as they can, either intentionally or because they are brain dead.  But this attitude isn’t helpful.  I agree with Wilson that most end users are intelligent individuals who want to do the right thing.  Keeping that in mind, helping users help themselves is a key element in any security program.

For years I’ve been a proponent of user education as a first step.  If there is chaos in the halls of security compliance, then part of the blame usually lies with the lack of effectiveness of an organization’s security awareness efforts.   This is always the first step, but it isn’t enough.

Employees will always make mistakes.  Yes, they’re human beings not robots.  So there are steps security professionals must take to mitigate the impact of those mistakes.  Content monitoring for data transfers, locking down the desktop, and Internet access controls are three good places to start.  Not only will this help stop the bleeding from an accidental incident, it will also help minimize the probability of malicious activities.

Wilson does finish his article with the assertion that end users are hopeless.  OK.  Maybe.  But IT security shouldn’t be. 




February 16th, 2007

Yes, the title is in all caps.  Yes, I’ll yelling as loudly as I can.  In a recent column at, Bill Brenner reiterates the dangers of using Telnet over connections that are not secure.  The principle problem is that Telnet communicates user IDs and passwords in clear text between workstation and server.  Secure Shell (SSH) is a much better choice.

Reflections on Vista security

February 16th, 2007

In a recent blog entry at, Joanna posted her comments on Vista UAC and integrity levels after having used the OS for more than a month.  Interesting reading.

Scan AJAX for XSS entry points

February 16th, 2007

Cross site scripting (XSS) is a big problem in web application environments.  In fact, the 2007 OWASP Top Ten list of web application vulnerabilities has XSS at #1.  In a recent paper, Shreeraj Shah, founder of Net Square, describes in detail the process for protecting applications developed using the AJAX framework.  It also includes scripts to automatically scan code for XSS vulnerabilities.  The paper can be found here.

Transfer risk when mitigation costs are too high

February 16th, 2007

According to security best practices, there are four things you can do when risk to an information asset is identified and business impact assessed.  You can reject/ignore the risk.  This is not a smart move in most cases.  You can mitigate the risk to an acceptable level.  You can accept the risk.  And finally, you can transfer the risk.  Transferring risk usually takes the form of purchasing insurance to soften the impact of a security incident.  It’s occasionally less expensive to purchase insurance than it is to implement controls to significantly reduce risk.

In a February 15 Dark Reading article, Tim Wilson looks at the benefits and opportunities for security breach protection through the purchase of insurance.

Lock it down: Use the revised OWASP Top Ten to secure your Web applications — Part 1

February 15th, 2007

For the first time since 2004, the Open Web Application Security Project (OWASP) is updating its Top 10 Vulnerabilities list. As a supplement to an previously published article on the 2004 OWASP Top 10, this is the second in a series of articles in which I explore the 10 vulnerabilities the OWASP believes present the highest risk to Web application environments.

Personal, gratuitous post…

February 15th, 2007


Check out my book, Just Enough Security, at

Additional security management resources are available at

My podcasts –>

Free security training –>

Soft versus hard security

February 15th, 2007

In this Geekzone article, Darryl Burling ponders the value of putting risk management on the user.  I don’t know about you, but relying on users to protect data, even their own, is typically a losing proposition.  Read the artcle and you decide.