-
30 Apr 2019Healthcare’s latest (ridiculous) proposal to improve security in that industry
For years, I've ranted about the rebranding of information security to "cybersecurity". This strategy is nothing more than a means to redirect attention - even create confusion - over what we do so that something shiny, new, and sexy can be sold to those who are buying. It's bad for what we're trying to accomplish in this field. We need less confusion rather than more. Well, here's a new set ...
Continue Reading... -
27 Sep 2017SEC, Equifax, what’s next? Focus on – and fix – the stuff that matters in security.
I recently consulted with a client on the SEC and Equifax breaches and had some thoughts that I left with that I wanted to share here: Your security program is only as good as your day-to-day processes and people. No amount of policies, plans, and technologies is going to prevent you from getting hit. Reactive security is apparently the new norm, at least according to SEC chairman Jay Clayton. I ...
Continue Reading... -
15 May 2017
The real reasons behind the WannaCry ransomware
As we continue down the path of yet another major security breach - this time with the ransomware WannaCry - let us remember that it's not just about the criminal hackers, out-of-control government agencies such as the NSA, or vendors such as Microsoft putting out vulnerable software. Every single one of us working in IT, security, and business today are complicit in these challenges. Outdated/unsupported operating systems are running. We ...
Continue Reading... -
13 Apr 2017
Why SOC audit reports can be misleading, mobile app security gotchas, and more…
Here are some links to recent articles I've written regarding application security...if you take anything away from this, it's that you can't afford to take this part of your security program lightly. Dealing with vendors who want to push their SOC audit reports on you Explaining discrepancies in different security assessment reports Why DAST and SAST are necessary if software is solid from the get-go Nixing credential re-use across unrelated ...
Continue Reading... -
06 Feb 2017
Getting to know your network with Managed Switch Port Mapping Tool
In my years performing independent network security assessments, one thing that has really stood out to me is the lack of network insight. Regardless of the size of the organization, the industry in which they operate, and the level of security maturity, in most cases, I see IT and security shops with very little:documentationinventoryconfiguration standardslogging and alerting outside of basic resource monitoringWhat this means – and what it can easily ...
Continue Reading... -
03 Jan 2017
Keys to a great 2017
Welcome to 2017! It's another year and another great opportunity to get security right in your organization. As you return to work with a cleared mind and good intentions, building (or maintaining) an effective information security program in the New Year is not unlike my favorite passion: car racing. You not only need to get off to a good start but you also need to keep up your momentum...lap after lap ...
Continue Reading... -
19 Sep 2016
People Behaving Badly and information security’s tie-in
Last week, I had the opportunity to travel to the Bay Area in California to record an information security video (thanks Intel and TechTarget!). Of course, I couldn't travel across the country and not see the sights of San Francisco. A most excellent highlight of the trip was for my son and I to meet television and social media celebrity, Stanley Roberts. My son is a huge fan of Stanley's, ...
Continue Reading... -
19 Sep 2016
What, exactly, is reasonable security? The state of California knows!
With all that's happening in the world of information security, it seems that there's never enough regulation. From to HIPAA to the state breach notification laws to PCI DSS and beyond, there are rules - and guidance - around every corner. Oddly enough the breaches keep occurring. As if what we've been told up to this point is not reasonable enough. Some people, mostly federal government bureaucrats and lawyers who ...
Continue Reading... -
05 May 2016
Twitter hack–NFL draft consequences
I recently received this press release regarding Ole Miss offensive tackle Laremy Tunsil's Twitter account and how it affected his NFL draft:Amazing.Will someone please tell me how the consequences of basic security weaknesses surrounding social media, passwords, and malware do not impact us all personally and professionally....
Continue Reading... -
04 May 2016
Yet another over-hyped security flaw making the headlines
For years now, I've ranted here and elsewhere about the nonsensical niche security "flaws" uncovered by researchers and academic scholars that often have no real bearing on business or society. There are always caveats, always reasons why these super-complicated exploits won't work, yet they make the headlines time and again. The recent Waze app discovery is a great example:Vulnerability in Google's Waze app could let hackers track you, researchers sayLook ...
Continue Reading...
Resources
Client Testimonials
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”
(IT managed services firm)
I’ve written/co-written 12 books on information security including:
