• 04 May 2011

    From culture to products to malware to breaches – where do you stand?

    Here are some new opinion pieces on information security management that I wrote for Security Technology Executive magazine that you may be interested in:Don’t end up on the wrong side of a data breachFighting the malware fight all over again9 good reasons not to buy information security productsSecurity best practices without question?How's your security culture?Enjoy!As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security ...

    Continue Reading...
  • 04 May 2011

    SecureWorld Expo better than ever

    I attended this week's SecureWorld Expo in Atlanta and must say that the show is better now than ever before. I cut my professional speaking teeth with these guys speaking at dozens of their events between 2003 and 2007. I've taken some time off since but going back and seeing some of the same friendly faces brought back good memories.The best session I attended was William Hugh Murray's keynote on ...

    Continue Reading...
  • 17 Feb 2011

    Are you focusing on the infosec basics where it counts?

    Here's a good read from @arstechnica on the HBGary story. It's a fascinating story in and of itself. But the oversights related to information security "best practices" is amazing. What is it going to take to get people to focus on the basics? Seriously, folks...Forget about all the fancy hack attacks and complex exploits for now and fix the low-hanging fruit. It's basic triage - stop the bleeding first. Focus ...

    Continue Reading...
  • 09 Feb 2011

    Is it possible to do more with less?

    In this era of limited budgets and "wait and see" leadership you still have to do something to manage IT and information security. I've always had trouble understanding why people can't focus on the basics and solve these problems using solutions already at their disposal. I guess the marketing machine is just doing its job.Here's a good article about this very thing written by my colleague and publisher Steve Lasky ...

    Continue Reading...
  • 02 Sep 2010

    Crunch risk numbers or fix the obvious?

    My colleague Ben Rothke (@benrothke) recently wrote a good piece on basing information security decisions on good data. I like his approach - it'll make you think. It's true we do need good data so we can make better decisions. Sadly, we often don't have the data or, if we do, we're not qualified to interpret it.Maybe it's just me but I don't believe my degrees in computer engineering and ...

    Continue Reading...
  • 15 Apr 2010

    CSRF doesn’t matter?? The sky is falling!

    Here's a great piece where something I wrote put a grown man with a hacker handle's boxers in a bunch. With all due respect to what Robert has contributed to our field, he is missing the point of my 8 sentence statement about cross-site request forgery (CSRF) not being a top priority (formerly published on SearchSoftwareQuality.com). It reminds of me when I wrote about Changes coming to the OWASP Top ...

    Continue Reading...
  • 08 Nov 2009

    The real deal with the SSL/TLS flaw

    Over the past few days Twitter, security blogs, and news columns have been going crazy with the newly-discovered SSL/TLS flaw. Man, you'd think it's the next WEP exploit discovery. The security sky is falling...we must retreat.Seriously, is this thing a big deal? Not in my opinion - at least not in all but 99.9% of any given situation. But what do I know? I'm just the security guy that sees ...

    Continue Reading...
  • 27 Jul 2009

    My latest security content

    Here's my latest information security article I wrote for SearchSMBStorage.com you may be interested in:Making sense of regulatory compliance and data storage for SMBs As always, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts, my Twitter updates, and more....

    Continue Reading...
  • 16 Jun 2009

    Getting back to the basics – what’s it going to take?

    With all the worry about budgets and all the marketing hype over some of these fancy vendor security solutions, I still see so many simple/silly/stupid things related to IT that need to be fixed before a penny is ever spent or a single new technology is ever deployed. Things like: --Network shares sharing out entire drives full of sensitive files - accessible by anyone with just a basic network login ...

    Continue Reading...
  • 26 May 2009

    Perfect example of an unknown app becoming a known target

    A while back I wrote about a great email server called Icewarp. It wasn't bloatware - it had just what SMBs needed in an email server...Oh, and it wasn't a target for security exploits - an obvious added benefit. But as with anything else, you grow bigger, your app becomes more complex, and you'll no doubt become a bigger target for attacks. As of late Icewarp has grown a lot ...

    Continue Reading...