• 09 Feb 2011

    Is it possible to do more with less?

    In this era of limited budgets and "wait and see" leadership you still have to do something to manage IT and information security. I've always had trouble understanding why people can't focus on the basics and solve these problems using solutions already at their disposal. I guess the marketing machine is just doing its job. Here's a good article about this very thing written by my colleague and publisher Steve Lasky ...

  • 02 Sep 2010

    Crunch risk numbers or fix the obvious?

    My colleague Ben Rothke (@benrothke) recently wrote a good piece on basing information security decisions on good data. I like his approach - it'll make you think. It's true we do need good data so we can make better decisions. Sadly, we often don't have the data or, if we do, we're not qualified to interpret it. Maybe it's just me but I don't believe my degrees in computer engineering and ...

  • 15 Apr 2010

    CSRF doesn’t matter?? The sky is falling!

    Here's a great piece where something I wrote put a grown man with a hacker handle's boxers in a bunch. With all due respect to what Robert has contributed to our field, he is missing the point of my 8 sentence statement about cross-site request forgery (CSRF) not being a top priority (formerly published on SearchSoftwareQuality.com). It reminds me of when I wrote about Changes coming to the OWASP Top ...

  • 08 Nov 2009

    The real deal with the SSL/TLS flaw

    Over the past few days Twitter, security blogs, and news columns have been going crazy with the newly-discovered SSL/TLS flaw. Man, you'd think it's the next WEP exploit discovery. The security sky is falling...we must retreat. Seriously, is this thing a big deal? Not in my opinion - at least not in all but 99.9% of any given situation. But what do I know? I'm just the security guy that sees ...

  • 27 Jul 2009

    My latest security content

    Here's my latest information security article I wrote for SearchSMBStorage.com you may be interested in: Making sense of regulatory compliance and data storage for SMBs. As always, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts, my Twitter updates, and more....

  • 16 Jun 2009

    Getting back to the basics – what’s it going to take?

    With all the worry about budgets and all the marketing hype over some of these fancy vendor security solutions, I still see so many simple/silly/stupid things related to IT that need to be fixed before a penny is ever spent or a single new technology is ever deployed. Things like: network shares sharing out entire drives full of sensitive files - accessible by anyone with just a basic network login ...

  • 26 May 2009

    Perfect example of an unknown app becoming a known target

    A while back I wrote about a great email server called Icewarp. It wasn't bloatware - it had just what SMBs needed in an email server...Oh, and it wasn't a target for security exploits - an obvious added benefit. But as with anything else, you grow bigger, your app becomes more complex, and you'll no doubt become a bigger target for attacks. As of late Icewarp has grown a lot ...

  • 26 Mar 2009

    How long will we be talking about this?

    I saw this bit and wondered to myself: how long will we be talking about the basics of security and the ramifications when they're ignored? 10, 20 years more maybe?...

  • 26 Jan 2009

    A primer on WEP/WPA hacks & why it doesn’t matter

    If you can't justify spending $18.99 on the book I co-authored, Hacking Wireless Networks For Dummies, then there's an alternative resource for you to at least be able to learn about how WEP and WPA can be exploited. In this recent SearchNetworking.com tip, Lisa Phifer has taken the volumes and volumes of technical jabber about the known attacks against WEP and WPA and distilled them into a simple 5 minute read. ...

  • 18 Mar 2008

    The book that started it all for me

    I've gotten several inquiries from people lately regarding what book or books they should read to help get them started down the information security career path. Well, believe it or not, here's the one book that really got the ball rolling for me: Yep - I learned the basics of TCP/IP during many a lunch break way back when this book was in its first edition...and I *still* use that stuff. Sure, ...
