  • 26 Jan 2020

    Learning to be a better security speaker with Brian Tracy

    I recently had the most amazing opportunity to learn more about becoming a better speaker. I got to spend two full days sitting around a conference table and in the studio with the one and only Brian Tracy. I've been speaking professionally for the past decade and a half. As with many of the important things in my life such as information security consulting, car racing, and personal relationships, I've ...

  • 30 Aug 2019

    SQL injection is lurking…Are you looking for it?

    I don't always find SQL injection vulnerabilities in the web applications I test but I have been seeing it more and more recently. I can't figure out why... When I do uncover this grandest of all vulnerabilities, it's usually pretty ugly as it was with this recent finding:

    [Image: Using Acunetix Web Vulnerability Scanner to uncover SQL injection across various web pages and parameters]

    Look for this flaw. Use good tools ...

  • 23 Aug 2019

    Cities + hacking & ransomware: what’s really going on?

    I do a lot of work for municipalities - cities, towns, and county governments - and I've concluded one thing: I don't envy those in charge of their IT and security. Apparently, municipal hacking is all the rage. At least that's what the media is currently portraying. For example, it's on the front page of today's New York Times: https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html Ransomware Attacks Are Testing Resolve of Cities Across America The ...

  • 18 Jul 2019

    How does your incident response program measure up?

    I've heard it said that experience is something you don't get until just after you need it. Incident response is one of those things. How do you fully prepare for something that you've never had to deal with? Well, there are ways, but you have to prepare before the going gets rough. The best thing you can do is to define what "incident" means, think through the scenarios, and create ...

  • 13 Jul 2019

    IT and computer security career tips & resources

    In preparation for my upcoming webinar on information security careers (check that out, by the way!), I was updating my website with IT and security career-related articles. Since I last updated my careers page, I've written 35 new pieces...35! Wow, apparently I need to go back and read some of my own tips on time management. :-) Enjoy and I hope to see you this coming Tuesday (July 16, 2019) ...

  • 04 Jun 2019

    Here’s a BIG mobile security exposure you may be overlooking

    With security, if your goal is to minimize your maximum regret, there's a lot to be thinking about. User behaviors involving mobile devices are at the heart of some of the larger business risks, especially if you're like the majority of businesses I see and support bring your own device (BYOD) for phones and tablets. Well, here's something that you may have thought about in passing but haven't done anything ...

  • 30 May 2019

    Networking + learning at the 2019 SecureWorld Atlanta show

    Before I went out on my own and started my own information security consulting business, I learned two things: 1) I work in information security but I'm really a sales professional (everyone is in sales whether they like to believe it or not) 2) It's not about who I know but also who knows me I found that practicing and growing these aspects of my career is as important as ...

  • 30 Apr 2019

    Healthcare’s latest (ridiculous) proposal to improve security in that industry

    For years, I've ranted about the rebranding of information security to "cybersecurity". This strategy is nothing more than a means to redirect attention - even create confusion - over what we do so that something shiny, new, and sexy can be sold to those who are buying. It's bad for what we're trying to accomplish in this field. We need less confusion rather than more. Well, here's a new set ...

  • 29 Apr 2019

    I’m IT…Respect my authoriTAH!

    If you've watched the animated TV show, South Park, you'll appreciate this. I just came across an article titled The Importance of Respecting Expertise in IT Professionals by Michelle Rakoczy. It's a thoughtful and well-researched piece on why people outside of IT need to respect the guidance/opinions of IT professionals (yet often don't). In my years of information security consulting and observing human behaviors as they relate to the field, ...

  • 11 Apr 2019

    WP Security Audit Log – a must for WordPress security oversight and resilience

    Not long ago I moved my information security consulting business website to WordPress - something I thought I'd never do. The burden of hosting it myself combined with the hassles of working with Dreamweaver forced the change. I wasn't initially a big fan of WordPress...it's almost too much to take on. This coming from a technical guy who hosted Apache on Windows and did most of my administration at the ...
