• 17 May 2017

    My new content on preventing ransomware + infosec leadership and careers

    From ransomware to IT and security leadership and careers - they all sort of go hand-in-hand. Here's some new content for you to check out:

    - Five ways to prevent a ransomware infection through network security
    - An unfunded mandate is not a mandate
    - How top IT pros stand apart
    - Using unrealized IT talent to your advantage
    - Great ways to get management on your side with application security
    - The side-effects of miscommunication between IT and security pros
    - Security mistakes ...

  • 15 May 2017

    The real reasons behind the WannaCry ransomware

    As we continue down the path of yet another major security breach - this time with the ransomware WannaCry - let us remember that it's not just about the criminal hackers, out-of-control government agencies such as the NSA, or vendors such as Microsoft putting out vulnerable software. Every single one of us working in IT, security, and business today is complicit in these challenges. Outdated/unsupported operating systems are running. We ...

  • 08 May 2017

    My CSO interview/story: What it takes to be an independent information security consultant

    I'm very honored to have been interviewed recently for CSO Magazine about my background and what it takes to stand out - and survive - as an independent security consultant. Check it out here:

    Thanks for the nice write-up, Bob Violino! ...

  • 01 May 2017

    Thoughts on the 2017 Verizon DBIR, hacking security policies, breaking into the infosec field, ransomware and more

    Here are some recent pieces I've written for the good people at IANS:

    - Verizon DBIR shows why we're still struggling with security
    - Security policies don't get hacked. Why do they get all the attention?
    - Strategies for Thwarting State-Sponsored Hacks
    - Rooting out Ransomware
    - Where, exactly, is your information?
    - 10 Tips for Breaking into the Infosec Field
    - CEO Spoofing - Don't get fooled
    - Take responsibility for vendor product security
    - Are you making this mistake with your phishing awareness campaign?

    As ...

  • 13 Apr 2017

    Why SOC audit reports can be misleading, mobile app security gotchas, and more…

    Here are some links to recent articles I've written regarding application security... if you take anything away from this, it's that you can't afford to take this part of your security program lightly.

    - Dealing with vendors who want to push their SOC audit reports on you
    - Explaining discrepancies in different security assessment reports
    - Why DAST and SAST are necessary if software is solid from the get-go
    - Nixing credential re-use across unrelated systems
    - Common oversights in ...

  • 03 Apr 2017

    People will violate your policies all day long…if you let them.

    I recently saw this out in front of a local restaurant where management was trying to resolve parking, sidewalk access, and traffic issues. Their "control" obviously doesn't work:

    Be it parking cars or using computers, instant gratification is the name of the game. People want what they want. They want it right now. And, they will take the path of least resistance - and violate your policies in the process to ...

  • 31 Mar 2017

    Outsourcing security monitoring, guest wireless network risks, and more infosec content to help your business

    I can't believe that I recently submitted my 1,000th article... it's been a long time coming! I first started writing in 2001 and it has been one of the best things I ever did. Thanks so much for your support over the years!

    Here's some new content I've written for the nice folks over at Toolbox.com (Ziff Davis) that you might be interested in:

    - Outsource your security monitoring/alerting and be done with ...

  • 13 Mar 2017

    Web and mobile application security vulnerability and penetration testing resources

    Application security is no doubt one of the most important aspects of a security program. Here are some new pieces I've written that can help keep your web and mobile app vulnerabilities in check and your application security program on the right track... pay special attention to the last one regarding security assessments and reality:

    - Keeping your Web applications in check with HIPAA compliance
    - Mobile app security risks could cost you millions
    - Common oversights ...

  • 03 Mar 2017

    Email phishing services: Just what you need to know to start mastering the task

    Got phished? Of course you have... whether you know it or not! As with penetration and vulnerability testing and any other form of security assessment, you need to be performing email phishing tests on your users - all of them, including executive management - on a periodic and consistent basis. I'm doing more and more of this work and the results that I'm finding are astounding... to the point that all other security ...

  • 06 Feb 2017

    Getting to know your network with Managed Switch Port Mapping Tool

    In my years performing independent network security assessments, one thing that has really stood out to me is the lack of network insight. Regardless of the size of the organization, the industry in which they operate, and the level of security maturity, in most cases, I see IT and security shops with very little:

    - documentation
    - inventory
    - configuration standards
    - logging and alerting outside of basic resource monitoring

    What this means - and what it can easily ...
