-
09 Dec 2011Reactive security at its finest
I've been hearing on the news about Georgia State University (@GeorgiaStateU) installing 50 new security cameras. No doubt, universities in downtown Atlanta (one of the highest-crime cities in the nation) are not fairing so well with security these days so somebody needs to do something, no?Well, Georgia State's solutions was to install more security cameras. Is this security theater at it's finest? Not totally, but it is security theater like ...
Continue Reading... -
08 Dec 2011
Are CIOs not doing their jobs?
In the past week I've come across three different articles on how CFOs are getting more involved in IT. For example, in last week's Atlanta Business Chronicle feature CFOs take on increasing roles in IT department stated: "CFO involvement with IT has been largely driving by the need to upgrade reporting functions and the general inability of many legacy systems to provide the kind of data the C-suite needs." According ...
Continue Reading... -
07 Dec 2011
BitLocker, Passware…heads in sand everywhere!
Three times in the past three weeks. That's how many conversations I've had people who have blown off any sort of technical or operational weaknesses associated with Microsoft BitLocker when using it as an enterprise full disk encryption solution. They're well-documented. I highlighted these issues in my recent whitepaper The Hidden Costs of Microsoft BitLocker as well.I've said it before and I'll continue saying it: I've sung the praises of ...
Continue Reading... -
07 Dec 2011
Information security quote
Don't expect short-term perfection in your security program. Instead, aim for incremental improvements over time. -KB...
Continue Reading... -
07 Dec 2011
Join me live online today with TechTarget & ISACA
Today is our live virtual seminar Making the Case for the Cloud: The Next Steps. Join me, Urs Fischer, Dave Shackleford, Andrew Baer and Diana Kelley to hear about various aspects of cloud computing you may not have thought about.Starting at 11:15am ET, I'll be presenting on Incident Response in Cloud Computing. I'll talk about common incident response weaknesses I see in my work, questions you must ask your cloud ...
Continue Reading... -
06 Dec 2011
School staff members and porn – Why you should care
Here's an interesting read on government employees trying to make an extra buck by serving up pornography on their high school-issued computers. What a lovely story.Don't think this kind of behavior is random. I've seen this very thing at the university level during a security assessment I did early on in my information security consulting venture.You see, one thing I do during my internal security assessments is connect a network ...
Continue Reading... -
05 Dec 2011
What happens when third-party patches are ignored
The majority of people I speak with claim they have no means for patching third-party software. As Kelly Jackson Higgins mentions in her recent Dark Reading blog post regarding the rash of Java exploitations, when third-party software goes unmanaged, bad things can happen.It's great that Metasploit has a a module for Java exploitation - something that'll not only benefit me in my security assessments but will also help bring to ...
Continue Reading... -
01 Dec 2011
You’re in charge of your own crisis
Whether or not you - or your management - believes you'll suffer a security incident it certainly pays to be prepared. Odds are that something is going to occur.Does your business have a solid incident response plan? What about a communications plan? Is an executive or business PR representative going to say "Um, well, uh you know - we got hacked and stuff..." to the eager media or are they ...
Continue Reading... -
29 Nov 2011
HDMoore’s Law, revisited
Here's a good read by Mike Rothman (@securityincite) on how we tend to bury our heads in the sand over the most obvious things including HD Moore's Law. For years, I've had a slide in my presentations titled "Future Trends" where I've talked about how exploits are getting easier for those with ill intent:Easier access to toolsLittle knowledge neededLess elaborate “hacks”More internal breachesMobile business → less controlGreater complexity → more ...
Continue Reading... -
27 Nov 2011
Don’t get mired striving for perfection
As we wind down 2011, here's a quote that relates to information security, incident response and overall risk management:“The person who insists upon seeing with perfect clearness before he or she decides, never decides.” -Henri Frederic AmielSo, do something to better your information security program. Any positive step forward - anything - is much better than getting mired in the desire for perfection and doing nothing at all....
Continue Reading...
Resources
Client Testimonials
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”
(IT managed services firm)
I’ve written/co-written 12 books on information security including:
