• 29 Nov 2007

    Don’t expect to get paid for what you have on paper

    Don't fall into the misperception that just because you've earned a college degree (especially one in infosec) or the CISSP certification that money, respect, and a great job will fall right into your lap. I thought this same thing coming out of school, but as I found out, it doesn't work that way in the real world. I hear people often say "I've got to hurry up and finish ...

    Continue Reading...
  • 28 Nov 2007

    Welcome to my new blogging platform

    You may have noticed a lull since my last posting. Believe it or not, I've been fighting and fighting and fighting some more with my previous blog software/platform that I was hosting on my own to get it to do what I needed. After many iterations of trying to edit templates, change styles, installing and re-installing MySQL, PHP, Apache, Perl...you name it, I realized that I wasn't spending my time ...

    Continue Reading...
  • 26 Oct 2007

    My articles from this week

    A new thing I'm going to start doing on my blog is linking to any articles I've recently written for TechTarget and other trade publications. Sort of an added bonus to what I write here in my blog. For all of my past content be sure to check out www.principlelogic.com/resources.html. Here are this week's entries: Eight reasons to do source code analysis on your web application Database security testing terms: ...

    Continue Reading...
  • 17 Oct 2007

    Don’t test your Web applications because they’re too critical…? What!?

    I can't tell you how many times I've come across network managers who choose to ignore their most critical business applications - all in the name of system uptime. I had a recent event that sparked this very post. The general perception is "We haven't tested our e-commerce/online banking/employee portal/ fill-in-the-blank Web application for security vulnerabilities - we're afraid it may go down if it's hit too hard..." My initial ...

    Continue Reading...
  • 11 Oct 2007

    The industry’s first patch management program?

    Apparently I was ahead of my time. Way back in 1996 I wrote and sold a program called LANUP through a consulting company a buddy of mine and I ran on the side. LANUP - short for local area network update - was designed for NetWare operating systems. I wrote it out of desperation because I was administering so many NetWare servers at the time - I needed some automation. ...

    Continue Reading...
  • 08 Oct 2007

    Are you open minded?

    One thing I talk about when speaking on information security careers is something that many overlook yet it can make or break our success in this field. It's learning from others and continually educating yourself throughout your career. A lot of us in IT are pretty closed-minded. It's not just toddlers and teenagers that think they know it all - it's often ourselves and our peers. A typical mindset is ...

    Continue Reading...
  • 02 Oct 2007

    What’s it going to take to encrypt laptop drives?!

    So, the latest in the lost laptop world is that 800,000 job applicants of Gap, Inc. now have their personal information exposed. Apparently the laptop was stolen from the office of an "experience third-party vendor". Experienced in what? Not taking security seriously? Apparently the contractor wasn't using encryption, which was in violation of an agreement it had with Gap, Inc. You mean contracts aren't enough to protect information? Go figure. Gee ...

    Continue Reading...
  • 28 Sep 2007

    Is Your Wireless Encryption Enough?

    After reading this piece about the recently released report on the TJX breach from the Office of the Privacy Commissioner of Canada and the office of the Information and Privacy Commissioner of Alberta, I had a thought about the false sense of security that wireless encryption gives us. TJX was apparently using both WPA and WEP for wireless encryption, but it was the WEP that got them into trouble. The ...

    Continue Reading...
  • 27 Sep 2007

    Security is a Choice

    As the saying goes, the more things change, the more they stay the same. It suits what's happening with security just perfectly. It's common knowledge that computer security is a problem that affects every business and every individual in some way. Security best practices are available. The rules have been laid down. Why are breaches still occurring? I think to myself, on the surface there's: information systems complexity, untrained IT staff, people not using ...

    Continue Reading...
  • 07 Sep 2007

    How secure is your law firm’s extranet?

    Do you work for a law firm that provides a client Web portal that houses extremely sensitive case information (or other similar system that allows a client to manage their own data)? If so, chances are there are weaknesses in the system waiting to be exploited. Be it the commonly-used SharePoint or any other commercial or home-grown system, all it takes for someone with ill intentions to create a problem ...

    Continue Reading...