Friday, October 6, 2017

@securityguy23:

If you're only listening to respond and not to comprehend -- you're missing (at least) half of the conversation. . .

Thursday, October 5, 2017

@securityguy23:

Hope never has -- and never will be -- an effective risk management strategy. . .

Thursday, September 28, 2017

@securityguy23:

The best way to gauge the effectiveness of an organization's approach to risk management and response all too often comes down to three simple canary questions:

1) When the building caught fire, why did they respond by pointing the hose at the parking lot?
2) Were they surprised when the building still burned down?
3) Did they learn from the mistake and change the approach before somebody brought in the next box of matches?

Friday, August 11, 2017

@securityguy23:

Now Heptaconta Certified with Certified Information Privacy Professional / Canada (CIPP/C) Goodness. . .

Thursday, August 3, 2017

@securityguy23:

Monitoring is vastly different than just logging.

And if you're doing only the latter despite claiming the former -- you've neither got security, nor a remotely defensible position when the auditors and lawyers come-a calling. . .

Tuesday, August 1, 2017

@securityguy23:

There's no crying in baseball or information security. . .

Monday, July 31, 2017

No, I Do Not Have a FedEx Package Pending Delivery

Had my new office line for only 245 days, and usually don't have a reason to give it out since I just use the cel for convenience. . .

But still got tagged by the FedEx Delivery Scam today on the office line this morning claiming that [I] "had a package ready to be delivered to [Our Seattle Corporate Address] and needed to confirm delivery information".

Specific flags:
1) FedEx doesn't do this
2) Foreign accent with broken english on unsolicited call
3) Caller ID popped up a Sri Lanka phone number (+94 90161370) (I assume is bogus)
4) Call logs show it was forwarded out of a San Jose, California number (1-408-907-1818) (Marked as unsafe/spam call in online searching)
5) When I asked for the tracking number, they gave me a 10 digit number (FedEx Track numbers are 12 or 14 digits)
6) When I asked for the sender info, they said it was a bank (could not understand the name due to accent)
7) Said details would be in the email they would send me
8) When I asked for a call back number, they said I could go by my local FedEx Office

Good times

Friday, July 14, 2017

@securityguy23:

Now Nonahexaconta Certified with GIAC Advanced Smartphone Forensics (GASF) Goodness. . .

@securityguy23

(Listening to Respond) ≠ (Listening to Comprehend)

Monday, April 24, 2017

@securityguy23:

Back from Paternity Leave -- returning to regularly scheduled programming, already in progress. . .

Wednesday, March 8, 2017

A Teachable Moment about Usernames, Passwords, Whiteboards, and Live Television

(Update 6:25P)
The later live shot went out of their way to not show the section of the whiteboard with the usernames and passwords. What was shown had the wifi password erased clean without any after image.

Good on them.

Bad security to have the info posted in the first place.

But the Organization reacted quickly to minimize the security incident. That's the right next move to be sure.

Hopefully, they are also (at a minimum):
1) Immediately changing all the affected passwords to new complex equivalents (while masked in my screenshot, the original passwords did not appear to follow such standards)

2) Establish/maintain a formal policy prohibiting the sharing of usernames and passwords in open mediums (post-it notes, whiteboards, etc)

3) Require unique usernames and passwords be assigned and used by all authorized individuals (as activity on shared accounts cannot be tracked/monitored without repudiation to a specific offender)

4) Establish/maintain a password expiration mechanism that forces all users to reset their passwords every 60-90 days (at a maximum)

5) Codify mandatory username and password lifecycle management requirements and limitations within a formal Access Control Policy (if it hasn't already been)

6) Include username and password requirements and limitations within Awareness Training and Acceptable Use Policy (AUP) provided to all organization stakeholders

Bonus points if they are also (at a minimum):
7) Creating new accounts replacing those which were wrongly shown to the live tv audience

8) Disabling and removing all assigned privileges from the existing now replaced accounts (including any remote access abilities)

9) (Regardless of points 6 and 7 are followed) Monitoring all accounts, both the newly established and the replaced disabled, for any misuse attempts

10) Establish/maintain a policy which reviews an internal/restricted area for confidential information -- removing/masking any identified -- prior to being accessible by the public (whether onsite, via a recorded video, or during a live TV shot)



(Original Post 4:38P)
Clearly no nefarious act here with the company or the news station. . . but. . .

If you're going to let a local news crew into your office to do a live shot praising your service - please remember to remove your admin and wifi passwords from the whiteboard in the background.

Or just don't put them there to begin with. That's a far better plan.

And also please only use complex passwords and accounts tied to an individual user so the activity can be fully tracked.

So much badness here. Not good times.



Wednesday, February 15, 2017

@securityguy23:

Gotten more email asking if I'm at RSA this year than I ever recall before. . . Wondering if I'm missing something really good. Like free puppy giveaway good.

For the record, if anybody I know is there *and* they're giving away puppies, please feel free to take mine and give him/her a good home. I ask only that you name them 'Puddles' and treat them with a kind playful heart (even if they live up to their moniker).

Tuesday, January 17, 2017

@securityguy23:

Now starting year 20, day 1 of the information security career. . .

Sunday, January 1, 2017

@securityguy23:

Now a member of the International Association of Privacy Professionals (IAPP) Advisory Board for CIPT Exam Development. . .