Enterprise IT Watch Blog


September 28, 2010  6:00 AM

Would you like some snake oil with that network assessment?

By Kevin Beaver

There are many IT services firms – including some run by friends and colleagues of mine – that perform something called “network assessments.” The purpose of these assessments, which are usually aimed at SMBs, is to determine the overall health of your network and computing environment, supposedly including security.

First, let me be clear that these are legitimate services to see where your network stands. That’s fine and dandy – a useful service indeed. The problem is that these network assessments are being pushed/sold under the guise of security assessments that, at least on paper, would compete with more in-depth security vulnerability assessments. But they’re not the same.

I saw recent descriptions of such services that claim to “check the security environment of your network” and “help ensure your sensitive data remains protected.” In discussions with my friends and colleagues, none of them have ever claimed to be security experts, yet they still offer these services. I don’t believe “in-depth security assessments” are their intent, but what exactly are such companies purporting to do? Many are just visual inspections or basic questionnaires and may incorporate rudimentary security scanning tools such as Microsoft Baseline Security Analyzer.

My point is: Be careful. Just because a network engineer “checks” your systems, recommends some software updates or network design changes, and ultimately installs a few new security products in your environment, don’t assume that you’ve had a proper information security assessment or that your information is truly secure. Your best bet is to determine what you want and then ask specific questions to help ensure you’re getting the deliverable you really need before you start the project.

Here are some information security assessment articles, screencasts, podcasts, and webcasts you can peruse to help you fine-tune your requirements the next time this comes up.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

September 28, 2010  5:09 AM

Is a new Obama mandate putting IT security at risk?

By Melanie Yarbrough

We’re not here to discuss politics, but one of the big stories today is the Obama administration’s development of plans to require that backdoors be placed on Internet-based communication services, allowing for compliance to federal wiretap orders.

The bill, slated for 2011, would require communication service providers to have the capability to intercept and decrypt messages. The proposal extends the Communications Assistance for Law Enforcement Act (CALEA), which requires telecom providers to provide interception capabilities for law enforcement, into the realm of the Internet. In the New York Times article on the bill, the FBI’s Valerie Caproni said:

We’re not talking expanding authority. We’re talking about preserving our ability to execute our existing authority in order to protect the public safety and national security.

But does “public safety and national security” come at the cost of personal and enterprise security? Extending interception capabilities to the Internet could prove disastrous if not executed correctly. Computer science professor at Columbia University Steven Bellovin thinks “it’s a disaster waiting to happen. If they start building in all these back doors, they will be exploited.” Just like in 2005, he cites, when “hackers [took] advantage of a legally mandated wiretap function to spy on top officials’ phones, including the prime minister’s.”

On the flipside, there may be side-effects to adding to the already overwhelming honey-do lists of enterprise IT. Former Sun Microsystems engineer Susan Landau worries that the mandate would hinder the progress of small startups. Engineers would be dedicated to incorporating wiretapping capabilities rather than innovation and product release dates.

Federal response to the privacy community’s uproar is hardly comforting: Service providers would be the sole carriers of the decryption capabilities, and the agency would need a court order to utilize them. Ira Winkler, president of the Internet Security Advisors Group, told Computerworld that his main concern isn’t the “government’s ability to intercept communications for legitimate law enforcement purposes, the real concern should be over continued compromise of personal data online.”

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.


September 27, 2010  6:15 AM

Two simple but essential steps for all laptop owners

By Kevin Beaver

Not too long ago I experienced the equivalent of a disaster for larger businesses: My laptop computer died. I’m a technical guy and so I was able to limp along with some workarounds at first. I had an old laptop that I could use for most things, but it wasn’t pretty.

Little did I know that in the process of recovering, I was going to be consumed with other unrelated computer problems. All in all, I lost three full days of work troubleshooting and getting things rebuilt back to normal. I got behind on articles I needed to write. I neglected my blogs. I missed out on some consulting work, and I even missed a book deadline.

But it could’ve been much worse. Through thick and thicker, I saved my rear end by doing two things:

1) Warranty it up: When I purchased my laptop, I paid $295 for an on-site warranty. This not only got me next-day service, but it also kept me from having to spend a couple thousand dollars on a new laptop. I had to have my processor and system board replaced – arguably the best $250 I’ve ever spent. This also kept me from having to send my computer off loaded with sensitive information, something I simply can’t do in my line of work.

2) Back it up: I had a backup; it’s something I do religiously every day. It’d be hypocritical of me, an information security consultant, to not have one, right?

Imagine how much time I would’ve lost had I not done these two things.

So do yourself a BIG, BIG favor and back up your laptop. Do it now. Most laptop users I see in my work are required to do their own backups and guess what? Very few people are backing up their laptops. Use Windows Backup, purchase TrueImage, or just manually copy your data to an external drive (make sure you get everything though!). Just do something.
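The weak point of a manual copy is the parenthetical above: “make sure you get everything.” A copy that silently skipped a folder, or that was corrupted on the external drive, looks exactly like a good one until the day you need it. The following script is an added example, not code from the original post: it copies a directory tree to a backup location and then verifies the backup file by file with SHA-256 digests, reporting anything missing or changed. The sample files and paths it builds under a temporary directory are constructed for the demonstration; in real use you would point `copy_tree` and `verify_tree` at your data folder and your external drive.

```python
"""
Added example (not from the original post): back up a directory tree and
verify the copy by hashing every file on both sides. Sample data below is
constructed for illustration only.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def copy_tree(src: Path, dst: Path) -> int:
    """Copy every regular file under src to the same relative path under dst.
    copy2 preserves timestamps. Returns the number of files copied."""
    copied = 0
    for file in src.rglob("*"):
        if file.is_file():
            target = dst / file.relative_to(src)
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(file, target)
            copied += 1
    return copied


def verify_tree(src: Path, dst: Path) -> dict:
    """Compare src against dst. Returns a report listing files absent from
    the backup and files whose contents differ from the original."""
    missing, mismatched, ok = [], [], 0
    for file in src.rglob("*"):
        if not file.is_file():
            continue
        rel = file.relative_to(src).as_posix()
        target = dst / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_of(file) != sha256_of(target):
            mismatched.append(rel)
        else:
            ok += 1
    return {"ok": ok, "missing": missing, "mismatched": mismatched}


def demo() -> dict:
    """Build a constructed sample tree, back it up, then damage the backup
    to show that verification catches both a missing and a changed file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "laptop"            # constructed "source" folder
        dst = Path(tmp) / "external_drive"    # constructed backup target
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("quarterly report")
        (src / "docs" / "notes.txt").write_text("meeting notes")
        (src / "contacts.txt").write_text("sample contact list")

        copied = copy_tree(src, dst)
        clean = verify_tree(src, dst)

        # Simulate an incomplete and a corrupted copy on the external drive.
        (dst / "docs" / "notes.txt").unlink()
        (dst / "contacts.txt").write_text("changed")
        broken = verify_tree(src, dst)
        return {"copied": copied, "clean": clean, "broken": broken}


if __name__ == "__main__":
    print(demo())
```

Run the verification step again after every backup, not just the first time; a report with empty `missing` and `mismatched` lists is the evidence that you actually got everything.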

In the future, spend the extra money for the on-site warranty; pay extra for the drop/spill coverage too. If you’re like me, you will need it (I’ve needed this coverage three times with Dell, IBM, and HP), and you’ll kick yourself for not having it when that day comes down the road.

Even if you work for someone else who’s calling the shots on this stuff, ask for it or buy it yourself. It’s money well invested.

Here’s to planning ahead!

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.


September 24, 2010  6:58 AM

Security, huh! What is it good for?

By Kevin Beaver

Not too long ago an ad for a mortgage company on my local radio station said something that caught my ear. The owner of the company was talking about identity theft and the need to be careful with the sensitive information you hand over to people, especially when it comes to getting a mortgage. He said, “You’ve got to differentiate between a mortgage company and a mortgage professional or your information is at risk.”

I’ve always said that information security can be a competitive differentiator, and this business is capitalizing on it. Good for them!! It’s about time some business owners step up to the plate with enough confidence in their information security that they can use it to their advantage. Of course, talk is cheap, so who knows the reality of what they’re advertising. At least their thinking is on the right track.

On a related note, some companies in the financial sector tout their “fraud and identity theft insurance” – something I’m not too keen on since it can be used as a crutch to cover up otherwise poor information security practices. But if your business has gone past the checklist audits and is performing in-depth security assessments of your network, your Web applications, and your IT operations on a periodic and consistent basis, then providing such insurance as an option certainly won’t hurt. Yet another competitive differentiator that’s ultimately good for all of us.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.


September 23, 2010  2:21 PM

ISSA International Conference Recap: More of the same

By Kevin Beaver

The 2010 ISSA International show was just here in my hometown of Atlanta. With the experienced speakers – many of whom work for highly-visible companies and government agencies – I was expecting some new ideas and solutions around security. The quality of the speakers was good; the problem was with the messages that I heard (at least in the keynotes). It was the same old stuff we’ve been hearing since the beginning of “Internet security” as we know it. “You need to have policies,” “You need to train your people,” “You can’t rely on vendor products completely,” “You need to take a risk-based approach,” “The cloud is our great savior” – blah, blah, blah. Looking around, I could tell that others in the audience were tiring of the same old messages as well.

Is this the way information security is going to be from here on out? I’m not so sure that preaching the same old stuff is viable long-term. Maybe I’m just being impatient; perhaps there is no good solution. Maybe we’re just going to have to keep doing what we’re doing and trust that it’ll eventually sink in. Time will tell.

Although it’s a never-ending and frustrating cycle, it’s good for job security, so I guess I shouldn’t complain.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.


September 22, 2010  3:21 PM

Stop fearing your smartphone: Mobile encryption & your security policy

By Melanie Yarbrough

From possibly causing cancer to posing a major security risk to the enterprise, the smartphone just can’t catch a break. The truth is, smartphones are here to stay, especially in the enterprise. Like many other IT-versus-the-world conflicts, the solution isn’t a yes-or-no policy on their usage, but a set of security policies and guidelines, just as with any other technology adopted by the enterprise. Smartphone security and encryption can be a tricky road to navigate, so take a few things into consideration before deciding.

Assessing the Situation

Like any other policy, there are several factors that go into the crafting of mobile security. Here are a few points to consider when discussing options amongst your team:

  • Rather than looking for the cheapest (or the free-est) application available, assess your company’s mobile encryption needs before beginning the search. Minimizing time wasted will minimize the frustration and loss when incorporating mobile phone security into corporate policy. If you need support for multiple smartphone operating systems, start your search with that detail.
  • Part of your assessment should include your enterprise’s primary security focus and needs. Whether you need the option of remote data-wiping or authentication, knowing these details ahead of time will help to increase efficiency.
  • Once you’ve decided the features your users and data need, you need to allocate some of your security budget to ensuring the data on and accessed by these smartphones is secure.
  • Just as endpoint security has lowered the risk of laptops remotely accessing networks, smartphone encryption software can help you adapt to the changing nature of the enterprise. To better ensure the smooth incorporation of these devices into your operations, you’ll need to bring them under the central management system already in place. Treat mobile devices as normal factors in everyday operations (rather than devices sent solely to cause you headaches) and manage their use and security like any other enterprise-level product.

Some smartphone encryption options after the jump.


September 18, 2010  10:13 PM

Mobile device security – we keep spinning our wheels

By Kevin Beaver

It’s been a year since I contributed to a piece on mobile security for the Wall Street Journal, and I was thinking about how things have changed since then. In a nutshell: They’ve gotten more complex and less secure.

It’s amazing – and scary – given all the sensitive electronic information scattered everywhere across any given network. Be it workstations, servers, databases, smartphones, mobile storage devices – you name it – they so often go unprotected. By that I mean there are no access controls to prevent unruly employees from doing bad things with your data and no access controls to prevent outsiders from doing bad things, either.

I’m not just talking about corporate intellectual property either. I’m talking about healthcare records, SSNs, credit cards, and other personal information…personal information belonging to me and you! This isn’t just a business issue – it’s a privacy and identity issue that affects us personally.

This is backed by story after story, breach after breach, and study after study. Just Google “mobile security breach” and you’ll see what I mean. The Privacy Rights Clearinghouse Chronology of Data Breaches reveals such breaches practically every week.

If you’re responsible for information security, audit, or compliance in your organization … this subject/dilemma should be on your short list of priorities for the coming year. Rather than just ranting, let me share with you some solutions and further reading:

...and finally, some of my blog posts on the subject.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.


September 16, 2010  8:36 AM

The Seven Deadly Enterprise Security Sins, Part II

By Michael Morisy

Last week, the IT Watch Blog took a look at the first three of the Seven Deadly Security Sins. Today, we reveal the other transgressions that are costing companies millions of dollars and putting the privacy and security of their employees and customers at risk.



September 16, 2010  6:07 AM

What are certifications worth? Much less than you think!

By Kevin Beaver

In our current situation with the economy and people going back to get their certifications to increase their value, I thought this post from my Security On Wheels blog was fitting: What’s your IT certification worth? Nothing.

The psychology behind certifications is interesting. A piece of paper showing that you’ve passed a test is a worthy accomplishment, but without practical experience and a whole slew of other skills, a piece of paper is merely that.

It’s easy to be book smart. Study long and hard, memorize the material, and you can pass tests, convey it to others through teaching, and so on. But when the time comes for actionable expertise in the real world, such knowledge doesn’t go very far. There are a handful of certifications that are exceptions to the rule (Cisco’s CCIE comes to mind), but they’re few and far between. Keep all of this in mind if you’re on the other side of the equation working as a hiring manager.

The reality is: Certifications can create a false sense of value. More certifications don’t automatically make a prospective employee more valuable. It could just mean that they’ve accumulated a lot of debt and don’t have much hands-on experience to show for it.

Bottom line: As a hiring manager, you have to look past certifications and see what else the person brings to the table. And as an IT professional, you have to pad your skill set with more than paper. Being successful in IT and information security requires so much more.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.


September 15, 2010  6:35 AM

It’s 10 PM. Where’s your network administrator?

By Kevin Beaver

Microsoft’s sixth Immutable Law of Security states that “a computer is only as secure as the administrator is trustworthy.” How does your administrator rank on the trust scale? Working with systems/network administrators in my security assessments – and having been one in the past – I’ve found their level of access is typically unlimited. And no one seems to be watching.

I’m not saying you should micromanage your IT folks; that’ll only run them off. But don’t let your guard down either. There have been some highly-publicized cases of admins doing misdeeds or simply being sloppy with security when they shouldn’t have been. This is probably something you’re not ready to take on.

If you’re a business manager or internal auditor, never lose sight of the fact that the master key to everything electronic is in your administrator’s hands. It seems obvious, but it’s something many take for granted, trusting that all’s well in IT-land just because the administrator says everything’s okay. That’s not always the case.

For further reading, I delve into this topic in the following piece I wrote for SearchWinIT.com:

Are your IT administrators trustworthy?

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

