Top 7 Ways Employees Compromise IT Security

Just in time for the trick-or-treaters comes this infographic from security company Trustwave that describes some of their recent research about IT vulnerabilities. Would you pick up a random USB drive in a parking lot and see what is on it? Or leave your desk without logging out first? Trustwave did investigations of more than 300 security breaches worldwide, and found that an overwhelming 87 percent of businesses that had been breached did not have security policies at all. And only about half of new hires get any information about security practices, according to the IT folks at these companies. That is more scary than a black cat crossing under a ladder.

You can read the rest of my take on Eaton’s The Plug Blog here.

How to run your IT department like SEAL Team 6

This past week we’ve heard from “Mark Owen,” the name attached to a new book called No Easy Day about his experiences as a SEAL and specifically about the raid on Osama bin Laden’s compound last May. It was an interesting read, along with his interview on 60 Minutes on Sunday. I thought that he has a lot of good pointers for ordinary businesses that are trying to make a killing of the non-lethal kind. So what are some of the takeaways that IT managers and staff can learn from the SEALs?

 

  1. Collaborate and communicate. It is all about the team, not just about you. In his book Owen mentions how his motivation for writing came from hearing the distorted narratives around the raid as well as the dissatisfaction of his fellow SEALs in getting their own story out. What impressed me about his descriptions was that they weren’t “individual egomaniacs” but instead were “team players who tried to do the right thing.” The various deployments that Owen describes in his book involve a lot of careful coordination and constant communication about methods and results, something that we all can learn from. How often do we say we are going to collaborate on some project but what that really means is that I am taking over and you are just going to rubber-stamp my work?
  2. Don’t go into unknown territory with guns a blazing, but proceed with caution and deliberation. Several times Owen was faced with a completely unknown landscape in searching for terrorists or potential suicide bombers and he and his cronies would carefully move into position. He makes it clear that the old cowboy stereotypes no longer apply.
  3. Training is essential to any smoothly run operation. Make contingency plans when things fail, and rehearse them before the failure happens. The raid on bin Laden’s compound was practiced close to 100 times in a special life-size mock-up facility on a base in North Carolina so the team could get used to working together and having the mental memory of what they needed to do. As we all know by now, those plans went awry almost from the start as one of the helicopters crashed inside the compound and the team had to improvise. How many IT projects get this kind of rehearsal? Not as many as should be.
  4. Know the limitations of your equipment and what it can’t do for you. But also don’t be afraid to ask for the best gear either. For their various deployments, the SEALs could requisition whatever tools, guns, and other devices they needed, no questions asked. Granted we all live in the real world and budgets prevail, but how many times have projects been aborted because of some aging server or defective network card? Get the gear that you need for your job up front.
  5. Don’t fall victim to the ‘good idea fairy.’ Owen mentions in his book this concept, when large committees get caught in suggesting ideas to supposedly improve an already solid plan. “Officers and planners [who have too much time on their hands] start dreaming up unrealistic scenarios that we may have to deal with on a mission. She isn’t our friend.” Know when enough is enough and don’t get taken into her clutches. “If we had all the time back we wasted fighting the fairy, we might regain a few years of our lives,” he says.

Whitepaper: Adventures in Secure Email

Sending and receiving encrypted email with sensitive data should be a lot easier to do. But it ends up being something painful, and as a result we tend to avoid this protection. Haven’t we all been schooled that sending emails in plain text is like having a post card plastered to the wall of your local coffee bar? Haven’t all the various exploits with stolen credit cards and hackers breaking into various Web-based email services been warning enough? Apparently not.

Oddly, this summer marks the eleventh year anniversary of identity-based message encryption with more than a billion secure messages being exchanged annually. But that still pales in comparison to the many insecure messages containing sensitive data being exchanged in the clear. You can read my whitepaper that I prepared for Voltage Security here.

Picking the right mobile device management tool for your enterprise

One of the consequences of bringing your own device to work is in having to keep the work-related files on it secure once it enters the enterprise. This can be a challenge, and dozens of vendors are now wrapping themselves in the trendy category of “mobile device managers” or MDMs. But trying to understand whether these products help secure the device, the user, the applications or the various files stored on each device can be vexing, and the vendors don’t make things easy for you to readily compare their features.

In my article posted today on ITworld, I examine several of these products, review what should be in your next RFP if you are in the market to buy an MDM, and what is involved from both the IT manager and the end user perspectives when deploying these tools.

 

Anatomy of A Well-Planned Phishing Attack

We all know not to open email attachments, and to suspect odd emails that arrive at random from seemingly legit places. The bloggers at Solutionary have put together this rather interesting analysis of a phishing email that one of their staffers received recently. I talk about what they found in my latest entry on Dice’s Security Talent Community here.

If you haven’t been on Dice.com in a while, it is worth checking out some of the other resources that are listed, including links to security news, certifications and notable bloggers and podcasters. And that is just in one of many other communities that they have going on.

 

Three new SMB-oriented video screencasts for Symantec

This month I put together a series of three video screencasts on Symantec’s small business oriented cloud-managed services line. These are for folks that don’t have a dedicated IT person, but know enough to be dangerous. They represent a new direction for Symantec: packing a bunch of features, but making them dirt simple to deploy and manage. Two of them leverage the same SaaS-based agents and a Web-based console that means that a VAR can manage your network without even being physically present. The three videos are all very short and to the point and show the ease of use quite vividly. They are:

  1. Using Symantec’s Backup Exec.Cloud To Protect Your Small Business
  2. How small businesses can use Symantec Backup Exec 2012 to recover lost files and systems
  3. Symantec Endpoint Protection.cloud – Hassle Free Security For Small Businesses

How small businesses can use Symantec Backup Exec 2012 to recover lost files and systems

This is my third video of Symantec Backup Exec, an enduring product that has withstood the test of time and multiple vendors over more than a decade. I took a look at the latest 2012 version of the product which has a very different interface and has simplified the process of backup and recovery.

The links to the various video versions can be found:

Three ways to use the TPM chip

I bet you didn’t know that your laptop has a built-in encryption device that can be used for all sorts of goodness, including creating an encrypted hard disk partition using BitLocker and for managing the overall security of the laptop itself. But you can watch my latest screencast video here that I did for Wave Systems (who makes software that leverages this wonder chip) and in three minutes learn three different ways that this Trusted Platform Module chip can work to keep your mobile computers safe.

Securing the iPad in the Enterprise

It is one of the Internet’s extreme ironies: you can search for just about anything, but can’t always find what you are looking for. The same can be said when it comes to keeping track of your corporate documents. While you might think they are secured behind your firewalls and other protective hardware, chances are every day you are leaking data in multiple directions. And as more user-owned devices such as tablets and smartphones appear on your corporate network, finding out where your mission-critical files reside is getting harder and harder.

You can register and download the white paper that I did for ionGrid here, where I talk about solutions to manage user devices on the corporate network.