This led me to back to thinking about the new normal again. Things are changing rapidly and continuously, as we all know. And in getting back to normal, that is not going to change. That is one of the aspects of getting back to normal that is here to stay. So, we see things like the Exchange Server attacks by Hafnium (a Chinese threat actor) that we learned about in February, 2021, or the Solarwinds attack that we first learned of in December, 2020. These things are going to continue to happen. And faster, more rapidly than ever before.

Side note: In the Solarwinds attack, 18,000 entities globally were vulnerable. But only 10% or so were actually breached by malicious actors. In the Exchange Server breaches, over 70,000 entities were vulnerable and it appears that 30,000, or so, were breached by malicious actors. The changes in magnitude are quickly exploding.

At the same time, so is the change in our own networks, applications, and infrastructure supporting our schools, governments, companies, and homes. Over the last 12 months we have seen organizations move ALL of their data and applications to cloud computing, whether to something like Amazon Web Services or to Software as a Service like Sales Force or to Storage as a Service like Dropbox. They are moving, or have entirely moved, their traditional network infrastructure (authentication, file services, email, office productivity) to the cloud as well: Google Drive, Microsoft Azure, Apple iCloud have all been great beneficiaries of this. Many of these organizations are maintaining crazy hybrid environments. All in a quest to support their business that is seeking to survive this insane time we are going through.

But all of this leads us to how do we, security professionals, deal with the inevitable problems that this is going to introduce in to our networks. Unpatched systems, poorly configured authentication, new vulnerabilities, and more. How do we deal with the cyber hygiene problems?

I’m going to suggest that now is the time for even more of the basics than ever before. Every vendor under the sun is going to try and sell you some miraculous tool to solve your problems. It will be magical for the low, low price of just XXXX. And I’m going to tell you that your first instinct should not to be to buy some magic silver bullet. We’ve been chasing the silver bullet in security for decades now. If that was going to work, wouldn’t it have worked already?

What I can tell you from decades in the business, as both a practitioner and a vendor, is that the organizations that solve the basics are the ones that do the best when confronted by security challenges.

But, just like everything else about Getting Back To Normal, there are going to be changes you need to make to the basics. You have to patch faster. You have to look deeper into your environment. You have to connect on-prem and cloud systems better. You need more resiliency in your defensive layers. And, most importantly, you have to figure out how to detect and respond to bad things much faster.

If you do, your organization stands a chance in the new normal.  

Facebook 0 Twitter 0 LinkedIn 0Shares

The post Getting Back To New Normal and Good Security Hygiene appeared first on Security & Cigars.

And that really means all sorts of things. We are going to see people returning to working in offices, children back in schools, bars open, regular travel again.

However, the world changed dramatically 12 months ago. Businesses transitioned to a completely remote work force and no travel. Schools moved to online education. Bars are allowed to send you cocktails via Uber Eats. The genie of a modern, networked, computerized world is well and truly out of the bottle. In our desire to “get back to normal”, we haven’t realized that there is no going back. You can’t stuff the genie back in the bottle.

And this new world is going to be difficult and challenging, fast paced, and ever changing. March 11, 2020 is as much a world changing day in the history of the world as November 11, 1918 or September 11, 2001 or August 6, 1945.

I will be seeing the Mariners play baseball in person, working from home, supporting clients globally, and traveling somewhere this summer with my family. And perhaps all of that explains my thinking in joining Milton Security a few weeks ago. I had literally left my previous employer just a few days prior. In the past, I’d always taken a little while to figure out what is next, what I want to do, where I want to go. This time, though, it happened very quickly, just a couple days.

And that is part of this “new normal”. Things change. Rapidly. You have to adjust and adapt just as quickly. An opportunity to do really great things in this brave new world popped up and I jumped on it. A company by veterans, dedicated to supporting veterans, and committed to the mission of protecting clients. What could be better?

So, here I am …. and yes, there will be cigars and FUD, not just blah blah about security stuff. Meanwhile, I’m the Chief Operating Officer of a great company, working with one of my best friends, taking care of great people.

As Jim McMurry and I say to each other … #BLESSED

Facebook 0 Twitter 0 LinkedIn 0Shares

The post Back to Normal appeared first on Security & Cigars.

I know the other day I was somewhat flip, and absolutely critical, of a common social media behavior used by many in the sales, business development, and marketing professions. But, perhaps, I wasn’t clear on two things. First, why this behavior is so wrong and second, that I absolutely like, need, and want good sales folks in my ecosystem.

What has happened is that many folks in sales, marketing and business development have turned to using social media in the same way that they conduct direct email marketing. When I…

Read more

When I shot her a quick note this morning about the bonus offer, Katie got excited all over again. I asked her if she had a travel credit card, and she said that was next on her “being a grown-up” list of things to do. Thinking about what travel credit card to advise her to get, I asked if she was loyal to a specific hotel chain. After saying “wow, imagine being fancy enough to prefer a particular hotel chain”, then Katie said to me “please advise” ….. hence the new blog tags of “please advise”, “being a grown-up” and “doing adulting right”.

Millenials are the biggest group of new travelers, with cash in hand, that the a…

Read more

Facebook 0 Twitter 0 LinkedIn 0Shares

The post Trolls appeared first on Security & Cigars.

Read more

Courion acquires Core Security

Facebook 0 Twitter 0 LinkedIn 0Shares

The post Eric Update appeared first on Security & Cigars.

Read more

One of the things that was going to be key was to share my experiences on tanks and to show pictures of tanks. And, because of the awesome contributions of Adrian Crenshaw, I am able to share not just the slides and pictures of tanks, but the entire presentation with you.

Everything I Know About Information Security, I Learned Shooting Tank Guns!

Facebook 0 Twitter 0 …

Read more

Homeland Security And Cyber Threats

Facebook 0 Twitter 0 LinkedIn 0Shares

The post Emergency Preparedness and Cyber Security appeared first on Security & Cigars.

Read more

Be that as it may, I’ve been thinking about something and thought I would put it out there.

I often hear that perfection when it comes to risk is critical for airlines and the aviation industry. But that perfection is not possible for the security industry and we just have to do our best. Now, let’s think about this for a minute. Does it really makes sense to just blithely say we can’t do it, throw our hands in the air and give up?

When I was a kid growing up I remember roughly an airplane crash almost once a week on the evening news. It was sort of common place. Today? We are shocked …

Read more

His question revolved around what a board member should be asking to get informed about the security program of the company he was responsible for as a Director. This is a fantastic question. One I think more Directors need to think about. After all, they have a fiduciary responsibility for that company.

I wrote my former CEO a long (for me) email around all of this. After thinking about it a bit, I realized that this is something that should be shared more broadly. So, stripping the personal content out, I am including my answer to John in full fo…

Read more

I’ve been writing and presenting on what is going on for years now. For example, there is this piece I wrote in July. In it I said that you could reduce 80-90 percent of the risk you face by doing the following:

• Patch and Update (yep, they listed it first)

• Good fundamental policies

• Security education

• Encryption where it’s warranted

• Serviceable perimeter protection

• Identity and Access Management

Based on the onslaught of breaches since then, this hasn’t sunk in yet. Nor the 14 other times I wrote some variation of that piece. In Jan, 2008 I gave this presentation to the ISSA CISO Forum …. notice that most …

Read more

Lagavulin, Graycliff and a Montecristo

Facebook 0 Twitter 0 LinkedIn 0Shares

The post Cigars appeared first on Security & Cigars.

Read more

What’s the value?

By moving through this model, organizations will simultaneously 1) reduce risk exposure and the likelihood of a breach 2) gain ongoing visibility into true business risk, improving future decision-making 3) align IT, information security, and the rest of the organization in the direction of strategic business goals and 4) significantly increase operational efficiency. It’s not merely an ideal model from a security perspective; it’s a no-brainer for the business.

So take a look. What do you think? Can you easily identify where your organization stands on the model, and steps for advancing to the next level? Looking forward to your thoughts and feedback!

PS This is free to the security community and completely focused on how security programs improve t…

Read more

Below the fold are some of the pictures I took while I was up there.

Yes, I was 1480 feet above Dubai.

Burj Khalifa is the world’s tallest building

Read more

23 years is a long time. I left Saudi Arabia on April 14, 1991. And I was prepared then to say that I would never go back to the Middle East. In fact, until a few months ago I would have told you that the only country in the Middle East I would ever willingly visit, unless things changed dramatically, was Israel. Obviously, now I find myself in the Middle East again.

It’s really an interesting experience. So many things are similar. The smells and sounds are the same. The color of the sky, the way the town and the horizon and the colors look. They are different here. It’s more brown, less green, of course. But r…

Read more

Brian Krebs announced last night that there has been a huge data leak at MBIA, the nation’s largest bond insurer. On Monday, he notified MBIA Inc. that a misconfiguration in a company Web server had exposed countless customer account numbers, balances and other sensitive data. Much of the information had been indexed by search engines. That includes a page listing administrative credentials that attackers could use to access data that wasn’t accessible via a simple Web search: https://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-insurer/

Let’s be honest, a misconfigured webserver simply should not happen. This is what makes this a preventable breach. This is the same class of problem as connecting a test server with a default password to the internet, like happened at Health…

Read more

Most people in the information security field … know that I am firmly convinced that the bad guys are currently winning the war we are engaged in. This move is, in many ways, because I want to do even more to change the situation. One key area where we can do that is by providing security professionals with tools that allow them to reduce the attack surface they have to worry about. Right now, organizations have to defend everything. CORE Security can help with how to defend what is critical in ways that are meaningful. Frederick the Great said, “he who defends everything defends nothing” … and that applies now in information security as much as it did in the 1700’s during Frederick’s military campaigns.

And that has really turned out …

Read more

I should also note that we appear to be ahead of most folks in this line of thinking. I read an article on financial services cyber risk today where it appears that someone (the SEC, perhaps) is developing risk management standards that “firms in the industry could better use to spot and block cyber-attacks.” Sounds an awful lot like our Maturity Model. Nice to know we aren’t the only folks thinking about this and glad to see others following where we are already at. 

I thought I’d share the mostly final graphic of the Maturity Model. This is something that anyone is free to use for their security program as long as you provide attribution to Core Security and I for…

Read more

On Monday, with a little rest and a weekend under my belt, Core’s Communications Manager asked me what I thought about BlackHat and how it was different from the past. A couple folks chimed in, not just me, and there’s a good write up on the Core blog. I thought I’d put my relevant thinking in a quote here and invite you to read the whole thing, as well.

Sure, the conference has become much more mainstream,” noted our VP of Advanced Security and Strategy Eric Cowperthwaite. “Some have started to refer to it as ‘RSA Lite.’ I think that is unfair. This is a conference dealing wit…

Read more

Then I’m gonna get some sleep, get on a plane tomorrow and head home now that Security Summer Camp is over with.

So far have seen many good friends, like RSnake, Bill Brenner, Alex Hutton, Katie Moussouris, Wendy Nather, Mortman, McKeay, Adam Shostack, Richard Stiennon, Mark Weatherford, Mike Yaffe, MattJay, Michael Farnum, Cindy Valladares, ThatDwayne … hmmmmm, not sure I can catalog everybody. Sorry for those I missed. It’s been great to see you, chat with you, get caught up and generally enjoy summer camp.

Facebook 0 Twitter 0 LinkedIn 0Shares

The post Just A Few Things Left appeared first on Security & Cigars.

Read more