
kevinbeaver  

It takes more than resolve to manage an effective security program

I've never been one for New Year's resolutions. I've seen how they tend to exist only for short-term motivation rather than long-term achievement. Resolutions are just not specific enough and there's no tangible means for accomplishing anything of real value. Just check out your local…

How to make your security assessments actionable

One of the greatest challenges in security is getting the right information so that educated decisions can be made. It happens across many facets of security such as network monitoring, incident response, and user training. However, there's one (big) exception: security assessments. Assuming you're using…

IT turnover and its contribution to security challenges

Turnover in IT isn't something we hear about very often given the demand for such expertise. But it does happen and it often creates unintended consequences for the business in terms of information risks. I've got many colleagues that often jump ship in IT looking…

The path to a false sense of security: Leave your security controls enabled during testing

In my work performing vulnerability assessments and penetration tests, I'm often confronted with the dilemma of dealing with a pesky intrusion prevention system (IPS) or web application firewall (WAF). Sometimes we know they're there. Other times, they rear their ugly heads and force a days-long…

It can be dangerous assuming a vulnerability is not a vulnerability

I once worked on a project where an injection vulnerability was uncovered on a web application that allowed an attacker to craft special HTTP requests that could enumerate directories and view the contents of most files on the system. Everything from autoexec.bat to digital…

What constitutes a "critical" security flaw?

With security, like most areas of life, everything is relative. A security vulnerability uncovered by a security admin or penetration tester working for a company in the financial industry might be a big deal. The same security finding in, say, a manufacturing company might not…

Everything happens for a reason in security

Richard Carlson, author of Don't Sweat the Small Stuff, said “It's critical to remember that if you go on doing what you've always done, you will go on getting what you've always gotten.” You've no doubt heard the saying “everything happens for…

With security, being periodic and consistent is key

Being periodic and consistent – that's the formula for success in every aspect of life. From practicing a sport, such as golf or tennis, to examining our personal health with check-ups with a doctor, to analyzing the financial well-being of our businesses, doing these things…

Rely on data center audits alone and you'll get hit eventually

A couple years ago I had a discussion with an acquaintance regarding the security of his company's Web application. The gentleman told me that quite often prospective customers would ask them whether they had done any penetration testing. His canned response was essentially: rather than…

Why starting from scratch with security is delusional

There's nothing really new in the world in which we work. Every problem you face in information security has already been solved by someone else. Why not use that to your advantage? There's no time for baby steps in security. Sure, you need to “…

The relationship between data breaches and lost business

There are a lot of things we cannot quantify in information security. How risky certain system configurations are and specific information lost in a breach come to mind. Even the things we can quantify often fall on deaf ears because the information is not presented…

Perspectives on the 2014 Verizon DBIR

Verizon's 2014 Data Breach Investigations Report (DBIR) is here. I love it because each year the DBIR not only provides good insight into what's taking place before our eyes but it also reaffirms my philosophy about information security that most security risks originate from a…

Moving Beyond RSA Conference and Into the Real 2014

Well, RSA Conference 2014 has come and gone. Now that the somewhat motivating keynotes, informative sessions, and William Shatner's hideous singing are over, we'll see the true test of what people learned at the show and just how important it is to them. I won't…

When's history going to repeat itself in your organization?

Thanks to the Target breach, information security is as front and center as ever. That's great for those of us working in IT and information security. Obviously, it's not a good sign for businesses. As most things tend to happen, the hype will die down,…

Famous quotes and their bearing on information security

I love reading the works of the achievement and leadership greats. Their words, some of which date back centuries, not only provide insight and motivation for my career, they also validate many of the challenges we face in IT and information security today. These ideas…
