I consulted with a company that implemented a new GRC package, and unfortunately they are using an application designed for GRC to do audit workpapers.
That wasn’t the only move that was questionable…
Filed under Audit, Security, Security Scout, Technology
Twitter said that it was hacked again on Friday, 2/1/13, and attackers gained access to 250,000 accounts and passwords.
Twitter says the passwords were encrypted, the intrusion was limited, and everyone’s taxes are going down soon (okay, I was kidding about the last one). It’s always hard to sort out what is true and how much of the truth is told, so regardless of what Twitter says, change your password.
I have heard enough about how security practices keep users from being productive. I constantly hear people complain about the evils of complex passwords (or any password on a smart phone), password expiration, encryption, web filters, lack of admin access on laptops, etc., and how they are such a drag on user productivity and the bottom line.
Filed under Security
What does it take to get started in information security? Can you teach yourself security?
This field requires you to understand how PCs, mobile devices, applications, servers, protocols, and networks operate. It helps to have a lot of curiosity and a good sense of where trouble lurks. And don’t forget Unix/Linux (more on that later).
I started as a PC support guy, became a server administrator, managed a network, and then became a security analyst. For me, it was a natural progression, but that’s the “old school” way of doing it. Security training was scarce, and there were few to no institutions offering training specific to that area. Also, the internet was still growing, and there were few security websites or blogs to learn from.
In Top 100 Network Security Tools and Easy Windows Scanner, I described a few Windows tools that every auditor or security analyst should know or know about. In this post, I highlight some of my other favorite Windows tools (both security and general utility software). ALL OF THEM ARE FREE.
12/26/14 Update: These are STILL my favorite programs. The only one I don’t use anymore is CutePDF Writer, which I replaced with the FREE Sumatra PDF (not Foxit Reader; I no longer recommend Foxit). But if you only want a PDF printer, CutePDF is still a great solution. I also added 2 new tools: PSPad and File Splitter (see my links at the bottom).
Filed under Audit, Free, How to..., Security, Technology
Okay, so you’re not up to a wastebasket audit? Too demeaning, too sneaky, too many sticky candy wrappers? How about a simple server share audit?
Many companies have shared drives, and then they have “over-shared” drives: those locations used by anyone who needs a space to store files they share with a couple of departments. Or perhaps your company just doesn’t lock down its shares according to the least privilege principle.
SC Magazine had a good article back in November (I am a bit behind in my reading and my blogging) about industry pioneers in IT security. Listed below are quotes by a select few of the people the mag profiled. If you find their quotes interesting, or you are not familiar with them, I suggest you check out the article and perhaps do some extra reading about some of them.
“I thought cryptography was a technique that did not require your trusting other people…” – Whitfield Diffie
Filed under Security
If you probe networks, systems, and applications, you need a GOOJ card to protect yourself and your job.
In How to Stay Out of Jail, I recommended that anyone who scans, probes, or pokes networks, systems, or devices should always carry a get-out-of-jail (GOOJ) card. I also provided some reasons why such a card is critical.
Filed under Audit, How to..., Security, Technology
Bruce Schneier’s Blowfish encryption algorithm was mangled again on the Fox show 24. According to Schneier’s Crypto-Gram blog, the show claims that Schneier put a backdoor in the algorithm. Based on reader comments on the Crypto-Gram blog, people will believe anything said on TV (or posted on the ‘net).
Filed under Humor/Irony, Security