Thursday, August 15, 2013

Shame on you Doctor Ponemon

Gosh, I always respected the Ponemon institute. However today, I got the same SPAM for the second time; no way to unsubscribe, "take me off your list" resulted in an undeliverable response. How much did you sell out for Doctor P?

When I was growing up, the black sheep of my family told me to never break the law or risk ruining my reputation for anything less than a million and that would have been 1965 dollars.

By the way, you probably are not the "pre-eminent" research center dedicated to information security policy, that would be either Information Shield ( Charles Cresson Woods/David Lineman) , Princeton, or SANS (Michelle Guel/Stephen Northcutt). Google doesn't lie; type in "Information Security Policy" and see if you make the top slot. And guess what; none of us at the top brag and Shield and SANS make efforts to help one another, ( and I would be honored to work with Princeton).

Doctor, I think you owe the information security community an apology. Don't do it on my account. Don't even do it because your partnership SPAMed me ( twice). Do it to preserve your reputation and fly straight from now on. Stephen
SPAM is pasted below:
Security training has long been criticized for being boring, unengaging and lacking the ability to measure success. Organizations have found it difficult and are often reluctant to invest in unproven programs.

Today there is a better option - an innovative security education solution that is proven to get results.

The Ponemon Institute, the pre-eminent research center dedicated to privacy, data protection and information security policy, released the Executive Summary of a research study evaluating the effectiveness of SecurED®.

Key findings include:

SecurED outperforms the alternative training intervention by 300% in long term gains
Subjects perceive SecurED as more relevant to their job functions than the alternate
Subjects perceive SecurED as more enjoyable than the alternative intervention
Additionally, the research provided interesting findings specific to gender, age, employee role, industry and more.

To download the summary report CLICK HERE!

Final report will be available mid-August.


Tuesday, August 6, 2013

SCAM? Strategic Business Communications

I received an email from one of my bosses saying please define the job code for this invoice.

I knew nothing about them so I wrote back and copied Diane. She did some research and then Tiffany found some links that assert their invoices are fraudulent. Diane followed up with some additional research and found:

Apparently, their business model is to send out fake invoices. Glad the company was so diligent to research. Wow!

Thursday, June 6, 2013

20 Critical Controls

I finished teaching the vLive version of MGT 512 yesterday and I think it was a good experience. This was the second time in a row the students hung around to chat after class and I treasure that. One of them brought up the 20 CC. He was concerned since he had five guys assigned to the project, but it seemed to be going slowly.

Maybe I was speaking out of school as they say, but I shared that it was slow going at SANS as well. He told me that really made him feel better.

Then he said what was freaking him out was attending a presentation from Dr. Eric Cole, where he said, the 20 CC, are really the minimum things we need to do to accomplish what is reasonable and prudent.

Smile. Such is the life of security, the bad guys only have to win every once in a while, we have to win every time.

Saturday, April 27, 2013

The increasingly documented world

Since I do not watch TV, I miss a lot and fail to chronicle events that many people see. I was reading a Forbes article on a recent Apple commercial. Fortunately there is a copy on Youtube. The punch line was more photos are taken every day with the iPhone than with any other camera.

Next week in San Diego I am part of a panel on emerging trends. The fact that everyone with a smart phone is a journalist is hardly news, but the trend gets stronger every week. Where did the photos and videos of the Boston bombing shootout largely come from and what were they posted to?

Tuesday, April 23, 2013

Daemon - Book Review

I do not normally read fiction, it is so hard to keep up with security as it is. However Wesley McGrew recommended the book and he is one sharp cookie, so I ordered it from Amazon. The premise, at least I think it is the premise, this is a complex book, is that a video game genius dies ( are we sure he is dead; this we is not, I saw Swordfish ) and leaves a computer program that is essentially taking over the world for its own purposes.

There was a detective involved, (Sebeck), but they frame him and kill him off ( not sure why). As the book comes to a close we are down to two people with a clue, a smart pretty girl at NSA, (Phillips), and a mysterious hacker, (Ross).

We do not really seem to come to a conclusion, but Wesley also recommended I buy Freedom which I did. Here is hoping we get to some conclusion for Daemon Industries LLC in the second book.

It is a dangerous book for a geek to read, make no mistake about it. 632 pages means when you realize you are hooked, you are going to pull an all nighter because you can't put the book down. There is no chance I am going to pick up Freedom today, tonight I have to sleep and I have an important meeting tomorrow. Thank heavens for the $20.00 bag of 100% Kona coffee at Costco. First pot of coffee for the year, but I really need it.

Monday, April 22, 2013

Phone Spear Phishing?

Just got a phone call and it was not on the office phone line, it was on our backup line. The incoming phone number was blocked.

Indian sounding accent. I am from the Microsoft Systems Support, may I speak to the owner of the computer.

Well sir, we have a number of computers here, which one.

The one that belongs to Kathy.

Kathy was also in the office, so I handed her the phone.

Ma'am you have downloaded a malicious file and we need to help you clean it up.

Thank you sir, what do I need to do.

Boot your computer.

It is already running.

OK, do you see the start button?

No, do you mean finder?

Ma'am it looks like a flag and it is on the bottom left side of your screen.

The thing on my computer on the bottom left side of the screen looks like a happy face.

Ma'am you should have a flag shaped icon to start your Windows computer.

But sir, it is a Mac.

Sorry to have troubled you Ma'am; goodbye.

Mike Poor turned me on to this link that shares a lot more information:

Wednesday, March 27, 2013

Mobile Device Management (MDM)

I started a poll on LinkedIn to try to understand which MDM people are using.

Alan wrote in and said they use MaaS360 from FiberLink.

Andre wrote: "My company uses Sybase Afaria but we've app-pen-tested AirWatch, MobileIron, and Good (in that order -- from most prevalent to least prevalent) for our customers, too. I have not even heard of the others and I've been doing mobile app pen-tests for 2 years now"