May 29th, 2007
By Jim Reavis
The people who own corporate information security programs have spent the last few years playing a game of regulatory catch up, while for the most part spinning their wheels when it comes to implementing new and actually useful concepts to mitigate evolving threats and justifying their existence. Meanwhile, exploiting information security vulnerabilities for financial gain has never been easier and is now big business, with sophisticated tools, mature distribution channels, stable malware pricing and even some slick marketing. The gap between good and evil is as wide as I can recall in my years in the business, and if it turns out that the recent Estonia bashing business was actually coordinated in part by the Russian government, well, it ain’t getting prettier. Yet, with all the bad news, you do hear about a lot of good ideas being bandied about to make changes in the way we protect information assets. Ok, I am also hearing a few bad ideas as well, but at this point I think change for change’s sake isn’t necessarily the worst thing to do. Here, in no particular order, is my list of Ten Ascendant Trends for the Next Chapter of Information Security:
May 29th, 2007
By Ira Winkler
There is a current article from Fortune describing some more accusations of “Pretexting” against HP. HP’s response is that they did not perform any pretexting. Sadly the reporter either didn’t question any further or didn’t have the opportunity to ask more questions. Nobody said that direct HP employees performed illegal pretexting themselves. The fact is that they paid to have the crimes committed.
The whole plausible deniability excuse is ridiculous. The HP Executives knew exactly what was going to be done, and they paid to have it done. Just as paying someone to commit a murder makes a person an integral part of a crime, knowingly paying someone to commit a criminal act makes that person equally responsible for the crime. It is time that reporters and the criminal justice system started to treat things that way. Just because it is HP’s policy not to perform pretexting, it doesn’t mean that they are off the hook when they pay others to do it for them.
May 29th, 2007
By Ira Winkler
In my new book, Zen and the Art of Information Security, I have a chapter titled, If You Have to Ask, You Shouldn’t Be Asking. The catalyst for this chapter was that someone once attended a presentation that I gave on penetration testing, and then contacted me a year later with an e-mail that basically said, “I finally talked a client into letting me perform a pen test. I don’t know what to do, how to do it, what to charge, or any special legal language that should be in the contract.” My response was basically, “You shouldn’t do the work.”
Today, I was hit with another e-mail message that reeked of the same problem. In today’s message, a consultant from a very large integration firm sent out a message saying that one of their clients wants to scope out integration of a NOC/SOC. He gave a very wide variety of requirements for the facility, and then wanted feedback from a wide variety of people not associated with his company. While I am normally all for helping out a colleague, this person should have either sought this info inside his own organization, which has access to such experts, or just told the client he doesn’t have a clue and to go elsewhere.