Breach Irony: Experian

Another breach, you say? Yawn.

How many this time? 10,000 records? 20,000? 1 Million?

No, those numbers are small potatoes. How about 15 million? Caught your attention yet? Probably not. But stay tuned for some breach irony!

Experian was breached. They are a large credit check company. Perhaps you’ve used one of their websites before, namely freecreditreport.com, an Experian company. Have no fear if you did! You are likely unaffected by the breach, unless of course you are also a T-Mobile customer. You see, T-Mobile used them to credit check their potential customers, and those individuals make up the list of victims this time around.

GREAT NEWS THOUGH! If you are one of those poor saps, you have qualified for TWO COMPLETELY FREE YEARS OF CREDIT MONITORING by…ahem…am I reading this right??? Ahh, I love the irony…


How many free years of credit monitoring have you accumulated? Share some details in the comments below.

Thanks for reading and don’t forget to subscribe.

Free Tech Support? NO WAY?! No, really, no way.

A coworker received the below pop-up while using Google Chrome.

Being the helpful guy that I am, I made the phone call for him and did a little bit of recon at the same time. Here’s the good news…sort of. They hung up on me twice when I told them I was using a work computer. It seems they are only interested in personally owned computers. Good news if you are an IT guy/gal, bad news for Grandma.

Here’s some more bad news…they were using a legitimate service, support.me to connect remotely. This is bad because it looks safe and wholesome to an unsuspecting victim. Plus, it likely has legitimate uses on your network, which means it may be hard to globally block.

Also, the approach of letting people call them is very effective. After all, if you are initiating the conversation, you already have your guard down. This is a really good social engineering tactic. Bait the victim, but let them “think” that they initiated the transaction. On the other hand, if you receive a phone call out of the clear blue from someone with a foreign accent telling you that your computer is infected with a virus, well, that’s a harder sell. Still, it’s not uncommon for members of our campus community to receive calls from “Microsoft” and “Google.” Sometimes, they are just looking for an IP address to target from the outside. “Hello, we are trying to fix your copier. Can you please tell me what the IP address is?” If you ever get an unsolicited call like that, just tell them it is 265.548.175.15. The geeks out there will get why that IP is safe to share.

Interestingly, they didn’t have me connect to that website through my browser. They had me go to Start –> Run and type “hh web”, which opened an “HTML Help” window.

From there, you can press that little yellow question mark at the top left of the box and choose “jump to url.” I would imagine that they do this to bypass browser security and plug-ins. Pretty clever, I suppose. The rest of the call consisted of him trying to get me to type in the session code to allow him remote access to my computer. I just could not get it right…
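For the IT folks reading along, here is one way to spot the “hh web” trick on your own fleet. This is an added example, not something from the original post or from the scammers’ toolkit: it scans process-creation events for HTML Help (hh.exe) being launched with anything other than a .chm file. The log layout is constructed for the example and is not a real product’s format, and the rule assumes that no legitimate workflow on your network starts hh.exe without a .chm argument.

```python
# Added example (not from the original post): flag Windows process-creation
# events where HTML Help (hh.exe) is launched without a .chm file argument,
# as in the "Start -> Run -> hh web" step the scammers used.
import re
from typing import Dict, List

# Constructed sample events in a simple "timestamp | host | user | image | command line"
# layout; this is not a real log format, just test data for the rule below.
SAMPLE_EVENTS = """\
2015-10-01T14:02:11 | PC-0417 | alice | C:\\Windows\\hh.exe | hh.exe C:\\Program Files\\App\\help.chm
2015-10-01T14:05:43 | PC-0417 | alice | C:\\Windows\\hh.exe | hh.exe web
2015-10-01T14:06:02 | PC-0417 | alice | C:\\Windows\\System32\\notepad.exe | notepad.exe notes.txt
2015-10-01T14:07:19 | PC-0221 | bob   | C:\\Windows\\hh.exe | hh.exe http://support.me
"""

# A .chm reference anywhere in the arguments marks the normal use of hh.exe.
CHM_ARG = re.compile(r"\.chm\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into its five fields."""
    ts, host, user, image, cmdline = [f.strip() for f in line.split("|", 4)]
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def is_suspicious_hh(event: Dict[str, str]) -> bool:
    """hh.exe normally opens a .chm file; a bare word such as 'web', or a URL,
    is unusual and worth a look (assumption: no legitimate workflow here
    launches hh.exe without a .chm)."""
    if not event["image"].lower().endswith("\\hh.exe"):
        return False
    _, _, args = event["cmdline"].partition(" ")
    return not CHM_ARG.search(args)


def find_suspicious_hh(log_text: str) -> List[Dict[str, str]]:
    """Return every event in the log that trips the rule, in log order."""
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if is_suspicious_hh(e)]


if __name__ == "__main__":
    for e in find_suspicious_hh(SAMPLE_EVENTS):
        print(f"{e['ts']} {e['host']} {e['user']}: {e['cmdline']}")
```

Run against the sample it reports the “hh.exe web” launch and the one pointing at a URL, and stays quiet about the help file and notepad. Feed it your own process-creation telemetry by adapting parse_event to that source’s field layout.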

What was the end game? I’m not sure. Clearly they would have charged me to “clean” my computer, although I was assured repeatedly that the diagnosis would be free. Would they then steal that credit card number altogether? Install additional malware to ensure my credentials are uploaded to the grasp of an excited hacker? Probably yes and yes, but for today, I’m fine being in the dark on that!

Have any of your coworkers or family members fallen victim to this scam? Share the details in the comments below.

Thanks for reading and don’t forget to subscribe.

Linux Security: No Room For Cockiness

Hello All. Today, I am very happy to share with you a post written by a guest blog writer, Shawn Powers. Shawn has been teaching IT for more than a decade. His specialties are Linux, Chef, and integrating multiple platforms for larger networks. Early in his career, he started a Cisco Academy for a local school district where he taught networking (CCNA & CompTIA A+) to high school students. He has a passion for teaching others, and his enthusiasm comes through in his courses. He is an associate editor for Linux Journal and instructor for CBT Nuggets.

Linux Security: No Room For Cockiness, By Shawn Powers

https://themmindset.files.wordpress.com/2011/04/windows_vs_linux.jpg


One of the biggest selling points for using Linux is its inherent security advantage. Some people claim it’s due to a better modular security structure in its design. Others claim it’s compromised less often because it’s not targeted as much. I think the truth lies somewhere in the middle. Wherever you think Linux has an edge, the worst thing a system administrator can do is depend on the percentages game and assume a Linux system is invulnerable.

A Linux server is not invulnerable.

Even if Linux itself is secure, the applications installed on top of the operating system might not be. One prime example is the Code Red worm that affected Apache web servers. It didn’t matter that the Linux system was secure. After an application with elevated privilege got compromised, the system was done for.

What does this mean for the person in charge of Linux Security? Several things.

1) Keep your system updated.

We make fun of Windows users for the hundreds of security updates that need to be installed on a regular basis. Truth be told, Linux systems have just as many updates! Yes, some are feature changes, but on most systems there is a special “security” channel in the update mechanism that is crucial to keep up to date. Don’t wait for a security problem before installing those updates. Make them a part of your regular routine.

http://www.libertycolumns.com/images/os-updates-windows-mac-linux.jpg


2) Don’t install services you don’t intend to use.

When you’re setting up a server, whether it’s a virtual machine, bare metal, or a cloud instance, don’t install services unless you actually need to use them. If you’re not going to host web pages on your MySQL server, don’t install Apache on it! Not only are unused services additional vectors for compromise; if you don’t use them, you’re less likely to notice if they fall behind in updates. An idle Apache server is just as vulnerable as an active one. Install what you need, but no more.

3) Firewalls are your friend.

There was a time somewhere between Windows XP and Windows Vista where the first thing I did on a desktop system was turn off the firewall. It seems like the built-in firewall on Windows was so flaky that it broke more than it solved. That’s not the case anymore with Windows, and it’s absolutely not the case with Linux. Whether you’re using a GUI tool, or the super simple “Uncomplicated Firewall” (UFW) in Ubuntu from the command line, use a firewall! And like with the applications you install, only open the ports you need, and no more.
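Points 2 and 3 go together: you can only open “the ports you need” once you know what is actually listening. The script below is an added example (not part of Shawn’s post) that reads socket listings in the shape of `ss -H -tlnp` output, reports any listener that is not on an allowlist (the idle Apache on a MySQL box from point 2), and prints the UFW commands for a default-deny policy that opens only the allowed ports. The sample output is constructed for the example, and the allowlist is an assumed list that the admins of the box would maintain.

```python
# Added example (not part of Shawn Powers' post): audit listening services
# against an allowlist and print the matching UFW rules for a default-deny policy.
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample in the shape of `ss -H -tlnp` output from a MySQL-only box;
# not captured from a real server. Someone installed Apache here "just in case".
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 70 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1203,fd=21))
LISTEN 0 511 *:80 *:* users:(("apache2",pid=1450,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
"""

# Ports this server is meant to expose (assumption: maintained by the admins).
ALLOWED_PORTS = {22, 3306}

# Pulls the process name out of  users:(("sshd",pid=812,fd=3))
PROC_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(ss_text: str) -> List[Dict[str, object]]:
    """Turn `ss -H -tlnp` lines into {"port": int, "process": str} records."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        # Local address is field 4; the port is whatever follows the last colon,
        # which also handles IPv6 forms such as [::]:22.
        port = int(fields[3].rsplit(":", 1)[1])
        m = PROC_RE.search(fields[5])
        listeners.append({"port": port, "process": m.group(1) if m else "?"})
    return listeners


def unexpected_listeners(ss_text: str, allowed=ALLOWED_PORTS) -> List[Dict[str, object]]:
    """Services that are listening but not on the allowlist: candidates for removal."""
    return [l for l in parse_listeners(ss_text) if l["port"] not in allowed]


def ufw_rules(allowed=ALLOWED_PORTS) -> List[str]:
    """UFW commands: deny everything inbound by default, open only what is needed."""
    rules = ["ufw default deny incoming", "ufw default allow outgoing"]
    rules += [f"ufw allow {p}/tcp" for p in sorted(allowed)]
    rules.append("ufw enable")
    return rules


if __name__ == "__main__":
    text = SAMPLE_SS_OUTPUT
    if "--live" in sys.argv:  # read the real socket table on a Linux host
        text = subprocess.run(["ss", "-H", "-tlnp"], capture_output=True,
                              text=True, check=True).stdout
    for l in unexpected_listeners(text):
        print(f"unexpected listener on port {l['port']}: {l['process']}")
    print("\n".join(ufw_rules()))
```

On the sample the only complaint is apache2 on port 80, which is exactly the service point 2 says should never have been installed. With `--live` the script reads the host’s own socket table; run it as root if you want `ss -p` to show process names for services you don’t own.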

Linux security is generally rock solid, and is fairly easy to maintain. One of the biggest problems Linux system administrators face is the tendency to neglect updates. So take security seriously, and Linux will be painless to keep safe. Leave it on its own, and hackers will happily check for vulnerabilities on your behalf!

-Author, Shawn Powers

(images and formatting added by Matthew Nappi)

Do you agree with Shawn’s viewpoint on Linux security? Is there anything else you would add to this list? Let us know in the comments below.

Thanks for reading and don’t forget to subscribe.

Credit Card Skimmers Close to Home?

Do you have an alarm system? If you do, did you get one before or after your neighbor was robbed? Few of us are proactive enough to get one without something hitting close to home.

These are the thoughts that came to mind when I saw this:

[photo of the gas pump]

That, my friends, is a gas pump. Do you notice anything strange about it? Look a little bit closer:

[photo: security tape on the credit card swipe]

That security tape is similar to the plastic seal on a bottle of Diet Pepsi. If broken, do not drink! In other words, that tape was put on the credit card swipe of this gas pump as a detective control to identify tampering, like the installation of a skimmer device for example. I won’t name the particular gas station I was at, but it’s green and white about 5 miles from the University. And I have several of their toy trucks in my office. I know that doesn’t narrow it down much, so please don’t try to pull out the geo-location data embedded in the above photos. In actuality, they should be commended for putting something like this in place, but it begs the question…was this proactive or reactive? Things that make you go hmmmm….

That’s why I like credit cards and debit cards that offer $0 liability protection. Combine one of those with Apple Pay, and you’re in pretty good shape. Of course, cash will always be king.

Have you ever had a run-in with a credit card skimmer? If so, where?

Thanks for reading and don’t forget to subscribe.

UPDATE 5/20/15: To be fair, I noticed that this particular chain of gas stations has security tape on their pumps at most locations I’ve visited… So I guess there IS a possibility they are being proactive, or had a bad experience at a subset of locations and then deployed the tape widely. Things that make you go hmmm…

REVIEW: CSI: Cyber

http://en.wikipedia.org/wiki/CSI:_Cyber#mediaviewer/File:CSI-Cyber-Logo.jpg


This week was the beginning of a new CSI television series, CSI: Cyber. I am not a CSI fan by nature. In fact, I’m not a big fan of television dramas at all. I try to like them. I really do, but it’s hard for me to get past mediocre acting and low budget explosions. However, I had to give CSI: Cyber a chance. After all, it promised to deliver on a theme that is near and dear to me, cyber security. Did it deliver?

To start on a positive note, I thought the technology aspects of the show were only moderately exaggerated, so kudos for that. I think it’s a positive thing that they are highlighting real world consequences of hacker activity. It is not a harmless pastime or a victimless crime. This show can potentially serve as a nationwide public awareness campaign. Hopefully, they will work in some useful reminders for viewers, like the importance of antivirus and the like, rather than simply inciting FUD (fear, uncertainty and doubt).

http://commons.wikimedia.org/wiki/File%3AMBP36_-_Digital_Video_Baby_Monitor_MBP36.jpg


With that said, the first episode was named Kidnapping 2.0, making reference to the next generation of kidnapping that incorporates hacking into internet connected baby monitors. The “baby auction” plot may be farfetched, but the idea of some weirdo hacking into your baby monitor is one based on fact. It happens, and for that reason I advise my friends to avoid buying an internet connected baby monitor unless they really have a need for it. Even the ones without Wi-Fi are relatively easy to access, but you need to be in physical proximity to the camera.

I thought the title of the episode, Kidnapping 2.0, was appropriate because they kidnapped one hour of my life with no remorse. The casting choice is just unreal. Lil’ Bow Wow is a rhyming hacker being rehabbed by the FBI. To quote my wife, “STRIKE 1.” The action star of the show is none other than the star of Dawson’s Creek, James Van Der Beek. I never thought I would live to see Dawson kick down a door, but network television has blown my mind yet again. The “best white hat hacker” in the world is a stereotypical “heavyset” gentleman and at one point the FBI director tells his staff that they can “go home to their parents’ basements.” Really? LOL.

All things considered, I will probably watch this show again. Not because it was a good show, but I find the random technical references extremely entertaining. I love how the writers jam technical jargon into sentences that do not require it at all. It’s just hilarious. And I find the security talk extremely entertaining. There is nothing better than hearing acronyms explained by bad actors. Unfortunately, I doubt the mildly entertained IT crowd can keep this series afloat for very long.

In any case, if you’re looking for a mediocre drama with a mixture of technical chatter and law enforcement, you’ve found it! I will let it record on my DVR and from time to time I’ll check out an episode. More so for a laugh than a thrill, but at the end of the day it served its purpose of entertainment…for one reason or another.

Note to Producers: This show can still be saved by adding a key guest star or two. Namely, Jack Bauer or Liam Neeson (he has a very particular set of skills).

Did you catch the first episode? Tell me what you thought in the comments below.

Thanks for reading and don’t forget to subscribe.

Security Conference Round-Up

Just about once a year, I start to explore the various security conferences that are available, their approximate cost and when they are usually held.  There are a few summaries out there on the web, but most are exhaustive with way too much information or simply not enough. So, here’s a summary of conferences on my radar, based on 2015 data. Fortunately, the data does not change much from year to year so this will be a good point of reference in the future. This is far from an exhaustive list, though. There are smaller hacker conventions, like Derby Con and Hope X, which I did not thoroughly investigate, but are definitely worth a nod. The costs are estimated (assuming no discounts) and the descriptions are highly subjective, mostly based on hearsay. How is that for minimizing the usefulness of this post?!

http://en.wikipedia.org/wiki/File:DEF_CON_17_CTF_competition.jpg


| Conference | Location | $$$ | Timing | Description |
|---|---|---|---|---|
| Blackhat | Vegas | $5500 | August | All the corporate heavies will be here, leans towards a hacker theme. Conference without any training is about $2500. |
| Defcon | Vegas | $250 | August | Hacker convention. Cash only, starts right after Blackhat, lots of bad words. If you’re going to Blackhat, Defcon is a must do. |
| Educause Security Pro | Minnesota | $500 | May | Security within the higher ed vertical, peer preso heavy, REN-ISAC meetup. |
| Gartner Security Summit | Maryland | $3,000 | June | Calling all CISO’s, managers and CISSP’s! Strategic thinking and networking. |
| Interop | Vegas | $3000 | April/May | General IT conference with security track. Some tech, vendor heavy. |
| (ISC)2 Security Congress | Anaheim | $1000 | Sept/Oct | Calling all CISO’s, managers and CISSP’s, with some technical mixed-in. |
| RSA Conference | San Fran | $5000 | April | All the big shots will be here. Corporate with broad security coverage. Conference without any training is about $2500. |
| SANS | Various | $5000 | Various | More training than conference, top-notch educational opportunity. Heavy technical with some strategy mixed in. SANS 2015 in Orlando is a main attraction. |

You can check out my 2014 Interop NY review here, but there will not be a NY version this year. Vegas only, so my guess is that quite a few people agreed with my assessment.

I’m sure I missed some really good ones. Please add them to the comments below. Thanks for reading and don’t forget to subscribe!

Educause Security Professionals Conference – Proposal Accepted


I am excited to share that I will be presenting at the 2015 Educause Security Professionals Conference by means of an online-only session.  It will take place on May 5th from 9:15-10:15 AM.  Although I am not a complete stranger to public speaking, this will be my first presentation at Educause and my very first online presentation.  It should be an adventure!

Title:  Good Enough Security: When is it good enough?

Session Abstract:  While many security professionals focus on “best” practices, in many cases “good enough” security would suffice for deflecting the majority of threats.  In an effort to maintain a balanced viewpoint and avoid becoming myopic regarding security requirements, it is important that we come to terms with what level of security is “good enough” within the culture of higher education.  Join us for an interactive, spirited and subjective discussion regarding what level of security is “good enough” in areas such as password complexity and change requirements, network architecture, endpoint security, and many other specific scenarios.

Session Participant Engagement Strategies:  After a brief discussion surrounding the selfish herd principle and why risk based “good enough” security should not be discounted, I will present various multiple choice examples and scenarios.  Each participant will vote on what option they feel is “good enough” by means of live polling via the internet.  After voting is completed, I will offer my own perspective / experience and then go through each choice one by one.  As time allows, advocates for each option will have the opportunity to justify their choice and others will have the opportunity to express why they disagree.  The intention is to stimulate a meaningful discussion and help participants reach a reasonable viewpoint regarding what configurations, standards and designs are likely “good enough.”

What do you think of the session topic?  Do you have any ideas regarding what I should cover during this session?  Any strong opinions regarding what is “good enough security” in the environments you support or work in?  Are there security measures you have encountered that seem unnecessary or overkill? 

Share your thoughts in the comments below and don’t forget to subscribe!

New School Malware Wipes Hard Drives Old Skool Style

This story has been over-reported on already, so I figured I would join the party! The FBI issued a warning regarding malware that completely wipes all data on a computer’s hard drive. Destructive malware is nothing new, but it has fallen out of favor with malware writers probably because there isn’t much to gain by destroying someone’s data. Of late, it seems that most destructive malware has been targeted, so for the most part the average person doesn’t need to worry about that risk. However, that may be about to change.

All evidence indicates that this malware wreaked havoc on Sony Pictures recently. If I can find a bright side to this type of news, it’s the fact that people tend to listen up when they hear that they can potentially lose family photos and videos forever if they click on the wrong link. Low probability perhaps, but very high impact! So I will take this opportunity to make a few recommendations.

I am not going to tell you to install anti-virus, even if you are a Mac user, because I know that my blog readers already have AV installed…right?!  And I know you would never log in to your local workstation as an administrator to check email and surf the web, so no need to mention that!

Consider installing and using EMET if you are a Windows user. I have been running it on my Windows desktop set to “Maximum security settings” with no adverse effects.  Well, that’s not entirely true.  There was one patch recently that caused EMET to crash IE continually, but updating EMET resolved the problem.

Backup, backup, backup. Oh and don’t forget to backup your data. Make sure your data is backed up too. And if you are really smart, you will backup your data.

One more thing…AUTOMATE your backup. Don’t rely on remembering to manually copy your data to a USB drive. Automate the process otherwise when you need your backup, it will be 1 year old. I guarantee it!

Did I mention the importance of backing up your data?

Technical Details published by Symantec about Backdoor.Destover:  http://www.symantec.com/security_response/writeup.jsp?docid=2014-120209-5631-99&tabid=2

Thanks for reading and don’t forget to subscribe!

Interop NY 2014 In a Nutshell


This week I attended Interop NY for 5 days and thought I would share some highlights from the week.  The daily commute was painful, but Javits is only a brisk 15 minute walk from Penn Station and a pretty cool venue overall.

Day One:  The first day I attended an all day workshop consisting of an intro to web application penetration testing.  It was a nice review of some of the popular exploits today, and if you are responsible for writing or supporting a web app I would highly recommend you become familiar with the OWASP top 10.

Hint:  If typing <script>alert('Hi Hacker')</script> in an input box on your website produces a pop up box, be afraid.  Be very afraid… Some useful tools reviewed included sqlmap, Burp, and an awesome cross-site scripting checker called XSS-Me.
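To make the hint concrete for anyone who writes web apps, here is an added example (not from the original post or the workshop) that shows why the canary pops: the same search box rendered once with the raw input dropped into the page and once with HTML entity encoding of the untrusted value. The page snippets and the request value are constructed for the example; the only library used is Python’s standard html module.

```python
# Added example (not from the original post): the reflected input box from the
# hint, rendered unsafely and then with output encoding applied.
import html
import re

# The canary from the hint, as a constructed request parameter value.
CANARY = "<script>alert('Hi Hacker')</script>"

# A <script tag that survives into the rendered page means the input ran unencoded.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_unsafe(query: str) -> str:
    """The 'be afraid' case: user input is concatenated straight into the HTML."""
    return f"<p>You searched for: {query}</p>"


def render_safe(query: str) -> str:
    """Same page, but the untrusted value is entity-encoded for an HTML text context
    (quote=True also encodes ' and ", so the value is safe inside a quoted attribute)."""
    return f"<p>You searched for: {html.escape(query, quote=True)}</p>"


def contains_live_script(page: str) -> bool:
    """Crude check in the spirit of the hint: did a <script> tag make it into the output?"""
    return bool(SCRIPT_TAG.search(page))


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render(CANARY)
        print(f"{name}: {page}")
        print(f"  live script tag: {contains_live_script(page)}")
```

Entity encoding is the right fix for HTML text and quoted attribute contexts, which is where a search box’s value usually lands. If the value goes somewhere else, say inside a JavaScript string or a URL, that context needs its own encoding; this example does not cover those cases.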

Day Two:  On the second day I attended another all day workshop which focused on components of a risk management program.  The preso was very well put together and the speaker made some interesting points.  For example, the cloud should be defined as anything out of our direct control. There is no such thing as a “best” practice. Refer to industry recommended practices instead. IT security is a subset of Information Security, which is a subset of Enterprise Risk Management.

Days 3-5:  Vendor Expo and Educational Sessions


The following day was the kickoff of the expo and began with the first of two keynotes.  The headliner was Seth Meyers and he did a 30 minute stand-up with some technology jokes peppered throughout.  He shared a story about that one time he jumped on his friend’s computer and typed the first few words of a search and the terrifying search history of his friend appeared…AWKWARD. There were some other great keynote guests like a VP from CBS and HBO.  The founder of Gilt was there and the CTO from Obama’s campaign in 2012.  There were some others as well.  Overall, they had some very insightful comments prepared and even some unorthodox ways of running their enterprises.  For example, Gilt makes changes to production every 15-30 minutes by breaking apart their website into hundreds of small applications managed by different groups.  Essentially, they are mimicking open source development within the enterprise.  Several company execs agreed that there is a major talent shortage and believe strongly in developing talent internally and keeping your employees content.

Throughout the keynotes and the 1 hour sessions over the next 3 days, I heard many technology buzz words absolutely destroyed.  Can I get an amen?!

  • Big Data is just data.  We need Big Answers.  – Harper Reed (Formerly Obama 2012 CTO; Modest, Inc.)
  • Big Data is just business analytics with lipstick. – John Pironti (IP Architects, LLC.)
  • Cyber, Cyber, Cyber, Cyber, Cyber…stop it! – David Rhoades (Maven Security)
  • The cloud is just adding another data center that you don’t manage. – Elliot Glazer (Dun & Bradstreet)

The vendors came out in DROVES.  I heard one vendor throwing around a new term I can imagine picking up speed, “encryption in-use.” The irony of it all is that one of the ongoing messages throughout the Information Security and Risk Management track was to stop buying “widgets” you will not make full use of before first making full use of the “widgets” you have.  With that said, the expo was a very effective way to get up to speed quickly on a wide range of vendor offerings.  Although, I think I will need a new work number because I have no doubt that it will be ringing off the hook from now on.  Good thing I registered with my CISO’s phone number instead of my own…

In addition to chatting with many vendors and sitting through several vendor specific presentations, below is a list of the sessions I attended.  Feel free to reach out if you want more information about any of them, but the slides from every presentation are available right HERE.

| Session ID | Title |
|---|---|
| 830131 | Hands-On Web Application Penetration Testing |
| 829636 | Acknowledge the Inevitable: How to Prepare For, Respond To, and Recover From a Security Incident |
| 100001 | Wednesday Keynotes |
| 830310 | A CISO’s Perspective: Friend or Foe? Effectively Managing Third Party Information Security Risks |
| 830317 | Emerging Tools and Trends in Hacking |
| 830315 | Cloudy with a Chance of Encryption |
| 100004 | Thursday Keynotes |
| 830313 | Next-Generation Firewalls: Results from the Lab |
| 830314 | The Threat Within: Managing Insider Risks and Building a Culture of Security |
| 830311 | What’s Next? Emerging Trends in Information Risk Management and Security |
| 830316 | Is Your Data Really Safe? A Security Checklist Everyone Must Implement |
| 830318 | Next Line of Defense: Internet of Things |

Rating:  Fair – I’d go back for the keynotes and expo, but I felt like they were trying awfully hard to stretch a 2 day conference into a 5 day conference.

Thanks for reading and don’t forget to subscribe!

Risky Business: Who decides?

At our recent DoIT all-hands meeting, it was mentioned that thanks to my blog it is possible to know what I’m thinking about. That has been true to some extent. As I reflected on that statement though, I realized that most of this blog has centered around facts and ways to secure your computing environment. I haven’t really used this platform to share my viewpoints or opinions. That is partially due to the fact that I am not, by nature, a blogger. This blog was my first venture into sharing information in such a public forum and I’m still trying to strike a balance between opaque and transparent. After all, discretion is the better part of valor, is it not? Mostly true, but lack of discretion has a time and place too. By the way, for some reason I hate the word blog. Blog Blog Blog.

With over a year here on West Campus I thought today is a good day to break the self-imposed mold for this blog and talk about my thoughts on risk. No, not RISK the strategic board game. Risk as in “the potential of losing something of value.”

Did you know that risk has a formula? That’s right, my academic brethren. Here it goes: Risk = Threat x Vulnerability. Let that sink in for a minute. Read it again. Risk = Threat x Vulnerability. Which of those two factors can we control? The threat? Nope. We only have control over the vulnerability aspect of that equation. Every organization has a risk posture. What is ours? What is yours? What needs to change?

What is our risk posture?

Before we talk about risk posture, we need to talk about risk tolerance. Some organizations are risk averse and try to address every known vulnerability regardless of cost. Others tend to be more risk tolerant and allow certain inefficiencies to remain. Where do we sit on that spectrum as an organization? Well, most institutions of higher education tend to have relatively high risk tolerance. The extent of tolerance varies from institution to institution. Consistently, though, risk tolerance is decreasing across the board. The threat has changed. The world has changed. At Stony Brook our risk tolerance is decreasing in like manner. Is our tolerance decreasing as quickly as the threat is increasing? We need to move fast.


This blog is not the place to discuss our risk posture. Sorry to disappoint. I will say this, though. Our risk posture is strong in some areas and weak in others. That is true for all organizations. Then there are areas that have an unknown risk posture. Those worry me. There are too many of those.

What is your risk posture?

In other words, how are we doing as individuals with regard to assessing and managing risk? The sensitivity and tolerance to risk varies greatly. Let me give you a handful of character profiles found around campus and, while you read it, try to honestly evaluate which one you relate to more.

  • A researcher who proactively reaches out to the CISO at the start of a research project to ensure that the practices they plan on following are adequate.
  • A researcher who is convinced that nobody in this world is interested in his/her research data and therefore security is not a concern.
  • An IT support professional who knows the owner of each system on their portion of the network and is quick to respond to security related incidents.
  • An IT support professional who provides support as requested, but otherwise allows faculty to manage their own equipment and therefore does not view security as part of their job description.
  • An IT admin who always takes security into consideration, can justify why every security-adverse decision is made, and employs compensating controls.
  • An IT admin who will always choose functionality and ease of use over security without giving any thought to risk.
  • A faculty member who wants to use their computer to accomplish a given task over the next few months.
  • A faculty member who wants admin rights on their computer so they can accomplish any task at any given time at some point in the future.

The list can go on and on, but those are some of the perspectives I’ve encountered on campus.  If reading this list put you on the defensive, ask yourself “Why?”

What needs to change? 

For starters, we need to start thinking and talking about risk more often. The decisions we make must be made with both eyes wide open. Lack of thought has no place in higher education. In my opinion, this improvement will have the single greatest impact on the security of our organization. Coincidentally, our meeting with Information Systems today centered around this very topic. They are acutely aware of certain risks within their purview and they want to formalize a priority-based plan to address them. This is the type of thinking that will keep Stony Brook safe.

We need to recognize who has the authority to accept risk on behalf of Stony Brook University, or wherever you happen to be employed. It’s probably not you or me. If a decision is being made that exposes Stony Brook to risk, make sure the right administrator is accepting that risk and is fully aware of the implications. It’s for your protection as much as it is for Stony Brook’s. I have observed that the higher you move up the chain of command, the less tolerance there is for risk. Let the decision makers do their job.

When there is conflict between security and preference or ease of use, we need to default secure. As it stands now, it is not uncommon to default less secure until an incident. That mentality needs to change. If a security related decision is going to impact the business flow or ease of use negatively, there needs to be a well informed decision made by the appropriate person. Don’t default less secure, default more secure until otherwise advised.

In the past, there was no reasonable way to collaborate safely. That is no longer true. Responsible collaboration is possible and practical. We have to be willing to jump through a hoop here or there to operate securely. Connecting to the VPN before accessing something is not unreasonable. Put the organization’s safety before your own convenience.

Finally, we need to work together. We need to disagree and discuss it intelligently. We need to yield when a reasonable argument is presented.

Overall, I am optimistic about our security posture and our security trajectory. Let’s make a concerted effort this year to think and talk about risk so our posture will continue to improve.

Thanks for reading and don’t forget to subscribe!