Security's Everyman

Tuesday, July 31, 2007

Virtual Machine = Virtual Vulnerability?

Paul and Cutaway both write about the latest research in VM escaping, and it's not pretty. The research, that is, not their writing.

It seems that Ed Skoudis and team have come up with a way to really escape a VM and run an exploit on the host system. This is still "shaky" in that it's not perfect and it's not complete, but the potential consequences are pretty severe. VMs are used quite heavily today for many different things, one of the biggest being malware testing. The bad guys have already figured out a way to make that more difficult (malware that checks whether it is running in a VM and behaves differently when it is), but this makes it even worse. A VM is used because it can be blown away and reloaded in a matter of minutes, so if it gets hosed it's no big deal. If the bad guys can cause the VM to crash and then exploit the host machine, that puts AV research in a bit of a bind. VMs are also used by companies to save space, hardware and time. Lots of security software runs on VMs, and this has the potential to put all of that at risk.

Read the articles by Cutaway and Paul, do some research yourself and let me know your thoughts. After you have become informed, check back on my site and take the new poll: "Are Virtual Machines' days numbered?"

The debate continues

I just tallied the results of my first poll (well, actually they were automatically tallied). It looks like the jury is still out on Security ROI. There has been lots of good debate going on lately regarding this, and both sides have good points.

The question was "Whether real or perceived, does security provide ROI?"
46% said Yes, it does provide ROI
54% said No, it does not provide ROI

Obviously the No's have it, but the results are fairly close. If I were a statistician and figured in a margin of error of 3 or 4 percent then the results could be much closer.

People much smarter than me have written on this and have sound arguments for their positions but here is the final word (I can say that because it's my poll) :)

In the strictest sense of the term security does not provide ROI but when you look at it in the big picture and take into account things that you can't really measure (and that is what happens in real life business everyday) then yes it can and does provide ROI. Money not spent because a breach didn't happen is a form of ROI. Savings realized because of time saved due to a security measure introduced is a form of ROI.

Now I know that many of you will take issue with this and go back to the "literal" definition of ROI but this world isn't literal when it comes to technology and security. If it was then my guess is that most of us would not be employed in this field because our "literal" inability to completely protect our networks and data 100% of the time would push us out the door. The Information Security field would be reduced to a very small group of people in a "literal" world.

Saturday, July 28, 2007

You can never be too careful

You would think that, being an Information Security Professional, I would always be extra careful in what I do. That way I save face and ensure that all of my systems are safe and secure. Well, as an act of humility I'm gonna tell you about something STUPID AND CARELESS that I did yesterday morning. I started to write about it but forgot. Then I read this post by Ravi Char this morning and it reminded me.

You have heard my rants and woes about SunRocket. (just a quick update, my service was restored for 2 days then went away again. My sister still has service w/ them even though she has signed up w/ another company. She is just waiting on the equipment to arrive so she can complete the transfer.) A couple of days ago I signed up w/ another company for phone and internet service. I saved the order info to a pdf on my laptop. I then emailed it to myself so I could get it at work. I was in a hurry and didn't pay attention to the address that I selected. I accidentally sent it to a group list that I had that was named Andy. So the details went to about 15 friends. Luckily there wasn't any "sensitive" info but a careless mistake like that could cause real problems. So lesson learned? Pay Attention!!!

Legitimate Uses for Encryption

Robert over at the Errata Security Blog writes about a fear that he has. He read a post that made him start to worry more about the possibility of encryption being used against you. I think I agree with him. Our rights are being eroded almost every day. A new law is passed or a judge with an agenda makes a ruling that makes it illegal for the average person to do something that is completely harmless. Already in some countries rights have been taken away all in the name of "security". Handguns have been banned and made illegal, encryption keys are required to be given to law enforcement, etc...

Robert suggests a method that all of us can use to do a couple of things. One will make it much harder for law enforcement to determine what is actually encrypted data and what is just random "junk". The other will make the daily use of encryption more acceptable and "normal". The purpose is to increase the use of encryption so that it is considered something that the normal person would do. Kind of along the lines of the "Reasonable Person" rule used in many legal cases.

I like the ideas but the method is not for the faint of heart. Many IT and information security pros would have difficulty making sense of his plan unless they are very familiar with cryptography. So it is out of the question for the "average Joe". Not to mention many would have moral and religious issues with carrying around a DVD full of encrypted Porn. :)

My suggestion is that we, the IT and Security community, need to do a couple of things. First, we need to make sure that we use encryption on all of our personal systems. It's a good idea from a privacy and security perspective, but even if you don't have anything to hide, use it just to increase the number of people using it for normal and legitimate reasons. Second, we need to encourage and teach our friends and family how to use it. There are several free and low cost options for encrypting our disks or data. Third, we need to create a plan to get the word out to the rest of the world. We also need to create some easy to understand guides that we can make available to anyone. They need to be done in such a way as to be usable by most anyone without needing assistance from someone who understands encryption.

This is a big challenge, especially number 3, but I think we can do it. How is the question. I have posted this question to the forums over at the Security Catalysts Community also. So between them and us we can come up with a plan.

Thursday, July 26, 2007

Someone Beat Me To IT

I knew that I should have quit procrastinating and started writing. But it looks like Scott Watson beat me to the punch and wrote "The Art of War for Security Managers". I've already put it on my Amazon Wish List and will get it soon. I may even get 2 copies. One for me and one to send to Amrit. :)

Wednesday, July 25, 2007

HOTSEC is Tonight!! (this time I mean it)

For those of you in the Atlanta area that can make it, tonight is the inaugural meeting of the Atlanta CitySec community. We are meeting at The Brick Store Pub in Decatur at 6:00. If you are in the area and can make it we'd love to see you there.

Monday, July 23, 2007

Learning from the Pros

My Out of Control Network post has generated a lot of discussion on the Security Catalysts forums. The reason I'm telling you this is to point you to a resource that will give you lots of useful information and advice. These information security and IT pros took my few comments on documenting your network and expanded them into a firestorm of advice on what to document to ensure that your network is a fine-tuned machine, at least from a documentation point of view. Check it and the rest of the useful information out.

Web Poll

With all the discussion going on regarding ROI and information security and the fact that blogger has just released a polling option I have decided to take a poll on my site. For those of you who read via RSS please take a minute and go to my site here and take the poll. It is on the right hand side of the page just under the subscription links.

It's a simple and short poll. Whether real or perceived, does security provide ROI? I'm not asking to get into the true definition of ROI. For You and your organization does it provide ROI?

Friday, July 20, 2007

I just changed primary search engines

Like many, many people I use Google a lot. I have a gmail account, I use Google calendar, Google docs and spreadsheets, Google reader, Google blogger, Google maps, Google earth and Google search. I, also like many others, am concerned about the amount of information that Google is able to glean about me from my use of their tools. Not enough to really do anything about it because I don't do things that I want or need to hide. I know that there is much more to it than just that, but that is how I feel currently. Now I don't use any of them as my primary tool except for blogger, reader and search. Now the search is going to change. At least for a while. I saw this ComputerWorld article this morning that has made me switch to for my search needs. Why? Principle if nothing else. I like the fact that they are willing to really do something to address the concerns and needs of their users. Although I don't have anything to hide in my searches I like knowing that I can do them anonymously and, even more so, that cares that I may want to. It sure seems that Google doesn't care. Even though they are implementing a new 2 year policy on cookie life, Martin McKeay, of The Network Security Podcast and Blog, tells us that this is really useless because the cookies are "renewed" every time you visit a Google site. Can you say "tomorrow never comes"?
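The renewal point is easy to see by replaying a visit schedule against the two expiry policies. The script below is an added illustration for this post; it is not code from Martin McKeay, ComputerWorld or Google. The 730-day lifetime, the visit schedule and the assumption that the server answers every response with a fresh Set-Cookie carrying a new Expires are all constructed for the example.

```python
from datetime import datetime, timedelta

# The "2 year" cookie life from the post, expressed in days so the arithmetic is exact.
TWO_YEARS = timedelta(days=730)


def cookie_lifetime_trace(visits, lifetime=TWO_YEARS, sliding=True):
    """Replay a sequence of visits against a cookie-issuing server.

    visits   -- sorted datetimes at which the browser hits a site that sets the cookie
    lifetime -- the advertised cookie life (the value put in Expires / Max-Age)
    sliding  -- True:  the server sends a fresh Set-Cookie with a new Expires on
                       every response, so the clock restarts at each visit ("renewed")
                False: Expires is set once and never refreshed

    Returns (expires_at, identifiers):
      expires_at  -- when the cookie the browser holds after the last visit will die
      identifiers -- how many distinct cookie values the server issued over the
                     whole sequence; 1 means every visit was tied to one identifier
    """
    expires_at = None
    identifiers = 0
    for t in visits:
        cookie_is_live = expires_at is not None and t < expires_at
        if not cookie_is_live:
            # Browser has no cookie (or an expired one), so the server mints a new value.
            identifiers += 1
            expires_at = t + lifetime
        elif sliding:
            # Same cookie value comes back; the server re-issues it with a new Expires.
            expires_at = t + lifetime
    return expires_at, identifiers


def regular_visits(start, every_days, count):
    """Constructed visit schedule: one hit every `every_days` days, `count` times."""
    return [start + timedelta(days=every_days * i) for i in range(count)]


def demo_results(start=None):
    """Compare both policies on a constructed schedule: one visit every 30 days, 60 visits.

    Also shows the only way a renewed cookie ever dies: a gap longer than its lifetime.
    """
    start = start or datetime(2007, 7, 20)
    visits = regular_visits(start, 30, 60)
    fixed_exp, fixed_ids = cookie_lifetime_trace(visits, sliding=False)
    sliding_exp, sliding_ids = cookie_lifetime_trace(visits, sliding=True)
    _, gap_ids = cookie_lifetime_trace([start, start + timedelta(days=800)], sliding=True)
    return {
        "fixed_identifiers": fixed_ids,                        # 3: a new value every ~2 years
        "fixed_days_until_dead": (fixed_exp - start).days,     # 2230
        "sliding_identifiers": sliding_ids,                    # 1: one value for all 5 years
        "sliding_days_until_dead": (sliding_exp - start).days, # 2500: always 730 days past the last visit
        "gap_identifiers": gap_ids,                            # 2: an 800-day gap finally breaks the chain
    }


if __name__ == "__main__":
    for key, value in demo_results().items():
        print(f"{key:24s} {value}")
```

With a fixed expiry the same user is still tied to only three identifiers over five years; with renewal it is one identifier for as long as the visits keep coming more often than the lifetime, which for a search engine people use daily is effectively forever.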

Out of control network

Like most IT people I've always disliked documentation. At least having to be the one to actually do the documentation. I know it's important and that it can save you and others lots of time when push comes to shove. This has hit me in the face hard since starting my new job. The company uses lots of contractors in the IT department, and the network has been built and modified over the years by lots of different people. Documentation has been sporadic at best, so knowing what is going on and why can be a challenge. Almost every day someone on the team gets a "surprise". They either discover something new, different, unexpected, unexplained, or just plain unnecessary. It's almost comical at times, but when you think about it there are potentially serious ramifications.

This has made my job quite a challenge. It's hard to design a security program when the environment isn't well understood by those who have been there for a while, and especially when I'm still learning new things about it. The good news is that we have management's blessing and understanding of how things are and how they need to change. We also have a good team assembled to make this work. I'm amazed at the level of knowledge and understanding that the guys I work with have. They are much smarter than most of the guys I've worked with in the past. These guys are passionate about what they do and they don't like doing shoddy work.

All that said the real purpose of this post is to emphasize the importance of documenting and understanding your network. Not only is it good for daily understanding of what you have and how it works it will come in handy in troubleshooting, DR situations, personnel changes and compliance. Many of the regulations that most of us have to comply with require you to have a well documented environment.

Technology will help you in your information security endeavors but it has to be complemented with documentation, policies, procedures and a well designed User Awareness program. Most of us focus on the technology part but if we want to expand our horizons and ensure that our environments are as secure as they can be it is a good idea to get familiar with the other areas.

  • Look over your documentation and update it. This needs to be done at least yearly and especially anytime you introduce a change in the environment.
  • Read your policies. Ask questions if you don't understand something or if you think something is incorrect. Remember, if your policy says you do it you better do it and be able to prove that you do. The Auditors will want to see the checklist, the archived logs, etc.. Don't be afraid to bring up inconsistencies to Management and to make suggestions.
  • Review the procedures and guidelines that are published within your company. Again many regulations require you to have written procedures for how you deploy systems, handle new users and users that leave. They want to know that you know what is going on and again if your procedures say that you do something they will want to see proof that you do it.
  • Sit in on a UA session or ask to see the material that is used. Make suggestions on ways to make it better and more understandable for the average user. Suggest new things that could be done to make the information easier to retain. People learn in different ways and maybe you have an idea on how to present something in a different format. You may even have the talent to make it happen. You could help put together podcasts, videos, RSS feeds, email blasts, or whatever sounds good and works.
As I've said before security goes beyond the server room. It requires that the IT and IS groups work together along with Management, HR, Training and even the end users. We have the knowledge and skills to really make a difference beyond the technology side of things. We just have to get out there and make it happen. I don't think you will regret making the effort.
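The "surprises" described above are exactly what a documentation check should catch: a host answering on the wire that nobody wrote down, a documented host that is gone, and a box that was supposed to be decommissioned but is still up. Below is an added example of that reconciliation, not code from the post or from the Security Catalysts thread. The inventory CSV, the `arp -an` output and the addresses in it are constructed for the example; in practice you would feed it your real inventory export and a fresh ARP or scan listing.

```python
import csv
import io
import ipaddress
import re

# Constructed sample: the network as the documentation says it is (hypothetical hosts).
DOCUMENTED_CSV = """ip,hostname,owner,status
10.10.1.10,fs01,infra,active
10.10.1.11,db01,dba,active
10.10.1.20,prn01,facilities,active
10.10.1.50,oldvpn,unknown,decommissioned
"""

# Constructed sample: what `arp -an` reported on that segment this morning.
OBSERVED_ARP = """? (10.10.1.10) at 00:11:22:33:44:10 on em0 expires in 1189 seconds [ethernet]
? (10.10.1.11) at 00:11:22:33:44:11 on em0 expires in 1142 seconds [ethernet]
? (10.10.1.50) at 00:11:22:33:44:50 on em0 expires in 1102 seconds [ethernet]
? (10.10.1.77) at 00:11:22:33:44:77 on em0 expires in 1199 seconds [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


def parse_documented(text):
    """Inventory CSV -> {ip: row dict}."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_arp(text):
    """`arp -an` style lines -> {ip: mac}; lines that do not match are ignored."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            seen[m.group("ip")] = m.group("mac").lower()
    return seen


def reconcile(documented, observed):
    """Compare the documented inventory with what is actually answering.

    Returns a dict of IP lists sorted numerically:
      undocumented   -- on the wire but absent from the inventory (the "surprises")
      missing        -- documented as active but not seen (offline, moved, or stale doc)
      should_be_gone -- documented as decommissioned but still answering
    """
    active = {ip for ip, row in documented.items() if row["status"] == "active"}
    decommissioned = set(documented) - active
    observed_ips = set(observed)
    by_addr = ipaddress.ip_address
    return {
        "undocumented": sorted(observed_ips - set(documented), key=by_addr),
        "missing": sorted(active - observed_ips, key=by_addr),
        "should_be_gone": sorted(decommissioned & observed_ips, key=by_addr),
    }


def reconcile_samples():
    """Run the comparison on the constructed inventory and ARP listing above."""
    return reconcile(parse_documented(DOCUMENTED_CSV), parse_arp(OBSERVED_ARP))


if __name__ == "__main__":
    for category, ips in reconcile_samples().items():
        print(f"{category:15s} {', '.join(ips) or '-'}")
```

Run against the sample it reports 10.10.1.77 as undocumented, the printer at 10.10.1.20 as missing, and the "decommissioned" VPN box at 10.10.1.50 as still alive. ARP only sees the local segment, so for routed networks substitute a scan listing or switch MAC tables; the comparison logic stays the same. Each non-empty category is a ticket: either the documentation gets updated or the network does.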

Final SunRocket Update

Something "official" finally happened from SunRocket. I received the email below yesterday telling me that it's over and that they enjoyed serving me. It also gives a few more details but nothing much.

The odd thing is that my sister still has not lost her phone service, my dad lost his on Wednesday, and my service was restored last night. ?????? Of course I have no idea how long it will work for. I still haven't decided what to do as far as my service goes. Do I continue with a similar VOIP provider (Packet8, ViaTalk, etc), go with my cable provider's offering, or go back to a land line provider?

Here is the email that SunRocket sent.

Dear Customers,

After significant effort by the Company to avoid this result, SunRocket is in the process of closing its operations and therefore will no longer be able to provide you with the phone service that you have been accustomed to. However, this email provides you with an opportunity to sign up with select service providers who we believe will offer outstanding replacement service.

In order to assist you, we have entered into negotiations with a number of service providers. As a result of those negotiations, we have entered into agreements with 8x8, Inc., provider of the Packet8 service, and Unified Communications Corp., provider of TeleBlend service, to offer you the best options and we are proud to recommend the following alternatives to you. Please make your decision to move to a new service provider immediately as future service is uncertain.


The Packet8 Internet phone service incorporates patent protected technology from 8x8, Inc., a publicly traded company in business for more than 20 years. The service works in the same way as SunRocket's and offers a virtually identical feature set.

  • No Startup Costs
  • FREE activation
  • FREE equipment
  • FREE shipping
  • FREE first month of service
  • Quickly port your number at no charge

A Savings of over $100!

Copy and paste the following link into your Internet browser: or call 1-800-868-0068 and mention special offer code SUNROCKET

Unified Communications Corp./TeleBlend

The TeleBlend Internet phone service incorporates patent-protected technology from Unified Communications Corp., a privately held company in business to provide outstanding customer service and telephony products. TeleBlend has been working behind the scenes already to restore and continue service for all SunRocket customers. The service works in the same way as SunRocket's and offers an identical feature set with our Unlimited Transfer Plan.
  • No Startup Costs
  • FREE activation
  • USE your existing hardware
  • FREE and Quick transfer of your current number
  • No Need to port your number to another provider
  • UNLIMITED calling to the US, Canada, and Puerto Rico

Copy and paste the following link into your Internet browser:

It has been our pleasure to service you at SunRocket!

Wednesday, July 18, 2007

Correction on HotSec

It's not tonight it's next week on Wednesday 7/25/07. Sorry for the confusion. I was so excited that I moved it up a week. :(

Thanks for pointing this out to me Rothman.

HotSec Tonight

For those of you in the Atlanta area that can make it, tonight is the inaugural meeting of the Atlanta CitySec community. We are meeting at The Brick Store Pub in Decatur at 6:00. If you are in the area and can make it we'd love to see you there.

Tuesday, July 17, 2007

New SunRocket Update

I've found a little more info. This CNN article gives some news and Beau pointed me to this blog from a former SunRocket employee. He gives us tips on how to transfer our numbers.

I still don't have any clue as to why some service is up and some is down.



OK, I'm officially confused. I called my sister and my dad and they both have service. I thought that maybe SunRocket was forced to turn service back up until all current users can make other arrangements. So I called my house and I still do not have service.


About a year ago I signed up for VOIP home phone service with SunRocket. They had been around for a while and seemed to have a good track record. Vonage was starting to have issues so I decided to go w/ SunRocket. NOT A WISE CHOICE!

Last night I lost service and decided to wait until today to see what happened. Then this morning I saw this post on O'Reilly. I did a little more investigating including calling their support line. It was before 7:00am Eastern Time so I got their voicemail. I just called back and got the following message.

Thank You for calling SunRocket. We are no longer taking sales or support calls. Goodbye.
That's it. No emails telling us what we need to do to be able to retain our number. No word on what happens to those who paid a yearly fee and still had months remaining. Nothing.

I consider myself lucky in that I was close to the end of my first year and only lost a month or so of prepaid service. My sister, on the other hand, just signed up in May and my Dad signed up in January. What are they to do?

Anyone interested in buying 3 relatively new SIP enabled VOIP boxes? :) Just kidding. They may make good project fodder. Maybe the guys at Pauldotcom will write a book on hacking them.

Monday, July 16, 2007

You know better than that

I received a password protected document from a security company that we do business with. I did not know the password so I sent him an email letting him know that. I expected to get a phone call but to my surprise and disappointment I received an email with the password in plain text. Now the document was not of a highly sensitive nature but it's not something that is meant for the public eye.

Of course the sensitivity of the document is not the issue here. The issue is that the password was sent via email. And worse than that is the fact that it was a security professional that did it. Someone who really should know better. I realize that the chance of someone actually sniffing our connection at that moment and pulling the password is remote, and that it is even more remote that they would have been able to capture the earlier email with the document attached to it.

It's just one of those things that gets my goat just a little. Of course shortly after I started writing this I received another email with a password in it. This one was from a friend and Security Professional. What am I gonna do with you guys! :)

Thursday, July 12, 2007

Maybe he didn't really think this through.

A friend pointed me to this article about a student list at Texas A&M Corpus Christi that was "misplaced" for a few hours. The list contained the personally identifiable information of 49 students. The list contained names and social security numbers of the students. This is the second incident in less than 2 months for TAMCC.

This post isn't about the incident or how it was handled by the college. It's about a comment that was left. Here is the comment:

Posted by josegutz on July 12, 2007 at 1:24 p.m.

It seems like it is an issue with the IT department at TAMUCC.
They need to ban all key or flash drives from being used if they cannot get that security measure together about using SSN's for identity purposes. They should do a PKI access after all they use access cards for Identity when enrolling at the University. Banning these thumb drives would minimize the security risk of someone walking off with all of this information. I don't want to get in too deep about all this technical garb since it seems that one would have a hard time to comprehend such a concept.

Here is my issue with the comment:
  1. This has absolutely NOTHING to do with the IT department.
  2. This has absolutely NOTHING to do with flash drives.
  3. IT does not dictate whether or not the university uses student SSN's as identifiers.
  4. PKI would not have prevented a student from walking off with a SHEET OF PAPER.
  5. PKI is not an easy technology to implement or manage, especially in a university environment where, by the nature of what they do, the network needs to be open.
  6. Banning thumb drives would not have prevented anyone from walking off with a SHEET OF PAPER!
This comment just set me off for some reason. Maybe it's because I have friends who work in IT and security for several universities. Maybe it's because the person tried to blame the IT staff for this and IT gets enough of a bad rap as it is. Maybe it's because the comment really didn't serve any constructive purpose except to put blame on someone without having all, no wait, ANY of the facts. Maybe it's because this person probably works in IT. I say that because the average person does not know what PKI is or how it works. Apparently this person doesn't really have much of an understanding of PKI either. If he did he would have realized point 5 above.

Now that I have ranted let me try to add value to this.
  1. Yes, it is a bad idea to use students' SSNs as identifiers. I have it on pretty good authority that this is going to change in the very near future.
  2. Yes, PKI can help mitigate the risk associated with storing PII. Encryption and access control built on it can keep the data from being accessed by unauthorized users, and rights-management products that use it can enforce policies that prevent copying data to removable media or printing documents. But it has to be used in conjunction with other technologies to be effective.
  3. There is no reason for the SSNs to be on the class roster that is given to the professor. But it is not the fault of IT or Security that this happens. Even if there are policies in place they have to have the support of Management in order to be enforced, and true enforcement would require other technology to be implemented.
  4. Security is not just the responsibility of IT or Security. It is something that has to be embraced by everyone (or most everyone) in the environment. The professors have a share of the responsibility, even more so than the IT department does.
Then my final point. If you really want to blame someone for all the problems that SSN has caused us, blame President F.D. Roosevelt and the U.S. Congress of 1935. They are the ones who gave us Social Security Numbers. :)

Wednesday, July 11, 2007

The Slow, Blue Poop Security Model

The other day I was on the TCC SILC channel and made a comment about security being considered a four letter word at some companies. Well, true to form, James Costello and Larry Pesce both chimed in with several four letter words: slow, easy, blue, poop, none. Then the conversation went south from there. Somehow Larry coined the term "Slow, Blue Poop Security". I knew there was a blog hidden in there somewhere. Well here it is.

What does a SBP security model look like? It looks a lot like what you may have seen at your company or a company that you once worked for. It's the security model that does just enough to get by. The security that keeps your network from being owned by every hacker in the world but not enough to really offer protection. It provides just enough to make you feel like everything is OK, but you really don't know what is going on. What is happening with your clients and servers? Just because AV doesn't report anything doesn't mean there isn't anything to report. Richard Bejtlich has a post today about something very similar. The SBP Security model doesn't let you know what is really going on on your network.

Sometimes the SBP model even looks good to the casual information security professional. The network has many tools and devices that look good and provide lots of pretty blinking lights. But there is no real plan behind them. These are devices that allow them to check boxes on their compliance audit. They have a device for each check box, yet there are still gaping holes in the network.

The point of all this is to say that there is no room for the SBP Security model in today's world. SBP security only causes things to be less secure in the long run. It keeps compromised systems on the network and allows them to still spew their SBP to the rest of the world. It gives the bad guys a cloak of privacy to do their bidding without being discovered because SBP makes you feel good.

That's where our job comes in to rid the world of SBP networks. To build our case for building networks that are really secure and that actually provide our companies, users and customers with the protection, privacy, and security that they really deserve.

And to quote Sun Tzu.................. Just kidding Amrit. :)

Larry, bet you didn't think I could do it.

Monday, July 09, 2007

Learning Security

There is an interesting conversation going on over at the Security Catalysts Community that I wanted to point you to. It's about employees using ICMP tunneling to get around web filters. It is just an example of the many different topics that are discussed in the SCC.
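The thread's topic is worth a concrete illustration: an ICMP tunnel wraps the real traffic in echo request payloads, so the web filter never sees an HTTP connection, but the pings it produces look nothing like the ones `ping` sends. The detector below is an added example written for this post; it is not code from the SCC discussion or from any tool. The traffic records, the addresses, the thresholds and the stock-payload patterns for Linux and Windows `ping` are assumptions constructed for the example.

```python
import math
import random
from collections import Counter, defaultdict

ECHO_REQUEST = 8

# What an ordinary ping puts in the payload (assumed for the example):
#   Linux ping: an 8-byte timestamp followed by bytes 0x10, 0x11, 0x12, ...
#   Windows ping: "abcdefghijklmnopqrstuvw" repeated to fill 32 bytes
LINUX_PATTERN = bytes(range(0x10, 0x10 + 48))
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvw"


def shannon_entropy(data):
    """Bits per byte of the payload; encrypted or compressed data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_stock_ping_payload(payload):
    """True when the payload is what a normal ping utility would have sent."""
    if len(payload) == 32 and payload == (WINDOWS_PATTERN * 2)[:32]:
        return True
    if len(payload) >= 8 and payload[8:] == LINUX_PATTERN[: len(payload) - 8]:
        return True
    return False


def find_icmp_tunnels(records, size_limit=128, entropy_limit=7.0, rate_limit=50):
    """Score each source address by three tunnel indicators.

    records -- iterable of (src, dst, icmp_type, payload_bytes)
    Returns {src: set(reasons)} for sources that tripped at least one indicator.
    """
    findings = defaultdict(set)
    echo_count = Counter()
    for src, _dst, icmp_type, payload in records:
        if icmp_type != ECHO_REQUEST:
            continue
        echo_count[src] += 1
        if len(payload) > size_limit:
            findings[src].add("oversized_payload")
        if not is_stock_ping_payload(payload):
            findings[src].add("nonstandard_payload")
        if shannon_entropy(payload) > entropy_limit:
            findings[src].add("high_entropy_payload")
    for src, count in echo_count.items():
        if count > rate_limit:
            findings[src].add("high_rate")
    return dict(findings)


def sample_records():
    """Constructed traffic: two honest workstations and one tunnel endpoint."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    records = []
    for i in range(5):  # Linux workstation: 5 ordinary 56-byte pings
        timestamp = i.to_bytes(8, "big")
        records.append(("10.0.0.21", "10.0.0.1", ECHO_REQUEST, timestamp + LINUX_PATTERN))
    for _ in range(3):  # Windows workstation: 3 ordinary 32-byte pings
        records.append(("10.0.0.22", "10.0.0.1", ECHO_REQUEST, (WINDOWS_PATTERN * 2)[:32]))
    for _ in range(60):  # tunnel: 60 echo requests carrying 600 bytes of encrypted-looking data
        blob = bytes(rng.getrandbits(8) for _ in range(600))
        records.append(("10.0.0.99", "203.0.113.5", ECHO_REQUEST, blob))
    return records


if __name__ == "__main__":
    for src, reasons in sorted(find_icmp_tunnels(sample_records()).items()):
        print(src, ", ".join(sorted(reasons)))
```

On the sample only 10.0.0.99 is flagged, and on all four counts. Any one indicator alone is weak: a `ping -s 1000` to test MTU is oversized, a monitoring box pings constantly, and some tunnels deliberately pad with the stock pattern. Requiring two or more reasons, and blocking ICMP to the outside at the firewall so the tunnel has nowhere to go, is the practical answer.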

For those of you who may not be familiar with the SCC, it is a gathering of passionate security professionals who want to have a place to interact with others who are of like mind. It consists of forums, a SILC channel for secure chat and other resources to help you do security better. There are other things in the works also that will be coming down the pike soon. The best part is the interaction that goes on between the members of the community. We have people from all different industries: financial, educational, government, private industry, the public sector. Our members work in different disciplines in security: beginner techs, programmers, researchers, penetration testers, administrators, managers, policy and compliance, and even CIOs, CSOs and CTOs. Many of these men and women have become my friends and I value what I have gained from the community.

I say all of this to invite you to stop by and take a look. You can spend time just looking around or apply for membership. It's all up to you. If you have a passion for security and want to join a group of people who are working towards changing the way we practice security then you are the type of person the SCC wants and the SCC is probably the place for you.


It's official Atlanta is starting a CitySec gathering. According to Thomas Ptacek (CitySec site Administrator and Matasano Chargen) the official name for Atlanta is HotSec but for some reason someone has branded it HillyBillySec. :)

It will be held Wednesday July 25th at 6:00 PM at The Brick Store Pub in Decatur. It's open to all Atlanta area Information Security and Computer professionals. I look forward to meeting y'all there! If you want to join in the conversation check out the posts at the CitySec site.

Saturday, July 07, 2007

Writing Policies

Information Security involves many different disciplines. Some are technical, some are administrative, some are managerial. A good security professional will gain and retain skills in all of these areas as he/she moves through their career. I've spent most of my career on the technical side of things with some administrative and managerial thrown in. My new job has me focused primarily on working with policy at this time. I've been updating old policies, writing new policies and looking into just how PCI is going to affect us and what we have to do in terms of policy and technology to ensure that we are compliant. This is not an easy process, especially when you are new to a company. I am still learning how various parts of the network connect and interact with other parts. I'm still learning what it is that Management wants and what we have the technology and infrastructure to support. Then there are the decisions that were made just prior to my starting with the company. Some of them were made because they fit well with the direction that the company is heading and some of them were made because it allowed us to put a check mark in a compliance box. If you have been reading my blog for very long you know how I feel about that.

Anyway, I digress. My point in this post is to talk about policy and how to write an effective one for your company. Of course I'm not the expert on this and I don't have all the answers and am still learning much. Much to my delight I ran across a site the other day that does a much better job than I can do. The site is The Trusted Toolkit Blog. They have declared July to be "Policy Month" and they are writing about how to create a security policy and even giving sample policies for you to download. I recommend that you keep your eye on this site this month because even if you never have to write a policy it will benefit you to have an understanding of how a policy is written and the steps involved in creating one. Not to mention that the focus on learning some "soft skills" will benefit you in the long run.

Security Urgency

There is a trend in information security (actually in IT and life in general) to tackle the urgent issues first. These are the issues that users are screaming about, management is on you about, auditors have written you up about, and the things that get you noticed. No one gets noticed for the security flaw or vulnerability that they found and patched and, as a result, prevented a breach. You get noticed when you put out a fire that other people see. Even if that fire is in the middle of a field and is surrounded by a moat full of water. People see you out there jumping up and down putting out that fire and they applaud you. This is where the security professional needs to make a change.

How do we do this? We can't stop fighting fires because if we do then we will lose battles that we can't afford to lose and we need others to see us succeed. We have to be proactive and plan. We have to know our environment and what the threats to it are. We have to put together a plan to protect our data and get management buy in. Being proactive and getting buy in can be our biggest challenges (next to time) but they are crucial to success. Not only success in getting our plan implemented but being successful in getting out of the "Tyranny of the Urgent" cycle.

This problem is multiplied for those who are either solo IT/Security departments or part of a small shop. Fighting fires can and often does take most of your time because they are always there. That is why it's important for management to realize that just because it's a fire doesn't mean that it's a priority. You need to have a policy in place that defines what is a priority and what isn't. A problem that affects only one user or doesn't impact the business is not as important as getting a patch deployed that will prevent a breach. Sure, the fire is visible and puts off heat, whereas the patch is not seen by anyone but you, but it is important and has to be done.

So what is it that needs to change? Our policy? Our plan? Our mindset? Ensuring that all three are constantly updated and evolving is a good idea, but our definition of urgent and our priorities are key to keeping us out of trouble and keeping us from stomping out fires in the middle of a field surrounded by a moat full of water.

Friday, July 06, 2007

Bye Bye Data

Wouldn't this just tick you off? You make one mistake and get a virus. That is bad enough. If you are lucky it's just a mass mailer and none of your data is at "real" risk. Maybe you get something that does a little damage to an app or some files. It could be worse. You might get infected with a bot program or a keystroke logger. Not pretty. Yet if you don't do any financially related work on your PC even that isn't so bad. What could possibly be the worst thing is a virus that actually deletes files from your machine. Especially one that deletes OS files. Now you are hosed. You have to rebuild, and for many that means losing data because they don't back up and don't know how to recover what may be left on the system.

Oh wait, it can get worse. Not only does the virus delete your files, it tells you it's doing it and taunts you as it happens. That is one cold-hearted virus writer.

Wednesday, July 04, 2007

Let Freedom Ring

I usually try to keep this completely Information Security related but today is a special day and thus I will detour from my normal format.

231 years ago the men who signed the Declaration of Independence took a stance for what they believed to be right and the best course for the colonies. They risked their lives and homes and many of them paid a very heavy price. Loss of life, family, land, possessions. They were willing to make the sacrifice for freedom.

Since then men and women have served this country in the armed forces and many have lost family, possessions, homes and their lives. They did this not because they were forced into it. They did it not because they wanted to be heroes. They did it because they believe that freedom is worth fighting for and that preserving freedom in America is worth the cost. They did it because they too believe in the same things that fueled the fires of the American Revolution.

I want to take this time to personally thank every one of them for what they have done. Thank You for the sacrifices that you made for us. Thank You for serving your country.

I also want to lift up in prayer those who are currently serving our country. Especially those who are in Iraq and Afghanistan. These men and women are facing danger every day for us. It doesn't matter what your opinion on the war is, these soldiers need our support. Let's give it to them.


Tuesday, July 03, 2007

User Awareness Training in Action

All of you know that I feel strongly that UA training has great value in keeping us more secure in our online and work network lives. I've caught flak from some for my hard-line stance on it, but this story just goes to show how effective it can be. I'll say it again, "a good information security program includes UA training and daily secure practices from the IT staff." The best part of this is that it was done in day-to-day life and not via classes and boring material. If all IT professionals practice security around their users, and take time to talk to their users and explain secure practices to them, then this is what can happen. Rebecca Herold tells the story of awareness from her kids.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.