2010
10.13

The Recap

A female riding a motorized wheel chair was advised by officer to stay on sidewalks until the chair had all proper safety equipment installed.

The Lesson

I read this particular police report and thought, duh! I apologize for my bluntness, but of course you must have proper safety equipment to be road worthy. Then it hit me: we are more and more dependent on our customers interfacing with our business through a web browser. Sure, each browser has its pros and cons, but at some point each one makes a big leap, and it cannot be overlooked that older versions are no longer secure enough given the evolving threat landscape. So at some point, as security professionals, we have to push our organizations to stop supporting older browsers. Yes, this may cause some pain, because customers have to go through the process of updating their systems. However, we would be remiss to both our organization and our customers to allow an insecure connection into our systems.

We always have to walk a fine line between being accessible to our customers and maintaining security, but there are times when we have to make security the first concern. This means the critical role we need to play in the change is to help sell “security” as a benefit, not a hindrance. No, we shouldn’t over-promise, but we should make sure there is a value placed on the pain we are about to cause. It is always a challenge to sell security, but customers have a choice of where to do business, which means we really need to understand how to convey value. If we can sell security to customers, pitching security internally should be a piece of cake. Just remember to make sure everyone is “security” worthy before driving into your system.

2010
10.02

The Recap

Someone reportedly damaged a pavilion by removing shingles and set a picnic table on fire at a local park.

The Lesson

As security professionals we spend a lot of time keeping the bad guys out, and we frequently are under the impression that the bad guy wants something. Focused on preventing a loss of assets, we often overlook the fact that there are still those who want to access our systems just to damage them. Although our defensive strategies may be the same when it comes to preventing unauthorized access, the strategies differ once access is gained. When an intruder wants something of value from a system, they take precautions not to be detected, and often they want to return to increase their rewards. However, when an intruder’s intention is to wreak havoc and destruction, there is little time to respond. Once our systems are destroyed there is little to no forensic evidence to aid in understanding what went wrong; there is only time to start restoring systems as best we can.