Speaking at BSides Ottawa - a great security conference tradition (ScottWright)
posted Tue September 22nd 2015 @ 8:28 AM
What do you do if you're interested in learning about security and hanging out with a variety of interesting people to network and share ideas, but the most popular conferences are too far away, over-crowded, and too expensive? You look for, or start, your own local BSides conference. BSides conferences are free, security-oriented events (funded by sponsors and staffed by volunteers) that started in 2009.
Last year's event (2014) in Ottawa was a great mix of interesting talks.
This year, I'm fortunate to have been invited to speak at the BSides Ottawa event on October 2 and 3 (Friday and Saturday at the Ottawa RA Centre). I will be presenting on the history (and possibly the future) of the Honey Stick Project. If you're not familiar with it, the Honey Stick Project is a fun series of social experiments I started in 2008 to explore the human component of risks.
ISAC is a community-based approach to addressing cyber risks in industry verticals (ScottWright)
posted Mon August 31st 2015 @ 11:57 PM
I often teach organizations to educate users on doing their jobs securely by focusing on doing only the things they are authorized to do. Anything else that comes up - like "out of the blue" requests from outsiders - should be treated with caution. This lets employees work efficiently in areas they know well, and gives them guidance on when to double-check and take extra security precautions.
A similar approach has been used successfully by cooperative industry organizations called Information Sharing and Analysis Centers (ISAC). These types of organizations offer some degree of promise for setting up guidelines and standards to reduce risks for businesses within their industry area.
The Shared Security Podcast is Here - formerly the Social Media Security Podcast (ScottWright)
posted Fri August 14th 2015 @ 4:21 PM
Since 2009, Tom Eston and I have been publishing a pseudo-monthly audio program called the Social Media Security Podcast. In that time, we've put out 42 episodes, discussing privacy risks, threats and vulnerabilities, as well as tips for staying secure.
While social media and social networks still deserve some critical attention in the area of security, we've decided to expand our scope. In our 43rd episode, just published this month, we now aim to cover security news, tips and advice in the many areas of personal and business life that are increasingly in the news.
Politically correct justifications for addressing insider employee security threats (ScottWright)
posted Mon July 27th 2015 @ 12:00 AM
Nobody wants to be suspected of being untrustworthy, or acting against their employer or other employees. So, senior managers can be hesitant or unwilling to deal seriously with insider security threats. They may not want to face backlash from employees who feel they are being treated like criminals. Some Apple Store employees apparently complained to Apple CEO Tim Cook that some mandatory bag searches of employees leaving their shifts are unnecessarily embarrassing, and are sometimes even done in public.
It’s understandable that this is a touchy subject with employees; but there are ways that employers can start to take a reasonable position on reducing risks from insiders.
LastPass password manager gets hit - nobody is immune, but this is about as good as you can hope for (ScottWright)
posted Tue June 16th 2015 @ 6:33 AM
Yesterday, the online password management system known as LastPass announced that they had detected an attack on their service's client data which appears to have been partially successful. This is a system that I use, but I'm not really concerned (although I recommend that all LastPass users read the following and change their master password ASAP). Here's why...
Why the Internet of Things needs your attention now (ScottWright)
posted Fri April 24th 2015 @ 4:08 PM
As a wise man once told me, the two most important reasons people invest in security are: Fear and Compliance. Of course, there are a few smart people who invest in security because they actually think it's a good way to manage risk. But some might still argue that this falls under the Fear category. In any case, I'm going to have to appeal to your sense of fear now, since there are no regulations that will force you to spend any time or money on the Internet of Things.
Smart devices are coming
If you haven't heard the term the Internet of Things, you may have already been exposed to the concept. That is, one day in the not too distant future, just about any object you can imagine will be available in a Smart version... "New and Improved!" the ads will read. Anything labeled as being Smart will be expected to be able to connect to the Internet and communicate with you, of course. But it also implies that these Smart things will be able to communicate with other Smart things via wireless communications. Sounds great, right? Well, not so fast...
Why not put a 2 person over-ride in every commercial airliner? (ScottWright)
posted Tue March 31st 2015 @ 10:03 AM
Just a quick thought after this week's air crash in France, in which the co-pilot locked the pilot out of the cockpit and intentionally crashed the plane into the mountains. In this case, security worked too well. The cockpit door locks were designed to keep terrorists out of the cockpit. But there has always been a risk that pilots could also become incapacitated by smoke or other hazards. We have remotely piloted drones now. So, why not equip every airliner with the capability to be piloted from the ground in an emergency?
Don't blindly accept all privileges requested by mobile apps (they often don't need all of them) (ScottWright)
posted Sat February 28th 2015 @ 7:28 AM
Most of us have probably downloaded at least one app to our mobile devices or phones by now. But have you ever noticed what they are asking for when you download them? Sometimes they don't need access to all the resources on your device that they are requesting.
How can you tell if your organization is set up to defeat attackers or your auditors? (ScottWright)
posted Fri February 27th 2015 @ 9:24 PM
Sometimes, we get confused about who the enemy actually is. While businesses should be defending themselves against hackers and phishers, they often just want to get the auditors and regulators off their backs.
How can you tell whether you're fighting the wrong battle? Here are some clues that you might be fighting the people who are supposed to be protecting your organization:
When choosing passwords and security questions, spell words and names incorrectly (ScottWright)
posted Mon February 2nd 2015 @ 7:02 PM
Unless you have a mind like Mike Ross on the TV series "Suits", you probably struggle to come up with good passwords that you can remember. One of the common security guidelines for choosing passwords is to "not use dictionary words or even recognizable names." Unfortunately, however, this can make it hard to remember your new password because you can't just choose words or names that mean something to you.