Free Security Software – 5 free must use security tools

Need security for your computers but on a budget of $0? Free security software is available to assist with your dilemma. A few years ago, acquiring free security software often carried a risk of picking up unwanted malware or constant nagging to buy the registered version. Luckily for you, the quality of free security software has risen dramatically and it no longer carries the stigma of being an inferior product.

Top 5 Free Security Software Tools

1. Avast Free Antivirus – Previously, I was always skeptical of free anti-virus products and considered them a novelty. My Norton subscription for my new PC recently expired and I decided to give this software a legitimate chance since I had heard good things. I am very glad that I did: this is a first-rate, freely available software package with signature updates that rival its subscription-based rivals. If you are not already getting AV via your broadband provider, be bold and save $30-50 a year per machine by using Avast.

2. LastPass – Despite well-publicized security events that happened a while ago, LastPass is a first-rate company that makes a high-quality, freely available password manager that should be in your free security tool arsenal. LastPass is a life saver for managing the essential process of creating unique user IDs and passwords across the web to help minimize the risk of reusing accounts or passwords. LastPass also helps me save my brain cells and avoid the wasted time of resetting forgotten passwords, which is bound to happen to anyone creating unique passwords for each site. LastPass is more secure than using either browser-saved credentials or managing your credentials in an unencrypted document such as Word or Excel. To help minimize your risk of a LastPass credential compromise, I recommend changing your master password every 90 days or if you receive a notice from the company about potential security issues (which hopefully was a one-time occurrence).

3. TrueCrypt – Freely available encryption software for your computer or USB drives that works on multiple operating systems, including Windows, Mac, and various Linux distributions. Disk encryption is an essential security control to prevent your data from falling into the wrong hands if your PC or portable storage device is lost or stolen. I have just recently started using this software but like what I see so far.

4. Qualys BrowserCheck – Your internet browser is one of the most attractive targets for attackers to infect your system so keeping your browser and installed browser plugins up to date is mandatory to maintain optimum system health. Qualys has developed a useful browser plugin that helps validate you are operating at a fully patched and protected level. Qualys is a trusted high end security company and they have made a valuable contribution to your free security tool bench.

5. Microsoft Security Essentials – Security vendors often advise not to run multiple malware/anti-virus packages at the same time due to incompatibilities. I have had no problems running MSE with either Norton (previously) or Avast so I will continue using the Microsoft Security Essentials package. I was uncomfortable relying on it as my sole protection but it is an excellent secondary control for the Avast package I am using as the primary. If you are looking for personal firewall protection I recommend the Microsoft supplied option as well.

I am actively using or have in the past used all of these free products so feel free to ask a question if you are having problems or provide other recommendations if you have other free security tools that are working well for you.

How to secure your iPad/iPad 2 at a conference or trade show

Photo credit: http://www.flickr.com/photos/schargis/

Are you responsible for delivering an important conference or trade show for your company? If so, I know you have a thousand things going through your mind to prepare for the big event, but please remember to make information security part of the plan. Failing to account for security could be the difference between a successful event and a disaster. Remember to physically secure your iPads, portable electronic devices, and TV/display units, because some attendees think more than the pens and stress-reducing squeezy balls are fair game as giveaways.

General Information Security tips for trade shows and conferences

  • Mount/lock all electronic assets down to prevent loss or theft. Choosing one of the attractive options below will allow you to have security and an attractive setup.
  • Be careful with the equipment while it is in transit in your car or van. If you stop to eat or rest, make sure someone has their eyes on the equipment at all times. If you are stopping for the night, I advise unloading it into your hotel room.
  • Have a trusted person watch your electronic equipment while it is being moved from your car to the trade show (and vice versa). The equipment is most exposed while in transit.
  • If you are capturing attendees’ contact information, make sure you are treating the collected information as confidential and ensure the appropriate controls are in place. If you are capturing leads with electronic methods, the physical security controls recommended below should be used. If you are using business cards or other ways to capture leads, also secure the box or container that you are using to collect the information.
  • Inquire with the organizers of the event about the security of the location to help ensure the equipment will be secure when you cannot have your eyes on it. Thieves would likely target those without the security controls mentioned below, so you will be a less attractive target overall.
  • Do not use USB/storage devices of unknown origin on the electronic devices you bring with you. This is a common way an attacker may seek to infect your systems.

iPad Physical Security Options for Trade Shows/Industrial Users

iPads are beautiful devices to show off your products and company’s electronic presence at a conference or trade show. Prospective customers love the latest technology and gravitate to displays that feature high tech displays. iPads and other portable devices should be attractively mounted as part of your display to prevent theft while at the same time retaining the beauty and usefulness of your showcase.

RAM Mounting System for iPad/iPad2 – Mounting device looks a lot like your typical TV bracket and is a top choice for securing an iPad/iPad2 in a semi-permanent fashion when the device needs to be featured securely in your display. This high security mount/lock will give you the confidence that your device will not be lost or stolen during your next trade show or conference.

Arktis iPad Security Mount Lock – Another option for you to securely feature your iPad or iPad2 device for signature events. The Arktis is a bit more minimalistic than the RAM system listed above but another good option for security on the go.

General Laptop/Desktop Cable locks

Kensington is the most trusted name around for laptop/notebook/desktop cables so I recommend sticking with one of their basic offerings. Two options are either the combination or key lock depending on your preference.

Kensington Key Lock

Kensington Notebook Combination Lock

Other Trade Show/Conference Security Items

Mobile security mount for TVs/Displays – Top rated mobile security cart should be assembled prior to attending the trade show or conference. You can then roll it in easily and mount your tv unit once you arrive simplifying the process. This mount works for tvs/displays between 32-60 inches.

Security mount for TVs/Displays – If you are looking for a way to secure your tv screens/monitors for your exhibits this stand is a good choice for models between 23-42 inches.

Follow these tips to ensure your next conference or trade show is pulled off without an information security hitch.

Be sure to check out our iPad and iPad 2 screen privacy recommendations.

WordPress Plugin Security – Your Site’s worst security nightmare?

The WordPress security team recently announced some serious WordPress plugin security vulnerabilities in three popular plugins: WPtouch, AddThis, and W3 Total Cache. If you are one of the WordPress site owners using the mentioned plugins and you update plugins as soon as new versions are available, you need to take prompt action to avoid potential information security problems with your site. If you have updated within the last few days, you need to quickly update again to avoid problems from potentially malicious WordPress plugins.

Bad versions of each plugin:

WPtouch: versions 1.9.27 or 1.9.28

AddThis: version 2.1.3

W3 Total Cache: Unclear; latest version is recommended

Good versions of each plugin:

WPtouch: 1.9.26 or older or the latest version 1.9.29

AddThis: 2.1.2 or older or the latest version 2.2.0

W3 Total Cache: version 0.9.2.3
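One way to check an install against the lists above, as an added example that is not part of the original post: it reads the `Plugin Name` and `Version` fields from each plugin file's header comment and flags the versions named here. The sample files, their paths, the W3 Total Cache sample version and the assumption that each header name begins the way the post spells the plugin are constructed for illustration.

```python
import re
from pathlib import Path

# Versions as listed in the post above. Names are matched the way the post
# spells them (assumption: the real "Plugin Name" header starts the same way).
KNOWN_BAD = {"wptouch": {"1.9.27", "1.9.28"}, "addthis": {"2.1.3"}}
# The post names no bad W3 Total Cache version, only the one to be on.
RECOMMENDED_ONLY = {"w3 total cache": "0.9.2.3"}

# WordPress reads plugin headers from the first 8 KiB of the file only
# (approximated here in characters).
HEADER_CHARS = 8192

_FIELD = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t*/]*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_plugin_header(php_source):
    """Return (name, version) from a header comment; None for a missing field."""
    fields = {}
    for key, value in _FIELD.findall(php_source[:HEADER_CHARS]):
        fields.setdefault(key.lower(), value.strip())  # first occurrence wins
    return fields.get("plugin name"), fields.get("version")


def classify(name, version):
    """Map a plugin to bad / ok / review / not-listed using the post's lists."""
    if not name or not version:
        return "no-version"
    key = name.strip().lower()
    for listed, bad_versions in KNOWN_BAD.items():
        if key.startswith(listed):
            return "bad" if version in bad_versions else "ok"
    for listed, good in RECOMMENDED_ONLY.items():
        if key.startswith(listed):
            return "ok" if version == good else "review"
    return "not-listed"


def audit_sources(sources):
    """sources: {path: php_text}. Returns (path, name, version, status) rows."""
    rows = []
    for path, text in sorted(sources.items()):
        name, version = parse_plugin_header(text)
        if name:  # files without a Plugin Name header are not plugin entry points
            rows.append((path, name, version, classify(name, version)))
    return rows


def audit_directory(plugins_dir):
    """Audit a wp-content/plugins directory: top-level files and one level down."""
    root = Path(plugins_dir)
    files = list(root.glob("*.php")) + list(root.glob("*/*.php"))
    return audit_sources(
        {str(p): p.read_text(encoding="utf-8", errors="replace") for p in files}
    )


# Constructed sample plugin files (not copied from the real plugins).
SAMPLE = {
    "wptouch/wptouch.php":
        "<?php\n/*\nPlugin Name: WPtouch\nVersion: 1.9.28\n*/\n",
    "addthis/addthis.php":
        "<?php\n/**\n * Plugin Name: AddThis\n * Version: 2.2.0\n */\n",
    "w3-total-cache/w3-total-cache.php":
        "<?php\n/*\nPlugin Name: W3 Total Cache\nVersion: 0.9.2.2\n*/\n",
    "wptouch/include/helper.php": "<?php // no plugin header here\n",
}

if __name__ == "__main__":
    for row in audit_sources(SAMPLE):
        print("%-36s %-16s %-8s %s" % row)
```

A status of `review` means the post gives no verdict for that version, so it should be checked by hand rather than assumed safe.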

WordPress security lessons learned/validated

  • WordPress plugins are of unknown security levels and must be treated as such by sites requiring a high level of security.
  • WordPress updates and plugin updates should be given a 2-3 week burn-in process before applying to avoid defects and issues such as this. This would have helped prevent exposure to the situation described by WordPress, and the only caveat would be if failing to update exposes your site to known exploits that are circulating in the wild.
  • Disable or preferably delete any WordPress plugins that you are no longer utilizing for your site.
  • Make sure your WordPress site administrator is staying in the loop with WordPress security updates; awareness is half the battle.
  • Keep multiple copies of your site’s backups so you have your choice of restore points if the worst
  • Security issues can happen even with trusted plugins. WPtouch is probably the most widely used plugin to assist with mobile device compatibility, and if it can happen to them it can happen to anyone.

Be sure to understand the risk of installing WordPress plugins prior to doing so and be sure to stay on top of WordPress plugin security news to help your site stay secure.

 

Penetration Test – Does your business need one?

A penetration test is a method of evaluating the robustness of your IT security level by simulating an actual attack on your own systems. Penetration testing can be a very valuable tool to help identify the path of least resistance into your company’s critical systems and is often an eye-opening experience for management. If your company has not yet embraced the need for effective information security controls, a penetration test might be just what the doctor ordered to raise awareness and build support.

Is your business ready for a penetration test?

The answer to this question depends a lot on the maturity of your information security program. If your business is still developing your information security program a skilled penetration tester may quickly gain access to all of your systems without much effort and you might only learn that you are highly vulnerable to attack and little else. My recommendation is to ensure you have conducted internal vulnerability assessments prior to conducting a penetration test unless you are using the exercise as a means to communicate your company’s exposure to attack. Unfortunately, sometimes information security is not taken seriously until there is a smoking gun and a targeted pen test can provide that.

Important items to keep in mind before signing up for a penetration test

  • Choose the company/individual that will perform the penetration test wisely. A lot of sensitive company data will be exposed so it is important to only deal with reputable people.
  • Make a confidentiality agreement part of the contract.
  • Scope the penetration test as desired to achieve your intended results. Possible penetration test scope includes: Full review, External Review Only, Internal Review Only.
  • The cost of a penetration test can be quite high so make sure your organization is ready to benefit from the results otherwise a full security audit may be a better choice.
  • Define objectives for the penetration testers to aim for. These objectives should be targeted at the highest risk business processes, especially if you are performing the pen test to build support for expanding your information security program.
  • Make sure senior management has signed off on the penetration test. Things can go wrong during a penetration test even under controlled conditions so it is an important CYA step to ensure your career does not go down the tubes.

Other Frequently Asked Questions about penetration tests

Should the penetration test be announced to your technical staff?

Usually it is a good idea to announce the impending penetration test to your technical staff so they will know it is occurring, be on hand to support if there are problems, and not escalate detected items to a higher level. A counter case of not notifying the technical staff can be made if you desire to assess the effectiveness of monitoring controls and wish to avoid having the staff on red alert.

How much information should be provided to the penetration testing team?

Penetration tests differ on how much information is provided to the testing teams. Some penetration tests are basically a blank slate where the technical team must discover everything without any inside information (black box testing) vs. other tests where significant network and system information may be provided (white box testing). Hybrid approaches are also possible where some generalized information is provided but the pen test team must figure out the rest. For external assessments I recommend providing in scope external IP addresses and phone numbers (if analog lines are being assessed) to avoid the problems that could come if the wrong targets are identified.

Can the penetration test have an adverse effect on my systems?

The answer is most definitely yes if the pen testing team does not take steps to minimize the risks to your operations. There is an inherent risk that comes with performing an activity like this, but choosing experienced testers and setting solid engagement rules can help minimize your exposure.

Are there any established frameworks for conducting a penetration test?

The Open Source Security Testing Methodology Manual (OSSTMM) is the best current framework to help guide a penetration test (including helping a client define the scope of engagement).

Should I have a member of my team witness the penetration test as a member of the technical team?

If you can negotiate this into the contract terms and plan to build your own internal capability to some extent this would be a great way to acquire on the job training at the same time the pen test is delivered.

Now that you have more information about penetration testing you can determine if your business is a good candidate to consider one vs. a standard information security audit.

10 Commandments of Vulnerability Scanning – Tips for conducting an effective vulnerability scan

Photo credits: hernandezmarzal

Vulnerability scanning is a critical business security control for identifying system vulnerabilities that put information at risk. Vulnerabilities can exist at the network, operating system, database, and application levels, so it is important that your vulnerability scanning tool(s) check as many of these layers as possible.

Ten Vulnerability Scanning Commandments

#1 – You shall not assume an accurate system inventory

Maintaining an accurate system inventory is a challenge even for disciplined IT shops. During the introductory phases of implementing vulnerability scans into your environment you should perform a scan of all of your internal, external, and RFC 1918 private addresses. By scanning all of your possible ranges you minimize your chances of missing systems that have not been recorded in your asset inventory or systems that have been added without authorization.

#2 – Remember the change control procedures

Vulnerability scanning is important but so is proper change control. It is important to follow disciplined change control processes for every scan so that the activity is properly documented and approved. Following proper change control procedures also helps pinpoint potential negative impact related to a vulnerability scan to a more precise time frame. For the person running the scans, not following established change control procedures could be a legitimate reason for termination.

#3 – You shall attempt to do no harm to thy own network

Performing a vulnerability scan is an inherently risky process. Until you have performed baseline scans and determined how stable your systems are under scanning, a cautious approach should be taken. This involves scaling up the level of the scans gradually in addition to monitoring the systems being scanned for negative impact. Systems experiencing negative impact likely need to be upgraded or added to a scanning exclude list.

#4 – You shall configure your vulnerability scans with proper system credentials

The vulnerability scanning tool must be configured to have adequate system credentials to get the full benefit of the scan. Consult the scan setup documentation provided by your vendor to get help on the needed permissions configuration. If you fail to set up your scans with proper credentials you will get a false sense of security and only be scratching the surface of your potential vulnerabilities.

#5 – Remember thy scan frequency and make it at least monthly

New vulnerabilities are discovered on a daily basis so it is essential to schedule your scans on a recurring basis. It is good practice to define a consistent time period to perform your weekly/monthly scans to simplify change control and troubleshooting if problems occur. Regular scans are also required to validate that needed improvements have been put in place to lower the number of system vulnerabilities.

#6 – You shall not be careless with vulnerability scan information

Reports produced from vulnerability scans should be classified as high risk and access to them should be granted on a need-to-know basis. These reports contain the detailed information that would-be attackers would love to have to compromise your systems. Do not make their job any easier.

#7 – Do not falsely accuse your system administrators

System administrators need to be partners in the vulnerability remediation process and are essential for validating potential false positives. Stay on friendly terms with them and do not assume the vulnerability scan detail is 100% accurate.

#8 – You shall document your vulnerability scan exclusion list

When a system experiences negative impact from a vulnerability scan you will often times need to add the IP address to a scan exclusion list. The decision to exclude a system from the regular scan process should not be taken lightly and should be made visible so management understands the potential risk. Creating an exception process to document these situations and keeping it up to date is a best practice.
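Commandments #1 and #8 can be checked together with a short script. The following is an added example, not part of the original post: it compares the addresses a discovery scan found against the asset inventory and reviews each exclusion-list entry for a documented reason, an approver and a review date. The field names (`reason`, `approved_by`, `review_by`) and all sample addresses and dates are constructed assumptions.

```python
import ipaddress
from datetime import date

RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
# Hypothetical fields an exception process would record for each exclusion.
REQUIRED_FIELDS = ("reason", "approved_by", "review_by")


def _addrs(items):
    """Normalise address strings so '10.0.1.010'-style typos fail loudly."""
    return {ipaddress.ip_address(i) for i in items}


def scope(addr):
    return "rfc1918" if any(addr in net for net in RFC1918) else "external"


def reconcile(discovered, inventory, exclusions):
    """Commandment #1: find hosts the inventory does not know about,
    and inventory hosts that no scan reached and no exclusion explains."""
    seen, known = _addrs(discovered), _addrs(inventory)
    excluded = _addrs(e["ip"] for e in exclusions)
    return {
        "unrecorded": [(str(a), scope(a)) for a in sorted(seen - known)],
        "not_seen": [str(a) for a in sorted(known - seen - excluded)],
    }


def audit_exclusions(exclusions, inventory, today):
    """Commandment #8: every exclusion needs a documented, current exception."""
    known = _addrs(inventory)
    findings = []
    for entry in exclusions:
        addr = ipaddress.ip_address(entry["ip"])
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            findings.append((str(addr), "missing " + ", ".join(missing)))
        review_by = entry.get("review_by")
        if review_by and date.fromisoformat(review_by) < today:
            findings.append((str(addr), "review overdue since " + review_by))
        if addr not in known:
            findings.append((str(addr), "not in asset inventory"))
    return findings


# Constructed sample data: scan results, inventory export, exclusion list.
DISCOVERED = ["10.0.1.10", "10.0.1.11", "10.0.1.99",
              "192.168.5.20", "203.0.113.7", "203.0.113.50"]
INVENTORY = ["10.0.1.10", "10.0.1.11", "10.0.1.12",
             "10.0.1.30", "10.0.1.40", "203.0.113.7"]
EXCLUSIONS = [
    {"ip": "10.0.1.30", "reason": "legacy print server hangs under scan",
     "approved_by": "IT director", "review_by": "2024-06-30"},
    {"ip": "10.0.1.12", "reason": "", "approved_by": "",
     "review_by": "2023-09-01"},
    {"ip": "172.16.4.4", "reason": "vendor appliance",
     "approved_by": "IT director", "review_by": "2024-03-31"},
]

if __name__ == "__main__":
    result = reconcile(DISCOVERED, INVENTORY, EXCLUSIONS)
    for ip, where in result["unrecorded"]:
        print("unrecorded host:", ip, "(" + where + ")")
    for ip in result["not_seen"]:
        print("in inventory but not seen:", ip)
    for ip, problem in audit_exclusions(EXCLUSIONS, INVENTORY, date.today()):
        print("exclusion", ip + ":", problem)
```
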

#9 – You shall decide what vulnerability severity level to focus and report on

Many of the items detected by vulnerability scanners are more informational in nature and may not require remediation. Decide ahead of time which level of vulnerabilities you will focus and report on. I recommend starting with severe/high level vulnerabilities only and only move down once those riskier items are under control.

#10 – Do not get frustrated at lack of progress

Implementing a strong vulnerability management process takes time. Do not get discouraged if improvement results are slow to come in the beginning. Stay focused on running a disciplined vulnerability management program and build the needed connections in the IT organization to make the process sustainable.

Have you started your vulnerability management program?

 

Physical Security Options for iPad, iPad2, and other tablets

Physical security for the iPad and iPad 2 is just as important as any technical security configurations that you have implemented for your device. Physical security for the iPad2/iPad comes in a couple of flavors as described below.

Physical Security devices for iPad2/iPad

  • Bags and cases that help protect your device from damage (breaks/cracks) if dropped
  • Protective cases to help with minimal water exposure (but not full submersion)
  • Security locks that prevent your device from theft
  • Security mounts that are more permanent and used to secure your device to a fixed location for a period of time.

Home/Office Users – Protective Cases

There are a lot of different options to protect your iPad/iPad2 devices while traveling. These cases are padded to help cushion against a fall, but depending on how rough you are with your device they may not totally protect it. Find the right case for you depending on how prone to drops you are and your style preferences.

Boxwave Hardshell iPad/iPad2 Briefcase (Black) – Solid traditional case has positive reviews and is a low cost way to minimize the risk of problems should you drop it on the go.

Protective Zeroshock III Case for iPad 1/2 – Sleek protective case is designed for safety of the device itself, so do not expect room to store much else. For the minimalist who is looking to secure their device while it is not in use.

Hard Candy iPad/iPad2 Case – Stylish case with grooves is both highly rated and attractive to carry your iPad/iPad 2 on the go. Available in many different colors, so it is one of the few options that lets you get away from traditional black.

Targus EcoSmart Mini Messenger Case for iPad/iPad2 – Targus is a trusted name in the travel bag industry and this model gives ample extra storage room vs. some of the other options.

Toblino 2 Premium Leather iPad 2 Case – Highest rated leather case for the iPad/iPad2 and it would be my choice to protect my device while in use. Provides snug protection for all four corners to help minimize your risk of significant damage if it drops.

Bear Motion Protective Leather Case for iPad/iPad2 – Leather case is attractive and highly rated by those who have purchased it.

BoxWave iPad2 Armor Case – This is one cool looking case so had to include it from a variety stand point. This one is going to be a hit with iPad/iPad2 device owners.

Case Logic Water Resistant iPad2/iPad Case – Protective case is highly rated to help provide some protection for users around water. Care should still be taken because submerging in water is still not advised.

Home/Small Office Users – Security Locks

iPad Lock & Security Case Bundle – Provides basic cable lock/case functionality to prevent your device from being easily stolen. Very similar to cable locks available for laptop PCs and used the same way.

On the Road Security for iPad/iPad2

RAM Suction Cup Twist Lock Mount for iPad/iPad2/other Tablets – This device is a convenient way to mount your device on the go for long trips to prevent it from becoming a dangerous projectile if you get into an accident and to prevent theft while you are away.

Options for Trade Shows/Industrial Users

For anyone that uses an iPad device at trade shows or other high traffic events that require many hands touching the device you might want to consider more sturdy mounting brackets. These devices are not practical for casual users unless mobility is not desired, but they are ideal for individuals needing additional security while showcasing their iPad/iPad2s for big events.

RAM Mounting System for iPad/iPad2 – Mounting device looks a lot like a TV bracket and is a top choice for securing an iPad/iPad2 in a semi-permanent fashion when the device needs to remain in a fixed location.

Arktis iPad Security Mount Lock. This device would not be practical for casual users but is ideal for individuals needing additional security while showcasing their iPad/iPad2s for big events.

Be sure to check out our iPad and iPad 2 screen privacy recommendations.

Android Security Applications – The best free apps in Android market

High quality Android security apps are available for free that can help you increase the security of your Android device. Android market is the place to go to download or learn more about the apps mentioned in this article.

You might be asking yourself, Do I need more security protection for my Android device?

  • Are you a business user? – If so, your device could end up being a pathway into your corporate network and for that reason it requires the same type of endpoint protection as any other device.
  • Do you perform online banking or manage other sensitive financial accounts with your Android? Online banking increases your potential for financial loss if your credentials are compromised, so additional controls are recommended.
  • Do you frequently web surf to many sites of unknown quality?
  • Do you have kids and desire advanced security or child protection features?

If you answered yes to any of these questions or just want to secure your Android with some high quality apps you have come to the right place. Android market has both free and commercial security tools available but for this first review I will pay special attention to the free tools that you need to know about.

List of free Android security apps by category

Anti Virus & Web Surfing Security Apps – Tools that provide additional security from viruses and other web based malware.

Anti-Virus Free by AVG Mobilation

Why you need it: Has real-time protection capabilities to protect against viruses, malware and spyware. Also identifies insecure Android device settings and gives tips on how to fix them. Features continue to expand, and backup/remote locator functionality is in beta phase.

Antivirus Free by Creative apps

Why you need it: Famous for its battery-friendly footprint, this free security app is highly rated for its performance and ability to detect malware. Uses the vendor’s virus signature database, which is regularly updated and protects against known Android threats such as DroidDream and Geinimi.

Dr.Web Anti-virus Light

Why you need it: Highly rated app provides malware scanning and quarantines suspicious items that are detected. Some recent comments have complained about performance issues so probably isn’t the top option in the space right now.

Kinetoo Malware Scan

Why you need it: Yet another malware scanner. This one has a relatively low install footprint, which concerns me, but the reviews thus far have been positive. Specifically mentions that it protects against Fakeplayer, Geinimi, PJApps, DroidDream, TapSnake and other spyware.

Mobility Management/Device Locators – Tools that help identify a lost device or simplify the management/cleanup process to minimize the risk when a device is lost or stolen.

Plan B

Why you need it: Advertises itself as the locator to end all locators and the one to use to recover your device if nothing else works. There were generally positive reviews in the app marketplace so it is worth trying as a last resort.

All in One Apps – These apps do a bit of everything, so they do not fit cleanly in any one of the categories. Useful for someone wanting protection without installing a lot of different applications.

Lookout Mobile Security

Why you need it: This is the Swiss army knife of Android apps: it has security protection, backup/restore capability, and find my phone functionality if you lose your device. The security functionality blocks malware and spyware and is useful for scanning all new apps to make sure they are not a known security risk. The find my phone functionality can be used even if the GPS is turned off or if the phone is on silent.

NetQin Antivirus Free

Why you need it: All in one tool kit does malware scanning, remote device location, and backup options. Has a relatively large install base and good ratings in the Android market. Allows remote wiping of your Android device if it is lost or stolen and is unrecoverable.

Password Managers – Tools that help securely manage passwords for the Android device and for the web sites you visit.

KeePassDroid

Why you need it: Android version of award winning password management program. Even though this program is still technically in beta it is highly rated and a trusted name in password management.

OI Safe

Why you need it: Secure password management option that uses the AES encryption algorithm.

Keeper Password & Data Vault

Why you need it: Another password management option. This one is freely available, but expect to get a lot of incentive to upgrade to the paid version. I’d probably use a different app unless I was OK paying for the full version.

Other useful resources:

How to secure your Android


Posted in Android Security

10 Top Websites for Information Security

Coming up with a Top 10 information security resource list like this is always subjective and based on personal preferences. So with that disclaimer out of the way here are my 10 favorite information security sites out there today. I regularly follow all 10 of these and try to comment and be active as much as possible on several of them.

Top 10 Information Security Sites

Krebs on Security

I consider Brian Krebs to be the leading information security reporter out there right now, and it is convenient that all of his stuff is easily available online. I love his material highlighting the risks that small to mid-size businesses face while banking online. His coverage of the hacking underground economy is also a fascinating look into the economics behind the hack-for-profit crime culture. Favorite posts:

Dancho Danchev’s Blog

Dancho is an information security consultant whose posts specialize in cyber counterintelligence, focusing on the current threats facing both individuals and corporations. There is a wide range of topics, from the latest in botnet dissection to the inside workings of money mule recruiting. Favorite posts include:

TaoSecurity

Information security professional Richard Bejtlich’s blog is a personal favorite of mine for the in-depth reviews of information security related materials. I follow Richard on Twitter as well and also enjoy his posts around the US-China relationship and the cyber security rivalry that exists between the powers. Favorite posts:

Ars Technica

Their work on Anonymous vs. HBGary was so riveting that it deserved an award, and it would have made for a fabulous Hollywood screenplay. I always link in to see what they have to say with respect to Anonymous and other high-profile information security incidents. Favorite posts:

Lenny Zeltser on Information Security

I discovered this gem a little later in the game vs. a lot of these other sites but I really love the content. This is probably the site that is the closest to targeting the same type of audience that I write for. I will definitely be spending a lot of time catching up on the content here. Favorite posts so far:

ThreatChaos Security Blog

I love the eye-appealing design of this site, and the content is top notch too. A lot of the subject matter in 2011 has focused on the information security exploits of China and Google. My favorite posts:

Roger’s Information Security Blog

Roger focuses his content from the perspective of a hands-on information security practitioner, and it is good to keep up with his latest writings. Roger has a ton of information security certifications and experience and a wealth of knowledge. Favorite posts:

Uncommon Sense Security

Great simple information security blog resource to keep up with Jack Daniel’s take on current issues (awesome name too). Favorite posts:

Kai Roer on Security

I first ran across Kai’s blog via some other people I follow on Twitter, and it has been a good find as I have enjoyed several of his recent posts. Kai focuses on current events in the information security industry, and his material is more at a managerial level vs. that of a technical person. Favorite recent post:

Schneier on Security

Bruce Schneier is operating at near deity level when it comes to the field of information security, so it would be outright heresy not to include him on the list. I like to check out his blog on occasion, although I tend to focus more on business risk mitigation vs. detailed technical analysis. A lot of the posts are archived and hard to link, but a current favorite post is:

Hopefully you have picked up some new information security resources by reviewing the information security site top 10 list. Feel free to disagree and make suggestions as to what I missed as I always have an appetite for new information.

Posted in Information Security Awareness, Information Security Sites

How to remove the Sent from my iPad message from emails

Tired of seeing the “Sent from my iPad” message when you send email to colleagues or friends? If so, here is how you can change that setting to remove the “Sent from my iPad” message.

Settings > Mail, Contacts, Calendars > Signature – Remove the signature.

If you are leaving it as a status symbol by all means ignore this tip. ; )

Additional Resource for iPad 2 Security Recommendations

Posted in Apple Devices

WordPress 3.1.2 Upgrade – What are the information security implications?

I logged into the WordPress admin panel today and noticed it is once again time to consider when to apply the latest WordPress version update. A quick scan of the update shows it is a very minor one with nothing standing out from either a functionality or security perspective that makes a quick upgrade a necessity.

My typical recommendation is to wait about 2 weeks before applying a WordPress version update unless there are some high risk security vulnerabilities mentioned in the release. You can feel safe allowing at least a two week burn-in for WordPress 3.1.2 at this point to allow any bugs to be detected and resolved without you playing the role of guinea pig.

Security Details of WordPress v3.1.2

The only element mentioned in the WordPress v3.1.2 upgrade summary is related to a vulnerability in the contributor access permission around post publishing abilities. The contributor role already has a good bit of posting privilege, so this seems very minor from a security standpoint.

Fixes a vulnerability that allowed Contributor-level users to improperly publish posts. (r17710)

WordPress version upgrade best practices

  • Apply all plugin updates prior to updating the WordPress version.
  • Take a full backup of your entire site prior to the update (a good precaution even though 99 times out of 100 the update is painless)
  • Apply the update at an off peak time when your usage base is smaller and you or your technical resource would be available for troubleshooting if a restore were required.

If you require WordPress backup guidance consult this additional material.
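
The two-week burn-in rule and the checklist above can be enforced by a small wrapper. The script below is an added example, not part of the original post: it assumes WP-CLI is installed as `wp`, and the site path, backup path and 01:00-05:00 off-peak window are hypothetical values.

```shell
#!/usr/bin/env bash
# Added example: burn-in gate and step ordering for a WordPress core update.
# Assumptions (not from the post): WP-CLI installed as `wp`, the two paths
# below, and a 01:00-05:00 off-peak window.
SITE_DIR="${SITE_DIR:-/var/www/example-site}"        # hypothetical path
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"   # hypothetical path
BURN_IN_DAYS=14                                      # the post's two-week wait

# Succeeds once the release has aged BURN_IN_DAYS, or at once when the
# release fixes a high-risk vulnerability.
# Args: release_epoch now_epoch high_risk(0|1)
burn_in_done() {
  local age_days=$(( ($2 - $1) / 86400 ))
  [ "$3" -eq 1 ] || [ "$age_days" -ge "$BURN_IN_DAYS" ]
}

# Succeeds when the hour (00-23) falls inside the assumed off-peak window.
off_peak() {
  [ "$1" -ge 1 ] && [ "$1" -lt 5 ]
}

# Full backup: database dump plus the whole site tree. Fails if either
# artifact is missing or empty, so a silent backup failure blocks the update.
backup_site() {
  local stamp
  stamp="$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$BACKUP_DIR" || return 1
  wp --path="$SITE_DIR" db export "$BACKUP_DIR/db-$stamp.sql" || return 1
  tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" -C "$SITE_DIR" . || return 1
  [ -s "$BACKUP_DIR/db-$stamp.sql" ] && [ -s "$BACKUP_DIR/files-$stamp.tar.gz" ]
}

# Backup first so it also covers the plugin updates; plugins and backup both
# complete before the core update, as the checklist requires.
# Args: release_epoch high_risk(0|1)
upgrade() {
  burn_in_done "$1" "$(date +%s)" "$2" || { echo "still in burn-in period" >&2; return 2; }
  off_peak "$(date +%H)" || { echo "outside off-peak window" >&2; return 3; }
  backup_site || { echo "backup failed, nothing updated" >&2; return 4; }
  wp --path="$SITE_DIR" plugin update --all || return 5
  wp --path="$SITE_DIR" core update
}

# Run only on request: RUN_UPGRADE=1 ./wp-upgrade.sh <release_epoch> <0|1>
if [ "${RUN_UPGRADE:-0}" = "1" ]; then upgrade "$@"; fi
```

Pass the release's publication time as a Unix epoch and `1` as the second argument only when the release notes list a high-risk fix; a failed or empty backup stops the run before anything is updated.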

Posted in Wordpress Security