We’re At Risk Because Nobody Really Cares About Cybersecurity!

Here’s a shocker: We’re At Risk Because Nobody Really Cares About Cybersecurity!


I recently completed a risk assessment for an organization, and I am waiting to present the findings, but as I was describing this to my girlfriend her response shocked me: Nobody cares! At first I tried to convince her that people did indeed care, but to no avail. Then I realized a cold, hard truth about why so many organizations are getting hit (again and again): while information security professionals care a great deal about security, and many other key people in organizations also understand and respect the cyber-threats, a large proportion of people, and organizations on many levels, don’t care, and are just checking off the box that says they’re running anti-virus software.

People are busy; people don’t understand the technology and are stressed out by its complexity. I believe that many are so overwhelmed by the information overload that they don’t even respond to non-critical events. This is bad news for any prospect of stemming the tide of successful attacks, which are making it all look so easy.

The fact is that the Internet’s functionality has far outpaced its ability to create secure environments. One issue I see is that the Internet’s core web protocol, HTTP, was never designed to be secure, so HTTPS was created as an afterthought. In fact, I would venture to say that most web-sites could be successfully breached by hackers of only moderate ability.

So where does this all end? How does the story play out? Unless everyone on the front lines, and not just those who work at security companies, develops new behaviors and mindsets, the headlines will continue, and not in a good way. Sadly, many of those hit in the smaller-company range might not even report their losses when their bank accounts are attacked and they are put out of business.

I believe each of us individually has some responsibility to try to be more secure, and to help each other understand the implications of our current technology behaviors.

Together we can make tomorrow more secure.


Chris


PS: You can check out some more information about keylogger programs, which can cause your bank account to be drained, right here:

http://chris.welber.net/2014/02/22/what-are-keyloggers-programs/


What is the role of risk management in information security?


A potential role of Risk Management in Information Security may be what Stewart and Tittel’s CISSP study guide describes on the topic of Auditing:

“Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing is the primary type of detective control used in a secure environment.” (Stewart, James M., Tittel, Ed 2011-01-14, p. 464).

While auditing may be considered a sub-topic within risk analysis and management, this quote is very much to the point. The detection of unwarranted and unwanted conditions which could allow a threat to turn into a compromise is a major component of risk management.

The role of Risk Management, then, would appear to be to detect, analyze and recommend solutions to discovered risks. These solutions could take the form of mitigation, acceptance, or transference, and I would even put forth an additional option: sharing the risk with a partner.

Darril Gibson’s guide to the Security+ certification puts forth the following definition of risk assessment:

“Risk Assessment: A risk assessment, or risk analysis, is an important task in risk management. It quantifies or qualifies risks based on different values or judgments.” (Gibson, Darril, 2011, Kindle Locations 9767-9769)


How can effective risk management strategies help to strengthen information security? Provide an example to explain your answer.

I believe that a hybrid approach to Risk Management, one which includes risk quantification and qualification systems, integrated staff training, the inclusion and nurturing of stakeholder relationships, and an arm always connected to the academic research community, can make a huge difference in an organization’s risk profile.

One thing I have started to think about, on reflection of my readings regarding FRAAP and FAIR, is the idea that a Risk Management System itself needs auditing to see what’s working and what’s not.

What’s exciting, and a challenge at the same time, is how new all these technologies are. Turning 49 this month, I remember the days of no Internet, no computers, no cell phones, and no beepers. When we advance at such an incredibly rapid pace as a society, our ability to understand how to use the technology and manage the associated risk can sometimes be a challenge.

I am excited to be a founding member of Excelsior Security Group, because I believe it’s out of environments like this one that the future cyber security leaders will come. I was at a talk by CERT’s Christopher May recently, and he discussed how important every one of us is in the daily battle of cybersecurity.

Here’s to working together, and to great things coming out of our shared Internet experiences.


Sincerely,

Chris


References:

Ali, Shakeel; Heriyanto, Tedi (2011). BackTrack 4: Assuring Security by Penetration Testing.

Stewart, James M.; Tittel, Ed (2011-01-14). CISSP: Certified Information Systems Security Professional Study Guide (p. 464). Wiley. Kindle Edition.

Gibson, Darril (2011-11-10). CompTIA Security+: Get Certified Get Ahead: SY0-301 Study

Musical Interlude? (You Ain’t Done Yet)


And now for something completely different…

I started writing some songs about 6 months ago; the inspiration came after my band went from a trio to just my drummer Perry and myself. I have about 5 original songs, and I’ve been playing guitar and singing for years.

So here is just the words to one of my new songs titled: “You Ain’t Done Yet.” The music will be available eventually, and currently it’s in the process of getting more polished.

You Ain’t Done Yet (c) by chris welber


Verse:

I’m laughing my time away

Not thinking about what to say

I’m laughing my time away

Thinking about nothing at all

I’m Sit here ‘in in my chair

Got my feet kicked up in the air

I don’t have a care

I’m Sit ‘in and smiling at the world

Chorus

Someone told me  I better get going before yesterday is gone

Someone told me  just keep on flowing I’ll figure out how to move on

Walking down..the road I see..Knowing that.. you’re coming to be

 

Verse Two:

Some people say

You gotta think their way Today

But I say to myself I’m

Sittin and Smiling at the world

When I think about what to do

I’m gonna be happy and be true To myself

When I smile at passers by

It gives me a natural high

 

Chorus

Someone told me  I better get going  before yesterday is gone

Someone told me just keep on flowing I’ll figure out how to move on

Walking down..the road I see..Knowing that..you’re coming to be

 

Keep sitting and smiling at the world!


Chris

The Modern Age of the Internet Requires Offline Time


I’ve been thinking recently about how stressful the modern Internet age is. In the old days things moved slower; having recently turned 49, I’m in the position of remembering the pre-Internet days, when I used to build my own computers and ran one of the first Bulletin Board Systems in New York, called the Red Phone BBS. I actually remember that in high school the only computers were very primitive ones that I occasionally ran into in computer labs.

I myself work in the technology industry, and a lot of stress comes from the fact that it operates essentially 24/7, so I need to make a conscious effort to disengage and allow myself downtime.

Three recommendations I have are:

  • Try not to sit or work in front of a computer for more than an hour and a half at a time.
  • Give yourself “flash 5-minute meditation sessions”: these consist of finding someplace quiet, sitting, breathing deeply, shutting out everything external and viewing your internal landscape. When disruptive thoughts come up, just set them aside; they’ll still be there in 5 minutes. The times of maximum stress, when you feel you can’t do this, are when you need to do it the most.
  • Give yourself some offline time at the beginning of your day and at the end. Electronic devices give off a lot of energy, and this is not always what you want aimed at you immediately when you wake up, or right before retiring for the night.

Finally, I will leave you with the thought that the more downtime you fit into your schedule, the more productive you will become. This may seem counter-intuitive, but give it a try. I challenge you to double your offline time, downtime, and you-time and see what happens.


Sincerely,


Chris

What is a Broken Web Application and Why You Should Care?


Did you know that your web-site may be a sitting duck for Internet hackers?

I have found that many small to mid-size organizations tend to set up a web-site with the idea of “driving traffic to their sites.” Of course this is obvious, but the sad fact is that these same organizations put almost no thought into building a fortress of protection around their sites to slow down, and try to stop, malicious hackers who seek to do you and your organization harm. Security is not even on their radar, but it needs to be!

A simple example of the damage which is possible is the hypothetical situation where a small organization has a hosted web-site that accepts user data (user-names, passwords, and maybe other personal data). The organization may be using a web-developer who is well-versed in coding features but not in building web-sites on a secure development model. The end result is that the organization’s web-site ends up with poor security and gets hacked, with the user accounts stolen and used on other web-sites (because people tend to use the same passwords everywhere). Then, once other sites realize that the hypothetical organization is the source of the problem, things go from bad to ugly at the speed of the Internet.

There are steps you can take:

  • Scan your web-site regularly for vulnerabilities (if you don’t know how to do it, it’s recommended to hire a professional who does).
  • Post information on safe browsing for your users; here is a previous post which discusses it:

http://chris.welber.net/2014/02/22/what-are-keyloggers-programs/

I look forward to answering any questions which you may have, and be safe out there!


Christopher


Pivot Points


When I think of a pivot point in life, I think of a concentrated moment during which everything changed, and new horizons opened up for me. One recent pivot point for me was meeting one of my mentors in an academic course in 2013. This chance meeting with Professor Vel Pavlov, of Excelsior University changed my life, and accelerated my journey into information security.

I believe that in the growth-path of any great individual, company, or project there are always a few inflection points (opportunities) which come along (this is true of life as well, I believe). We don’t get a lot of these in life, so it’s training ourselves to know when these “moments” have arrived, and taking advantage of them, that allows us to prosper and grow. This is a key take-away from years of academic, life, and business training.

We all need a bit (or more than a little) of LUCK! We have to be on the lookout for our points of rapid expansion and then pivot on these. I have worked hard, and sometimes I wonder at the same time, if destiny plays a part (karma?).

I need to be happy if nothing comes of my efforts, but continue to strive while I am alive to grow, and enjoy my journey.

Building strong emotional experiences/connections, and bonds is very important. I believe that people embed the strong experiences they have (both bad and good,) into their deepest areas of mind and body. In a sense we can program ourselves for the journey ahead.

I also wonder if pacing applies to life building, and to developing the platforms in our lives where we try to do what we are driven to accomplish. So often, steady, on-going efforts build an audience of life connections over time. With that said, luck, timing, and being in the right place at the right time matter too.

I always wonder why some people work so hard in life and seem to get nowhere, while others appear to work not as hard, get a lucky break, and BOOM, they’re famous and rich and have arrived. Maybe karma plays a part. Yet in the end it’s what’s inside us, what we take with us when this dream of a life is over, that matters. Everything worldly has a shelf life…

My friend said it best: “write for the pure joy of creating, writing, and expression.” This way, if you end up having a day job your whole life, you’ll still be happy, which in the end is a good goal! While my friend was referring to writing, this thinking could apply to almost any area of human activity.

I learned that I should never underestimate where a new connection or development idea may come from.

The next step is only a thought away.

May we all experience happiness on our individual, and collective journeys in the world together.

Chris

Is Risk Always Bad?


There is a notion that if something is “risky,” this means it’s bad. I have found this is not always the case; in fact, sometimes a calculated risk can be a good thing.

I believe we all need to start looking at risk as something we can potentially use to our advantage, and to grow. Being an Information Technology professional with decades of experience, and the creator of one of the first “Electronic Bulletin Board Systems” in the early 90’s (it was called the Red Phone), I of course understand the concept of assessing and protecting against harmful risks. But at the same time, we have all had the experience of trying something new, taking an uncomfortable risk, and experiencing something we totally were not expecting, in a good way.

How can we use risk in a beneficial way? I think by asking ourselves a couple of simple questions:

  • Does the risk have the potential to cause us great harm?
  • What are the potential benefits of the risk in question?
  • What could we stand to gain by taking the potential “calculated risk”?
  • What is the emotion we associate with the risk (i.e. fear, anger, anxiety), and where do we feel this emotion?

Sometimes I have found that it was a simple, unjustified fear which kept me from trying something new, taking a risk, or doing something which was uncomfortable yet beneficial.

Don’t ever let fear stop you! Most of the time, growth is uncomfortable, fearful, and risky.

So be fearless in trying new things, and seeking to use risk to your advantage.


Christopher

How I lost 40 pounds and kept it off for 14 years!


The journey started 14 years ago, in the fall of 2000, many lifetimes ago. One day I was sitting with my dad, and he said I didn’t look healthy. He mentioned he was concerned, in the way fathers do. I also realized I was not getting any younger, and I needed to do something about my health.

This was the time in my life I was destined to learn about the Tao. I had met my Buddhist life teacher that same year, and now I was about to embark on another journey: the journey back to health. I learned a lot from a wonderful book by Daniel Reid, The Tao Of Health, Sex and Longevity. The book discussed deep breathing, Taoist principles and exercises; I can’t recommend it enough. It discussed one core belief which I have lived by for the last 14 years, and which has allowed me to go from 200 pounds to 160 and stay there all this time: it’s called food combining. The way it works is that I only eat carbohydrates & veggies, meat & veggies, or fruit, and sweets always by themselves. I can’t really do justice to the book’s deep dive on this topic, called “Trophology,” which I recommend you buy and read. Here is a direct quotation from this wonderful book:

“Trophology: The Science of Food Combining Compared to Taoist concepts of balance, the Western notion of a ‘balanced diet’ is simplistic and superficial. Western physicians advise everyone to take ‘a little of everything at every meal,’ jumbling together such disparate ingredients as meat, milk, starch, fat and sugar. Such indiscriminate consumption of food is no different than pouring a combination of gas, oil, alcohol and sugar into the gas tank of a car. These blends will not burn efficiently, will provide little power and will quickly clog up the engine so badly that the entire system grinds to a halt. The advice given in the quote at the beginning of this chapter, from a book presented to the founding emperor of the Ming Dynasty on the occasion of the author’s 100th birthday, clearly reflects the fact that the ancient Chinese were well aware of the importance of the science of food combining. This wisdom was once known to the West as well, as evidenced by Moses’ strict regulation that meat and milk must never be consumed at the same meal.” (Reid, Daniel, 2011-03-08, pp. 58-59).

More than weight loss, I found that eating in this manner helps my body be more comfortable in all the areas you can imagine might be uncomfortable in relation to food.

I believe low-carb diets work for this reason, yet at the same time I believe extremes in life generally do not work, and we always come back to the middle (by choice or by force).

I am happy to share my personal experiences further with anyone interested.

Also check out my prior post on “THREE BOOKS I LOVE,” book #2.

Here’s to a juicy steak, and vegetables (no potatoes for me please).

Christopher

References:

Reid, Daniel (2011-03-08). The Tao Of Health, Sex and Longevity (Fireside Books) (pp. 58-59). Simon & Schuster, Inc. Kindle Edition.

I’m sort of confused about the idea of detachment in Buddhism?

This week we present a guest blogger, my Buddhist teacher. The format is a question, and an answer by him. I hope you enjoy it.

(Question) I’m sort of confused about the idea of detachment in Buddhism?

What does it mean to be detached in a Buddhist sense?

To me, it means you don’t care about anything, but if that were true of Buddhism, it would be pointless to care about reaching enlightenment or helping others to end their suffering.

Does it just mean that you don’t love any one thing or person more than anything else?

I don’t know if I could get used to that idea. The only things I really care about are my pets, and I don’t know if I could just not love them anymore…

So, could anyone help me out with this?

(Answer by stbb)

What causes you to be happy or unhappy? We human beings mistakenly think that getting things is the cause of all happiness; so we spend 95% of our life, time and efforts to get what we think will give us happiness, and the remaining 5% may be used to take care of our survival needs, like going to the bathroom, drinking liquid, eating food and sleeping.

To understand what happiness is we must examine what is the Nature of Suffering? Not the other way around! Unlike another answerer, he seems to have read Buddhism books, yet he didn’t fully understand the true teaching or theories of Buddhism. He assumes Buddhism is the teaching of understanding Suffering, and therefore he assumes that happiness is an illusion.

We must understand the Nature of Suffering is not our main concern; rather it is the byproduct of our activities in pursuing the happiness. It is true, most people confuse getting their desires fulfilled as happiness; if that is the case then this mundane happiness is truly an illusion as this answerer said. But the happiness in Buddhism I am talking about is, “Nirvana is Happiness”; the ultimate happiness that is every bit real, therefore the pursuing of Happiness is the ultimate teaching in Buddhism.

Whereas some people dwell in getting their mundane desires fulfilled, and then they are disappointed when they failed and can’t have their cake and eat it too; they get distraught, bent out of shape, become upset and unhappy, then this is truly suffering for them. So therefore we must learn to be detached from the outcomes of the activities of getting our desires fulfilled.

Many things we hold dear to our heart in this Samsara world are love, friendship, companionship, money, wealth, cars and houses, etc.; but they are merely illusions of this life. You may have all of the above as your possessions for a while, or for a long time, or even for the rest of your life; but in the end there is nothing you truly gain or can truly hold on to for eternity, as all things are impermanent.

You will die, your wealth can be lost, your lover can fall out of love with you, and your body and all material things will fall apart. When you die, all things you possess will be left behind; nothing you have can be taken with you. In the final end, what is there for you? And what is truly everlasting?

For most, obtaining things is happiness and losing things is suffering; as humans we get some and we lose some. If we have the attitude of detachment, then if we get what we want we can be happy and enjoy it; or if we lose it we might be upset for a bit, but it won’t cause extreme Suffering.

Therefore Buddhism teachings suggest that we carry out our life with the attitude of detachment; then we won’t be extremely upset when we experience pain and suffering; and if we do get what we want, we won’t be overly exuberant and develop fear of losing what we have obtained, which then would turn into a type of suffering again.

How do we develop detachment, an attitude of Non-attachment? First we need to examine what the motive is for why we need something, or why we want it so dearly; then we analyze whether we really need it badly or it was just a momentary passion. After a logical analysis we may come to the conclusion that a particular attachment is an unnecessary passion of our needy mind, and we can logically write it off and cross off the attachment. The attachment to that particular passion will fade like last year’s rose. This process is by logical deduction in Buddhism.

Any other way is more difficult for book Buddhists, and that is where you need training in real practices of meditation and Vajrayana Yogas, which cannot be done without a teacher. As we practice we come to the realization of impermanence: all material and solid things fade into nothingness, and so do our wrongful passions and attachments. In time you come to realize the 4 Noble Truths; then realizing the urgency of the limited time in our life, and what we can do to leave a mark or to obtain permanence, is more important than trivial passions and attachments.

My Personal Reflections

I’ve been working on an eBook based on a PDF, “The Top Ten Ways to be Happy Today!,” which I am developing with my teacher. Point number one is: All I have is the moment (the moment is the only thing that counts; I take time each day to just be in the moment). Over-attachment to outcomes, which I still suffer from, I find pulls me out of the moment, and I meditate daily to work on exercising the letting-go muscles. I’m happy to share the free PDF on which my upcoming book is based. Anyone who signs up for the newsletter can request it for FREE!

As always I look forward to receiving feedback and developing constructive dialogs,

Chris

Protect yourself from Keylogger Programs!

What are keyloggers? We hear so much about the bad things which can happen to your computer when you get attacked and your machine becomes compromised by hackers. Yet what are these mysterious little programs?

Keylogger programs are software programs or hardware devices which record (log) user input on keyboard devices, and in most cases this occurs without the user’s knowledge or consent. This is a popular way that black-hat crackers steal user information for bank accounts. Sometimes organizations will legally use key-logging programs and devices to monitor their employees.

Popular hacking tools such as Metasploit include keylogger and screenshot tools which allow the hacker or penetration tester to capture keyboard input once the victim computer is compromised. In fact, many organizations perform what are called penetration tests, which seek to test how susceptible their computer systems are to these kinds of attacks.

What are some ways to prevent your system from becoming infected, compromised and having key-loggers installed on your computers?

1. Use safe browsing programs like NoScript for Firefox. Here’s a link to a video I created on how to use it: How to Install and Use NoScript for Firefox

2. Read Brian Krebs’s excellent blog on security issues; just keeping up with his columns can help you become safer. If you own a Linksys router you should read this article immediately:

3. Use a different password for each web-site, built from combinations of letters, numbers and special characters. Here’s a video I created on that (Complex Passwords).

In a future article I will discuss using the LastPass program to create and save complex passwords.

Finally, below is some further recommended reading on keylogger programs. Don’t be a victim: some businesses have literally been put out of business by keylogger programs.

Here is a Symantec “Introduction to Keyloggers”:

http://www.symantec.com/connect/articles/introduction-spyware-keyloggers

Here is a Kaspersky article on “What is a Keylogger?”

http://blog.kaspersky.com/keylogger/


As always I’m happy to answer questions you may have.

Chris