Friday, September 23, 2016

Proper Security “Flow” Begins at C-Level

Water

Everyone knows that water “typically” doesn’t flow uphill. Gravity dictates where water flows and, together with wind and the pull of the Moon, drives currents, tides, waves and even waterfalls, making water a very powerful, albeit sometimes punishing and destructive, element of nature. It can wear away land masses, erode even the most solid of objects and become a very real and imminent danger, such as when tidal waves, typhoons and hurricanes batter the shore.

Yet water’s effects can also be healing, relaxing and calming. Hydrotherapy is commonly used to treat injury, or other system imbalances in the body. The sight and sound of waves crashing on a beach, rain falling in a forest, or water flowing over the rocks in a creek bed can help to bring focus to the mind and carry one’s thoughts away from stressful situations. I’m always amazed at how such random sights and sounds can distract from everything else around me.

Water is a building block of life. Science has shown that all cellular organisms contain water, and physical life cannot exist in its absence (at least in the sense that humans understand). Water supplies nutrients, it hydrates and it nourishes.

Water permeates and penetrates, saturates and combines with other elements and materials to produce a variety of substances. Additionally, water can be found in various states of matter. It can be a solid, a liquid or a gas and, in each state, it has its benefits.

In the natural realm, one might say water is “ubiquitous”.

Security

Like water, a strong security mindset is a powerful force. Driven by proper motivations, it brings about positive change. Security permeates an environment, mixing with other ideologies to help lay the foundation that everything else rests upon. It builds and creates strategic boundaries, effective barriers and trusted solutions for ensuring safety of data and the individuals who both own and utilize that data.

It can exist in various states or configurations, whether they be hardware or software, physical or logical. Provided it is correctly implemented, security is always changing to accommodate the conditions around it. An effective security posture may look different in every environment, making each implementation unique in its own way.

A true security mindset can be somewhat calming, in that it understands and accounts for change. While change often brings new challenges, knowing that proper policies and procedures, analysis and monitoring, corrective action and continuing security-related training are in place helps to ease the mind of company leadership. Knowing this, strong company leaders will strive to drive home their security mindset to the rest of their organization.

Leaders who lack an understanding of security, however, often succumb to fear when they realize that their organization exists in a state of complacency. Their comfort levels become extremely low (as well they should), and they tend to drive initiatives in which they have no background or formal experience. While such efforts may produce the appearance of security, the environment remains at constant risk of attack.

The Cycle

Going back to our discussion of water, we know that it flows downhill or falls, with gravity. Often, water picks up nutrients and minerals along its path, allowing it to provide benefit when it reaches its final destination. The same holds true in security.

But contrary to the physical realm, where “sea level” is at the bottom of the flow, organizational “C-level” sits at the top. The concept remains the same, however: just like water, a good security plan needs to begin at the top if the organization is to benefit from it.

As the plan progresses downward through the organization, it accelerates, but it also picks up further knowledge and experience along the way. Business units, engineering and security departments, and other individuals can take what was envisioned, lend their knowledge to it, and contribute in a meaningful way by providing feedback to the policy and decision makers. Just as the water cycle repeats (evaporation yields condensation, condensation yields precipitation and flow, and eventually new evaporation begins the cycle anew), security ideology continues to revolve. Unlike water, however, which essentially starts over at evaporation, security continues to build on what came before.

Taking the above into consideration, upper management needs a firm grasp of the state of their organizational security posture, including a working understanding of, at a minimum, the risk factors that exist within their environment. They need to understand that, when it comes to information security, learning is a never-ending process. Additionally, they need a willingness to listen to, acknowledge and implement recommended policies and solutions from their management and security teams, and to appropriately convey security ideologies in their everyday interactions with their staff. If this flow is handled appropriately, a company will come out of the cycle with a solid security posture, one that is able to evolve and adapt as the need arises.

Closing Thoughts

In closing, with our 20,000 ft overviews of water and security behind us, let’s reiterate the importance of “C-level” with regard to security. The involvement and interaction of C-level executives is crucial to the overall success of a company’s security efforts. If they convey a weak security posture, the downhill progression can be both destructive and devastating. However, if executives value the security mindset and convey to their staff the principles and behaviors needed to achieve their organizational security goals, the result is most often a strengthened corporate security posture, destined for success.

Thursday, January 7, 2016

Red versus Blue - What to Do? What to Do?

Red versus Blue - What to do?  What to do?
Security’s been lacking, they've let hackers through.

Script-kiddies are giggling, their phishing uncaught.
Someone's opened their email, without even a thought.

Antivirus averted, the firewall’s a bust
and their passwords were stolen, a violation of trust.

Protections were few - no IDS, IPS, or SIEM.
Their reactive analysis proved only a dream.

Now the CEO’s yelling. IT’s grasping at straws
‘cause they’d simply been dwelling, ignoring the laws.

Their posture, unhealthy, their planning was ill.
Now they’re looking for talent with just the right skill,

education and training, but where to begin?
The red team the blue team - do they pull from within?

Consider your goals kids and what training to pursue.
Red versus Blue - What to do?  What to do?

The past seven or eight years, it’s been fairly common for high-school and college students alike to hit me up for IT career advice and direction - particularly in the security realm.  Most of these kids are young and driven out of a desire to earn the ‘big bucks’, but they’re uncertain as to the proper direction to follow, the classes to take or even the school / training to attend.  Additionally, each student has different strengths, goals and ambitions, as well as differing desires and needs for learning, knowing that not all students ‘learn in the same way’.

It’s difficult to give them one specific answer, because I’ve never attended college nor have I gone through ‘formal’ education, in order to do what I do.  Much of what I’ve learned and accomplished was driven by my personal fancies, dreams, ambitions and the goal of always trying to be among the first to do and discover new things.  Add to the mix that the information security world is a very large, continually growing space and you have a recipe for mass confusion, if the conversation begins blindly, from the student’s perspective.

As I sit down and talk with each of them, the biggest, most important question I lead with is, "What do you WANT to be doing in ten to twenty years?"  I ask them to consider, first and foremost, where they want to be (location, professionally, financially) and what their NON-professional goals are.  Quite honestly, the security industry can be extremely taxing on even the most seasoned veteran infosec people.  I want aspiring students to understand that because of the way the field changes, because of the attitudes and stressors that they'll encounter, because they'll quite literally NEVER be able to stop learning and adapting in this field, they need to decide, first and foremost, on their willingness to commit to their goals, wholeheartedly.  This isn't to say that with the right effort and time, life won't all come together nicely.  Just that, more often than not, if a person wants to succeed in both their professional infosec career AND their personal life, their schooling (whether organized / formal courses or self-teaching, seminars, books, videos, CBT's) will likely be much more taxing than their primary / secondary education has been or ever will be and it will likely impact their personal life and 'free time' much more than they'd anticipate.

Once that's been put to bed, assuming the person hasn't run away realizing that the glamorous portrayal of hackers and infosec geeks in the media (untrained / uneducated 'whiz kids', hacking merrily away) isn't the reality they've come to expect, I'm usually asked, "OK, what courses should I take and from where?" This is followed by, "What school should I attend or can I be all self-study, like you?"

<cough> Ahh, how I love loaded questions! </cough>   (They all hope for a straight / simple answer)

As previously noted, I've attended ZERO college, so I can't speak for formal post-secondary education, specifically which school to attend. I could be biased and refer them to some of the schools where my professional colleagues teach, but in all honesty, as I've not taken their courses or those of the others in their departments, I can't speak for the quality of their teaching. Will I mention them in the discussions? Absolutely! Especially if their outside activities (infosec community activity and involvement, conference speaking, tool development, etc) have shown me that they know their stuff. But otherwise, I can't recommend any one over the other from a 'personal experience' point of view.

With regard to 'what to take', this discussion could go a number of directions.  Depending on WHERE a student chooses to attend, the course offerings and programs might differ entirely, from one college to the next.  Additionally, different courses and programs might be geared to one discipline versus another and therefore the student has to make at least an initial career decision (knowing this could change in the future) on what 'part' or role they want to play in infosec, because whichever program or path of study they choose, it needs to benefit their career progression and prepare them to dive in.

This leads us to Red Versus Blue - What to Do?  What to Do? - or even Purple (or White, Gray, Black... but we'll delve into those areas another time)

Ultimately I ask students to really think about the following question.  I ask them for their first, gut response, then we discuss a bit and I follow up with them again after our chat, to see if their thoughts have changed or if their initial answer(s) still stand.  The question is:

"If you were to picture yourself in 10 years, would you want to be in an upper management role (where you're managing the overall security posture and practice of your organization), or would you prefer to be a team leader or member, working on hardware and / or software security and protection, versus trying to break those protections in order to help assure a secure environment?"

This is where our colors come into play.  An upper-level manager, who is responsible for all areas of the corporate security strategy, generally falls into the purple (mixed red / blue) category or leans more in the direction of blue.  Blue is typically thought of as cool / 'safe' and the team members are dedicated to protection - auditing and analysis, hardening systems, building solutions or monitoring existing solutions.  Red is considered to be hot / 'dangerous', and the team members are typically your attackers - penetration testers, malware experts, social engineers or even 'hackers'.

What differentiates the two colors is typically the work they're performing, as well as what I call their 'known' approach.  What do I mean by this?  Well...

While it's not always the case, more often than not, blue team activity is concerned with 'known' information and issues. As they build protections, deploy IDS / IPS, roll out antivirus or what have you, they're following known procedures and best practices (at least, I HOPE they are) in order to watch for and protect against known problems. They're protectors and, by nature, protectors will try their best to prevent 'the unknown', but are obviously much better suited to deal with 'the known'. More often than not, at least in many of the companies and environments I've seen, their approach takes a turn for the reactive side. But every now and then, I'm excited to see a proactive blue team, trying to think ahead of the eight ball (visible, easy to reach and eager to be put to work), rather than sitting behind it, where their activity might be less noticeable and success harder to obtain.

The red team, on the other hand, tends to be more proactive and is always looking for the newest 'unknowns': methods, exploits, vulnerabilities and ways to attack. (This isn't to say they won't take complete advantage of a 'known', if the blue team isn't on top of their game.) While their purpose is still to act as an 'enabler' (and often as additional educators) for the blue teams, so that the blue teams can resolve their problems, red teamers try to remain one or more steps ahead of the curve. They tend to be more aggressive with their education and training, and are always on the lookout for the 'cool' or 'exciting' blog posts, news feeds, IRC discussions and videos showing the latest and greatest methods of exploitation.

Now that I've discussed Red and Blue (and Purple), it's often at least a BIT easier for the students to begin making some decisions.

In either case (red or blue), there will typically be a need for some sort of programming language. Even if the student never becomes 100% proficient in a language, the ability to at least follow along, in general, with a program's flow or execution is a needed skill. Depending upon specialization (red team might include web application hacking, for instance), specific languages such as Python, Ruby, JavaScript, HTML or even shell scripting (Bash) will be more useful than others, so those discussions come into the mix. Alternatively, for 'operating system' / client-side application hackers, there may be more need for C++, Visual Basic or .NET experience. In either case, an understanding of assembly is also a good 'back pocket' skill, even if only at a high level.

Along with programming, both red and blue teams also need at least a reasonable awareness of the latest applications and operating systems, as well as a solid understanding of networking fundamentals. In any modern environment, there may be a mixture of Windows, Linux and OS X devices, and these may be connected via wired or wireless networks throughout the organization. In addition, an understanding of routing protocols and topologies is important for grasping both inter- and intra-office communications, as well as internet connectivity. As such, topics of study in college might include classes on one or more of the operating systems, especially Linux if available, since on one hand it's very similar to Mac OS X (both are Unix-like) and on the other many security tools and distributions are built on and run on Linux. Beyond the OS, networking courses, such as the various Cisco certifications that many schools now offer (or other vendors' courseware, if applicable / offered), should be a staple of any information security curriculum.

Technical classes aside, other courses that would be extremely useful for information security professionals are psychology (useful in understanding how various people 'think', as well as understanding social engineering, phishing, etc), language / writing (it is VERY important to be able to communicate findings, whether to a company or to the infosec community as a whole) and mathematical courses, including statistics, since analysis skills are a big commodity in the industry.

All of the above said, students need to make those 'final' decisions.  First of all, which pieces of what I've already provided fit into their long term goals and plans?  Based on those pieces, which courses and programs will suit their needs and best prepare them for their careers?  Which schools offer the best packages and curriculum in order to accommodate all of the courses and are the instructors well known and active enough (whether in the community or by reputation), such that the students feel they can get the most from the experience?  Finally, dear students, do you think you CAN (and do you WANT to) do all of this learning on your own, or do you feel a collegiate program is better suited to prepare you?

I'll be the last to profess that only a college degree will get you somewhere in life.  I'm living proof that it can all be accomplished without one.  But as a married father of 4, who just had a wife progress through nursing school in her mid-to-late thirties, I'll also be the last to say it's an easy ride if you go it on your own.  The commitment and time required are difficult to substantiate and I can honestly say that, while I'd do it all again, it definitely would've been an easier road to have traveled before the married life.


Tuesday, June 30, 2015

How ‘FIT’ is Your IT Security Posture?

A.J. Materi once said, “So many people spend their health gaining wealth, and then have to spend their wealth to regain their health.”  When it comes to a person’s wellbeing, the profound reality is that too many of us spend our lives reaching for the ‘wants’ that seem important to us, only to realize that the core, root items we ‘need’ have been available, all along.  Yet we’ve squandered and sacrificed our very life-sources, to pursue the wrong goals.

Applying this to IT security, there’s a very distinct parallel. Looking at the companies we work for, the companies we deal with and our customers, very often we’ll find that in pursuit of the perfect IT solutions, tons of money, decisions and effort are spent trying to ensure such things as functionality, profitability, consistency, compatibility, accessibility and end-user satisfaction. At the end of the day, those goals are admirable. They’re desirable. Often they’re absolute requirements, set in stone, and they must be accomplished. All are completely understandable and worthy goals, but…

In the effort to provide all of the things we want, too often we sacrifice in other areas to achieve those wants.  We sacrifice people (staff get overworked, trying to accomplish the never-ending wish lists from product management or customers).  We sacrifice maintainability (code paths get too large, making it hard for current and future developers to support and maintain the code). We sacrifice time (to add increased functionality and features requested by whomever, we dedicate cycles to research and development, training, supporting and documenting).  Some of these sacrifices can be bad.  Some just come as a part of doing business.  However, very often and most importantly, we sacrifice security.

Security and fitness go hand in hand.  To live a healthy lifestyle, one must eat right, develop good habits, exercise regularly, get plenty of rest and continue to adapt their bodies as needed in order to ensure their physical condition remains constant (or for many, improves).  The same things are true for a good security posture.  Knowledge must regularly be fed (security training must always be accounted for and maintained, as IT and technology are always changing), good habits must continue (secure coding habits, incident analysis habits, management habits), exercise is imperative (employees whose skills aren’t tested periodically, in order to find and grow their weak areas, will grow lax and complacent - particularly in security), get plenty of rest (overworked employees tend to make mistakes, fall asleep on the job, miss crucial information, often due to overload) and continue to adapt.  Just as in fitness, IT security employees need to hit the Y.M.C.A (“You MUST Continue Adapting”).

Now, that isn’t to say that the most physically ’fit’ people or security teams won’t eventually have issues.  An example of this is a buddy of mine - great guy, very physically fit.  He’s been running half-marathons (I’m envious, as I used to be a marathon runner, myself, before I let my OWN fitness level suffer on account of work, friends and family life - but that’s changing), eating right, and living a very healthy lifestyle.  Yet, just a couple of days ago, he suffered a heart attack, and is headed to a likely bypass surgery.  He was doing all the right things, but the issues still came.  IT security is very much the same.  You can have all your i’s dotted, your t’s crossed - ‘all your ducks in a row’.  But tomorrow, a new 0-day can pop up in the wild, an end-user can get socially engineered, someone might DDoS your network or ISP...  The list goes on.

However, just as in fitness, it helps to have a support team - those people who are there to push, to motivate, to encourage and to instruct your staff, your security teams and your customers.  The goal needs to be to continue to push through the rough spots, come back from the problems and continue to work to make things ‘better, stronger, faster’ than they were before (Six Million Dollar Man quote, for my generation).  Most importantly, someone needs to maintain the proper focus - just as a powerlifter must focus on his lift, to ensure he doesn’t injure himself by doing things incorrectly, so must IT management and security staff.  The focus needs to be kept on security and have buy-in from management, with an understanding that all of the ‘wants’ need to still be balanced out against the ‘needs’.

Closing thoughts -

If proper care is taken to ensure that the needs (security posture) are always met and properly maintained, then the entire system will thrive and focus can be aimed at the wants, allowing them to come to fruition.  MAKE the time to educate, to practice and to build the overall security posture of your organization, so that you can TAKE the time to handle your wants.  It’s far easier to stay ahead of the needs, rather than to lose sight of them and pay the price, down the road.

Stay Healthy, My Friends

Monday, May 11, 2015

Lions and Tigers and Bears, OH MY!

Recently, I read an article in a local newspaper about a kid that did the wrong thing - http://www.sanduskyregister.com/news/law-enforcement/7871226 . Mind you, I do NOT condone what he did, or why, or how. However, the article sparked a discussion in which it was more or less implied (because of my opinions on 'hacking' and the proper instruction thereof, to kids) that I was 'part of the problem'. I beg to differ, and thus, today's blog post ensued.

"Lions and Tigers and Bears, OH MY!"  That classic line from 'The Wizard of Oz' rings true as I watch parents, teachers and others who are tasked with rearing the next generation.  F.U.D. (Fear, Uncertainty and Doubt) plays a strong part in society's understanding of all things "technical".  While our children are encouraged, from a young age, to reach out / discover / explore and search to define themselves and prepare for their adult lives, too often the responsible parties are the first to discourage anything that they don't understand, simply because they don't realize the importance thereof. If they hear the word 'hacker', they jump to conclusions because of the depictions and definitions in the media, and how hackers are portrayed in entertainment (TV, movies, etc). They don't necessarily understand that a 'hacker', by definition, is simply someone who tries to make something work in a way, or do something, that it wasn't designed to do, often with the end goal of improving whatever they started with.  Sure, there are evil / malicious hackers, but there are also those who hack to make things better.  There are even those who hack for others' benefits ( http://johnny.ihackstuff.com )

With specific regard to the original topic (the young man who stirred up a lot of trouble for the area school districts), as I said, I'm in complete agreement that what the kid did was wrong. However, had the 'responsible' adults exercised the same 'curiosity' he had, and asked what the consequences of someone DDoS'ing their network would be, the reality of the situation should have readily come to mind: a lack of proper distributed design and capacity planning, and a strong need for an overall 'security posture' analysis.

The discussion quickly turned to all of the negative points.  ('The kid is bad, he should be sent to jail / military school', 'hackers are evil', 'my parents would've killed me', yada, yada, yada...)  Folks were quick to condemn the kid, pointing out that what he did was against the law and how everyone should come down on him for the time and expense that his 'hacking' cost the district, law enforcement, etc.

So I could follow along with this negative thinking.  I could concur that his actions were purely malicious (mind you, I DO agree that he obviously had every intention of causing problems and that this wasn't innocent curiosity - I wasn't born yesterday, folks).  I could chime into the choruses of 'string him up and hang him', 'burn him at the stake', 'lock him up and throw away the key'.

But I won't, and here's why...

While this kid did something stupid, there's something to be said for the PROPER education and training of kids who share his curiosity but want to use it in more positive ways - and for good. Perhaps his story will bring more kids to want to learn and grow, in order to better the technologies - kids who are the future of software engineers, security experts and technical geniuses.

Many experts would say that the best time to learn is during the 'school age years'. In most cases, I tend to agree. Younger children tend to be more receptive to learning, and their curiosity often makes them more receptive to new ideas than older people. Case in point: with technology, one will often see kids doing things on computers, phones, tablets - pretty much anything dealing with technology - while adults sit in awe, not realizing the potential of each. Kids experiment, kids challenge the 'norm' (often because they're not yet old enough to accept said 'norm'), and kids are the ultimate 'hackers', in that they'll try to make things work how THEY want them to work, not always how they were designed to work. Their 'hacking' isn't malicious (not all hacking is), but it does encourage change and often leads to making things better than they were previously.

Now, going back to the story and the debate that ensued, I made a point that perhaps we should teach kids 'hacking' in school, in after school clubs, etc. No, not malicious hacking, so to speak, although it can be argued that, in order to make things more secure, someone MUST be taught to understand the malicious methods and the 'evil' tactics. After all, how does one make a technology (or anything else for that matter) better, if they don't truly understand it? That especially holds true in engineering, in design and in SECURITY. In order to attain the unbreakable, one must first understand how things break. It's a never-ending cycle of break - fix, break - fix.

A prime example of a kid who truly understands security (his teachers understand the importance of it, his parents understand the importance of it, the INDUSTRY understands the importance of it) is Reuben A. Paul - aka RAPstar ( https://www.facebook.com/pages/Reuben-A-Paul-RAPstar/209275665828035 ). Reuben is a kid that truly 'gets it'. Not only is he quickly becoming an international speaker and recognized security evangelist, but he's also the CEO of his own company and is the youngest Shaolin-Do Kung Fu black belt, having earned that distinction at only seven years old, in 2013. So here's a young man who 'hacks', hacks well and does it for the right reasons. Reuben understands many of his topics far better than many adults in the industry, and I'm proud of his accomplishments.

A couple further links supporting my point:

http://www.al.com/news/huntsville/index.ssf/2015/03/grissom_high_cybersloths_take.html

http://www.al.com/news/huntsville/index.ssf/2015/04/huntsville_schools_cyber_secur.html

http://www.uscyberpatriot.org/

I propose that America should really begin to put forth the focus and effort to train our youth in this area - not just in these few cases. It's widely reported that other countries (China, Korea, etc) have been training their 'cyber' forces for years, recruiting their talent at a young age. These countries have been leading the world in technological arenas for some time, not simply in security / hacking. If we don't train and recruit our young talent while opportunity and interest from the kids permit us to do so, we're destined to fail when the time comes to both attack and defend. The wellbeing of our military, our educational institutions, our businesses and our country in general relies on the technical ability of our future generations - our children. We need to prepare them, NOW!

Closing thoughts for today, for those who would argue the negative aspects of training kids to 'hack' and learn security in school.  I'm a firm believer in God, and in Proverbs Chapter 22 verse 6, the Bible says: 

"Train up a child in the way he should go: and when he is old, he will not depart from it."

I believe this goes for the home (parents) as well as for educational institutions.  If a child is trained properly and has the proper motives and beliefs instilled in them throughout their lives and education, I believe they'll use the tools and trainings for the right purposes, not for the wrong ones.

Tuesday, May 5, 2015

Staying Balanced, while Navigating on a Slippery Slope

Looking at the state of IT organizations as both an observer and an insider, I’m often overwhelmed at the simplistic approaches taken by many and by the general oversights with regard to their overall security posture. In far too many cases, the CxOs and leadership staff are heavily focused on the business aspects and less on making sure their information and transactions are secured. As I watch the day-to-day goings on behind various companies’ walls, I’ve come to realize that there’s a very dangerous (and very real) air of complacency within these environments - one that can seriously impact their businesses as a whole - and this realization drives me to continue working to evangelize security with what resources and knowledge I have, in order that all might attempt to make things better.

Complacency can be a very bad thing - 

What is “COMPLACENCY”? Webster’s dictionary defines complacency as “self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies”. Further, a second definition refers to it as “an instance of usually unaware or uninformed self-satisfaction”. The key words in both definitions are ‘self-satisfaction’ and ‘unaware(ness)’, and the takeaway is that it’s never good to be complacent when your organizational security is on the line.

Self-satisfaction (that slippery slope I mentioned) -

Self-satisfaction is a very dangerous realm in terms of IT security. True thought leaders in the industry would acknowledge that in the IT world, learning is an ongoing endeavor, a constant pursuit of knowledge and a desire to stay atop the technological curve, which often requires a high level of commitment and dedication by IT staff to maintain. While it’s OK to recognize successes and to feel some satisfaction therein, one must remain focused and cognizant that each success is a stepping stone in a never-ending circle with regard to an organization’s security posture. If one doesn’t carefully monitor the individual steps and feels too self-satisfied, they might quickly lose focus and ‘slip up’.

Awareness is paramount -

In ‘The Art of War’, Sun Tzu (a Chinese military general, strategist, and philosopher) noted the following: "It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."  Military leaders and their forces, throughout the world, relate to the words above in that not only are they valuable offensive strategy, but they’re worthy defensive strategy, as well.  Without a consistent, well-balanced understanding (not only of your own security and environment, but also of the enemy’s tactics and methods), while some wars may be won, sooner or later there’s a strong likelihood of failure.

One can never know enough -

Recognition that “one can never know enough” in this business is key to survival.  So there must come a point where self-satisfaction fades, moving back into a realization that change and action are inevitable in order to best protect one’s assets and data.  Until that point is reached, companies are constantly working to maintain their balance on that very slippery slope.

Companies tend to focus on what’s in front of them today, and are often complacent and unprepared for what tomorrow may bring. Their focus should be forward, toward what lies ahead, yet they’re often still unaware of their immediate surroundings. As technologies change, as environments grow and the footprint of information spreads more widely, technical staff must remain focused on emerging threats and on focused training and educational plans (both for themselves and for all users who might utilize said technologies), so that they are prepared for the current and emerging threat landscape. They must focus on bringing increased awareness to management to facilitate ‘buy in’ and funding, and they absolutely need to investigate opportunities to strengthen their posture.

In closing - 

There is always hope and promise that positive effort, knowledge attainment and hard work can make the IT world more secure.  With the right acknowledgement and buy-in, an organization’s security posture can always be bettered and continued success be maintained.  My closing thought for today is the following:

“In order to maintain your balance on the slippery slope that is IT Security, ensure that awareness comes before self-satisfaction and complacency, lest you slide off the edge and fall to your demise.” - Tim Everson (me)