The security problem is a people problem…surprise.

Well, it looks like the new cyber czar is a noob in the eyes of the greater IT community, all because of his “you don’t have to be a coder” comment.  First, why would one in the IT field expect someone in management to be able to configure a firewall on their own? j/k  Frankly, the cyber czar or any other management position doesn’t need a detailed IT background to succeed where the real problem exists – between the ears of everyone touching a keyboard, mouse, iPad, or smartphone.

Security is not a problem with information technology; vulnerabilities are.  Vulnerabilities are inherently created by the people who created the software.  They are exploited by other people.  Yet other people create the patch or find another way to mitigate the risk.  Still other people choose to apply or ignore the patch, or inadvertently misconfigure the technology, creating more vulnerabilities.  See the common theme?

Fixing the vulnerabilities is actually the simple issue.  Security suffers from lack of interest – it’s not fun to build security into a fancy new application when you can focus on adding another feature.  Who’s got the time to set up their home firewall properly?  Why would a neighborhood convenience store pay more to have their point of sale system set up properly when they already have razor thin margins?  What will it take to get an industrial engineering firm interested in building secure equipment to control our critical infrastructure?  Our government and elected officials are showing some interest in improving security regulation, but how long will that last once the election year is over?  How much can they actually accomplish with no understanding of the problems or solutions?  And who selects the consultants who will influence the decision makers in charge of the purse strings?  What are their motives – profit or the customer?

Take for example the latest Home Depot incident.  Their own staff repeatedly warned them about known vulnerabilities, and many of those staff quit after being ignored again and again.  Home Depot hired a senior IT architect who had been fired from his previous company and then left that company’s network broken by his sabotage.  They assumed monitoring systems would not have detected anomalous activity from the newly discovered BlackPOS malware.  The icing on the cake would be if the purported “cyber insurance” policy exists, as some reports claim, apparently leading the management at Home Depot to think “it’s not really that bad for us.”  What about all of your customers?  Do you think that policy is going to cover blatant insecurity?  What about the inevitable class-action lawsuit?

Home Depot’s problem was a people problem.  It wasn’t just the typical “security does nothing but hurt the bottom line” mentality seen at many businesses.  It was an egregious lack of oversight and enforcement by multiple layers of the business, as well as the card providers allowing businesses to self-certify compliance.  All it would have taken is one person at the C-level to simply think “what if?”  What if I get hacked?  What if one of my employees goes off the rails?  What if my vendors leave a wide-open hole into my payment processing system?

Guns don’t kill people, people do.  Computers do not make insecurity, people do.  Only two possible solutions exist.  Either we as security professionals will convince all the right people in all of the right places why security matters now and how to do it right; or the economy will putter along unfettered by the “shackles” of a security-driven mindset until someone finally causes a cyber-9/11 and brings us to our knees in real life.  The options for either solution are endless, but one key decision must be made.  How will we solve the people problem?

It’s been a while

It’s been a long while since I wrote a blog entry.  Frankly, I’ve just been busy focusing on other things like spending the short summer with my family and dealing with the many changes this merger has brought on me.

One thing that I’ve realized is that I need to focus on myself as much as what’s important in my life.  Career-wise, this merger has really set me back.  I went from a solid focus on networking, security, and managing my AD to damn near everything including helpdesk.  Have I ever mentioned how much I HATE helpdesk?

Well, it is what it is and I have to make do considering where I live.  For now anyway.  And there are positives, like getting training and education that I didn’t have the opportunity to attend pre-merger.  Instead of wasting all of my time being angry over what things have become, I’m taking more control of life.  I’m the one ultimately responsible for where I am and what I become.  As Steve Martin said, “Be so good they can’t ignore you.”  I think it’s time I focus on doing just that.

I’ve spun off another blog to focus on some career aspects which I want to remove from this blog, changing this to a more personal development blog.  I’ve missed writing and hope to do more of it.

I expect all of this will come in fits and starts, but as long as I take a bit of time each day to focus on something important to me I will get there.

Help prevent corporate phishing by changing your MFP’s default subject line!

All too often I see a threatening email with the subject “Scanned from a Xerox Multifunction Device” which could simply be spam, but it could also carry a malicious payload.  These devices come with enough vulnerabilities as it is, and everyone who deploys them should go through all the default settings.  All too often, the leasing company brings them in and only pops in the bare minimum to get the device up and running on the network.  I try to make my rounds and customize the settings, but how many IT shops actually do?

The most basic thing you can do to improve your organization’s security posture is user training, such as don’t open suspicious email.  By not changing these default settings, you are actually undoing that very training!  It only takes a few minutes during the initial setup to change the default subject line and email address to something more fitting to your organization.  Even if you have no access to the device, you will be providing the installer with basic settings such as the device’s IP address, your internal SMTP server address, the device name, etc.  So why not have them set the subject line to “XYZ Company – IT Department Scanner” and an email address of “device-abc@xyzcompany.local?”  This would take only a few extra minutes and actually helps your users build a more secure mindset.
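Once your own devices send a distinctive subject line from a known mailbox, the vendor default subject becomes a reliable indicator on the mail gateway: nothing legitimate inside the company uses it any more, a message carrying your custom subject but not sent from the device mailbox is a spoof, and a “scan” whose attachment is not a PDF or image is not a scan.  The Python below is an added example of that filter, not code from the original post or from any MFP vendor.  The subject line, the device mailbox, the allowed attachment types and the sample messages are all assumed or constructed, modelled on the values suggested above; adapt them to your own device configuration.

```python
"""Flag inbound mail that claims to come from a multifunction printer (MFP).

Added example for the post above; it is not the page's own code. The
organisation-specific values (customised subject line, device mailbox,
attachment types a scanner may send) are assumptions modelled on the post's
suggestion, and the sample messages are constructed test data.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Vendor default subject lines that a phisher can copy verbatim. The entry
# below is the one quoted in the post; add the defaults of your other vendors.
DEFAULT_SUBJECTS = ("scanned from a xerox multifunction device",)

# What our own devices are configured to send (assumed values from the post;
# an ASCII hyphen is used here in place of the post's en dash).
ORG_SUBJECT = "XYZ Company - IT Department Scanner"
ORG_DEVICE_SENDERS = {"device-abc@xyzcompany.local"}

# Content types a scanner legitimately produces; anything else is suspect.
SCAN_ATTACHMENT_TYPES = {"application/pdf", "image/tiff", "image/jpeg"}

ALLOW = "ALLOW"
FLAG_DEFAULT_SUBJECT = "FLAG_DEFAULT_SUBJECT"
FLAG_SPOOFED_SENDER = "FLAG_SPOOFED_SENDER"
FLAG_ATTACHMENT = "FLAG_ATTACHMENT"


def classify(raw: str) -> str:
    """Return a verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()

    # Case 1: a factory-default subject. Our devices never use it (we changed
    # it at setup), so anything carrying it is at best spam.
    if any(subject.lower().startswith(d) for d in DEFAULT_SUBJECTS):
        return FLAG_DEFAULT_SUBJECT

    # Case 2: not scanner mail at all; nothing for this filter to decide.
    if subject != ORG_SUBJECT:
        return ALLOW

    # Case 3: our subject line, but not sent from our device's mailbox.
    if sender not in ORG_DEVICE_SENDERS:
        return FLAG_SPOOFED_SENDER

    # Case 4: right subject and sender, but a payload a scanner would not send.
    for part in msg.iter_attachments():
        if part.get_content_type() not in SCAN_ATTACHMENT_TYPES:
            return FLAG_ATTACHMENT
    return ALLOW


def build_sample(sender, subject, attachment_type=None, filename=None) -> str:
    """Construct a raw test message (constructed sample data, not real mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "bob@xyzcompany.local"
    m["Subject"] = subject
    m.set_content("Please see the attached scan.")
    if attachment_type:
        maintype, subtype = attachment_type.split("/")
        m.add_attachment(b"%PDF-1.4 stub", maintype=maintype,
                         subtype=subtype, filename=filename)
    return m.as_string()


# Constructed samples: one genuine scan, three things the filter should catch,
# and one ordinary message it must leave alone.
SAMPLES = {
    "legit": build_sample("device-abc@xyzcompany.local", ORG_SUBJECT,
                          "application/pdf", "scan.pdf"),
    "default_subject": build_sample("scan@mailer.example.net",
                                    "Scanned from a Xerox Multifunction Device",
                                    "application/pdf", "scan.pdf"),
    "spoofed_sender": build_sample("copier@mail-relay.example.net", ORG_SUBJECT,
                                   "application/pdf", "scan.pdf"),
    "bad_attachment": build_sample("device-abc@xyzcompany.local", ORG_SUBJECT,
                                   "application/x-msdownload", "scan.exe"),
    "ordinary": build_sample("alice@xyzcompany.local", "Lunch tomorrow?"),
}


def classify_all() -> dict:
    """Run the filter over every constructed sample."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:16} {verdict}")
```

The sender check only looks at the From header, which is enough to catch the casual spoof but not a forged envelope; on a real gateway pair it with an SPF or DKIM result, or with the relay’s source address, before trusting the device mailbox.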

I’m interested in hearing anyone’s feedback on this; especially if anyone has verbiage in purchasing agreements to help enforce these types of more secure configurations.

Introduction

Hello – I’ve spun up this blog to help me better categorize the many aspects of work I do and help share my experiences without jumbling up too many topics.  I may choose to consolidate this back into my main blog at some point.

I’ve been working in various aspects of the IT field for almost 20 years, from midrange and PC programming to web development, finally ending up focused on networking and security.  I’ve worked primarily in the utility space and have focused mainly on critical infrastructure security in the last few years.

I’ve got a pretty good handle on the security side; however, I want to delve into how security vulnerabilities are discovered and how to protect against them.  The field changes more every day, making it an exciting aspect of the IT field.

I hope I can both share and gain knowledge from this blog, as well as meet new people in the field to expand my horizons!

My first experience with PenAir

My first experience with PenAir wasn’t horrible, but it was far from perfect.  It can be summed up by saying this – PenAir needs to get its act together in Boston, and service their planes.

A little background:  PenAir bought out Colgan Air’s routes in Maine and now serves as the only regular air service to Presque Isle and Bar Harbor.  They have cut back on the number of flights per day, but still provide at least two flights per day.  I’ve heard complaints regarding their service, but had no experience until this week.

The Presque Isle airport went smoothly as usual.  Things started to go downhill in Boston as they are unable to check you in to your connections.  This requires you to head all the way over to the departing terminal and check in.  I should qualify this by saying I was flying United, so your mileage may vary with other airlines.  I remember having to go through this process when Colgan/US Air had this flight.  This might be a general comment on all airlines, but one would think you could get your boarding passes all at once regardless of airline.

Coming home was the same cluster plus one additional problem – the PenAir desk is well hidden in a small alcove with the US Airways Shuttle service.  The desk staff seemed inexperienced and disorganized, but friendly nonetheless.  I stood in line for about 15 minutes before anyone acknowledged my presence, but having six non-English speakers in line with me likely didn’t help.  I could go on about the cluster that is Logan’s security checkpoints, but anyone who’s been to Logan knows how this works.

Our flight left about 10 minutes late due to some issue with luggage, but I wouldn’t blame this on PenAir as it was pretty common during my recent trip.  Boarding the plane is always a bit interesting, as it’s a small Saab turbo-prop.  I think these might be the same planes Colgan used, which would explain the state of disrepair inside the cabin.  Several seats around me would not lock in place regardless of what origami position you folded them into.  Several of the air vents needed adjustment as they were loose and required two hands to adjust.  I’m pretty sure this wasn’t the plane I flew out of Presque Isle on, but I do remember a few complaints regarding broken seats.

Our flight crew and steward were excellent, well mannered and helpful.  The plane itself looked physically and mechanically sound despite the state of the plane’s interior.

My suggestions to PenAir are this:  Get your planes’ cabins serviced.  No one likes to be lectured about putting your seat and tray tables in the upright and locked position when it’s not mechanically possible.  Not to mention it makes you look bad.  As it stands right now, I may have to use your service to Boston, but I wouldn’t recommend anyone get aboard your planes when they have other options.