
Archive for January, 2007

2007 is bringing improvements to the Security Catalyst…

On this last day of January, I wanted to quickly issue an update as to some of the things I am working on.

First: I’m still working on preparing the launch of the Family Security Series. I know it’s taking me longer than I had hoped… but I have decided that quality is more important; I think you’ll appreciate that. I’m working right now to lead my organization through some exciting changes, and that is taking a bit more time and energy than I expected.

I am focused on creating exceptional experiences - and I hope to bring that to the podcasts (and count on you to keep me honest). I set aside some time this weekend to get the Family Security Series finished so I can roll it out over the next 7 weeks and help you jump start your 2007 awareness program!

Here is a quick overview of what I am planning for 2007:
We enter 2007 with an improved programming schedule, designed to provide you with important insights and information you need to be more effective in 2007. We kick-start the year with a series that you can use to promote awareness and gain an effective improvement in your overall security. We also have series planned to address the challenges and solutions you are considering for 2007.

Teach Your Family Security Series (starting February 2007)

Jump start your security awareness campaign with this seven-part series that explains the five steps every computer user must take to secure their personal computers. We also explore how to secure your wireless connection at home, and then share some tips and tricks the security professionals use with their families.
This series is based on published guidance and will include the audio podcast as well as handouts available in PDF format that you are encouraged to use in your organizations.
Security professionals will benefit from this approach, too, by having a more concrete approach to follow with home users for future initiatives, and by learning new ways to explain these concepts to their users.

Security Solutions and Implementation Series

* Privacy Policy
* Hard Drive Encryption Series
* Information Classification
* Identity Management Solutions
* Others - send in your requests

In each of these series, you can expect:

* A brief overview of the topic
* An approach for drafting a project overview, justification, RFP and initial research
* A briefing on top choices for vendors and solutions (including pricing)
* Interviews and insights from other catalysts that have already implemented the solution

I’m working to program each series (or some shorter episodes that cover one topic) to help provide some insights and guide you through some of the more complex projects many of us are being asked to implement. I plan to approach each show as if I were coaching your organization through this process.

We’re also launching two new programs:

Security Questions and Answers with Adam Dodge
Each month, Adam Dodge and I provide answers and insights to audience questions, and help address consumer security concerns, business challenges and career questions. More than opinion, we provide the details and information you need to make a difference.

Privacy Strategies with John Sileo
Geared for business users, each month John and I will explore the 10 rules of corporate data privacy. Join two authors and professional speakers as we provide insights and information on how you can protect your business.

I’m expecting both to get started in February/March and then we’ll run monthly. We’ll see (but once we get started, it’ll roll).

You’ll also start to notice some subtle changes to the website and our branding, and you should expect more information about the growth of the Security Catalyst Community (and how you can be involved). These changes and information will trickle out over the entire year.

I am excited about the promise of 2007. I am even more passionate about and committed to improving the way we practice security and protect information.

Posted in Information Protection

We need more “people people” in the security profession. I can help.

By Ron Woerner

In his recent ComputerWorld article (http://www.computerworld.com/blogs/node/4425?source=NLT_SIC&nlid=92), Michael Farnum spells out the need for IT folks to be “people” people. Being an asshole no longer works. (See Bob Sutton’s blog.) Marcus Ranum and Bruce Schneier have been saying for years that security is about people and process, not technology.

They talk about the problem, but have no concrete solutions. The only way to fix this is that we—the people who design, write, implement, and manage security—have to learn how to deal with people. We need to get out of our introvert shells and learn about people.

We are rectifying this situation as part of the next generation of security. At the RSA 2007 US Conference, I am leading a session titled “Becoming “People” People – The Kinder, Gentler Security Professional.” This presentation will show the importance of understanding people: how they think, why they act the way they do, and what motivates them. Attendees will learn fundamentals in areas such as psychology, sales & marketing, communications, and leadership to help them be “people” people. They will also receive resources, tips, and tricks to take home to practice being “people” people. These ideas will force infosec professionals to think about this problem and see what they can do to solve it.

For those not attending the RSA Conference, I will provide a complete article describing this after the conference. Until then, here’s a little tidbit: Maxwell’s 30-second rule. Within 30 seconds of seeing someone, say something nice about him/her. This gives him or her attention, affirmation, and appreciation. This simple encouragement will help you become a “people” person.

By helping each other, we all become stronger.

Posted in Information Protection

Listen to the Security Catalyst and Earn CPE Credits!

Thanks to the work of Didier Stevens, here is the official word on how the Security Catalyst (and other security podcasts) can help you meet your CPE requirements (he even wrote about it on his blog):

http://didierstevens.wordpress.com/2007/01/22/listening-to-security-podcasts-earns-isc%c2%b2-cpe-credits/

PS: You can also get CPE credits for writing an article that is published on the Security Catalyst website. If you’re interested, send me an email: securitycatalyst@gmail.com.

Here are the steps Didier follows:
I submit my podcast CPEs under the ‘Self-Study, Computer-Based Training [CBT] or Web Cast’ category.

(ISC)² didn’t tell me which category to use; here’s how I decided on this category: look at this page (https://www.isc2.org/cgi-bin/content.cgi?page=1036), and you’ll see that podcasts are put together with other online events like webinars & webcasts.

I also do some administration for this: I keep a list of the podcasts I submit in a spreadsheet, and I keep a copy of the mp3 files for auditing purposes.

Here is a copy of the official correspondence Didier got from ISC2 services:

This is the answer I got:
Yes, security podcasts are valid CPEs.

Thank you;
(ISC)² Services
P: 888.333.4458
F: 727.738.8522
registrar@isc2.org
Questions about CPEs or AMFs? Visit the (ISC)² FAQ;
https://www.isc2.org/cgi-bin/content.cgi?category=84#cat0213

-----Original Message-----
Sent: Thursday, December 21, 2006 10:52 AM
To: cisspadmin@isc2.org
Subject: Does listening to Security Podcasts earn (ISC)² CPEs?

Hello,

Podcasts are mentioned as CPE activities on the (ISC)² website:

Free/Economical CPEs
Searching for CPE Activities?
Participate in Webinars, Seminars, Pod Casts
Search the Internet for free Webinars, Pod Casts or seminars focusing on security methodology, technology or practices offered by hardware/software sellers and other vendors carrying security-related products. IP Events offer substantive, complimentary “virtual conferences”, for example.
https://www.isc2.org/cgi-bin/content.cgi?page=1036

Can you clarify what is meant by a Podcast? I listen to several security-related Podcasts; a good example is Michael Santarcangelo’s Security Catalyst Podcast (http://www.securitycatalyst.com). Michael is a CISSP, and he produces a Podcast about security. A Podcast is like a radio talk show: Michael talks about a security subject, records this talk and makes the MP3 file available on his website for free.

If listening to this kind of Podcast is considered a CPE activity, then I suppose I can submit 1 CPE per hour listened, but can you tell me if there is a limit to the CPEs I can submit?

Thanks for your help,

Didier

Posted in Information Protection

A Diamond in the Rough of Security Predictions

By Joe Knape 

Prediction is very difficult, especially of the future.
- Niels Bohr

Apparently, drinking too much eggnog and watching a giant ball made of lights drop from the sky gets people in the mood to make predictions for the future. Speaking of which, where’s my flying car?!?

When it comes to security predictions, most of them are redundant, asinine, or just plain wrong in my opinion. But with so many vendors, media commentators, and wonks out there, you’re bound to come up with a diamond or two if you dig around long enough. One such diamond this year for me was Anton Chuvakin’s predictions, which you can find over at http://www.oreillynet.com/sysadmin/blog/2007/01/my_security_predictions_for_20_2.html.
Now, even if Anton Chuvakin’s predictions didn’t come out until January 14th, his article is still one of the few worth reading. We just won’t give him credit for anything that occurred in the first few weeks of January!
If you don’t see a prediction listed below, it is because I agree with it and didn’t feel the need to jump on the “me too” wagon. However, others in the list definitely deserve some additional commentary.

IV. Anton is frustrated at the numerous and sometimes contradictory ways that exist to rate and measure risk.

The absence of an emerging standard can be both bad and good. The “bad” means that enterprises will continue to run programs with little or no aid forthcoming from “industry best practices”. The “good” means that security professionals who are willing will be able to continue taking the best information available and develop programs that best represent the concerns and careabouts of their specific organizations, without worrying about fitting square pegs into round holes.

V. According to Anton, 2007 will not be the “Year of NAC” mostly due to the fact that it means so many different things to different people.

There’s a difference between a network that is well run and one that was well architected, designed and implemented. Operations groups all over the world are running the networks they are given to the best of their ability. Most of the groups that I have personal experience with are doing a phenomenal job considering what they have to work with.
They deserve better and it is up to us as security professionals to work with the designers, architects, and implementers to make sure that the networks that are being handed over are put together with security in mind in the first place. Easier said than done I know, but if we don’t make the effort we don’t make progress.

VIII. There is a question in Anton’s mind about how voluntary compliance frameworks such as ISO17799 or ITIL will fare in 2007.

These standards will continue to be touted by consultancies and even some internal compliance/audit groups. Enterprise wide implementation will hold steady or decline due to all the effort and money that will have to be put into MANDATORY compliance. It’s still all about prioritization and use of limited resources. It’s our job to make sure that we are prioritizing on the things that are right for our companies, even if that means being nice to the auditors.

IX. Apparently security awareness is a topic of great amusement (dare I say derision?) for Anton.

This reaction is unfortunate but all too common. We here at The Security Catalyst and ultimately you the reader can change this for the better in 2007. Let’s prove Anton wrong on this one.

X. And finally, Mr. Chuvakin apparently made some predictions for 2006 (I’ll assume they were made around late 2005 but you never know with these PhD types!) which he thinks are still appropriate, such as client and application based attacks outpacing server and platform based ones.

I agree. At the same time, I couldn’t let you, dear reader, go without giving you something to help you justify the time you spent reading this far. I want you to ask yourself whether your organization’s 2007 security projects are focusing on the REAL risks to YOUR organization, or are still trying to address the theoretical “threat of the month”. You know the one; it gets printed up on every infosec magazine cover and written up in every online security article that month (almost as if they copy each other’s editorial calendars).

If you, your security organization, or your upper management, are still not looking at risks, threats, and mitigations from a company specific perspective, stay tuned to this space because the next few posts will highlight some steps you can take to begin “changing the way people think” (and possibly even yourself) about applying security principles while keeping your particular company in mind.

Are there any security predictions you’ve read that are particularly interesting or disconcerting to you? Leave a comment or send me an email to jdknape@gmail.com. Please keep in mind that I reserve the right to publicly post and respond to anything I get unless I’m explicitly asked to refrain from doing so, but don’t worry I will change any and all names to protect the innocent…and the guilty. Thanks for reading and I look forward to hearing from you.

Posted in Information Protection

LinkedIn: Good for Relationships, Bad for Security?

I believe in the power of human connection. I believe in the power of relationships. And I think that networking done for networking’s sake never works. But if you network by building relationships, then in my experience, you will be more successful in your endeavors.

Recently, there was a flurry of postings about the value of using LinkedIn to build your personal and professional networks. If you have not yet heard about or used LinkedIn, you can learn more here: http://www.linkedin.com/static?key=company_info

From their website:

When you join, you create a profile that summarizes your professional accomplishments. Your profile helps you find and be found by former colleagues, clients, and partners. You can add more connections by inviting trusted contacts to join LinkedIn and connect to you.

Your network consists of your connections, your connections’ connections, and the people they know, linking you to thousands of qualified professionals.

I learned about LinkedIn a few years ago and created a profile. At different times, I have worked to update my information, and am currently working to improve what I have there now. You can check it out here: http://www.linkedin.com/in/securitycatalyst

I’ve talked to many security professionals about using LinkedIn – and we seem to be something of a split bunch. Many I know confidently use (and some swear by) the effectiveness of LinkedIn. Others cite concerns over privacy and security and refuse (or have yet) to use it.

Do you use LinkedIn? Why or why not?

LinkedIn to generate answers for business people?
Yahoo! Answers has been considered a complete success. Even presidential candidates have used it! Perhaps driven by the success of Yahoo! Answers (or perhaps on their own accord), LinkedIn recently created an “answers” solution focused on the needs of business users. When this was announced, it caught a lot of media attention.

Check out LinkedIn Answers here: http://www.linkedin.com/answers

It was one of the developments that sparked my interest, but I have yet to really follow up on it. I do believe that having a cadre of security professionals available to help provide some guidance to others would be a benefit to businesses, so I hope more of us work through this solution and get engaged.

The Good: How LinkedIn Can Help Your Security Career
Admittedly, I have yet to really explore or “tap” into the power of LinkedIn, but I can see that if I were looking for a position, looking to make connections or otherwise trying to grow a network, it could be useful. I’ve put it on my expanding list of things to research and use more in 2007.

It’s also useful for connecting with lost colleagues and old friends. More than once, I have noticed that someone I am connected to is connected to a friend. Through this, I have been able to reconnect with some good friends.

Guy Kawasaki recently wrote an excellent post about how to leverage the power of LinkedIn. You can read it here: http://blog.guykawasaki.com/2007/01/ten_ways_to_use.html

Guy explains 10 ways that you can use LinkedIn, and if you currently or plan to use it, this is entirely worth the read. I might also suggest that if you don’t regularly read and learn from Guy Kawasaki, you’re missing out.

The Bad: Where LinkedIn Can Ruin Your Security Day
The irony of social media is that sharing information (or too much information) can lead to some creative and highly effective attacks. The main concern I see is the benefit to social engineers.

Think about it. Many people who list profile information (and select to make it publicly available, of course) will choose to list the companies they have worked for, the positions they have held – and many who are not security minded list project names and other information that would be a total score for an attacker.

But it gets better (or worse), since now they also see who you are linked to, or what connections you have. If an attacker takes enough time, they can piece together a lot of information and wage a successful attack.

With that in mind, take a minute and consider the work you do and the people around you. Now, think about this: do you have people in your organization who could be poached away because of their LinkedIn profiles?

Seriously. I have found that LinkedIn is fertile ground for recruiters. Well, your competitors know this too. How much damage would it cause you if one of your key employees were courted away – entirely legally!!

So is LinkedIn good or bad for security?
As we know from the practice of security, there are no absolutes. I think that the use of LinkedIn should be a personal decision (which most of you probably already know).

I would suggest that if you are aware that your users are using LinkedIn, you should review your security policy to ensure it covers posting company information to public websites. Then we need to find a way to teach our users about the dangers and risks, educate them about our policies, and help them find effective ways to use LinkedIn without putting the company at unnecessary risk.

My Choice and How I Use LinkedIn
I chose to use LinkedIn. I try to be careful about the information I include in my profile, but as a business owner and professional speaker, it’s to my advantage to be more visible.

As a rule, I don’t link to people I don’t know (or haven’t heard of). That said, if you want to link with me, please let me know a bit about you and that you listen to or read the Security Catalyst and we can connect. Check me out at: http://www.linkedin.com/in/securitycatalyst

Come discuss this with me and the other members of the catalyst community: http://community.securitycatalyst.com/forums/index.php/topic,83.0.html, and we can debate whether it makes sense to start a Catalyst Community Group for LinkedIn. I’d also like to know what precautions you take and how you have advised your users to be more effective and more secure.

Posted in Information Protection

Help Me Help You (Create or Improve Your Website Privacy Policy)

Raise your hand if you have a privacy policy that you think is awesome. Seriously? Cool. Send me a link?

For the rest of us, it’s time to lead by example and create privacy policies that have meaning, can (and will) be enforced and are written in a way that the average person can read and understand.

I know. I know. Privacy Policies have been around for years now – and many of us have drafted them, reviewed them or advised others to have them. When I launched the Security Catalyst Website, we created a privacy policy and posted it. You can see it here: http://www.securitycatalyst.com/privacy/

Now, before you point out all the things wrong with our current privacy policy: I know. And that’s why I am sharing this post with you. When we helped launch the Catalyst Community (which is an effort that is far bigger than our humble efforts), it was pointed out that we lacked a clear and easy to locate privacy policy. Mea culpa. And that’s when I read what we have on the site today. It’s simply not good enough.

Now, I could have simply taken some time and re-written it; but it seemed to make more sense to take a project-based approach to rewriting the privacy policy so that it will be easier in the future. Then I decided that if I make this more of a community project (probably one in which I do the bulk of the work) and release my work in a way that others can benefit, then, well, I’m leading by example, right? I know when it’s time to put my money where my mouth is.

So, a project is born. I know, I know. How many projects can I seem to take on at once? I figure I’ll stretch this out over the month of February (unless I catch a run where I have more energy or time than expected, or if I get some help).

Here is the process I intend to follow (currently)

1. Review privacy policies of websites – specifically looking for what I consider to be good examples.

2. Construct a mind map of the important elements that must be included, as well as additional elements or considerations to create effective and successful privacy policies.

Aside: learn more about the power of mind-mapping here: http://en.wikipedia.org/wiki/Mind_map

3. Use the mind map to develop a basic template of required elements, as well as optional or suggested elements, in Pages (Mac) and/or Word (Mac/PC). I tend to favor creating things in Pages, but we all know the end result will be in a universal (or nearly universal) format.

*** This is an area I welcome some help. Once the elements are all sorted, if you have good MS Word-Fu and can help me build a highly effective (and snazzy) template, that would be rockin. Send me your interest and proof of word-fu to securitycatalyst@gmail.com

4. Use the template to construct a privacy policy for securitycatalyst.com and perhaps another one for the catalyst community (if needed). This will allow me/us to test the template. Once this is completed, I will circulate the policy and the template for review.

5. I will prepare a package for step-by-step privacy policy creation.

Expected completion: March 2007 (hey, I’m trying to be reasonable)

What do I envision as an end result?

1. Once this project is completed, I will review the steps I took to develop the privacy policy and create a podcast. We’ll review, step-by-step, how the templates were created and how you can use them to create your own privacy policy.

Basically, if I do this right, I will be able to distill my research and effort into 45 minutes or less for someone else to create a privacy policy.

2. I will make copies of the supporting elements: mind maps, outlines and templates available under a Creative Commons license so you can use it for your websites, communities and in your organizations.

3. We can then support others through the Catalyst Community Forums (and I hope that you consider joining and helping).

So, how can you help me?

1. Well, I’m interested in websites that you think have excellent privacy policies. Send me the link, please, so I can review it in my efforts.

2. If you have been through this process and want to share some ideas, I’m open to collaboration and will happily give credit where credit is due.

3. If you have the time to contribute to this effort, send me an email and we can discuss what I need and how you can help.

Or if something else is on your mind, hit me with your best email: securitycatalyst@gmail.com

Cheers, and thanks!

PS: This is going to be an example of how I intend to grow the Security Catalyst to provide more direct benefits to professionals and organizations that want to improve the way they think about and practice information security. If I do a good job, I’d appreciate a little link love, some credit and some help growing and improving the Security Catalyst podcast, blog and community.

Michael Santarcangelo
Your Security Catalyst
securitycatalyst@gmail.com

Posted in Information Protection

Security Friday Fast Fact: Three Pillars of Being a Responsible Corporate Citizen

By Joe Knape

Performing your duties as a security professional with the following “code of conduct” in mind is quite possibly the best thing you could do for your company this year.

1. Learn to use what you already have as efficiently and effectively as possible before asking for more.

* Are you using your current people, processes, and technologies to their fullest?
* Are there any people in your organization with untapped or unrecognized potential?
* Are there processes or procedures on the books that aren’t being used?
* Are there policies or standards that aren’t being enforced or are in fact unenforceable or even damaging to the enterprise?

Find those diamonds in the rough, those nuggets of wealth. Use what you have as efficiently and effectively as possible before asking your company to pay for more.

2. Sometimes the best thing to do is to do nothing at all.

If you’ve decided that you ARE using everything you have and it’s time for something new, then before writing that policy or deploying that new device or putting forth that recommendation ask yourself, is it truly necessary? Is it possible the problem isn’t as serious as you might think or the risk isn’t quite as high as first thought?

Try to NOT make changes. Sometimes the problem does just go away by itself.

3. First, do no harm.

If you’ve decided your people, processes, and technologies are being used to their fullest and that something absolutely has to change, then ask yourself: how can I architect, design, deploy, implement, etc. this “new thing” in such a way that it causes the least amount of change or trauma to the enterprise as a whole?

Minimize the amount of change you are responsible for in your enterprise, especially at any one time. When things have to change then make the changes gradually, over time, and always with the rest of the enterprise’s systems at the forefront of your thoughts.

Posted in Information Protection

Out of Site, Out of Mind

By Ron Woerner

With the onset of the information age, laptop computers have become an invaluable resource to individuals and companies everywhere. About half of all computers sold today are laptops. That is also true at my company where half of the work force has a laptop computer.

The nature of portable laptops allows users to be productive while mobile. However, laptop theft has been on the rise. According to the FBI, losses due to laptop theft totaled more than $6.7 million in 2005. The Computer Security Institute/FBI Computer Crime & Security Survey found that the theft of a single laptop costs a company $89,000 on average. For the last seven years, laptop theft has caused the second highest amount of financial loss, second only to damage caused by viruses (2005 FBI Computer Crime Survey).
Special measures should be taken to secure laptop computers:

  • Don’t leave them out and unattended. Secure laptops in a locked room, file cabinet, safe or other container whenever they are left unattended for a long period of time (e.g., overnight, weekends).
  • Care should be taken so that they are not inadvertently left in taxi cabs, buses or rental cars, or in hotel lobbies or rooms. Many city hotels are notorious for having laptops stolen.
  • Avoid leaving laptops in plain view when traveling in personal vehicles. When possible, put them in a locked trunk and make sure the door is locked.
  • When flying, laptops should be treated as carry-on luggage and not checked. It is important that they remain in your control at all times.
  • Store a minimal amount of data on your laptop. The less that is there, the less there is to lose. Portable storage devices like USB “thumb” drives and network drives can be used to back up and store information off of the laptop. Be sure to secure the storage devices, too.

The idea is to protect laptop computers and similar high-value, portable items by storing them where they can’t be seen. As they say, “out of site, out of mind.”

By working together and helping each other, we all become stronger.

Editor’s Note: When locking your laptop in your trunk, try not to let people see you do it. For example, if you’re leaving work and heading to the gym, lock it in your trunk before you leave the office. Not only are laptop thefts on the rise, but organized rings that target laptops are on the rise as well. In fact, depending on where you work, you could easily be targeted by someone wishing to gain access to your information.

Also - Ron’s number about the average cost of laptop theft is accurate, if not low. When your laptop is stolen, people don’t care (much) about the hardware - but now are interested in the information you have.

We’ll be covering this in much more detail when we launch the Hard Drive Encryption series (after the Family Security Series) and when we release our book examining breaches this Spring. Ron, thanks for a great article.

- Michael

Posted in Information Protection

A New Addition to Our Security Podcast: Q&A with Adam Dodge

I hope that your 2007 is off to a terrific start! I spent some time while in Key West thinking about and planning ways we can continue to improve the programming at Security Catalyst, across both the blog and the podcast. Our goal is simple: provide information and resources that you can use to improve the way you think about and protect information.

Now that January is nearly over, it’s time to start rolling out some of the improvements, and we’re going to start with a new monthly security podcast providing answers to your questions!

Adam Dodge (Catalyst contributor and passionate professional) and I met this weekend and spent a few hours reviewing the various questions that I have received and planning out our program. We’re in the process of researching some information and preparing for our first program. Look for our efforts to get started in February.

In the meantime, I sincerely apologize if you have sent me a question in the last few months and I have failed to answer. My schedule picked up rapidly in the second half of 2006 and I didn’t intentionally ignore you. The good news is that I still have those questions and we will seek to answer them in the coming months!

As we continue to refine the program a bit, we plan to focus on questions from three areas: career, consumer/personal, and corporate challenges. In each program we’ll answer one or more questions and work to provide you with information you can use to improve your career or the practice of security.

If you have some questions that you would like for us to address, send questions to: securitycatalyst@gmail.com

In the meantime, if you have a question that can’t wait, you are welcome to send it to me, or may I suggest you consider posting your questions to the catalyst community forums, a healthy and supportive place to ask for help and offer help. I have been excited by the initial participation and look forward to being part of a supportive community.

Here’s to your success as a security catalyst in 2007!

Posted in Information Protection

Security Friday Fast Fact: The Word on Zero-Day Exploits

by David Stern

While it may be true that computers don’t make mistakes, they do run programs that were written by humans. We have grown comfortable with the concept of patching our systems and applications: to improve performance, enhance features and especially to correct ‘bugs’ and other security concerns. Often, bugs that may be considered harmless are actually dangerous and make the system vulnerable to attack.

Developers are used to the code-bug-patch cycle. We have a long-standing tradition of reporting bugs to our vendors, the developers fixing them, then releasing the patch. This, of course, takes time. Further, it only works when the bugs are properly reported and the developers have time to address them.

Recently, we have seen a rise in a type of attack called a “zero-day” exploit. In its simplest form, this is an attack that makes use of a vulnerability that has not yet been reported to the vendor, so no patch is available. The exploit is in use on or before the day the bug becomes public, leaving defenders zero days between disclosure and attack in which to patch; hence the name.

This has a serious consequence for business today. For example, vulnerabilities discovered in MS Word during December have still not been fixed. Incident handlers are seeing specially crafted attacks against specific targets that take advantage of these vulnerabilities. Since Word has become such a core business application, restricting its use is almost impossible. Users must be extra vigilant when opening MS Word files sent to them via email (which poses an entirely different sort of challenge).
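The advice above, that users be extra vigilant with Word files arriving by e-mail, can be backed by a control at the mail gateway while the vulnerability is unpatched. What follows is an added example for this page, not code from David Stern’s post or from Security Catalyst: a small Python triage routine, standard library only, that parses an inbound message and holds any attachment that is a legacy Word (OLE2) document regardless of its file name, or that carries a Word extension but is not actually an OLE2 file. The sample message, addresses, file names and reason strings are constructed for the example.

```python
"""Gateway-side triage of Word attachments while a Word zero-day is unpatched.

Added example for this page; not code from the original post or from
Security Catalyst. Standard library only. The sample message, addresses,
file names and reason strings below are constructed for the example.
"""
import email
from email import policy
from email.message import EmailMessage

# Header (magic bytes) of an OLE2 compound document, the container used by
# legacy Word .doc files (and by .xls/.ppt). Identification is by content
# because the attacker chooses the file name; the header is harder to fake
# without breaking the document.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Office Open XML (.docx, Office 2007) is a ZIP container and is NOT matched
# by this check; it would need its own rule.
WORD_EXTENSIONS = (".doc", ".dot")

# Reason strings are labels assumed for this example, not a standard taxonomy.
REASON_OLE2 = "legacy Word (OLE2) document: hold for review while unpatched"
REASON_DISGUISED = "OLE2 document under a non-Word file name: likely evasion"
REASON_RENAMED = "Word extension but not an OLE2 container: inspect payload"


def classify_attachment(filename, data):
    """Return a hold reason for one attachment, or None to let it through."""
    name = (filename or "").lower()
    has_word_name = name.endswith(WORD_EXTENSIONS)
    is_ole2 = data[:8] == OLE2_MAGIC
    if is_ole2 and not has_word_name:
        return REASON_DISGUISED
    if is_ole2:
        return REASON_OLE2
    if has_word_name:
        return REASON_RENAMED
    return None


def triage_message(raw_bytes):
    """Parse an RFC 5322 message; return [(filename, reason)] for parts to hold."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    held = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), data)
        if reason is not None:
            held.append((part.get_filename() or "<unnamed>", reason))
    return held


def build_sample_message():
    """Construct a test message (not real mail) with four attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"   # constructed addresses
    msg["To"] = "user@example.com"
    msg["Subject"] = "Documents as discussed"
    msg.set_content("Please see the attached files.")
    ole2_blob = OLE2_MAGIC + b"\x00" * 504   # minimal OLE2-looking body
    samples = [
        ("invoice.doc", "application", "msword", ole2_blob),        # real .doc
        ("report.pdf", "application", "pdf", ole2_blob),            # .doc renamed .pdf
        ("notes.doc", "application", "msword", b"just some text"),  # not OLE2 at all
        ("photo.png", "image", "png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for filename, maintype, subtype, blob in samples:
        msg.add_attachment(blob, maintype=maintype, subtype=subtype,
                           filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in triage_message(build_sample_message()):
        print(f"HOLD {filename}: {reason}")
```

Run stand-alone, the script holds three of the four attachments: the genuine .doc, the OLE2 file posing as a PDF, and the text file named .doc; the PNG passes. Holding rather than deleting matters here because Word cannot be banned; a reviewer releases legitimate documents, and the rule is retired once the vendor patch has been deployed.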

We have always had some need to manage the risks presented by vulnerabilities in our operating systems and applications. As awareness of security issues continues to grow, it is vitally important that organizations establish and operate vulnerability management and risk assessment programs, and that those programs include the chain of command so that decisions about unpatched exposures are made at the right level.

Ed. note: all of the Security Friday Fast Facts are now archived in the Catalyst Community. Feel free to come there and use them to make your job(s) easier, to discuss them, or to suggest additional topics you would like to see. - Michael | Security Catalyst

Posted in Information Protection
