
Archive for September, 2008

It can happen anytime: Our Coach was Robbed!

After a great time in Nashville on Thursday, we decided to extend our stay, meet with some potential clients and really get a jump on the book, etc. After working through the day on Saturday, we took it a bit easier on Sunday and then decided after dinner to go downtown to Mike’s Ice Cream Parlor (forgive me for not linking).

I have a lot of details - but here is the punchline: in the 90 minutes we were gone, a gang of professional thieves (I’ll explain how we know this later) broke into our coach (RV) through a window(s) and stole all of our electronics — laptops, iPods, headphones, cellphone (the battery was dead and charging), cameras, bags. They also managed to do some damage to the interior of the coach.

WE ARE FINE.

My family is and has been safe. We immediately worked with the Nashville Metro Police Department and due to the size of the theft, the CSI Unit. My training left everything undisturbed, documented and we may have gotten one or two useful prints (and sadly, one or two indicators they had on gloves). Other RVs were hit - cash, electronics, jewelry. Some had more damage than ours.

We are back in Albany for a few days to replace the electronics and prepare to head back out. As luck would have it - this was a travel week for us anyway, so we had some built-in flexibility. We have some backups (but not everything). As I’ve explained it - we ate our own dog food, sorta. We - like you and others - had some steps we *should* have followed and others we literally had planned to follow this week.

I also have some new insights after living through this sort of catastrophic loss. You can bet on me doing a full blog/podcast series on what happened, what we learned and what we’re doing different. These lessons will also be incorporated into the Protecting Information Program, our Family Safety Net Program — and in a new keynote/workshop we will offer as we travel around the country.

I may be a little quieter than usual for a few days - I have a few things I need to focus on and some client calls/meetings that require my full attention. I expect to be in full tilt by the weekend. Oh - and I developed an approach to teaching users about passwords. I’ll be putting it to great use this week - and then develop that into an awareness series.

Since my cell phone was lost, I’m considering options right now. Meantime, you can call me at the office if you want to check in. When time permits, I will transparently share a full accounting of the events, the loss, what we learned and where we are heading next.

Safe, sound and as determined as ever…

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Information Protection | Comments (1)

Reminder: Catalyst Live! Talkcast tomorrow, 2pm ET

I take the stage today to share some insights on “Awareness that Works” - live in Nashville, TN. In the event you were unable to join me in Nashville (or even if you did), we can keep the conversation going tomorrow during the first Catalyst Live! talkcast:

Join me on Friday – September 19th – at 2pm ET (11am PT) for Catalyst Live! – a live chat hosted by Michael Santarcangelo. This week, we look deeper into my recent freeware experience and welcome Dave Cole from Symantec to the call.

I’ll be monitoring twitter and the talkshoe client during the call, allowing us to field live calls, chats and instant messages. Participate in the conversation!

Join In!

Join the conversation on TalkShoe by using the spiffy browser-only client. For the more adventurous, check out the shiny TalkShoe Pro Java client.

To listen and join in – including to ask questions and engage in the conversation, launch your browser and click here: http://www.talkshoe.com/tc/25233 on Friday at 2pm ET.

Call in on regular phone or VOIP lines: dial (724) 444-7444 and enter the talkcast ID, 25233.

Posted in netcast

Security Roundtable for September 13

Martin McKeay and I are evolving the Security Roundtable: we’ll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we’ll be streaming the recording live (http://hak5radio.com:8000/srt.mp3.m3u), opening a chat session and encouraging more bloggers and podcasters to join us.

Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static “panel” of people, we’re exploring more voices, shorter segments and more interactivity. We’d love to know what you think, what you want to hear and if you want to be involved.

While we consider this recording to be an experiment – it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi previously (and liked their approach) and was happy to welcome Marc to the program.

Our rules are/were simple: no sales pitch. Marc didn’t need the rules – he’s got a solid background and jumped right into a meaty discussion about the industry and how we can improve our solutions.

Security Roundtable for September 13th, 2008

The next SRT will be recorded on September 27th, 2008 at 7:00 a.m. PDT.  I’ll be in Las Vegas – so for me, it will actually be nice and early (and I’ll find some Mountain Dew before we start – MD should sponsor me!).

 
Standard Podcast [51:20m]

Posted in netcast

Security Catalyst Community Update: September 16 2008

Greetings from Rochester, NY. We head out today to pick up a few cartons of Into the Breach - hot off the press - and then head to Nashville. Now that people are back to school, and back to work, the forums are really picking up. If you want to help with the planning and expansion of the SCC, please send me an email.

I am also spending more time on twitter these days - and would love to engage in the conversation with you.

Discussion Forum Activity

The Voices of the Community

List of community bloggers and podcasters (I am working to ensure the list is accurate and separate out the blogs from the podcasts — let me know if you need to be updated/included):

What Security Blogs and Podcasts are represented in this community? (http://www.securitycatalyst.org/forums/index.php?topic=28.0)

Join our LinkedIn Group (for active members of the Security Catalyst Community)

http://www.linkedin.com/groups?gid=27010

Here are some recent blog posts from Community Members that you may have missed:

 

About the Security Catalyst Community

We are a positively focused and supportive community that unites passionate professionals to achieve three goals:

(1) Provide a community where it is acceptable to be vulnerable and ask for help when you need it

(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome - share what you have learned without fear.

(3) Participate in a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.

Signing Up for the Security Catalyst Community

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share).

Registration Overview (NOTE THE NAMING CONVENTION)

  • Go here: http://www.securitycatalyst.org/forums/
  • Select the register link
  • Follow the naming standard: firstname.lastname (include the period between first and last names)
  • Your account will be reviewed and approved
  • Jump in and share your thoughts!

Where is Michael - onTour Schedule & Updates

As we set out to journey the country, keep tabs on our schedule and opportunities to meet at www.catalystontour.tv or follow the progress of the book and speaking tour at www.intothebreach.com. As always, if you are on the way (or in the city we are heading), please contact me directly so we can meet. Our RV is our home, and our home is always open to our friends.

Coming Up:

  • Week of September 15: Rochester, NY enroute to Nashville, TN
  • Week of September 22: Las Vegas
  • Week of September 29: San Francisco/Bay Area

Posted in Information Protection

Catalyst Live! Talkcast – Friday

Join me on Friday – September 19th – at 2pm ET (11am PT) for Catalyst Live! – a live chat hosted by Michael Santarcangelo. This week, we look deeper into my recent freeware experience and welcome Dave Cole from Symantec to the call.

I’ll be monitoring twitter and the talkshoe client during the call, allowing us to field live calls, chats and instant messages. Participate in the conversation!

Join In!

Join the conversation on TalkShoe by using the spiffy browser-only client. For the more adventurous, check out the shiny TalkShoe Pro Java client.

To listen and join in – including to ask questions and engage in the conversation, launch your browser and click here: http://www.talkshoe.com/tc/25233 on Friday at 2pm ET.

Call in on regular phone or VOIP lines: dial (724) 444-7444 and enter the talkcast ID, 25233. 

Posted in netcast

Security Catalyst Community Update: September 9, 2008

I’ve mentioned that the two weeks “home” are being used to catch-up, plan and hopefully get ahead. With one week to go, I am making progress (especially on the marketing, blog and podcast fronts). In addition to planning and recording podcasts, I am also spending more time on twitter these days - and would love to engage in the conversation with you.

Discussion Forum Activity

Here are some recent posts in the community. Your voice and insights contribute to the conversation — join in!

Programming note:
I will be publishing a podcast tomorrow breaking down the “freeware evaluation” and lessons learned, including how and why my recommendations have changed. 

The Voices of the Community

List of community bloggers and podcasters:

What Security Blogs and Podcasts are represented in this community? (http://www.securitycatalyst.org/forums/index.php?topic=28.0)

Join our LinkedIn Group (for active members of the Security Catalyst Community)

http://www.linkedin.com/groups?gid=27010

About the Security Catalyst Community

We are a positively focused and supportive community that unites passionate professionals to achieve three goals:

(1) Provide a community where it is acceptable to be vulnerable and ask for help when you need it

(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome - share what you have learned without fear.

(3) Participate in a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.

Signing Up for the Security Catalyst Community

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share).

Registration Overview (NOTE THE NAMING CONVENTION)

  • Go here: http://www.securitycatalyst.org/forums/
  • Select the register link
  • Follow the naming standard: firstname.lastname (include the period between first and last names)
  • Your account will be reviewed and approved
  • Jump in and share your thoughts!

Where is Michael - onTour Schedule & Updates

As we set out to journey the country, keep tabs on our schedule and opportunities to meet at www.catalystontour.tv or follow the progress of the book and speaking tour at www.intothebreach.com. As always, if you are on the way (or in the city we are heading), please contact me directly so we can meet. Our RV is our home, and our home is always open to our friends.

Coming Up:

  • Week of September 15: Nashville (ISSA Conference Keynote on Awareness that Works - with some special surprises)
  • Week of September 22: Las Vegas (Private briefing on Protecting Information Program)
  • Week of September 29: San Francisco/Bay Area (Applying PIP and the book approach to DLP)

Posted in Catalyst onTour, Security Catalyst Community

TalkShoe Failure: TalkCast Rescheduled

Due to a talkshoe failure: service unavailable - I have to punt the effort. I’ll see if we can get it worked out and then try again.

Posted in Information Protection | Comments (1)

Catalyst Live! - Today at Noon Eastern [talk shoe]

Today we venture together into new territory. I am eager to conduct our first “Talkcast” - to explore the way we make recommendations to our users about how they should be protecting their home computers.

The idea of a talkcast is to be more like a talk radio program. We are going to use: http://www.talkshoe.com to host our effort.

The specific program starts here: http://www.talkshoe.com/tc/25233

The program starts at noon. After a brief introduction, I’ll introduce our guest - Dave Cole from Symantec - and then we’ll get down to an interactive conversation.

Get involved!

Posted in Information Protection

Catalyst Conversation Starter: The High Cost of “Freeware”

When it comes to protecting home computers, “Is freeware free?”

This is not a question aimed at the enterprise. Instead, this is a question that cuts to the heart of the advice that security professionals offer to those who depend on that experience and insight to guide them, be they parents, siblings, friends, co-workers or even people we met in passing. Professionals are often called upon to make quick decisions based on experience and training (we can argue later whether this is good or bad). While this may be an accepted business practice - does it work as well when it comes to advising families on how to protect their computers?

I think we need to step back and consider. If someone asks you if they should spend money for a paid software solution to protect their home computer or simply use “freeware” solutions - what is the best answer? What do you recommend today? Why?

To aid in the process, I offer for consideration a report that details my experience evaluating freeware through the lens of a consumer. The report is short. It is designed to be an opportunity to stop, think and engage in the conversation.

Based on a challenge, I stepped back and examined the situation in a manner different than normal for me. I worked to experience the process of finding, downloading, installing, configuring and using freeware solutions. I considered the time spent and took an effort to measure pop-ups, messages and potential frustrations. Taking the time to step back literally changed what I thought and what I recommend. It forced me to examine the “truths” I believed in favor of real experience.

Get the report here: http://www.securitycatalyst.com/eGuides/Security-Catalyst-The-Hidden-Cost-of-Freeware.pdf

Come join the discussion in the Security Catalyst Community here: http://www.securitycatalyst.org/forums/index.php?topic=960.0

(and join me for a live Talkcast on Thursday — Noon Eastern — to discuss this with special guest Dave Cole)

Posted in Catalyst Insights, Information Protection, Security Catalyst Community

The Hidden Cost of Freeware: a Mind Changed

Is freeware really free?

Threats change. Solutions evolve. We no longer only face viruses, but now must contend with a multitude of attacks and other “bad things.” Whether speaking from the platform or offering our “Building Your Family Safety Net” seminar, here are the most important five actions for home computer protection (we handle networking and other elements in a different segment):

1.     Install and use a personal firewall

2.     Install and use anti-virus (and other protections, like anti-spyware, etc.)

3.     Select and use good passwords

4.     Use a regular user account instead of the administrative account

5.     Backup (and test) regularly

After sharing the list, a common question asked is, “What programs and brand should I use to protect my computer?” From the platform, I work to remain neutral on brands and explain that using the solution is what counts - by keeping the program updated. That extended to freeware solutions, too. After all, this was a way to remain independent and still provide value, right?

Turns out my education is in social science with an emphasis on applied economics. Along the way, I wondered, out loud, if freeware was actually free. Economically speaking - which makes more sense - paying for a solution or building a “suite” to protect a PC from freely available solutions?

I recently had the opportunity to step back, put myself in the shoes of a user and experience the difference between piecing together a freeware suite versus a paid solution. This was a chance to step outside of my own expertise and beliefs and approach the situation with a fresh mind. As a professional speaker, I questioned whether I should be staying neutral and agnostic, or if I could provide more insights to help people make a better decision.

My experience and findings actually surprised me - and shifted not only my thinking, but also the recommendations I make from the platform and when working with family, friends and groups of people. Keep reading to learn about my experience in learning that freeware isn’t free, and actually may cost more - and create more hassle - than a current paid solution.

====

Quick note: I will be releasing a podcast with more insights tomorrow, along with the final report from my efforts. Check back for links and insights tomorrow.

 

Posted in Catalyst Insights, Catalyst onTour, Information Protection, Professional Speaking, Security Awareness Training | Comments (1)