
Join me at the Microsoft Small Business Summit This Wednesday

I am honored to be a speaker on protecting information for the Microsoft Small Business Summit on Wednesday. I fly out to Redmond on Tuesday morning - and have my moments during the day on Wednesday.

You can follow along live! At this link:

http://www.microsoft.com/smallbusiness/summit/

I am a day 2 speaker - with an impressive lineup of guests:

http://www.microsoft.com/smallbusiness/summit/guests.aspx

This is a live program, but I have been working with the producers for a few weeks now - and I am excited about the questions, thought process and opportunity to share some different thinking about what businesses need to do to protect themselves. More, we’re also going to explore how the right approach to protecting your business can actually save money and increase the opportunity for more revenue (as outlined in Into the Breach). To me, that’s a really cool conversation.

I hope you check it out. I look forward to the opportunity to continue the conversations through this blog, the podcast(s) and as we fire up the diesel and head out on the road again (Friday - next stop, Kansas City!).

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Catalyst onTour, Information Protection, Into the Breach, Professional Speaking

Are you making it easier for people to do their jobs?

If you have heard me speak publicly, you know I advocate that the role of a security professional is to make it easier for others to do their jobs - while protecting information.

To be clear, this does not diminish network security, network operations or anything of the sort. That directly supports my point: done properly, the network operates in a way that does not impose a burden on users.

While at the “Apple Festival” last weekend, we took time to visit one of my favorite exhibits - a museum of working, but retired, farm equipment. Much of it is from turn of the century through the 1960s. Some of the equipment was routinely used in the act of farming and other support roles until the 1980s and 1990s.

I can’t explain why, but I have always been drawn to pickup trucks, tractors and flashlights. So to see a working series of tractors far older than I is simply amazing. As a kinesthetic learner, I am immediately transported back in time - and allow myself to be fully absorbed in the moment. I love learning. Period. But I really love learning about history - and specifically how improvements shifted the way things were done.

That brings us back to security. I have a sense that many organizations have lost sight of what they do, what they provide. The recent break-in and burglary of our RV put us in contact with a lot of different organizations. The responses have been interesting - and illuminating. And when the emotion has had a chance to subside a bit, I’ll post a transparent account of what we learned. What I can share today is that many organizations have lost a sense of who they are, what they do and who they serve.

But it is not too late!

Last Sunday, I watched simple - yet powerful and impressive - machines in action. What struck me most was the fact that these machines were designed and used to make it easier for people (farmers, in this case) to do their jobs. They allowed them to do more with less, expand their farms, provide for more people or make more money with the resources they had. These simple machines (especially by today’s standards) were powered independently, easy to understand, use and repair. Did I mention they still work?

In fact, these machines were so simple that my five-year-old could quickly and easily understand what they were, what they did and how they worked. Can you say the same about the way information is protected in your organization?

The more we travel, the more I meet with people who explain their elegant laptop encryption solutions, extravagant VPNs and other measures to protect information. But when I have the opportunity to work with the people upon whom these ‘solutions’ are inflicted, I find that the solutions were not designed and implemented with people in mind; as a result, they actually make it harder for people to do their jobs. This brings the unintended consequence of further disconnecting people from their responsibility to protect information - and ultimately creates more risk that is more difficult to assess, measure and manage.

I wrote Into the Breach to present a straightforward solution that any organization can use to make an immediate difference in the way people protect information. We are launching the Protecting Information Program to provide the additional guidance, insight and accountability people need to make the shift. I look forward to the opportunity to meet and support your efforts to make the change and join me in the challenge to change the way people protect information.

Until then, when you can, go check out some old farm equipment - and notice how it made it easier for people to do their jobs. Then ask yourself a simple question: is the solution I am working on going to make it easier for people to do their jobs?

Posted in Catalyst Insights, Information Protection, Into the Breach

Security Catalyst Community (SCC) Update for October 7 2008

With all the activity the fall brings, take a few moments to learn from your fellow catalysts - and the time to share your experiences. This is what unites us as professionals. Even when we feel we lack the time, making the time to engage brings benefit to every person involved.

I am also spending more time on twitter these days - and would love to engage in the conversation with you. You can learn more about twitter here: http://twitter.com/ and “follow” and chat with me here: https://twitter.com/catalyst

Discussion Forum Activity

Here are some recent discussions ripe for contribution or learning:

List of community bloggers and podcasters

(I am working to ensure the list is accurate and separate out the blogs from the podcasts - let me know if you need to be updated/included)

What Security Blogs and Podcasts are represented in this community? (http://www.securitycatalyst.org/forums/index.php?topic=28.0)

Join our LinkedIn Group

For active members of the Security Catalyst Community; once I get the new laptop and have had a chance to catch my breath from the recent break-in, I’ll focus on cleaning up the LinkedIn list - and ensuring we take strides to meet and work together.

http://www.linkedin.com/groups?gid=27010

Here are some recent blog posts from Community Members that you may have missed:

About the Security Catalyst Community

We are a positively focused and supportive community that unites passionate professionals to achieve three goals:

(1) Provide a community where it is acceptable to be vulnerable and ask for help when you need it

(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome - share what you have learned without fear.

(3) Participate in a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.

Signing Up for the Security Catalyst Community

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share).

Registration Overview (NOTE THE NAMING CONVENTION)

      Go here: http://www.securitycatalyst.org/forums/

      Select the register link

      Follow the naming standard: firstname.lastname (include the period between first and last names)

      Your account will be reviewed and approved

      Jump in and share your thoughts!

 

Where is Michael - onTour Schedule & Updates

As we set out to journey the country, keep tabs on our schedule and opportunities to meet at www.catalystontour.tv or follow the progress of the book and speaking tour at www.intothebreach.com. As always, if you are on the way (or in the city we are heading), please contact me directly so we can meet. Our RV is our home, and our home is always open to our friends.

Coming Up:

Once the RV is repaired (working on it now) and our laptops restored (also in progress), we head right back out - and amazingly, don’t really miss a beat!

  • Week of October 6: Albany, NY (pending RV repairs and insurance hand-to-hand combat)
  • Week of October 13: Seattle for the MSFT Small Business Summit http://www.microsoft.com/smallbusiness/summit/
  • Week of October 20: Kansas City for the MCSF Keynote http://www.mcsfonline.org/
  • Week of October 27: Seattle (still confirming details)
  • Week of November 3: Portland, Oregon, Keynote for: http://www.nwsecurityconference.com
  • Week of November 10: (transit back to East Coast, perhaps via Dallas)
  • Week of November 17: DC Metro (still confirming details) and Philadelphia, PA for a private briefing for the CSO Breakfast Club

Posted in Catalyst onTour, Security Catalyst Community

The Answer in the Clouds

Taking advantage of the beautiful fall weather this weekend, my family and I attended a local apple festival. It was an excuse to get out of the house, get some fresh apple cider donuts and have some fun on a beautiful fall day.

On the ride there, my children asked for some jazz on the radio and then called out the different things they ‘saw’ in the clouds. The list was common (trains, dinosaurs, bulldozers…) - and encouraged my wife and me to gaze up to “see what we could see.”

The ‘apple festival’ was held on some local fairgrounds that are well established, including some museums, pavilions, horse stables and a music amphitheatre (well, it has a stage and benches). The real gem of the day was the music and the freshly cooked food that was a little less than the picture of perfect health.

With a batch of fresh-cut French fries, we sat on some benches and listened to a jazz group entertain the crowd. When the fries were gone, I lay back on the bench and just looked up at the sky. The ride to the festival still fresh in my mind, I started to look for patterns. The first few looked like inkblots to me, then I saw some x-rays and finally, the imagination kicked in and I saw dinosaurs, alligators and a host of other things. Soon, the entire family was looking up at the clouds - in the middle of the festival around us, we celebrated the clouds.

For a few minutes, I was entirely in the moment. I absorbed the fall hue the sky took on, enjoyed the clouds and was content with the world.

Then it hit me - we allow ourselves to be so focused on the technology and the need for immediate solutions that we fail to take the time to let the clouds roll by. This leads to a vicious cycle where the so-called solutions actually create more problems. When we can step back and just let things be - we can see them for what they are. More:

  • We can look for simple solutions; the ones that probably work best and require the least.
  • We can allow our creativity to come through - and we certainly need more of that in nearly every aspect of life.
  • We can relax, experience life and find common, but powerful, ways to connect with those around us - whether friends and family or our colleagues (which for some of us comprise our friends and family)

Technology has a place in our solutions. We live in a dynamic world with some interesting and often complex challenges. Such challenges require equally dynamic - but SIMPLE solutions. The way to get to simple solutions is to step back, gather, absorb, ponder, plan and test. This leads to the right requirements that generate solutions that work.

Want to develop better solutions? Then create better requirements. Here are three steps to get started:

1. Take time to first understand - then engage in conversation to reach a mutual agreement on what the end goal is.

2. Enjoy some time to ‘look at the clouds’ and test a range of ideas - creativity counts. Stepping back with a more complete understanding allows for better requirements, better solutions and less overall complication.

3. Document the requirements independent of the solutions and use them as a guide.

There are more steps - and I will be explaining and using them in the coming months as we take a closer look at the burglary of our RV - and how it has improved our planning and actions on a personal, family and business level.

While you have the opportunity - step outside today and look up at the clouds. If you can’t see trains, dinosaurs, dragons, roller coasters and a heap of other things, then maybe more cloud gazing is the answer for personal and professional success.

Continue the conversation with me

About Michael

Michael Santarcangelo is a human catalyst. An expert who speaks on information protection — including compliance, privacy and awareness that works — Michael energizes and inspires his audiences to change the way they protect information. His passion is contagious and his approach gets results that shift thinking and change behaviors. Add the Security Catalyst to your organization today to get the results necessary for success.

Posted in Catalyst Insights, Catalyst onTour, Information Protection

Security Catalyst Community Update: October 2, 2008

Greetings from Albany, NY - where the leaves are turning and there is a crispness to the air that only autumn can bring. I love the fall, and this has been an upside of the recent events that brought us home. The book is now available - and I will be posting details in the coming days on how you can get a signed edition!

In the meantime, take the time to learn from your fellow catalysts - and the time to share your experiences. This is what unites us as professionals. Even when we feel we lack the time, making the time to engage brings benefit to every person involved.

I am also spending more time on twitter these days - and would love to engage in the conversation with you.

      You can learn more about twitter here: http://twitter.com/

      and “follow” and chat with me here: https://twitter.com/catalyst

Discussion Forum Activity

List of community bloggers and podcasters

(I am working to ensure the list is accurate and separate out the blogs from the podcasts - let me know if you need to be updated/included)

What Security Blogs and Podcasts are represented in this community? (http://www.securitycatalyst.org/forums/index.php?topic=28.0)

Join our LinkedIn Group

For active members of the Security Catalyst Community; once I get the new laptop and have had a chance to catch my breath from the recent break-in, I’ll focus on cleaning up the LinkedIn list - and ensuring we take strides to meet and work together.

http://www.linkedin.com/groups?gid=27010

Here are some recent blog posts from Community Members that you may have missed:

 

 


Posted in Security Catalyst Community

Security Roundtable for September 27, 2008

Social media and social networking continue to spread - and that includes the security community. If you have heard about twitter, wondered about a service that begins with ‘twit’ and have pondered the advantages and concerns - listen in to the Security Roundtable that discusses those very points.

Our guest for this episode is Zach - security professional, friend of the show and curator of the Security Twits list.

Twitter: www.twitter.com

Zach: http://twitter.com/quine

Michael: http://twitter.com/catalyst

Martin: http://twitter.com/mckeay

 

Security Twits: http://n0where.org/security-twits/

 

Next Recording: Saturday, October 11, 2008 @ 10a Eastern - look for the live stream (and your chance to participate) around 10:15.

 

PS: 10 Days after the break-in and theft - we’re still working with insurance and others to sort out the mess, get the laptops replaced and head back out on the road. I will be posting a complete run-down of what happened, what we did well, what we learned and how we are going to improve. I’m also following the advice of my book - and will be publishing a set of requirements and inviting participation as we all learn smarter ways to protect ourselves. This will hit home for small businesses and those who travel a lot. 

I am confirming some exciting opportunities this week and next - and should be back out on the road within the next 10-15 days. The theft slowed us down a bit, but has not stopped us. Not one bit. Thanks for your continued support and help!

 
Standard Podcast [39:19m]

Posted in netcast

Reminder: Catalyst Live! Talkcast tomorrow, 2pm ET

I take the stage today to share some insights on “Awareness that Works” - live in Nashville, TN. In the event you were unable to join me in Nashville (or even if you did), we can keep the conversation going tomorrow during the first Catalyst Live! talkcast:

Join me on Friday – September 19th – at 2pm ET (11am PT) for Catalyst Live! – a live chat hosted by Michael Santarcangelo. This week, we look deeper into my recent freeware experience and welcome Dave Cole from Symantec to the call.

I’ll be monitoring twitter and the talkshoe client during the call, allowing us to field live calls, chats and instant messages. Participate in the conversation!

Join In!

Join the conversation on TalkShoe by using the spiffy browser-only client. For the more adventurous, check out the shiny TalkShoe Pro Java client.

To listen and join in – including to ask questions and engage in the conversation, launch your browser and click here: http://www.talkshoe.com/tc/25233 on Friday at 2pm ET.

Call in on regular phone or VOIP lines: dial (724) 444-7444 and enter the talkcast ID, 25233.

Posted in netcast

Security Roundtable for September 13

Martin McKeay and I are evolving the Security Roundtable: we’ll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we’ll be streaming the recording live (http://hak5radio.com:8000/srt.mp3.m3u), opening a chat session and encouraging more bloggers and podcasters to join us.

Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static “panel” of people, we’re exploring more voices, shorter segments and more interactivity. We’d love to know what you think, what you want to hear and if you want to be involved.

While we consider this recording to be an experiment – it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi previously (and liked their approach) and was happy to welcome Marc to the program.

Our rules are/were simple: no sales pitch. Marc didn’t need the rules – he’s got a solid background and jumped right into a meaty discussion about the industry and how we can improve our solutions.

Security Roundtable for September 13th, 2008

The next SRT will be recorded on September 27th, 2008 at 7:00 a.m. PDT.  I’ll be in Las Vegas – so for me, it will actually be nice and early (and I’ll find some Mountain Dew before we start – MD should sponsor me!).

 
Standard Podcast [51:20m]

Posted in netcast

Catalyst Live! Talkcast – Friday

Join me on Friday – September 19th – at 2pm ET (11am PT) for Catalyst Live! – a live chat hosted by Michael Santarcangelo. This week, we look deeper into my recent freeware experience and welcome Dave Cole from Symantec to the call.

I’ll be monitoring twitter and the talkshoe client during the call, allowing us to field live calls, chats and instant messages. Participate in the conversation!

Join In!

Join the conversation on TalkShoe by using the spiffy browser-only client. For the more adventurous, check out the shiny TalkShoe Pro Java client.

To listen and join in – including to ask questions and engage in the conversation, launch your browser and click here: http://www.talkshoe.com/tc/25233 on Friday at 2pm ET.

Call in on regular phone or VOIP lines: dial (724) 444-7444 and enter the talkcast ID, 25233. 

Posted in netcast

The Hidden Cost of Freeware: a Mind Changed

Is freeware really free?

Threats change. Solutions evolve. We no longer only face viruses, but now must contend with a multitude of attacks and other “bad things.” Whether speaking from the platform or offering our “Building Your Family Safety Net” seminar, here are the five most important actions for home computer protection (we handle networking and other elements in a different segment):

1.     Install and use a personal firewall

2.     Install and use anti-virus (and other protections, like anti-spyware, etc.)

3.     Select and use good passwords

4.     Use a regular user account instead of the administrative account

5.     Backup (and test) regularly

After sharing the list, a common question asked is, “What programs and brand should I use to protect my computer?” From the platform, I work to remain neutral on brands and explain that using the solution is what counts - by keeping the program updated. That extended to freeware solutions, too. After all, this was a way to remain independent and still provide value, right?

Turns out my education is in social science with an emphasis on applied economics. Along the way, I wondered, out loud, if freeware was actually free. Economically speaking - which makes more sense - paying for a solution or building a “suite” to protect a PC from freely available solutions?

I recently had the opportunity to step back, put myself in the shoes of a user and experience the difference between piecing together a freeware suite versus a paid solution. This was a chance to step outside of my own expertise and beliefs and approach the situation with a fresh mind. As a professional speaker, I questioned whether I should be staying neutral and agnostic, or if I could provide more insights to help people make a better decision.

My experience and findings actually surprised me - and shifted not only my thinking, but also the recommendations I make from the platform and when working with family, friends and groups of people. Keep reading to learn about my experience in learning that freeware isn’t free, and actually may cost more - and create more hassle - than a current paid solution.

====

Quick note: I will be releasing a podcast with more insights tomorrow, along with the final report from my efforts. Check back for links and insights tomorrow.

 

Posted in Catalyst Insights, Catalyst onTour, Information Protection, Professional Speaking, Security Awareness Training