I started my career in the network engineering and network administration field.  I held lots of those technical certifications from the likes of Microsoft, Novell and Cisco.  I thought I was pretty smart.  And in truth, I was.  I knew how to build a stable and reliable network that could support thousands of users across large geographic regions.  I could implement access control lists on firewalls, routers and switches.  I could provide access to resources with Active Directory or Novell Directory Services and restrict access like nobody’s business.

Problem was, I was too close to it.  I missed some of the security details because I had the same view every day.  Once I started to focus on security, I quickly realized that I was missing some design principles that could enhance the security of the system.  That’s when I decided to focus on just security.

Read more: Application Developers and Network Admins Need to Stop Pretending to Be Security Experts

Over the past several weeks, the team at Integrity has been called upon to investigate multiple data breaches.  During our investigation in the hacked organizations, these data breaches had the following item in common.  Each had firewall rules that were far too liberal and allowed attackers to easily access systems.  Each organization was hacked because a basic information security best practice was not followed.

Read more: Firewall Rules Are Key to Data Breach Protection

By this time you all know that Home Depot was hacked.  Many of you may be asking why I didn’t cover this in an earlier post.  The primary reason is that I didn’t want to add a bunch of fuel to a fire that was already burning hot.  I’ve read some posts from people hitting Home Depot for not giving any real details and not confirming there was a breach right away.  How could they leave us hanging?

Read more: Home Depot Approached Their Data Breach Correctly

“Time is of the essence.” “Time is money.” Yadda, yadda, yadda.  You’ve heard it all before. Every business leader is pressed for time in one way or another. That’s why today’s post is quick and simple. Here are three questions every CIO should be asking their CISO, VP, Director or “Whatever” of Technology:

  1. Can you prove to me that we’ve not had a system breach in the past “x” months and will your evidence stand up to an independent 3rd party review? 
    The idea here is to make people uncomfortable.  You don’t want to be placated.  You don’t want to hear someone touting their belief in the team.  You want concrete evidence.  Make them show you months of event logs that have been reviewed for anomalies or malicious activity.  Ask for something, anything.  Just don’t settle for “We believe our systems are safe”.   Even if you have no plans to get an independent review, ask them to be able to support their conclusions.  As Ronald Reagan said, “Trust, but verify”.

    Read more: Three Information Security Questions Every CIO Should Ask Their Leadership Team

In case you’ve been asleep at the wheel, everybody thinks they need drones these days: Amazon, your local police department, the pizza delivery guy, the neighbor kid, his dad, everybody.  All of these drones will be equipped with surveillance technology such as cameras, microphones, GPS and RFID.

If you think red light and speed cameras are bad, you’re in for a treat.  At least with the speed cameras, you can avoid that section of town if you really want to.  Once these drones are in the air, privacy as we know it will die.  The FAA needs to step up and address this quickly which unfortunately is not likely to happen.  In the meantime, local jurisdictions will attempt to implement their own enforcement rules. That might even be worse than the feds.

Read more: Drones...The End of Privacy as We Know It

Brian Krebs reported earlier this week about a suspected breach of credit and debit cards at Goodwill Industries stores in at least 21 states.  So when the 2013 Verizon DBIR reported a steep decline in breaches in the retail sector, I guess that was an incentive for the hackers.  Goodwill is just the latest major retail chain to be hacked.

If you’re about to graduate high school or are early in your college years and looking for a career field with long term grow and job security, maybe you should consider any one of the fields within information security.  I think there are a lot companies that will be looking for help in the near future.

A recent study by Osterman Research for Centrify concluded that 15% of respondents said their responsibility to protect employer data on their mobile device was “minimal to none”. 

If this is shocking to you it shouldn’t be.  The report also says users only think about security a few times per year.  I’ve said in the past that many organizations have rushed into BYOD programs.  Mobile devices are taking over our computing environment.  Mobile security is increasingly important.  So is securing the data instead of the device.

BYOD programs have a significant impact on how an organization complies with HIPAA, PCI, FISMA and other regulatory environments.  Has your organization implemented a mobile BYOD program?  Do you have a strong mobile security program in place?  What would you do if 15% of your employees said they didn’t care about the security of your cash?  Would that worry you?

Contact Information

Birmingham Office

205.568.5506


Des Moines Office

515.965.3756


Kansas City Office

913.991.8724