Failure to follow fundamental common-sense security policies can produce disastrous results, as the state of Utah discovered
Continue reading "Overlook The Obvious And Risk Everything"
When it comes to mounting a successful defense in what is a fast-changing threat environment, best practices require consistent execution
Continue reading "Effective Security Policy: Emphasis On Execution"
I've been teaching a user security awareness and training course to faculty and staff at our university. One of the great aspects of the class is the discussions that develop out of the participants' questions, like the security of social networks and how to use wireless securely while on the road. Lately, I've been getting one question more and more often: How do I know if a site is safe?
Continue reading "Trusting 'Trusted' Sites Again"
Security, as many consumers have recently discovered, is a matter of perspective. Many consumers carefully lock their houses each night and turn off their computers. They keep their AV products up to date, their wireless connections encrypted, and their passwords in their heads.
Continue reading "New Year Will Put New Pressure On Security Services Decisions"
If you were a criminal, what data would you be looking for? The most obvious answer is to look for the types of data that give you direct access to cash: bank accounts, brokerage accounts, credit cards. Like Willie Sutton, you'd go where the money is, right? And that's why some of the stiffest security defenses surround this sort of account data.
Continue reading "Cybercriminals: Taking The Road Less Traveled"
Last week, another company got egg on its face by running a "we're-so-secure-you-can't-hack-our-stuff contest." When are companies going to learn claims like that always backfire?
Continue reading "Hacking Challenge Shows XSS Still King"
When it comes to security, most security professionals -- indeed, most Dark Reading readers -- are do-it-yourselfers. They do their own research, find their own bugs, and remediate their own systems. It's almost a rite of passage -- if you have to ask for help, you can't be a real security pro. But I wonder, sometimes, if this attitude doesn't hurt small and midsize businesses, in which having even one full-time security professional is more than many can afford. Such businesses are just as concerned about security as their larger counterparts, but when their people attempt to ask questions or get the tools they need to build strong defenses, they are treated as "neophytes" or given tools they simply do not have the time or skills to learn to use properly. And because they don't have tools that work at their skill levels or have the support of the elite security community, they are sometimes left with no easy way to access the best defenses and tools available.
Continue reading "For SMBs, Being Security-Savvy Doesn't Always Mean Doing It Yourself"
Management likes numbers. They get the warm fuzzies when numbers can be graphed in a way that lets them quickly discern what's going on. Of course, if the numbers are bad, they may not feel those warm fuzzies. In the IT security world, we try to provide useful numbers to show what a great job we're doing, but it's hard to quantify thwarted attacks -- other than by relying on numbers from an IPS and anti-malware system.
Continue reading "Security Incident Ratings Made Easy"
Like most computer geeks with the latest toys, I can always find a way to play rather than work. My procrastination tendencies can sometimes lead to troubling results (just ask my girlfriend), so I often give vendors some leeway when it comes to patching vulnerabilities. But some vendors just don't get it.
Continue reading "Java Trouble Brewing For Apple"
BackTrack 4 Pre Final Sneak Peek was released to Informer Blog subscribers last week. Informer, created by Johnny Long and his Hackers For Charity organization, is a fundraising program to help feed children in East Africa, and its blog "is designed to give subscribers a 'backstage pass' to the world of Information Security" by providing access to prereleases of tools, papers, and book chapters.
Continue reading "BackTrack4 Sneak Peek Shows New Forensic Capabilities"
War-dialing received a revival in March with HD Moore's release of WarVOX, a tool that leverages VoIP to speed up the calling of phone numbers to find modems, faxes, and voice systems. Finding modems can help enterprises locate backdoors into their network set up by a rogue employee. Likewise, it can help penetration testers find forgotten or lesser-known ways into a target's network through poorly secured modems.
Continue reading "Backdoors In The Network: Modems, WiFi, & Cellular"
Today Dark Reading launches a new feature: the Security Services Tech Center, a subsite of Dark Reading devoted to bringing you news, product information, opinion, and analysis of the "outsourced" security services and technologies available to augment your organization's IT defenses.
Continue reading "Dark Reading Launches Security Services Tech Center"
I've been talking quite a bit about whether or not users of cloud services can prove compliance with security, privacy, and e-discovery laws. Now a story from The Register has me thinking about yet another issue -- the inescapable question of a service provider's financial stability.
Continue reading "A Cloud Might Save You Money...But What If The Cloud Goes Broke?"
In Friday's Tech Insight, I provided arguments for creating your own internal security lab and some of the benefits to both the business and the IT security professionals. This week, I want to provide more direction on what you'll need depending on the goal and focus of the lab. Today, we'll be looking at suggestions for security teams looking to learn more about and get their hands dirty with some in-house penetration testing.
Continue reading "DIY Pentesting Lab"
Adobe has a bit of a problem on its hands, and it is sitting in a spotlight usually reserved for a company like Microsoft. Adobe is currently responsible for a vulnerability that could allow mass pwnage of the Internet. Even though the company finally released a patch for version 9 of Acrobat and Acrobat Reader, two more versions are due to be patched. In other words, this is a bug that's going to be around for a long time.
Continue reading "Acrobat Antics Here To Stay"
The security of cloud computing is an area I've been following at a distance because I don't currently have any clients who have seriously considered moving any of their data and services into the "cloud." Something caught my eye on Friday, however, that piqued my interest in how security and forensic investigators may handle incidents that involve data and systems in the cloud.
Continue reading "Hazy Forecast For Cloud Computing Forensics"
A popular Website, phpbb.com, was recently hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.
Continue reading "PHPBB Password Analysis"
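As an added example (not the analysis program from the original post), the script below performs the kind of pattern counting described above over a password list: length distribution, character-class mix, purely numeric passwords, the "word plus a short digit suffix" habit, reuse of the site's own name, and how much of the user base the most common values cover. The embedded sample list is constructed for illustration and is not the phpbb data; the function names and the `site_token` parameter are my own.

```python
"""Pattern analysis over a leaked password list (added example, not the
original post's program). Feed it one password per line."""
from collections import Counter
import re
from statistics import mean

# Constructed sample standing in for a real dump; the phpbb list itself is not
# reproduced here. "password" appears twice on purpose to show reuse.
SAMPLE_PASSWORDS = """\
password
123456
letmein
qwerty
password1
phpbb
abc123
trustno1
summer2008
Password1
monkey
dragon
iloveyou
123456789
welcome
football
password
sunshine
p@ssw0rd
111111
"""

# A word followed by a short digit suffix: password1, summer2008, abc123.
DIGIT_SUFFIX = re.compile(r"^[A-Za-z]+(\d{1,4})$")


def char_classes(pw):
    """Label a password by the character classes it contains, e.g. 'digit+lower'."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return "+".join(sorted(classes))


def analyze(passwords, site_token="phpbb", top_n=10):
    """Return a dict of pattern statistics for an iterable of passwords.

    site_token (hypothetical parameter) is the site's own name, so that
    'use the site name as the password' can be counted separately."""
    pws = [p for p in passwords if p]  # drop blank lines
    counts = Counter(pws)
    suffixes = Counter(m.group(1) for m in map(DIGIT_SUFFIX.match, pws) if m)
    top = counts.most_common(top_n)
    return {
        "total": len(pws),
        "unique": len(counts),
        "avg_length": mean(len(p) for p in pws),
        "length_hist": Counter(len(p) for p in pws),
        "class_hist": Counter(char_classes(p) for p in pws),
        "digits_only": sum(1 for p in pws if p.isdigit()),
        "word_plus_digits": sum(suffixes.values()),
        "digit_suffix_hist": suffixes,
        "contains_site_name": sum(1 for p in pws if site_token in p.lower()),
        "top": top,
        "top_coverage": sum(n for _, n in top) / len(pws),
    }


def report(stats):
    """Render the statistics as text, with percentages relative to the total."""
    total = stats["total"]

    def pct(n):
        return f"{100.0 * n / total:5.1f}%"

    lines = [f"{total} passwords, {stats['unique']} unique, "
             f"mean length {stats['avg_length']:.2f}"]
    for label, key in (("digits only", "digits_only"),
                       ("word + digits", "word_plus_digits"),
                       ("contains site name", "contains_site_name")):
        lines.append(f"{label:<20} {stats[key]:5d}  {pct(stats[key])}")
    lines.append(f"top {len(stats['top'])} values cover "
                 f"{100.0 * stats['top_coverage']:.1f}% of accounts")
    lines.append("length distribution:")
    for length, n in sorted(stats["length_hist"].items()):
        lines.append(f"  {length:2d}: {n:5d}  {pct(n)}")
    lines.append("character-class mix:")
    for label, n in stats["class_hist"].most_common():
        lines.append(f"  {label:<20} {n:5d}  {pct(n)}")
    lines.append("most common digit suffixes:")
    for suffix, n in stats["digit_suffix_hist"].most_common(5):
        lines.append(f"  {suffix:<20} {n:5d}")
    lines.append("most common passwords:")
    for pw, n in stats["top"]:
        lines.append(f"  {pw:<20} {n:5d}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_PASSWORDS.splitlines())))
```

To run it on a real dump, replace `SAMPLE_PASSWORDS.splitlines()` with the lines of the file; the "top N coverage" figure is the one that matters most for a defender, because it says what fraction of accounts a brute-forcer gets with a list of only a handful of guesses.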
As infosec professionals, we are often tasked with performing duties that would be considered illegal if we did not receive proper authorization beforehand. For example, if you were performing a penetration test against a system that you or your employer doesn't own, or for which you don't have authorization to access, then you could be violating a number of laws leading to termination and possible criminal prosecution.
Continue reading "Get Your Pentesting Permission Slip"