
What do you think about entrepreneurs?

I have a strong interest in entrepreneurship. As my followers know, I am a long-time member of JCI, and I am a serial entrepreneur myself. I have developed companies in both Norway and France, and I have had my share of successes and failures.

I have decided that this blog - the Roer.com Information Security blog - will change and narrow its focus a bit, and focus on information security for entrepreneurs and start-ups. I hope that this small change in focus will not drive away my current readers, while continuing to grow my readership.

By making this change, I hope to fill what I think is a gap in the security blogging arena - to help start-ups and SMEs achieve adequate security. As far as I see it, most security bloggers out there are in one or more of these three groups:
  • vendor or service provider, focusing on promoting their own products/services
  • (enterprise) risk management, focusing on what many SMEs will consider theory and not very relevant to their everyday focus
  • IT-security, focusing on technology, hacking, and "geek" stuff

I think they all have an important role to play, and that they are needed. But for myself, I do not belong directly in any of the categories, plus I am very interested in entrepreneurship. Thus, I will try to fill this gap :)

But worry not, my readers! I will continue to dish out my opinions on global security, TSA, other bloggers and whatever else even remotely security-related that I feel an urge to comment upon!

On a side note, I have also established a new blog, focusing on another area I love - trainings!

Do you think this is a good move? Or am I walking into a dead end? Your thoughts are highly valued!


Chris Pirillo update on his PayPal loss

Chris Pirillo posted an update about losing US$450 from his PayPal account.

His post includes some tips (known to most of us, but no harm in repeating) on how to stay (more) secure when it comes to PayPal and online shopping:

(cut'n'pasted from Chris' post)

  1. The first thing, it all starts with a clean computer system. A computer system with viruses or keyloggers may be the cause of unauthorized people being inside of your PayPal account. Use security programs on your computer.
  2. Make sure the site you are in is the verified PayPal site, and not a phishing site. You can check this out by checking the domain name in the browser's URL bar. You should see PayPal’s actual site address, and not something else.
  3. Don’t keep large amounts of money in your PayPal account, because people can easily send your money to other accounts in a blink of an eye if they gain access to it. Instead of keeping it on PayPal, keep it inside your bank account.
  4. Check your PayPal history on a daily basis. This way, you can stop money from being transferred if you see it happening when and where it shouldn’t be.
  5. This may be common sense, but use a strong password! Use a mixture of lowercase, uppercase, symbols, and numbers. Make it harder for a hacker to guess to begin with! Reading this post by Chris may help.
  6. When you’re buying something with PayPal, be sure to check that the site you are on is secure. Do this by checking the URL bar. The site should contain “HTTPS”. This will help you determine if the site is fraudulent or not. You can also do research on Google about certain sellers that you may not be sure of.
  7. Shop with well-known companies who have established a good reputation.



He explains the case here:



Do You Have a Problem with PayPal?

New kid on the block!

This post welcomes Chris Hayes to the blogosphere! Chris is a security professional, and he seems obsessed by risk!

The few posts so far are well worth a read, and I am looking forward to Chris's ramblings in the future! In his words, his blog is about:

"A blog about assessing, articulating and quantifying information security risk."

He says he is influenced by Alex & gang, and he is fond of asking his peers "What is Risk?"

Welcome, Chris!

Security Profile: Martin McKeay

Martin McKeay – a long-time security specialist and popular blogger – is next up as Security Profile. He has been in the industry for more than a decade, and moved on to StillSecure a couple of months back. He probably got one of the best jobs in the world – evangelizing about Cobia. He loves getting attention to Cobia, and if you let him start, you end up using Cobia yourself.

Martin has his own security blog over at http://www.mckeay.net/. I have enjoyed it for quite a while as he expresses interesting and educated views. He has maintained this blog for more than 3.5 years (June, 2007). It has made him many new friends, he has learned a lot, and it has enabled him to share his knowledge – something we all know he just loves!

Lately, he has kept most of his focus on the Cobia blog – a job he blogged himself into, by his own account: "Blogging has expanded my horizons, introduced me to new friends and made it possible for me to become the Cobia Product Evangelist. I love to learn and love to share it with others, which made the position a perfect fit," Martin says.


The interest

Martin found his interest in Information Security in a manner many of us will recognize:

M: I've always thought of the security implications of IT, even as desktop support. It amazed me at the time how little people thought of handing their computer over to someone who claimed they worked for the IT department, not to mention passwords on stickies.

When I took over my first network, I continued making security one of my primary concerns, and several years later when an opportunity to become an IDS administrator for a major state agency came along, I jumped at it.

Sounds like someone you know, right?

M: I got interested, and remain interested, in Information Security because of the challenge of thinking of what could go wrong and doing your best to make sure it doesn't happen or happens in a controlled manner.

I like the challenge of thinking about how someone might try to gain access to my network or business and how to stop them.

Controlling your resources

When asking Martin about his view on the role of Information security in the organization, he makes it clear that technology itself is only a measure to enable controls.

M: Security is about controlling what happens to your resources, whether it's the computers on your network or the data on their drives. If someone else controls your resources, you're not secure, it's that simple. All the rest is in the details of how you do it.

K: How can you make yourself a secure environment?

M: If you keep in mind that security is about maintaining control over your resources, not what technology or vendor you use, you're more likely to end up with a secure solution in the end.

K: So by looking beyond technology itself, you are able to better control your business environment?

M: I used to think of security as a set of absolutes, but I've come to learn of it as a viewpoint, especially when you get to the board room. We know what the problems are, how to fix them, but sometimes we don't understand how it affects the rest of the company. So when it comes down to it, security is about doing business, and if a security measure is going to interfere with business, it's security that's going to have to change.


Business impact

Martin is making a very important point here. Security only exists in order to support business goals.

M: I think that one of the trends in security for the last few years has been the realization that security is an integral part of any business and should be treated as such. No longer are the IT and IS departments their own fiefdoms, they're now considered as part of planning from the beginning in many corporations.

This shows that we're maturing as an industry, but it also means we're more responsible for understanding the overall business rather than a small part of it.

K: Do you find security integrated in a good manner today?

M: I think the need to integrate with the rest of the business structure will continue to be a major theme this year and the foreseeable future. We've started down the road to integration, but so far it's only a few companies that really have security involved in all projects from the ground up.

But some day this will be the standard rather than something only exceptional companies are doing.

K: What about compliance and regulations?

M: Industry and government regulations, such as HIPAA and PCI will continue to play a major role in companies as well. The benefit of such regulations is that they give businesses a specific checklist of items they need to secure; the downside of such regulations is that many businesses only deal with the security requirements on the list and don't examine their enterprise outside of these regulations.

As an example, all of the PCI regulations are aimed at keeping credit card information secure, which means you might be able to pass an audit but still have gaping holes in your security somewhere not covered by PCI.

New challenges or new solutions?

K: I know the readers would love to hear about how you view the security market 2007. What are the challenges you see?

M: What will always be the biggest challenge in security is always going to be dealing with a landscape that is constantly changing. Ted Demopoulos calls it securing a moving target, Michael Dahn refers to the need for 'continuous security'.

The business is growing and changing around us, and we need to adapt as well. As much as we'd like to rest on our laurels from time to time, business is changing too quickly for that to happen.

I don't think we face too many really new challenges in IS. We have new solutions to answer the challenges with, but it's always the same problem we're trying to solve. Network Admissions Control was the big buzzword a few years ago, but the real issue was controlling the network endpoints.

New technology, but the same old problems.

A big thank you to Martin!

Read more on Martin:

Personal blog

Cobia blog

Security Profile - Martin McKeay

Thursday this week Martin McKeay, the Cobia evangelist, veteran security blogger and Information Security podcaster, will show up here as the Security Profile.

If you do not know Martin yet, head on to his blog!

Security Profile: Ted Demopoulos – Information security expert, blogger and author

Ted is one of those persons with strong feelings of right and wrong. This is especially shown through his involvement in the security business. He has over 25 years of experience in IT and business, including a security company start-up.

Read more about Ted and his background on his website 


The blogger is Kai Roer, a European Information security professional.
