Recently, one of my clients experienced one of those mind numbing “oops” moments. One of the software developers had opened up the firewall ports on their laptop to allow certain code to work for their testing. Even though this was against strict company security policy, the developer decided it was easier to do this than have to go through the procedure of having to request the port opening and filling in the substantial information as to why the change was needed. This highlights an important point in business; we mostly employ humans to do a large number of tasks in our offices. Humans think. In the security world, it is referred to as the human firewall.

Someone needs to write a no holds barred, down to earth guide for small to medium businesses so that they can start to implement security into their everyday lives. I think a friend of mine has found the perfect Security Guide for Small/Medium Business.

We all like joke how the government is not good at many things, but historically I find they do write some good guides for security. The guide they published for small business is a non nonsense guide to that can help any business owner with security. If your company relies on computers to operate the business, please read this guide.

I have spent my fair share in hospitals this last month. Various family members have been in hospital for various reasons so I have spend a few nights on cots in the hospital. As hospitals frown on mobile phone use I scoped out the area for a public access computer, which I found. I was pleasantly surprised the computer that only had only Internet access and was not connected to the main hospital network. Many things are improving. Too many places have guest computers which show all the network shares and services but this was not the case.

If your company has a strong open source technical team I would recommend taking a look at AlienVault.

AlienVault is a collection of 15 open source programs which can collect data from over 35 different products to help you manage and monitor your network security blanket. The open source products used range from popular ones like Snort (IDS), Nessus (Vulnerability Scanner) and Ntop (Network profiling).

None of these products are new and have been used by many people in this configuration but what I like about AlienVault is the web site presents the products in a manner that is easy for management to understand and gives security professions a good idea on how to present these open source solutions to management.

There is an interesting story on The Register about a person working for NASA who got duped by a Nigerian fellow and installed malware on a government computer. The article does not tell if the employee got fired or not but this is a good example why large (well any really) businesses need a strict email security policy. As there are many good free e-mail services, there is no longer ANYONE needing to mix work and home emails. Check your home email at home. Some may think this is harsh, but how much money do companies spend in cleaning up the messes that non-company email usage creates?

Two Blackberries were swiped from a U.S. delegation by a press aide to the Mexican President. Does this incident sound the alarm for mobile security solutions, I sure hope so.

According to Aberdeen seven out of 10 enterprises will have deployed with either Blackberry or Windows Mobile by the end of 2008. That is a ton of corporate data on the hip. Hey - if your deployment of your mobile security policy coincides with your mobile device roll out you will have much less to worry about.

Last week in Nashville I broke down and bought an Apple iPhone, and I must say so far so good. The only issue I have is the password I selected for the phone is of course a complex password, thus it takes a little longer to type it in if I had just used a letter based password. I had a weak moment and almost changed my password to something easier. But the little voice on my shoulder said, what are you doing? So I stayed with my complex password. The only thing to make the iPhone complete is if it had a RDP client.

At the end of April 2008, Microsoft will release the final service pack for Windows XP. I set up a Windows XP machine a few weekends ago and after installing Service Pack 2 I had 90+ more updates to do, ugh. I am glad these updates will be all rolled up into Service Pack 3. What I am excited about with SP3 is Network Access Protection (NAP) which allows Windows XP machines to leverage with the NAP features in Windows 2008 Server. This way both Vista and XP machines can leverage NAP on Windows 2008 server.

Both Frank Abagnale and Kevin Mitnick proved by being nice and smooth, it can make many people give out their passwords. Even worse a hacker posing as a market researcher has a high percentage chance that people will give away their password for a chocolate bar. Imagine giving out your VPN password for a chocolate bar!

Smokers seem to get picked on all the time lately, and I am going to pick on them once more. Back in my “physical security assessment” days I worked with a team that would test the perimeter security of buildings. If we could not walk into the front office and march right pass the gatekeeper then we would scope the building for the smoking area. You could walk into a smoking area, bum a smoke (I never smoked it), talk about the weather, and the local sports team then instant trust would be built. While in the smoking area many times I would talk about the office back in city “X” so the people in the smoking area would just think I was visiting from an office in another city, then I could walk right into the office when they returned from their smoke break.

A good gatekeeper and security guard will filter the incoming people into your office building, but is there a security guard in the smoking area to make sure no one sneaks into the building? Have the smokers been educated to make sure not one gets into the smokers door unless they have an office ID badge or a guest pass?

Make sure the corporate smoke break does not smoke your business.