Just a quick, but late note, to say thanks to our friends at Core Security and Qualys. This past Tuesday, they pulled together another great crowd of professionals interested in learning more about how to build an efficient vulnerability management system. Special thanks also to Dr. Eric Cole for his dedication to the profession and down to earth security wisdom. It was a privilege to share the virtual mic with Dr. Cole.
For those of you who tuned in, you will recall that Mike Yaffe asked each of us to close with a pearl of wisdom, a poignant thought. I challenged everyone to never make assumptions about how secure a device, host, or application may be. There are too many tools, processes, and security professionals available to leave the security of sensitive data to chance.
If you don't know where to start, begin with what is most important. Where's your restricted data, cardholder information, patient data, financial information, secret sauce? Who has access and from where? How are they accessing it and where does that data go? Do the answers to these questions align with your legal obligations, corporate policy, and industry best practices? By focusing on high value, high impact systems, you'll quickly get the attention and perhaps the funding you need to make a difference -- even when the economy isn't so hot.
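The first two questions above, where the restricted data is and who can read it, are the ones a data-discovery pass answers. As an added example (not code from the original post or from Core Security or Qualys), here is a minimal scanner for one data type, cardholder primary account numbers: it walks a directory tree, pulls out 13 to 19 digit runs, keeps only those that pass the Luhn checksum so that phone numbers and order IDs are mostly ignored, masks what it finds, and records the file owner and whether the group or the world can read the file. The sample files, their contents and the directory layout are constructed inline; the card numbers are the well-known test numbers, not real cards.

```python
"""Find candidate cardholder data in files and report who can read it.

Added example, not part of the original post. Answers "where is the
restricted data and who has access?" for one data type: primary account
numbers (PANs). Sample files below are constructed for the demo.
"""
import os
import re
import shutil
import stat
import tempfile

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digits-only, Luhn-valid PAN candidates found in text, in order."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep the first six and last four digits so the report itself is not restricted data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def access_summary(path: str) -> dict:
    """Who can read this file: owning uid, plus group- and world-readable bits."""
    st = os.stat(path)
    return {
        "uid": st.st_uid,
        "group_readable": bool(st.st_mode & stat.S_IRGRP),
        "world_readable": bool(st.st_mode & stat.S_IROTH),
    }


def scan_tree(root: str) -> list[dict]:
    """Walk root and return one finding per file that contains Luhn-valid PANs."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue  # unreadable to us; that is a finding of a different kind
            if pans:
                findings.append({"path": path, "pans": [mask(p) for p in pans],
                                 **access_summary(path)})
    return findings


def demo() -> list[dict]:
    """Build a throwaway tree of constructed sample files, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="datadisc-")
    samples = {
        # test card numbers, world-readable: the kind of export that gets left behind
        "export.csv": "id,card\n1,4111 1111 1111 1111\n2,5555-5555-5555-4444\n",
        # a phone number and a 13-digit order id that fails Luhn: no finding expected
        "notes.txt": "call 555-123-4567, order 1234567890123 shipped\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "export.csv"), 0o644)
    os.chmod(os.path.join(root, "notes.txt"), 0o600)
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Point it at a share or a home directory tree instead of the temp directory and the output is the first draft of the inventory the questions above ask for. Two caveats: Luhn only filters noise, it does not prove a number is a card, so confirm hits by hand; and the owner and mode bits tell you who can read a file on that host, not who has reached it over the network, which is the "from where" question and needs access logs or share permissions to answer.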
Assumptions will burn you. Never assume your safeguards are simply working. Security erodes: controls degrade over time unless they are tested and tuned on a regular schedule.
Never assume someone else is "taking care of" security. Chances are someone thinks you're watching their back -- you'll want to make sure those roles and responsibilities are documented.
Never assume just because people attended security awareness training they're now "aware." Phish them. Social engineer them. Surf their desks for sensitive data.
Aggressively pursue the truth. Find it before someone else does.
Simon