Roger A. Grimes's blog http://www.infoworld.com/blogs/roger-grimes en

The trouble with S/MIME e-mail encryption
http://www.infoworld.com/d/security-central/trouble-smime-e-mail-encryption-220
<p>A few times a year, I recognize the need for a product where none exists because I hear multiple customers asking for it. This is one of those times. The products that an increasing number of my clients are looking for are e-mail scanning and archiving systems that can handle S/MIME-encrypted messages.</p><p><a href="http://www.infoworld.com/d/security-central/trouble-smime-e-mail-encryption-220" target="_blank">read more</a></p>
http://www.infoworld.com/d/security-central/trouble-smime-e-mail-encryption-220#comments
Security Central Data security E-mail Encryption
Fri, 06 Nov 2009 11:00:00 +0000 Roger A. Grimes 99220 at http://www.infoworld.com

Win the security numbers game
http://www.infoworld.com/d/security-central/win-security-numbers-game-203
<p>I used to be a Certified Public Accountant (CPA) before I learned that computers and <a href="http://www.infoworld.com/d/security-central">computer security</a> were a better fit. Still, you would think that earning a college accounting degree, working at a CPA firm, and passing one of the hardest professional exams in the world would enable me to do my own taxes. But I'm too scared. The tax code is full of thousands of ever-changing laws. There are exceptions to every exception. Believe me, when Congress passes a tax simplification act, CPA firms cheer.</p><p><a href="http://www.infoworld.com/d/security-central/win-security-numbers-game-203" target="_blank">read more</a></p>
http://www.infoworld.com/d/security-central/win-security-numbers-game-203#comments
Security Central Regulatory compliance Risk management
Fri, 30 Oct 2009 10:00:00 +0000 Roger A. Grimes 98203 at http://www.infoworld.com

Don't trust a public PC with your digital identity
http://www.infoworld.com/d/security-central/dont-trust-public-pc-your-digital-identity-126
<p>Contrary to popular belief, stealing someone's digital identity is a snap. It almost seems as though the more we use digital identities, the easier they are to swipe. The reason can be attributed to general carelessness or perhaps outright ignorance, but whatever the case, letting your digital identity fall into the wrong hands can expose you and your organization to a world of headaches.</p><p><a href="http://www.infoworld.com/d/security-central/dont-trust-public-pc-your-digital-identity-126" target="_blank">read more</a></p>
http://www.infoworld.com/d/security-central/dont-trust-public-pc-your-digital-identity-126#comments
Security Central Identity management
Fri, 23 Oct 2009 10:00:00 +0000 Roger A. Grimes 97126 at http://www.infoworld.com

Risk-analysis tools provide the big security picture
http://www.infoworld.com/d/security-central/risk-analysis-tools-provide-big-security-picture-188
<p>All computer security defense ultimately comes down to managing risk. Security admins implement various defenses, each of which should have its own cost/benefit analysis. The cost of the defense should not outweigh the estimated damage of the attack or exploit. For example, if buying anti-malware software for 100 PCs costs $3,900 per year, but cleaning up the damage from a malware attack would cost only $2,000 per year, implementing the anti-malware software wouldn't make sense.</p><p><a href="http://www.infoworld.com/d/security-central/risk-analysis-tools-provide-big-security-picture-188" target="_blank">read more</a></p>
http://www.infoworld.com/d/security-central/risk-analysis-tools-provide-big-security-picture-188#comments
Security Central Malware Security
Fri, 16 Oct 2009 10:00:00 +0000 Roger A. Grimes 96188 at http://www.infoworld.com

IT security admins, get to know your known unknowns
http://www.infoworld.com/d/security-central/it-security-admins-get-know-your-known-unknowns-187
<p>Say what you will about Donald Rumsfeld's defense policies, but the former Secretary of Defense uttered a series of seemingly conflated <a href="http://en.wikipedia.org/wiki/Unknown_unknown" target="_blank">nonsensical statements on July 12, 2002</a>, that actually made perfect sense: "There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don't know. But there are also unknown unknowns. These are things we do not know we don't know."</p><p><a href="http://www.infoworld.com/d/security-central/it-security-admins-get-know-your-known-unknowns-187" target="_blank">read more</a></p>
http://www.infoworld.com/d/security-central/it-security-admins-get-know-your-known-unknowns-187#comments
Security Central Career advice Data security
Fri, 09 Oct 2009 10:00:00 +0000 Roger A. Grimes 95187 at http://www.infoworld.com

Macs' low popularity keeps them safer from hacking and malware
http://www.infoworld.com/d/security-central/macs-low-popularity-keeps-them-safer-hacking-and-malware-138
<p>For two weeks, I was having a heated discussion with some diehard Mac-only fans in a stock forum. It was one of those self-perpetuating, boring Windows-versus-Mac flame wars, where neither side ends up believing the other. Each side sincerely believes their platform is better and destined to rule the world.</p><p><a href="http://www.infoworld.com/d/security-central/macs-low-popularity-keeps-them-safer-hacking-and-malware-138" target="_blank">read more</a></p>
http://www.infoworld.com/d/security-central/macs-low-popularity-keeps-them-safer-hacking-and-malware-138#comments
Mac Security Central Windows Hacking Mac
Fri, 02 Oct 2009 10:00:00 +0000 Roger A. Grimes 94138 at http://www.infoworld.com

How to manage IT security -- without a tech background
http://www.infoworld.com/d/security-central/how-manage-it-security-without-tech-background-214
<p>A close friend of mine just got moved from financial services executive management to the CSO role within her organization. My friend is smart and has more degrees than a thermometer. She doesn't know much about IT security, however -- except that her company isn't doing it right.</p><p><a href="http://www.infoworld.com/d/security-central/how-manage-it-security-without-tech-background-214" target="_blank">read more</a></p>
http://www.infoworld.com/d/security-central/how-manage-it-security-without-tech-background-214#comments
Security Central Data security
Fri, 25 Sep 2009 10:00:00 +0000 Roger A. Grimes 93214 at http://www.infoworld.com

Learn cloud security before it's too late
http://www.infoworld.com/d/security-central/learn-cloud-security-its-too-late-282
<p>Don't believe anyone who says cloud computing is just a buzzword, doomed to become the next failed, overhyped former technology darling. Cloud computing is already here, and if you don't learn to secure it, you won't have much of a job to cling to in the not-too-distant future. Think of the information security version of a Cobol programmer.</p><p><a href="http://www.infoworld.com/d/security-central/learn-cloud-security-its-too-late-282" target="_blank">read more</a></p>
http://www.infoworld.com/d/security-central/learn-cloud-security-its-too-late-282#comments
Cloud Computing Security Central Cloud computing Security
Fri, 18 Sep 2009 10:00:00 +0000 Roger A. Grimes 92282 at http://www.infoworld.com

Windows autorun may autoinfect
http://www.infoworld.com/d/security-central/windows-autorun-may-autoinfect-266
<p>Nothing beats a USB port for convenience, whether you want to quickly transport a couple of gigabytes of files for work, refresh the lineup on your MP3 player, or view the pictures from your recent trip to Boise. Unfortunately, USB ports also provide an overly convenient bridge for malware to creep from a portable media device onto an unsuspecting user's system. In fact, it seems nearly every client I visit these days has numerous computers carrying USB-infecting malware -- even trusted clients with otherwise stellar security histories.</p><p><a href="http://www.infoworld.com/d/security-central/windows-autorun-may-autoinfect-266" target="_blank">read more</a></p>
http://www.infoworld.com/d/security-central/windows-autorun-may-autoinfect-266#comments
Security Central Malware Windows
Fri, 11 Sep 2009 10:00:00 +0000 Roger A. Grimes 91266 at http://www.infoworld.com

Prepare for the next password attack
http://www.infoworld.com/d/security-central/prepare-next-password-attack-521
<p>All that often stands between a malicious hacker and access to valuable, confidential data is a few keystrokes: an end-user's or admin's password. Yet even the most carefully crafted and well-guarded password is susceptible to being stolen from an innocent victim, and crafty miscreants have numerous techniques at their disposal to do the dirty deed.</p><p><a href="http://www.infoworld.com/d/security-central/prepare-next-password-attack-521" target="_blank">read more</a></p>
http://www.infoworld.com/d/security-central/prepare-next-password-attack-521#comments
Security Central Hacking
Fri, 04 Sep 2009 10:00:00 +0000 Roger A. Grimes 90521 at http://www.infoworld.com