Roger A. Grimes's blog
http://www.infoworld.com/blogs/roger-grimes

S/MIME gateways can create fatal security breakdowns
http://www.infoworld.com/d/security-central/smime-gateways-can-create-fatal-security-breakdowns-172
Fri, 20 Nov 2009 11:00:00 +0000, Roger A. Grimes
Categories: Security Central, E-mail, Encryption

Over the years, I've had several clients use S/MIME to authenticate and encrypt e-mail messages. Unfortunately, encrypting anything end-to-end has problems, including those associated with scanning incoming encrypted messages, checking for data leaks, or indexing for later retrieval. When my clients turn on S/MIME, they are pretty much turning off easy e-mail scanning and retrieval.

Your data is safer in the cloud than you think
http://www.infoworld.com/d/security-central/your-data-safer-in-cloud-you-think-193
Fri, 13 Nov 2009 11:00:00 +0000, Roger A. Grimes
Categories: Cloud Computing, Security Central, Cloud computing, Data security

Nearly every week, news articles crop up shouting about someone's cloud data (http://www.infoworld.com/d/cloud-computing/microsoft-loses-sidekick-users-personal-data-427) or application temporarily -- or in some rare instances, permanently -- disappearing. Name a vendor and they've probably been in the news. "Ack!" and "Not ready for prime time!" go the headlines. Cloud computing may be the future, but it isn't ready for the enterprise.

Or is it?

The trouble with S/MIME e-mail encryption
http://www.infoworld.com/d/security-central/trouble-smime-e-mail-encryption-220
Fri, 06 Nov 2009 11:00:00 +0000, Roger A. Grimes
Categories: Security Central, Data security, E-mail, Encryption

A few times a year, I recognize the need for a product where none exists because I hear multiple customers asking for it. This is one of those times. The products that an increasing number of my clients is looking for are e-mail scanning and archiving systems that can handle S/MIME-encrypted messages.

Win the security numbers game
http://www.infoworld.com/d/security-central/win-security-numbers-game-203
Fri, 30 Oct 2009 10:00:00 +0000, Roger A. Grimes
Categories: Security Central, Regulatory compliance, Risk management

I used to be a Certified Public Accountant (CPA) before I learned that computers and computer security (http://www.infoworld.com/d/security-central) were a better fit. Still, you would think that earning a college accounting degree, working at a CPA firm, and passing one of the hardest professional exams in the world would enable me to do my own taxes. But I'm too scared. The tax code is full of thousands of ever-changing laws. There are exceptions to every exception. Believe me, when Congress passes a tax simplification act, CPA firms cheer.

Don't trust a public PC with your digital identity
http://www.infoworld.com/d/security-central/dont-trust-public-pc-your-digital-identity-126
Fri, 23 Oct 2009 10:00:00 +0000, Roger A. Grimes
Categories: Security Central, Identity management

Contrary to popular belief, stealing someone's digital identity is a snap. It almost seems as though the more we use digital identities, the easier they are to swipe. The reason can be attributed to general carelessness or perhaps outright ignorance, but whatever the case, letting your digital identity fall into the wrong hands can expose you and your organization to a world of headaches.

Risk-analysis tools provide the big security picture
http://www.infoworld.com/d/security-central/risk-analysis-tools-provide-big-security-picture-188
Fri, 16 Oct 2009 10:00:00 +0000, Roger A. Grimes
Categories: Security Central, Malware, Security

All computer security defense ultimately comes down to managing risk. Security admins implement various defenses, each of which should have its own cost/benefit analysis. The cost of the defense should not outweigh the estimated damage of the attack or exploit. For example, if buying anti-malware software for 100 PCs costs $3,900 per year, but cleaning up the damage from a malware attack would cost only $2,000 per year, implementing the anti-malware software wouldn't make sense.

IT security admins, get to know your known unknowns
http://www.infoworld.com/d/security-central/it-security-admins-get-know-your-known-unknowns-187
Fri, 09 Oct 2009 10:00:00 +0000, Roger A. Grimes
Categories: Security Central, Career advice, Data security

Say what you will about Donald Rumsfeld's defense policies, but the former Secretary of Defense uttered a series of seemingly conflated nonsensical statements on July 12, 2002 (http://en.wikipedia.org/wiki/Unknown_unknown), that actually made perfect sense: "There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don't know. But there are also unknown unknowns. These are things we do not know we don't know."

Macs' low popularity keeps them safer from hacking and malware
http://www.infoworld.com/d/security-central/macs-low-popularity-keeps-them-safer-hacking-and-malware-138
Fri, 02 Oct 2009 10:00:00 +0000, Roger A. Grimes
Categories: Mac, Security Central, Windows, Hacking, Mac

For two weeks, I was having a heated discussion with some diehard Mac-only fans in a stock forum. It was one of those self-perpetuating, boring Windows-versus-Mac flame wars, where neither side ends up believing the other. Each side sincerely believes their platform is better and destined to rule the world.

How to manage IT security -- without a tech background
http://www.infoworld.com/d/security-central/how-manage-it-security-without-tech-background-214
Fri, 25 Sep 2009 10:00:00 +0000, Roger A. Grimes
Categories: Security Central, Data security

A close friend of mine just got moved from financial services executive management to the CSO role within her organization. My friend is smart and has more degrees than a thermometer. She doesn't know much about IT security, however -- except that her company isn't doing it right.

Learn cloud security before it's too late
http://www.infoworld.com/d/security-central/learn-cloud-security-its-too-late-282
Fri, 18 Sep 2009 10:00:00 +0000, Roger A. Grimes
Categories: Cloud Computing, Security Central, Cloud computing, Security

Don't believe anyone who says cloud computing is just a buzzword, doomed to become the next failed, overhyped industry former technology darling. Cloud computing is already here, and if you don't learn to secure it, you won't have much of a job to cling to in the not-too-distant future. Think of the information security version of a Cobol programmer.