Help Bail JJ Out of Jail! 

Share

This Thursday, March 15th, I’ll be hosting the RSA Conference Online Peer2Peer chat session on BYOD, “Doubts, Dread and Decisions: Dealing with BYOD in the Enterprise”. The live P2P session at RSA was full 15 minutes before we started! If you missed that session, or couldn’t attend RSA, this is your opportunity to participate with your peers. Registration is free and open to the public.

RSA Conference Online, Peer2Peer
Thursday, March 15, 2012
8:00-8:30am Pacific | 11:00-11:30am Eastern
Doubts, Dread and Decisions: Dealing with BYOD in the Enterprise
Moderated by Jennifer Jabbusch Minella, Chief Information Security Officer, Infrastructure Security Specialist, CAD, Inc.

To participate, just register for free at http://www.rsaconference.com/events/online.htm. Please check your login access PRIOR to the event. I’ve had a few issues logging in when I originally set up my account.

To view the full RSA Conference Online schedule, visit http://www.rsaconference.com/events/2012/usa/rsac-online.htm.

I look forward to seeing you online Thursday!

# # #

Share

Recently I had the privilege of working with Pen Test Magazine for an interview to promote Low Tech Hacking. As you may have heard, all royalties from the book are going to the Wounded Warrior Project, an organization everyone can be proud to support.

They were kind enough to offer a 50% off discount to new subscribers, PLUS a free copy of Low Tech Hacking (if you subscribe this month).

Here are the details…

If you haven’t heard of PenTest Magazine (http://pentestmag.com/) yet, you may be familiar with some of their other publications, such as Hakin9 (http://hakin9.org/), and about a dozen titles in four languages. PenTest Magazine is a weekly downloadable IT security magazine, devoted exclusively to penetration testing, featuring articles by penetration testing specialists and enthusiasts, experts in vulnerability assessment and management. They cover all aspects of pen testing, from theory to practice, from methodologies and standards to tools and real-life solutions. I have several friends that write regularly for the magazine and have been pretty impressed with the depth and breadth of articles.

If you want to check it out first, you can download shortened teasers of the articles to see if the content suits your interests.

The PenTest Magazine subscription includes 4 editions each month, one per week.

Each month, you’ll receive 4 editions:

• PenTest Magazine Regular (week 1)
• Auditing & Standards PenTest (week 2)
• PenTest Market (week 3)
• Web App Pentesting (week 4)

Your subscription includes 4 issues a month, that’s 48 issues in a year. Each magazine averages 50 pages, giving you 200 pages of content each month! That’s practically a whole book of juicy tidbits every month. With your discount code, you’re paying just $2.30 an issue.

Week 1 PenTest Regular	Week 2 Auditing & Standards	Week 3 PenTest Market	Week 4 Web App PenTesting

How to subscribe at 50% off:

http://pentestmag.com/subscribe/
Your 50% off DISCOUNT CODE: PT50M2

Regular Subscription: $180 + tax = $221.40 (1 year, 48 issues)
Discounted Subscription: $90 + tax = $110.70 (1 year, 48 issues)

To get your free copy of Low Tech Hacking:

Subscribe to an individual annual subscription and get free hardcopies of

• Low Tech Hacking: Street Smarts for Security Professionals
• Security De-Engineering: Solving the Problems in Information Risk Management
• Network Security First-Step (2nd Edition)

After you’ve subscribed, just send an email with “Bookish Spring” in the subject at: malgorzata.skora@software.com.pl

More info can be found at http://pentestmag.com/bookish-spring-with-pentest-magazine/

Thanks to Malgorzata and the team at Pen Test Magazine! This is a great offer, and I’ve taken advantage of it already and subscribed myself.

# # #

Share

…and BYOD doesn’t necessarily mean consumerazation. Here are some key differences that affect how we’ll manage and secure devices following these two trends.

One of the points I made during my talk at today’s CITE (Consumerization of IT Expo) conference here in San Francisco was to differentiate between trends in consumerization and BYOD. Right now, the thinking is there’s a lot of overlap, and while that may be the case at the moment, I anticipate a change in the near future. Here are some key differences that affect how we will manage and secure devices following these two trends.

BYOD (Bring Your Own Device) is the emerging trend of organizations allowing managed users to supply and use their own device of choice at work. These are personally-owned devices that will be, in most cases, dual-purpose, hosting both personal and professional applications.

I see a lot of hurdles in this trend, mostly centering around psychological aspects, and a drastic change in mindset to one that can accept the comingling of personal and corporate applications and data. There will also be a slew of new technical complications; support and troubleshooting on various platforms, working through web-based business apps that only work well on one or two browser platforms and I certainly anticipate issues with compatibility of installed applications and maybe even antivirus and web browsing habits.

It’s possible that BYOD devices may not even be consumer-grade devices in the end. With the complexities of platforms and interoperability, we may see organizations negotiating with vendors for special pricing and bulk discounts for employees to purchase enterprise-class machines to use, for home and work. If you can have a solid state drive, more memory and a better OS for the same money, why not?

It’s possible that BYOD devices may not even be consumer-grade devices in the end.

It’s going to be a bumpy ride for BYOD, but we’ll reserve those thoughts for another discussion. Let’s move on to consumerization.

Consumerization is the matriculation of consumer devices in to the business market. It’s been a term used since the early 2000’s, and in today’s discussions we use the word to directly address consumer devices being introduced directly to the enterprise environment. Consumerization at this moment seems to be a phase of “introduction” versus “adoption” or “adaptation”.

Organizations are now purchasing these consumer-grade devices and managing them alongside the already-established enterprise-class devices. The best example is the rampant adoption of tablets – from hospitals and doctors’ offices to government facilities and enterprises all over. These things were designed to be toys; to watch movies, read books, play music and games. They weren’t designed with manageability and security in mind. And, because of that, we have some unique hurdles to overcome in the next 6-12 months as we introduce these little misfit devices in to our networks.

Organizations are now purchasing these consumer-grade devices and managing them alongside the already-established enterprise-class devices.

I’ve worked with two organizations recently that returned entire batches of tablets because the entire OS choked and died after indeterminate periods of time being connected to secured 802.1X (WPA2-Enterprise) wireless networks. After much research and digging, I found the issue to be a common chipset and driver. It was apparent the manufacturer had no plans to address or fix the issue, so back in the box they went. In environments like hospitals, pre-shared key schemas aren’t an acceptable level of security for these devices.

Another great example came from my friend Gal Shpantzer, when he pointed out that most of today’s FDE (full disk encryption) solutions authenticate at pre-boot and aren’t set up to take input from touch-only devices, such as tablets. At least one vendor has worked through this, and I expect we’ll see other FDE solutions following suit.

These are just a two examples of special considerations we’re making so we can introduce and secure these devices. As the months pass and more organizations jump on the bandwagon of adding toys to the environment, I’m sure more gremlins will pop up, and the market will respond in its usual Whack-a-Mole style, addressing each as it rears its little head!

To summarize, there’s a lot of anticipated overlap between BYOD and consumerization, but to secure them effectively, they need to be addressed as two different trends, with different sets of challenges and solutions.

# # #

Share

RSA starts next week, and there are so many sessions! How do you know which topics, tracks and speakers will deliver the content you want? Here’s a guide to get you going, with my quick tips and some great advice from the RSA Conference Senior Content Manager, Jeanne Friedman.

There are 6,269 sessions at RSA. Okay, not really, but it sure FEELS like the conference agenda is a page from The Neverending Story. With hundreds of sessions and about 500 speakers, finding the right content and right speakers for your needs can be cumbersome. The perceived value of a conference has a lot to do with which sessions you end up in, and how well that content and speaker resonates with you. It’s a very personal decision, selecting sessions. Here’s some advice to help you wade through the volume of options at this year’s RSA Conference.

During my recent interview with the RSA Conference Senior Content Manager, Jeanne Friedman, I asked “What words of wisdom do you have for attendees selecting the sessions they want to attend at RSA?” If anyone knows best, it’s Jeanne. Here’s her advice for you: 

Don’t confine yourself to one track – every track might actually have a session you might be interested in. And don’t forget about the Peer2Peer sessions – if you are looking for real experiences and insight and an opportunity to ask questions, these sessions are the place to be. I also tell delegates to look for the star speaker ratings – these are speakers that have been highly rated in the past. However, we always have so many new speakers who could be our next potential ‘stars’ that you shouldn’t limit yourself to the star sessions.

- Jeanne Friedman, Senior Content Manager, RSA Conferences

Quick Tips for finding (and making it to) the right sessions:

1. See what content will be available online

Don’t stress about making it to all the sessions. A lot of content will be available online later, either in its original format, or as part of a follow-up series. For example, new for 2012, RSA is hosting RSA Conference Online, which includes 20-minute sessions and live Q&A with speakers, interactive P2P sessions and keynotes. See what’s available at:
http://www.rsaconference.com/events/2012/usa/rsac-online.htm

2. Read the track descriptions

Get an idea of what topics are covered in each track. There’s always quite a bit of cross-over between topics and tracks, but some of the more specific ones will guide you toward (or away from) that content.
http://www.rsaconference.com/events/2012/usa/agenda/track-descriptions.htm

3. Use the mobile app to stay on task

During the conference, everything moves fast. There are plenty of resources, guides and foldie-thingies that list tracks and details, but if you don’t want to lug around books and papers,  THERE’S AN APP FOR THAT. Whether you have a Droid, BlackBerry, iPhone or tablet. Grab the RSA Conference app now, and use it onsite to find sessions, speakers, make notes, and even locate vendor booths on the expo floor.
http://www.rsaconference.com/events/2012/usa/mobile.htm

4. See what Jeanne says on the blog

Follow along and get more advice from Senior Content Manager Jeanne Friedman at the RSA Blog. You’ll see a weekly Friday Five, plus a ton of additional information on specific tracks, speakers and other conference events.
http://365.rsaconference.com/blogs/rsa-conference-blog

5. Review the conference archives

See the type of content that specific vendors, tracks or speakers have shared in the past, and decide ahead of time if that’s what you’re looking for (or not).
http://365.rsaconference.com/community/archive/usa

6. Public sector? Check out the government industry specific sessions

RSA has identified a handful of sessions on various topics that may be of interest to you.
http://www.rsaconference.com/events/2012/usa/agenda/government-sessions.htm

7. Use RSA’s personal scheduler

Try the personal scheduler. Don’t pigeonhole yourself in to any tracks or sessions, but use this tool to mark your don’t-miss sessions. Once the conference gets started, the time FLIES by!
https://ae.rsaconference.com/US12/scheduler/login.jsp

8. Podcasts

Download podcasts by RSA Speakers and see if you like the speaker and their content. Here’s another note from Jeanne Friedman, Senior Content Manager, ”We do about 60 podcasts with speakers about their sessions ahead of time and we post the slides. You can find out quite a bit about what the sessions will cover ahead of time.”
https://365.rsaconference.com/community/connect/blog/tags/podcast

9. Peer 2 Peer

I’m going to echo Jeanne’s sentiment about P2P sessions. I’ll be hosting one this year on BYOD, and this is my 3rd or 4th year hosting P2Ps at RSA, and I’ve attended several more. I have to say, the dialogue is invaluable and P2Ps are some of my favorite sessions. If you miss the P2Ps at the conference, or you can’t attend this year, catch some of them at RSA Conference Online.
http://www.rsaconference.com/events/2012/usa/agenda/peer2peer-sessions.htm

Happy hunting!

# # #

Share

I’ll be updating this page with BYOD resources I’ve found helpful, including media coverage, real war stories and results of surveys and statistics. We all love numbers, don’t we?

On Security Uncorked

• Consumerization is not BYOD, and what that means for security

Articles and Opinions

• BYOD: Bring your own device could spell end for work PC
  by Fiona Graham, BBC News
• Navigating the “Bring Your Own Device” Policy: An IT Manager’s Guide
  by Brian Proffitt, @TheTechScribe at HP Input Output blog
• Four keys to successful BYOD
  Note: This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
  by Eric Vanderburg, vendor contributor on Network World
• Can employee-owned devices save companies money?
  The costs of a ‘bring your own device’ (BYOD) enterprise deployment can be tricky to figure
  by Ellen Messmer, Network World
• Ignoring BYOD Spells Disaster
  by Joe Onisick, Network Computing
• Whitepaper on BYOD
  by Network World and Bradford Networks, 4-page PDF
• Security Manager’s Journal: BYOD planning gets a big boost
  Virtual desktop infrastructure to support personal devices
  By Mathias Thurman, Computer World

Research, Surveys and Stats

• Results on Survey: IT Organizations Embrace BYOD
  16-page report of the findings plus individual graphs with results of adoption, reimbursement plans, drivers and concerns
  by Citrix
• Job Survey: Online Holiday Shopping and BYOD Security
  The survey also examines the growing “bring your own device” (BYOD) trend that is blurring the lines between personal and corporate devices
  by ISACA
• Closing the Consumerization Gap
  Based on 3,000 respondents
  by IDC and Unisys
• For Purchase: Enterprise-Grade BYOD Strategies: Flexible, Compliant, Secure
  by the Aberdeen Group, $399
• Global IT Survey by Cisco
  Highlights Enthusiasm over Tablets in the Enterprise, Shows Customization, Collaboration and Virtualization as Key Features

In the Wild

• K12 in US: Hanover Public School District in PA
  The schools’ documented BYOD policy
• Commercial in US: Intel CISO: Policy, Accountability Created Positive Results
  Article with Intel’s CISO and how they address BYOD

I’ll keep adding to the list. If you’ve found a resource you like, send it in!

# # #

Share

BYOX is my new buzzronym. Here are your resources for BYOX at the RSA Conference and beyond.

Bring your own X, where X equals ”device”, “technology” or “new mobile gadget of the day”, is a hot topic for organizations of all types; government, education and of course commercial enterprise. The advantages and disadvantages of BYOD are numerous, and in many cases CXOs are finding the pros and cons nullify one another, creating an environment of strong emotions, steadfast opinions and a thunderstorm of debate.

A handful of organizations, large and small, have begun tackling the onslaught of BYOD in their environments. And, in the coming months, it’s anticipated that many more companies across the world will be hosting political, legal and technical discussions to address this growing trend.

This year at the RSA Conference, I’ll be hosting the BYOD Peer2Peer session “Doubts, Dreads and Decisions: Dealing with BYOD in the Enterprise” Thursday afternoon. I expect the session will a hit, and with a limit of just 20 participants in the P2Ps, we’ll probably have a packed room. As with all my P2Ps and roundtables, I’ll be providing attendees with a resource guide. Several of you have reached out to ask if I can make that available to all readers, and the answer is “absolutely.”

Between now and RSA, and probably beyond, I’ll be posting resources, summaries, links to research and surveys, and of course a guide to finding BYOD topics at RSA.

If you’ve seen a good BYOD resource, please email me from the contact page, or post a link and comment here, to share with other readers.

• Guide to BYOD at RSA Conference 2012
• BYOD Articles, Opinions and Surveys

# # #

Share

Are you looking for the best BYOD content at the 2012 RSA Conference? If so, here’s a list of events and sessions to add to your agenda.

Thursday, March 1st, I’ll be hosting the Peer2Peer session on BYOD in the enterprise. Details on that are below, along with other sessions with BYOD content. They’re listed here in chronological order. Twitter handles for people or organizations have been provided (as best I could find them, anyway).

BYOD-Specific Sessions

1. BYOD(evice) without BYOI(nsecurity)

Session: HOT-107 (Hot Topics Track)
Speakers:    Dan Houser*, Security & Identity Architect, Cardinal Health Inc (@SecWonk, @cardinalhealth)
                     Daniel DeSantis, Security Specialist, Cisco (@chuckthefrog)
                     Goran Avramov, Senior Infrastructure Architect, Cardinal Health Inc (@cardinalhealth)
                     Nasrin Rezai, CTO Security, WW Security Architectures, Cisco
Time: Tuesday, February 28, 2:40 PM, 50 minutes in Room 132

Overview:  The session presents the real life drama of running a BYOPC program without neutering security. As your workforce transitions to a mobile workforce, how do you meet the imperative while providing a reasonable security posture? Two Fortune 100 companies share their on-the-ground experience implementing secure Bring Your Own PC and mobile computing programs.

2. Mobile Devices: Does BYOD Spell RISK (m86 Security)

Session: BC-06  (Briefing Center Track)
Time: Tuesday, February 28, 4:30 PM, 30 minutes
Tweet: @M86Security

Overview: Mobile devices are a necessity for today’s enterprise. Employees use their own or company-provided phones, tablets and laptops to stay connected to work at all hours and from any location. And while mobility increases employee productivity, it also poses significant security challenges for an IT department. Attend this session to understand the essential elements of a mobile security strategy and the best practices for securing mobile devices in the workplace. This Briefing Center brought to you by m86 Security.

3. BYOD: Securing Mobile Devices You Don’t Own Panel

Session: MBS-303 (Mobile Security Track)
Moderator:  Kevin Mahaffey, Chief Technology Officer, Lookout (@dropalltables, @lookout)
Panelists:     Mike Convertino, Director, Network Security, Microsoft
                      Alex Stamos, Founding Partner of iSEC Partners, iSEC Partners (@alexstamos, @isecpartners)
                      Jeff Moss, Founder & Director, Blackhat (@thedarktangent, @blackhatevents)
                      William Boni, Corp. Info Security Officer, T-Mobile USA
Time:  Thursday, March 1, 10:40 AM, 50 minutes in Room 305

Overview:  As billions of people around the world use their phones as PCs, hackers are paying attention. In the workplace, personally owned phones and tablets are rapidly becoming the norm, making the tightly-managed PC obsolete. In this panel we’ll discuss issues affecting devices now and in the future as well as what security professionals can do to stay on top in this rapidly changing environment.

 4. Mobile Devices: A Privacy & Security Check-In Panel

Session: LAW-304 (Legal Track)
Moderator:      Demetrios Eleftheriou, Senior Counsel, EMC Corporation (@EMCCorp)
Panelists:          Ashkan Soltani, Consultant, Ashkansoltani.org  (@ashk4n)
                           Nicole Ozer, Tech & Civil Liberties Policy Dir., ACLU of N California (@ACLU_NorCal)
                           Rebecca Matthias, Sr. Corp Counsel, Privacy & Data Prot., VMware (@VMWare)
                           Laura Berger, Senior Attorney, Federal Trade Commission (@FTCgov)
Time: Thursday, March 1, 1:00 PM, 50 minutes in Room 131

Overview:  The use of mobile devices can raise an avalanche of privacy and security issues. Our diverse panel of privacy gurus will provide practical suggestions to address some significant privacy and security concerns arising from the use of mobile devices, including: (1) BYOD – bringing your own device to work; (2) location-based technology; (3) privacy disclosures and choice; and (4) the development and use of applications.

5. Doubts, Dread and Decisions: Dealing with BYOD in the Enterprise P2P

Session: P2P-306A (Peer2Peer Track)
Moderator:  Jennifer Jabbusch Minella, CISO, Infrastructure Security Specialist, CAD, Inc. (@jjx, @CADinc)
Time:  Thursday, March 1, 3:20 PM, 50 minutes in Room 110

Overview: With the consumerization of wireless and networked devices, the concept of BYOD (bring your own device) has most enterprise security teams scrambling for guidance. In this P2P session, attendees will exchange ideas on integrating unmanaged and personal devices in the enterprise environment, and discuss ways to secure assets, protect resources, manage use and create policies to govern it all.

6. CYA in a BYOD World Panel

Session: SECT-401
Moderator: Philippe Winthrop, Managing Dir, The Enterprise Mobility Foundation
Panelists:      Rob Greer, VP, Endpoint and Mobility, Symantec Corporation (@symantec)
                        Robert Smith, CTO, Mobile Active Defense (@MobileActiveD)
                        Ahmed Datoo, Chief Product Management & Marketing Officer, Zenprise (@Zenprise_Inc)
Time:  Friday, March 2, 9:00 AM, 50 minutes in Room 310
 
Overview: Mobile is recasting the IT landscape just like the PC did two decades ago. The invasion of smart phone and tablet personal devices (Bring Your Own Device – BYOD) into the enterprise has made secure mobile device management a top IT priority. The challenge begins at the device level and then extends into securing data, provisioning applications and managing application access to corporate resources. This panel will discuss challenges, options and tradeoffs around applying appropriate management and security policy controls to enable the new BYOD world.

# # #

Share

Plug in to this blog series to get a behind-the-scenes look at one of the world’s largest technology security conference.

At a conference that has more speakers than most conferences have attendees, the RSA Conference USA stands out as a massive, well-oiled machine. As the conference apporaches follow along as I interview the people most intimately involved in making sure the week-long event goes on without a hitch.

Within this series, I’ll share the secrets of how content is selected, how speakers are chosen, where the RSA themes originate, inner thoughts from the press and media, and even some juicy gossip from vendor PR teams. You’ll also get tips on how to select the best talks to attend, where to find the parties, how to get a sneak peek at content and ways you can participate with the RSA team.

In anticipation of RSA, I’ve redesigned and relaunched my http://SecurityUncorked site as a kick off and tribute to this one-of-a-kind conference.

Let the fun begin!

• Be Famous- Share Your Words of Wisdom with RSA (participate by Feb 29th EXTENDED)
• 9 Tips to Find the Best Sessions and Speakers at RSA

# # #

Share

Everyone has heard or given advice that has impacted his or her life… will you share yours?

RSA Conference invites you to tell them the best advice you’ve ever received, heard or given. It can be information security related, personal, poignant or just plain funny.

They say anything goes; I guess we’ll see!

If they like it, your entry may appear on the RSA Conference websites, on-site during keynote sessions, or even on digital messaging screens. You’ll be (almost) famous. You can even attach a photo to your words of wisdom. This could prove interesting.

So, how do you participate? Either:

• Post your words of wisdom as a comment on this RSA blog or
• Take the RSA quick Share Your Best Advice survey via SurveyMonkey (my Mom calls it Monkeybutt, by the way).

The deadline is now February 29th, so get movin’! I know you people, and you all have some smartass, I mean, smart comments to share. Go for it.

# # #

Share