Lbailey

CISPA Gets Cyber Security Wrong

by nCircle Staff on 05-18-2012 04:48 PM

According to the bi-annual Unisys Security Index, a majority of Americans feel that cyber security should be a dominant issue in the upcoming presidential election. Most public sector workers believe the government should be able to adequately protect sensitive online data, and many Americans fear the possibility of cyber-attacks. However, CISPA, a cyber security bill currently under debate in the US Senate, misses this mark by a wide margin.

 

What exactly is wrong with CISPA? Well, the current version of the bill delivers a mortal blow to the Electronic Communications Privacy Act of 1986 (ECPA) and allows law enforcement agencies to give all your data the equivalent of a TSA full body scan in the name of national security.

The complete lack of regard to user privacy is unnecessary. If we can put a man on the moon, a rover on Mars and create stealth planes and helicopters, we can create a CISPA bill that protects our citizens’ personal privacy.

 

Washington needs to rework the bill so citizens are not caught in political and cyber security crossfire, and Americans should realize they don’t need to give up personal privacy in order to improve our nation’s cyber security posture.

From a technical engineering point of view, if CISPA were a piece of software it would fail QA because it’s not ‘feature complete’. Congress should not vote on CISPA until it includes sound measures to protect our privacy.

 

The cyber security industry has been grappling with the opposing problems of privacy and security for years. It would be smart for Congress to use some of our best practices and expertise to create a bill that improves cyber security and includes privacy protection for citizens.

Freedom and security are not mutually exclusive; Washington needs to rework the bill so citizens are not caught in political and cyber security crossfire.

I was just thinking about how much more efficient software development has gotten since the adoption of Agile Methodologies. Almost 2 years ago the entire engineering organization here at nCircle made the switch to using Agile. I think it has totally changed how we think about building software. Recently I got to thinking about how much more efficient we are now and how much more work we are able to get done. One example is that my team has been able to cut the customer defect backlog down by almost 60%!

I also thought about how much down time teams used to have back when I was involved with projects that subscribed to waterfall practices. It seemed like the bottleneck just moved from one function of the team to another. The team was always waiting on development, QA or documentation to happen before any product could ship.

 

I was trying to put some of my thoughts on paper about Agile vs. Waterfall and found this video that sums it up nicely.

http://www.youtube.com/watch?v=gDDO3ob-4ZY

Does your software development team still use waterfall? I would be curious to understand why your team hasn’t looked into making the switch.

shelley_boose

What's On Your Patch List?

by nCircle Staff 02-14-2012 04:41 PM - edited 02-17-2012 12:39 PM

It's Patch Tuesday and nCircle's Vulnerability and Exposure Research Team (VERT) recorded their first monthly VERT Alert Live interactive discussion about today's security bulletins.

If you missed the discussion, a recording of today's VERT Alert Live is available here.

VERT Alert Live is a great opportunity to have a conversation with nCircle security researchers on the questions that matter most to you. Don't miss our next session on Tuesday, March 13, 2012 at 1 pm pacific / 4 pm eastern.

Are we in an international cyber security arms race? Would a set of international cyber security regulations help or hinder national cyber security efforts? Listen to Episode 28 of our Security Slice podcast as Tim 'TK' Keanini and Oliver Lavery discuss this multi-faceted problem and possible solution models.

shelley_boose

New: VERT Alert Live Events!

by nCircle Staff on 02-10-2012 01:06 PM

Do you ever wish you could quickly consult a security expert right after new security bulletins are released so you can get your questions answered?


Starting next week, February 14, 2012, nCircle's Vulnerability and Exposure Research Team (VERT) will be hosting monthly 30-minute interactive sessions about Microsoft security bulletins and other security advisories.


It's a great opportunity to have a conversation with nCircle security researchers on the questions that matter most to you.


You can find more information on VERT Alert Live events here.

RSA Conference 2012 is right around the corner and nCircle is giving away a full delegate pass.
A full delegate pass allows you to attend everything that RSA has to offer (a $2,295 value), including keynote presentations from Tony Blair, former Prime Minister of Great Britain, and Robert Mueller, Director of the FBI, as well as execs from Cisco, Microsoft, RSA and Symantec.

RSA Conference is a great opportunity to network, possibly over a free leap year beer or two. Enter to win here and start planning your conference schedule now.

The Fine Print:
Only one entry per person. The full delegate pass is valid from Monday, February 27 through Friday, March 2, 2012 and is non-transferable. nCircle will select a winner by random drawing on February 10 at 5 pm pacific.
The winner will be contacted through the email address supplied during registration. Once notified, the winner has 36 hours to respond before a new winner is selected.
nCircle employees and their families are not eligible to enter or win.

shelley_boose

Find pcAnywhere On Your Network

by nCircle Staff on 01-26-2012 01:19 PM

Yesterday Symantec issued a security advisory asking pcAnywhere users to delete or disable the product immediately until Symantec releases a set of updates that resolve the currently known vulnerabilities.


Users of pcAnywhere may be at risk because of the theft of Symantec source code in 2006. Attackers have had plenty of time to study the code for vulnerabilities that could allow them to use the remote-access software to gain access to pcAnywhere installations. If attackers successfully exploit vulnerabilities in the code, it could give them unprecedented access to corporate networks around the world.


According to Symantec's security advisory, "All pcAnywhere 12.0, 12.1, and 12.5 customers are at increased risk, as well as customers using prior versions of the product."


The remote-access software runs on Windows, Mac OS X, Linux, and the PocketPC platform.
Symantec's pcAnywhere has also been bundled with numerous other products from Symantec and other partners.


In addition, Symantec said, "A remote access component of pcAnywhere, called the pcAnywhere Thin Host, is also bundled with a number of Symantec backup and security products."


nCircle customers can easily identify every system running pcAnywhere or pcAnywhere Thin Host on their network with IP360 or our new, cloud-based network security scanner PureCloud.


Forewarned is forearmed. Scan now; make sure your network is protected.


Updated Feb. 6, 2012: Symantec patches for pcAnywhere are now available for manual download here.

shelley_boose

Pure Cash with PureCloud

by nCircle Staff on 01-26-2012 11:48 AM

Calling all IT solution providers, resellers and online communities! nCircle recently announced PureCloud, our revolutionary new, cloud-based scanning service, and it's been pulling in rave reviews from our customers and the industry.

Now it's time for partners to get in on PureCloud! To make it easy for our partners to promote this new offering, we've developed a complete online, click-through referral service that earns cash for every customer who makes a PureCloud purchase from your referral. As a referral partner you receive 10% of the initial referral purchase of either a PureCloud detailed scan report or an annual PureCloud subscription.


This new program makes it simple and easy for anyone with an online presence to make money with PureCloud. It literally takes minutes to sign up and you can track all your referrals and commissions online.


Referral partners have access to a wide range of marketing content designed to make it easy to immediately promote referrals through websites and social media. There are no commitments or minimums, so referral partners can get started monetizing their customer base and web presence instantly.


nCircle provides everything you need to get started. All you need to do is sign up here, get your code and start linking!

shelley_boose

New Continuous Monitoring Webinar

by nCircle Staff on 01-23-2012 10:24 AM

A key security initiative for government agencies is the implementation of continuous monitoring. nCircle’s new webinar can provide insight into agency implementations of continuous monitoring and detail the four key practices agencies are using to drive dramatic improvements in their security posture.


Listen to Jim Acquaviva and Keren Cummins discuss the relationship between continuous monitoring best practices, metrics and benchmarking, and how nCircle Benchmark can provide the foundation for dramatic improvements in your security posture.


You can find the webinar here.

It's stop SOPA day across the Internet. Listen to Episode 26 of our Security Slice podcast and hear Andrew Storms and Tim 'TK' Keanini discuss the flawed thinking behind SOPA.

We've got a great promotion in Spiceworks. Scan up to five IPs with nCircle PureCloud and get complete vulnerability reports, a $225 value. You can find more information here.

But hurry, this offer is only good through January 31.

shelley_boose

How to Change Your Security Mindset

by nCircle Staff on 01-10-2012 03:17 PM

Security breaches are a fact of life for everyone, but most organizations don't accurately quantify their security risks.


Listen to Episode 25 of our Security Slice podcast and hear Oliver Lavery and Tim 'TK' Keanini discuss the challenges inherent in accurately assessing security risk and offer suggestions on how to change your security mindset.

shelley_boose

2012 Security Resolutions

by nCircle Staff on 01-09-2012 12:22 PM

1) Step Up Your Risk Management Game

Go beyond the 'find and fix' mentality and begin to measure and manage by counting what matters. Work with other groups towards mutual goals and to share results both good and bad.

Finally, use metrics as a weapon of mass budget allocation and a tool to move budget dollars to where they're needed most.

- Tim Erlin, Director of Product Management

2) Understand IPv6 and All its Security Implications

We've all been avoiding the implications of IPv6 because we haven't really needed it, but now we do. Set aside some time to really understand IPv6, because the impact on security is enormous and it's not something that can be integrated in a rush.

Become knowledgeable enough to explain IPv6 security issues to upper management so you are prepared to fight for the necessary budget allocation before IPv6 issues become an emergency.

- Andrew Storms, Director of Security Operations

 

3) Start Thinking Like a Cyber Criminal

Imagine you were part of an organized crime unit, and your criminal organization has targeted your company for a cyber attack. What information would you try to steal? What information could be used to make money?

This mental exercise can help you defend your network and your data. Use the same thought process to evaluate cyber attacks originating from nation states and 'hacktivists', because each of these groups may target different kinds of information for different reasons.

Understand each group and the data that could be valuable to them so you can make it more difficult for them to carry out any of their strategies on your network.

- Tim 'TK' Keanini, CTO

 

4) Move Toward Continuous Monitoring of Security and Compliance Controls

Security is a business process that should be maturing in all organizations, and 2012 is the time to move closer to a continuous view of your security and compliance controls. Maximize your use of automation and technology in 2012 to provide reports and alerts for material deviations from internal policies, provide baseline measurements and goals, and reduce hands-on intervention in routine security processes.

Security talent is a scarce resource. Take advantage of the talent you have by having them focus on real risks. Automation can also provide excellent data that compares the performance of your security initiatives to your peers.

- Elizabeth Ireland, VP Marketing

Does your executive team understand the real security risks to your enterprise? Does your IT team have an effective method to quantify and communicate those risks?
Listen to Episode 24 of our Security Slice podcast and hear Oliver Lavery and Tim 'TK' Keanini discuss why overestimating security posture is so common and the potential solutions.

shelley_boose

The Socialization of Security

by nCircle Staff on 12-12-2011 08:51 AM

2011 was a year of enormous change for the security landscape, a change so profound it has infiltrated popular culture.


Listen to Episode 23 of our Security Slice podcast and hear Oliver Lavery and Tim 'TK' Keanini discuss how the socialization of security will affect consumers and businesses in 2012.

We're giving away nCircle PureCloud scans until December 16, 2011.


PureCloud can:

    • Identify network weaknesses attackers can use to break in, and tell you what to do about them
    • Scan your whole network without hardware or software to install or manage; all you need is a web browser
    • Assess every device on your network, even devices behind the firewall

This good deal just got a lot better. Scan anytime before 12:59 pm pacific Dec. 16 and you'll automatically be entered to win one of ten free Kindle Fire tablets.

It really is that easy; all the details are here. Check it out!

A single malware attack or data breach can be fatal to small and medium-sized businesses, but many lack any evidence that their business is really protected from cyber attacks.


Listen to Episode 22 of our Security Slice podcast and hear Tim 'TK' Keanini's take on this report on the state of small business cyber security.

GuestBlogger

The #1 PCI Compliance Issue Today

by GuestBlogger on 07-19-2007 10:39 AM

There is an ancient proverb (largely believed to be Persian in origin) that goes a bit like this:

He who knows not and knows not that he knows not is a fool; avoid him.
He who knows not and knows that he knows not is a student; teach him.
He who knows and knows not that he knows is asleep; wake him.
He who knows and knows that he knows is a wise man; follow him.

In today's world of PCI compliance, the biggest problem many organizations have is very similar to that held by the individual in the first line - they don't know that they don't know. Let me explain my thinking here.

 

I've consulted with and audited a number of organizations for PCI compliance, both large and small. On the surface, the PCI standard is well-written and generally more explicit in terms of describing what you need to do to achieve compliance. However, no compliance mandate or information security guideline can help organizations fix what they don't know is broken. Particularly in large or more distributed organizations, there are some "gaps" that just don't get addressed. By and large, these aren't the "big things" - organizations know when they have undertaken a massive storage or encryption effort. Likewise, organizations know what brand of enterprise-class antivirus software they have deployed. No, the biggest headache for many organizations is not a particular technical control or product. It's the lack of a truly proactive attitude. This alone can significantly affect the overall security posture of an enterprise, and the state of PCI compliance efforts as a result.

Most organizations are doing something about vulnerabilities. Patches are being monitored and deployed, some internal scans are probably run every now and then, and some degree of log monitoring is probably going on. Host-based firewalls or IDS/IPS might be deployed, well-configured images might be the standard, and so on. However, things change. People miss that one box when patching. The new Windows co-op might have screwed up the configuration. Would you know? When's the last time you performed an assessment?

I'm a firm believer in the notion of "continuous assessment" for a few reasons. First, over a period of time, this mentality offers companies the best chance to develop a sound and measurable baseline of activity in their environments. This baseline is then monitored constantly - you know those kids' puzzles with the two identical pictures that ask you to "spot what's wrong" in the second one? Right, of course you do. Well, that would be an impossible puzzle without the first picture, wouldn't it? Yep - that would be one seriously frustrating puzzle, alright.

The second major reason I believe in the notion of continual assessment is straightforward - based on my experience I can vouch for it because it works. There, it's that simple. By being proactive, and learning a) what you have, b) how it's configured, and c) when something changes, you can create a truly effective security regimen that is much easier to monitor and maintain. So many people think that running a vulnerability scanner means clicking a button on a scanner, coming back 10 hours later and printing out the 478-page PDF file that now tells you exactly what is wrong in every nook and cranny of your infrastructure. That's a bit old-school: the new breed of tools can assess a LOT of things with a more automated approach, all of which can tie to a solid security program and a sound PCI compliance strategy. Here are a few:

 

Determining whether your patch management program is effective
Determining whether your hardening standards and guidelines are effective and being followed
Determining whether you already have an intrusion that needs to be dealt with
Determining whether corporate-wide security policies are being adhered to
Learning quickly when new systems come online, or when existing systems change in some way
Learning whether unencrypted protocols and services are in use
And on and on...
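The "first picture" idea and several items on this list (new systems coming online, existing systems changing, unencrypted protocols in use, hardening standards being followed) reduce to one operation: keep an approved baseline inventory and diff every new scan against it. The script below is an added example, not code from nCircle or from the post's author; the one-line-per-service scan format, the host addresses, the services and the "no cleartext services" hardening rule are all constructed for illustration.

```python
"""Baseline comparison for a continuous-assessment program.

Added example, not code from nCircle or the post's author. The scan-line
format, the hardening rule and all host/service data are constructed.
"""
from dataclasses import dataclass, field

# Constructed hardening standard: services that carry credentials or data
# in the clear and therefore must not be exposed on any host.
CLEARTEXT_SERVICES = {"telnet", "ftp", "rsh", "pop3", "imap"}

# Constructed scan output, one open service per line: "<host> <proto>/<port> <service>".
# This is the approved baseline, the "first picture" in the spot-the-difference puzzle.
BASELINE_SCAN = """\
10.0.0.10 tcp/22 ssh
10.0.0.10 tcp/443 https
10.0.0.11 tcp/22 ssh
10.0.0.11 tcp/25 smtp
10.0.0.12 tcp/22 ssh
"""

# Constructed later scan: 10.0.0.12 is gone, 10.0.0.13 is new and runs ftp,
# and someone has enabled telnet on 10.0.0.11 since the baseline was taken.
CURRENT_SCAN = """\
10.0.0.10 tcp/22 ssh
10.0.0.10 tcp/443 https
10.0.0.11 tcp/22 ssh
10.0.0.11 tcp/25 smtp
10.0.0.11 tcp/23 telnet
10.0.0.13 tcp/22 ssh
10.0.0.13 tcp/21 ftp
"""


def parse_scan(text):
    """Turn scan lines into {host: {service, ...}}; blank or malformed lines are skipped."""
    inventory = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        host, _port, service = parts
        inventory.setdefault(host, set()).add(service.lower())
    return inventory


@dataclass
class Findings:
    new_hosts: set = field(default_factory=set)
    missing_hosts: set = field(default_factory=set)
    new_services: dict = field(default_factory=dict)      # host -> services added since baseline
    removed_services: dict = field(default_factory=dict)  # host -> services no longer seen
    cleartext: dict = field(default_factory=dict)         # host -> exposed cleartext services


def compare(baseline, current):
    """Spot the differences between the baseline picture and the current one,
    then apply the hardening rule, which does not depend on the baseline."""
    f = Findings()
    f.new_hosts = set(current) - set(baseline)
    f.missing_hosts = set(baseline) - set(current)
    for host in set(baseline) & set(current):
        added = current[host] - baseline[host]
        removed = baseline[host] - current[host]
        if added:
            f.new_services[host] = added
        if removed:
            f.removed_services[host] = removed
    # The policy check covers every host in the current scan, new ones included:
    # a cleartext service that was already in the baseline is still a finding.
    for host, services in current.items():
        exposed = services & CLEARTEXT_SERVICES
        if exposed:
            f.cleartext[host] = exposed
    return f


def report(f):
    """Render findings one per line, sorted so successive runs diff cleanly."""
    lines = []
    lines += [f"NEW HOST      {h}" for h in sorted(f.new_hosts)]
    lines += [f"MISSING HOST  {h}" for h in sorted(f.missing_hosts)]
    lines += [f"NEW SERVICE   {h} {','.join(sorted(s))}" for h, s in sorted(f.new_services.items())]
    lines += [f"GONE SERVICE  {h} {','.join(sorted(s))}" for h, s in sorted(f.removed_services.items())]
    lines += [f"CLEARTEXT     {h} {','.join(sorted(s))}" for h, s in sorted(f.cleartext.items())]
    return lines


if __name__ == "__main__":
    for line in report(compare(parse_scan(BASELINE_SCAN), parse_scan(CURRENT_SCAN))):
        print(line)
```

Run as written, the report flags the new host, the retired host, the telnet service that appeared on 10.0.0.11, and the two cleartext services. In practice the inline strings would be replaced by successive scanner exports, and the baseline would live under change control so that each approved change updates the "first picture" rather than showing up as a deviation forever.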

 

Continually assessing risks and exposures and discovering vulnerabilities is a program worth establishing. By learning what your issues are, fixing them, then continually assessing your own environment, you will quickly find that you are not a fool at all - you might just be on your way to being a wise person.

About the Author: Dave Shackleford is currently Vice President at the Center for Internet Security, a certified SANS instructor, and a founder of Blue Heron Security, Inc. Dave has also worked as a security architect, analyst, and manager for several Fortune 500 companies. In addition to these roles, Dave has consulted with hundreds of organizations for regulatory compliance, as well as security and network architecture and engineering.

GuestBlogger

View From the Other Side

by GuestBlogger on 06-22-2007 09:54 AM

The genesis of this article started with the observation that the time lag between the discovery of a security issue in a product and the (hopefully) eventual release by the vendor of a fix is highly variable. Some reasons for that variability, and in particular why that lag may seem long, are the topic of this discussion. I'll try to stay on track, but may occasionally veer off to observe interesting stuff (at least to me) along the way.

 

I should point out that my perspective is that of the vendor of a product and not that of a security researcher.

Not too long ago an email made its way to many of the security mailing lists with this topic:

Multiple Vendor libexif Integer Overflow Heap Corruption Vulnerability iDefense Security Advisory 06.13.07 http://labs.idefense.com/intelligence/vulnerabilities/

It discusses a problem with parsing Exif data, which is used in most digital cameras and in most of the software that camera manufacturers ship with those cameras. In this case the library is open source. Now here's the relevant part:

 

VIII. DISCLOSURE TIMELINE

08/16/2006 Initial vendor notification
06/05/2007 Second vendor notification
06/11/2007 Initial vendor response
06/13/2007 Coordinated public disclosure

Ten months went by between the first notice to the vendor and the second notice. The second notice seems to have gotten some attention, and only a few days later the public disclosure occurred. But TEN MONTHS? Why didn't the security researcher ping the vendor sooner than ten months after the first disclosure? Did the vendor miss the first notification? If not, what were they doing in the interval?

 

Speaking of intervals, remember the news regarding bike locks and pens back in 2004?
http://www.wired.com/culture/lifestyle/news/2004/09/64987
Note this part of the article:

"The lock's flaw was apparently first publicized in 1992 in the United Kingdom... The BBC even covered it, but the news apparently didn't resurface until a dozen years later."

Talk about lag time. You can still buy locks that are way too easy to open, but that's a different topic for another time.

 

Back to software. Now, I was not a party to any of this, but let's posit a hypothetical that instead of an open source vendor of this library, the vendor was a commercial supplier. They supplied this library to many vendors who used it in software that eventually made its way to consumers. Let's look at the various channels that software might follow to get to the consumer, and consider what time lags are built into each channel. We may find where those ten months went.

When you buy a digital camera most often you find a CD in the box that contains some sort of image processing software. You may find a version of Adobe Photoshop Elements, you may find a proprietary software package, and you may find both. That CD was made in bulk months before the camera was purchased, inserted into the box on an assembly line overseas, and shipped to a warehouse somewhere in the world. It could easily have sat on a shelf, either in the warehouse or in a retail store, for a year or two before being purchased. That's one channel, and we can see a few issues already.

 

The CD needs to be remastered, at least for new production runs. The original developer of the software needs to integrate the fixed library into the software, do their QA, provide a new master copy of the software to the camera company, which then would presumably also need to go through QA or acceptance testing, a build cycle for the new CD, and so on. They might need to decide on what info they supply to registered users of the software regarding this security issue. Do they host a patch or update on their web site (more QA)? How many languages does the notice need to be translated into? What training, if any, needs to be given to call center employees (and yes, there will be calls if they post or mail or email a notice). This leaves out the question of product recalls and such.

It gets better. Let's consider another channel. In this case the image software is pre-installed on the hard drives of a major retailer of consumer computers. Yup, another set of QA cycles, new builds of a gold master hard drive image to install on computers at the factory or factories, and the same set of questions regarding disclosure/notice to consumers who purchased a computer with this software pre-installed. Plus all the issues of FAQs on a web site, call center training, notice translations, product recalls, and so on.

 

One of the interesting things about the libexif advisory above is that none of the final products that incorporate the library are disclosed. The closest to that degree of disclosure is this statement:

Exploitation requires that a targeted user process a malicious image using one of several available tools that utilize libexif for Exif tag parsing. These tools include, but are not limited to, several applications included in the GNOME and KDE desktops.

 

Now imagine the discussions, negotiations, politics and such that would have gone on in our hypothetical case above with a commercial supplier and a security researcher who had found the vulnerability in just one of the many commercial products that incorporated it. Should the supplier of the library disclose their full customer list? In fact, they may be contractually prohibited from doing so. Clearly they need to contact all their customers, but during that TEN MONTH lag perhaps the researcher finds other applications that have incorporated the library. The list of affected applications shifts over time, and getting agreement from each final customer on the wording of disclosures becomes a major effort. What's that you say, why should the wording be negotiated? Why should the end customer have input, be involved? Remember that the end customer may need to create web FAQs, emails, or paper mail that discusses the issue, and consistency of messaging is important. Remember, this stuff is being translated into a dozen or more languages, approved by product line managers in many countries, and coordinated with PR agencies.

Who pays for the costs of the mitigations listed above? New software builds, testing, new masters, translations, call center training. The costs rapidly exceed the revenue the library supplier generates from sales of the library. What do the contracts say with respect to responsibility? Who considered this scenario when the contracts were drafted?

 

Now, some of the issues above could be addressed by smart programming. Producing software that can be updated automagically via the Internet would help. Having a feature that periodically checks with the mothership for those updates would help (do it right or you've got another security risk). None of this changes the issues of coordinated release, call center training, and so on. Nor does it remove the issues of remastering CDs and gold hard drive images.

Now I'm not advocating that vendors go dark for months at a time to deal with their internal and customer issues. Far better to communicate quickly, directly, and honestly with security researchers about the time needed to resolve vulnerabilities, not just from the code perspective but from the downstream customer perspective as well. This communication needs to be persistent and continuous, setting appropriate expectations on both sides. This may not change the time between discovery and disclosure but it will improve the relationships between security researchers and the vendors they research.

 

About the Author: From time to time, nCircle allows guest bloggers to post entries on our blog. This particular poster, under the pseudonym of "Sam Lee", has requested to remain anonymous.

As nCircle's Director of Operations, I thought I would share some of my experiences working with the new environmental regulations that today's nCircle press announcement described.

Anyone hoping for a break after achieving RoHS (European Directive 2002/95/EC, also known as the Restriction of Hazardous Substances or "RoHS" directive) and WEEE (European Directive 2002/96/EC, also known as Waste Electrical and Electronic Equipment directive) compliance will be disappointed as the amount of proposed new environmental programs has only accelerated in 2007. No sooner did the dust begin to settle on the RoHS front than the European Commission began the process of reviewing and amending the list of restricted substances. There is no guidance at this time as to which additional substances may be added to the current list of six or the timeframe for elimination, but it's only a matter of time.

 

On the other side of the world, China officially launched its RoHS program on March 1st of this year. Though modeled on the European Union RoHS legislation, China RoHS has its own unique requirements that must be followed. More recently, South Korea submitted a WTO notification for their version of RoHS/WEEE with a comment deadline of July 21, 2007.

Closer to home, virtually every state in the Union is in the process of considering or passing some form of environmental legislation. Most states are targeting the large consumer items - TVs, personal computers, and large appliances - at this time, but computer servers like nCircle appliances will soon follow.

 

What's next? In addition to more countries adopting their own RoHS/WEEE type programs, there are moves afoot to improve energy usage and efficiency in data centers - project "Green Grid" and IBM's "Green Team" are two of the higher profile efforts in this area that will impact how servers are designed, deployed and utilized in the future. Finally, more and more organizations are moving toward eco-friendly purchasing. The University of California recently announced a new far-reaching "Environmental Sustainability policy" under which they will only buy products registered under EPEAT (Electronic Product Environmental Assessment Tool). Similar to "Energy Star", EPEAT measures products against a set of environmental standards including reduction in harmful chemicals and designs that are more easily recycled.

It's been a busy few years for those of us responsible for RoHS/WEEE compliance and that was only the start. The next few years promise to be even more exciting and I, for one, can't wait.

 

About the Author: Kevin Burnett

A little while back I was talking with my six year old, and said six year old asked me "What is risk?". I realized I didn't have an answer that was one or two sentences. In fact, I didn't have an answer that I thought would really get the idea across, though after going through several tries I think I got the idea across. The hardest part was finding a common frame of reference to build on. And yes, I was a bit dismayed that I didn't have one or two sentences to communicate an idea that is a basic part of Information Security to someone who didn't know anything about it.

 

What this episode made me realize (again) is that we, as security professionals, usually have a very different way of looking at things than the people we work with, both "business" people and IT people. This difference can be hard to detect - for example, as adults we all know what 'risk' means. Or do we? Overall, I think the majority of people will have roughly the same idea for the word 'risk', though I believe each person's meaning will be colored by their own experiences and observations. When it comes to clearly understanding a particular set of "risks", this is where I think our different viewpoints (security, IT, "business") result in very different understandings of the "risks".

I've seen this disparity of cultural viewpoint a number of times, and seen people struggle with it as they try to understand each other and move forward. Sometimes it takes a while for them to understand they have a communication failure (vs. "so and so is just {"an idiot", "paranoid", "YOUR_FAVORITE_LABEL_HERE"}"), sometimes they don't. When they do make the realization, and I mean really make it, when they get that the other people are looking at the situation in a completely different way, I see them go through what I did in trying to explain risk to a person who has no real experience in it - trying to find a common frame of reference so they can build up a real understanding. Over and over again I've seen this be quite challenging, and where it's been successful two of the common threads have been people listening to each other and trying to see the situation from the other person's point of view. It's not easy to twist our brains around to a different way of thinking, yet every time I see people do it, I see success. What has been (or was devolving into) an acrimonious relationship becomes one of trust and mutual respect, which then becomes a highly productive one. As well, both sides usually learn from the experience, both what the other people do and how they do it, and they learn a bit more about themselves and what they do and how they do it.

 

Overall lesson? Listen when the uninitiated ask questions; you might just find something useful and interesting in them.

 

About the Author: Eric Hall has an extensive background in information security, systems and network architecture and software development. He is currently a security architect/consultant, specializing in the design, implementation, and in-depth troubleshooting of complex information systems with a focus on security. Prior to becoming a consultant, he was CTO of Lucidian Technologies, where he was responsible for the design and development of a network-based intrusion detection system.

GuestBlogger

Our next guest blogger is...

by GuestBlogger on ‎04-25-2007 04:25 PM

...Eric Hall! Eric is a security architect and consultant who specializes in the design, implementation, and in-depth troubleshooting of complex information systems with a focus on security. I look forward to reading Eric's upcoming posts on this blog, and I hope you do too. Enjoy!

It is somewhat daunting to post my first blog entry to a collection of forums that claims Tim Keanini as one of its participants. As much as I love to engage in cerebral discussions with TK, I rarely traverse the same plane as he does in my blog postings. Anyone who has read my threatchaos security blog knows I like to focus on threats, the security industry, and the response, or lack of response, of enterprise.

 

If there is one theme I keep harping on it is the complete lack of preparation that most organizations exhibit when it comes to cyber security. Thus, I think it appropriate to raise that point here in my inaugural post to nCircle's guest blog.

If security investments are done properly, they are done in the context of a risk management program. But risk management analysis invariably underestimates cyber risks because it relies on past experience, which is not relevant in a threat environment that is growing exponentially.

 

I was speaking at the FDIC a couple of years ago and heard about one audit they had done at a LARGE data center on the Gulf Coast of Florida. The FDIC auditor was going through the list of risk factors they tracked and he came to "Hurricane" which was ranked 1 out of 10, the least chance of occurrence. When challenged the response was "We have not had a major hurricane come ashore here more than once every 100 years, so we rank that low". The auditor said, "Yes, but there is a category 5 hurricane in the Gulf right now heading your way, doesn't that impact your risk?"

 

The moral of the story is that risk is dynamic and risk management programs must take that into account. Right now it is becoming painfully obvious that bad guys are making concerted efforts to steal identities, particularly credit cards, in any way they can. From the wireless attacks against BJ's Wholesale and DSW to the physical attacks against Stop and Shop, and TJX, the warnings have been sounded. If there is a similar attack against any retailer in the next six months, they will not be able to plead ignorance of the threat level.

 

And operators of critical web sites that account for significant revenue are also on notice. The bad guys have identified you and your web assets. If they cannot steal directly from you they will launch denial of service attacks against your site and attempt to extort money from you. Not being prepared is not an excuse. The cost of recovery, after an attack, will exceed the cost of being prepared by a factor of ten.

 

About the Author: Richard Stiennon is currently the Chief Marketing Officer at Fortinet, and has more than 25 years of experience in the security industry. Most recently, Richard was the Founder and Chief Research Analyst of IT-Harvest, Inc., an independent IT research firm. Prior to IT-Harvest, Richard served as Vice President of Research for Gartner's Security and Privacy group. Richard also writes for the ZDNet Threat Chaos blog.

We are excited to announce that our nCircle Guest Blog series is about to kick off to an amazing start. We are working on a killer line up of guest bloggers for you, and the first one up is Richard Stiennon.


Richard is currently the Chief Marketing Officer at Fortinet, and has more than 25 years of experience in the security industry. You may already know Richard from his tenure as Vice President of Research for Gartner's Security and Privacy group. Most recently, Richard was the Founder and Chief Research Analyst of IT-Harvest, Inc., an independent IT research firm. Richard also writes for the ZDNet Threat Chaos blog. While at IT Harvest, Richard participated in one of nCircle's webinars, titled Doomsday Scenarios: Understanding the variables driving doomsday scenarios and strategies to protect your organization.

 

Check back on this blog soon - Richard should be posting here shortly!
Richard's archived web seminar can be viewed here: www.ncircle.com/index.php?s=registration_registernew&src=doomsday

GuestBlogger

And the winners are...

by GuestBlogger on ‎02-09-2007 03:46 PM

Thanks to all the entrants in my "Overheard at RSA" contest - I had a good laugh reading through my inbox over the past couple of days. Here are my favorite three submissions (all of the authors will receive an nCircle remote control car, as promised!) - at least the top three that were fit to print!


1. "Well, we're not the ones who drop our pants first..." - said by an exec at a security vendor, discussing the ongoing pricing wars between security companies.


2. "Wow, she's tall." - said by everyone passing the booth that employed a seven-foot tall model to attract attendees.


3. "Everyone claims to have a compliance product this year. Even if it was a toaster last year, it's a compliance product this year." - said by a member of the press as he walked the show floor.


Thanks for playing! Until next time...