Wednesday, November 19, 2014

The War Against Personal Privacy

With the recent revelation of FBI Director James Comey attacking tech companies for allowing complete encryption on their mobile devices, we as citizens should be concerned with our liberty and freedom, not just our privacy. When a government official thinks we as a people should lower our security and privacy standards because it makes his job of catching criminals easier, we should all be on our guard. By that logic, I might as well leave my home unlocked, because if I were to get robbed it would make it easier for law enforcement to enter my home and catch the thieves. This of course is ridiculous, and there are ulterior motives involved that include snooping on American citizens. With recent allegations and court hearings being brought against our government over citizen snooping, it came as a surprise that Director James Comey would come out so boldly with these remarks. This shows me that our government doesn't care about our privacy and is still barreling down the path of complete control, with limited oversight.

Privacy is liberty, and when it's slowly siphoned away from our individual rights, so are our liberty and freedom. This is something that's been happening for decades, with the FISA courts, the PATRIOT Act, NSA warrantless surveillance, etc., and with each legislative power grab by the government, whether under the guise of security, the fight against global terrorism, or the protection of our children, we end up handing over more of the God-given rights that our founding fathers fought so hard to establish. James Madison understood these issues when he proposed the Bill of Rights for the Constitution; he understood that an individual has rights that a government shouldn't be infringing upon, and that pillaging these rights from citizens weakens not only our individual freedoms, but our collective rights as Americans.

Why does the government want us under such high surveillance? It might come as a surprise to some, but just being a government doesn't automatically make you trustworthy. There have been multiple occasions in history where regimes have controlled their inhabitants through the ever-seeing eye of surveillance. We must learn from these mistakes of history now, so that we don't repeat them for our generation and the generations to come. Even if a government were doing something honorable with mass surveillance, that doesn't mean that over time it won't change its ideology to something more nefarious. Once power has been given, once control has been handed over, it becomes orders of magnitude harder to withdraw it and rein that authority back to what it once was. Governments are aware of this and consistently use fear and uncertainty during times of crisis to influence the actions of lawmakers and citizens and snatch more power. The best trick a government can play during a crisis is making its citizens believe that mass surveillance was their own idea.

Why, then, is Director James Comey terrified of encryption? This isn't a new thing either. The government has had a long fear of encryption: not really a fear of cryptography itself, but a fear of not knowing. This goes back to the early nineties, when the government threatened Philip Zimmermann, an amateur encryption enthusiast, with potential prison time after he created PGP. Not only was he being threatened, but he was being treated as an "arms dealer". Is this what the government sees encryption as? A weapon?! Encryption isn't a weapon, it's a shield, and we as citizens have a right to protect ourselves from mass surveillance. It's not a war against crime; it's a war against personal privacy.

Friday, September 19, 2014

Statistics of a Data Breach (SRC Cyber)

40 Information Security Blogs You Should Be Reading

I'm very humbled to have been awarded as one of the "40 Information Security Blogs You Should Be Reading" by . There are many other blogs on the list that completely outshine this one, and I highly recommend reading them first.

Saturday, July 12, 2014
Onward Through the Cloud

Over the past couple of years, anything with the word "cloud" in it has been selling big. It's been the ultimate buzzword in marketing and has completely clouded (pun intended) the understanding of what cloud computing actually is these days. If you ask ten people today to explain what the cloud is, you'll most likely get seven different answers. This confusion over what a cloud actually is has also confused people from a security perspective as to what they should be protecting. If you're not sure what you're getting into with cloud services, how can you realistically secure it? In this post we'll cover a few of the high points of security while in the cloud.
What’s Driving You To The Cloud?
Before you do anything, you'll need to consider what type of cloud architecture you're going to be building. Are you looking for a public cloud, a private cloud, or more of a hybrid/bare-metal service? This is really going to depend on a few things. Are you currently under some type of compliance requirements, like, I don't know, PCI? If the answer is yes, you're going to find yourself moving towards more of a private or bare-metal cloud offering. Sharing resources with other clients on a public cloud is not going to fly from a security perspective or a compliance perspective. Also, what will you be putting in the cloud? Are you putting up web servers, custom apps, file shares, etc.? What you put in the cloud will determine the type of cloud you'll need, but having a solution that keeps your data separate from other clients' data in the cloud is the most important security decision you can make regarding your cloud architecture.
Consider The Risks of Cloud Infrastructure
After you've decided what type of architecture you'll be moving to in the cloud, you need to consider what type of infrastructure you'll be using. Many people that go into the cloud these days are using shared resources, not only from a storage and virtualization perspective, but from a network perspective. Even with a private cloud or a bare-metal implementation, it's very possible that you're still running on shared load balancers, routers, firewalls, IDS, etc. It's here that you need to consider the risk of not owning your own infrastructure. Will this reduce cost? Absolutely. Will it add an area of risk to your network that you can't control? Absolutely. If you're on a shared load balancer or router and another client gets hit with a DDoS, or has greater than normal traffic hit their site, it's very possible that your network is going to take a hit due to their issues. This is something you can't protect against yourself; you are at the mercy of the cloud provider to mitigate it. If you end up using the firewall that's already in place at the hosting provider, be careful to review the SLAs for change control and firewall changes before moving to this type of solution. Even if it's a hosted firewall that you have complete access to, it's going to be hard to run rule reviews on these systems without having complete control. Long story short, be careful about buying into a hosted cloud infrastructure model without first reviewing the risks.
Security First Mentality
Lastly, from a security perspective you need to understand what you're gaining and what you're losing by moving directly into the cloud. Are you gaining a more solid security architecture by moving to the cloud? Many companies that are starting out now would be starting from scratch without an existing infrastructure, and they would be wise to review these cloud offerings. Moving to the cloud can enable better security for these companies than buying all the equipment themselves. But established companies that already have a security architecture in place need to determine what's going to benefit them most from a security standpoint. If moving to the cloud means they have to limit themselves from performing security at a high standard, they need to determine how to keep the risk down. Below are a few areas you should consider before jumping into the cloud (this is only a starter list):
  • How do cloud providers perform DDoS mitigation? Do you own your internet connections (with DDoS mitigation already built in), or do you have to provide a separate service?
  • What about IPS and WAF? Will you be able to bring your own, or will you be forced to use the cloud provider's? If you do use their systems, will you be able to customize them with the rules you're used to? And what about log management?
  • Where are the logs going to be sent while in the cloud? Do these providers have the ability to collect logs and run queries on them? If the answer to these questions is "NO", you need to consider the risk of moving your network to the cloud.
  • Who has physical access to the datacenter while your data is being hosted elsewhere? Where are the backups stored? Does your data ever get sent internationally for any reason? The privacy and breach laws are different once data is no longer domestic.
Read more of my article over at: