Free2Secure (http://free2secure.com): Your guerilla guide to using smart security to make more money

The most important, most boring security tool you probably aren’t using
http://free2secure.com/boring-backups/
Fri, 24 Apr 2015 16:57:09 +0000
Nothing on earth is more boring than backups. Encryption, firewalls, 2 factor authentication… they are all kind of clever and cool.


But backup is the one security thing you absolutely must do.

And you don’t, and I don’t.

And the security industry does everything in its power to make the backups boring. Even worse, they make backups difficult and ineffective.

  • Backups are not automatic.
  • Backups are not safe.
  • Backups are not smart.

Heck, you might as well not do them at all.

Security starts with Recovery

Nothing is perfect. No one is perfect.

You wouldn’t know it from looking at security systems.

Too many of them are designed as if they will never fail, that there will never be flaws.

Or, if they do acknowledge the possibility of failure, their recovery mechanisms are a joke.

The most obvious example is DRM for movies and games: when the DRM for a movie or a game gets broken, the companies proudly say they “recover from the compromise”.

What they don’t say is that the DRM system recovers, but the movie or game is still lost.

Your backup system is your universal recovery tool (almost).


Ransomware – Extortion at Home or Business

Ransomware is the security panic of the day. In short, hackers get into your systems and encrypt all of your valuable data (documents, spreadsheets, pictures, videos… basically all of the stuff that you care about). The most famous example is/was Cryptolocker.

The scam is simple. You visit a web site or install a program that includes the ransomware. It looks through all of your files for the useful ones (starting in My Documents and looking for .doc and other handy file types) and encrypts them, probably with a secret key that it generates on the fly and then encrypts with a public key that only the crooks know.

As a bonus, it looks over your local network and tries to infest any other systems it can find.

Finally, the ransomware application posts a message informing you of “an offer you can’t refuse”… and it’s time to pay up.

Will you?

Not if you have a good backup.

Backup Screwups #1 – Wrong Time

Backup systems seem to be designed purely for ease-of-programming, not for your ease-of-use.

The best time to back up something is right before I open it or before I close it, not in the middle of the night.

Protect my work, so I don’t have to think about it.

Programs like Quicken kind of get this right, but saving a safe copy (or multiple safe copies) should be standard practice for programs.

… and backup tools should work the same way.

Backup Screwups #2 – Safe Service

I use and quite like WordPress. However, I’ve been talking to people whose WordPress powered sites have been hacked and corrupted and they’re making me rethink using the tool.

WordPress is designed as both a production tool (I’m writing in it now) and a deployment environment.

It couldn’t be more unsafe. Even though the database can be backed up and the site can be backed up, you can still easily lose the whole service.

No one is really very constrained by memory or processing power when doing development. The system should protect my work by default, and backup tools should be triggered by my actions as a default.

This used to be expensive: you’d need separate development, test, and production environments on distinct computers. Between services like Amazon Web Services and low-cost web hosting, there is now no reason not to have a clean, complete development environment without needing a dedicated IT staff.

… and back up systems should protect me from me and you from you.

Backup Screwups #3 – Be Smart

Backup tools are lazy. They try to do as little work as possible. Since they don’t know what has changed, they run checksums or some other method to see which files need to be backed up.

If a Cryptolocker or other Ransomware program has been at work, your files are going to be seriously changed.

MAYBE, your backup utility could take a look and decide that it is highly unlikely that you edited 10,000 photographs and 968 Word documents… and, I don’t know, make a separate image and not overwrite your data?

While you are at it, how about a tool to compare the different backup versions? I have a pretty good security tool for WordPress. Periodically, it tells me that different files have been changed.

Can I do anything with the information?

Nope, I can program in PHP (sort of), but since I don’t know what’s been changed, there is no way to determine if the change was intentional and innocuous or a hack on my site.

Bits are cheap, and Bandwidth is pretty cheap

Backup used to be a costly service. You’d buy a tape drive and take tapes home every day or week (or, rather, your IT guy would), you might have a RAID drive if you were a serious business – Veritas flashbacks, anyone?

Hard disk space is ridiculously cheap. Google gives me a GB of network storage for nothing more than suffering through some ads. Most of us can’t fill up our computers with cat pictures and porn if we tried.

Even my economy web hosting account gives me so much space, I’d be hard pressed to make a dent in it – Ever.

Can we start having backup on our computers, servers, and online services working smartly as a default?

There are open source version control systems and data warehouse designs that can handle this today.

And, for God’s sake, could you make the recovery system work as well?

I was brought in on a legal case to look at some data which was supposed to have been backed up on tape.

Unfortunately, the company had been using the same 10 tapes (2 weeks of backups) for… about 5 years, and they had simply failed.

… but the software never checked to see if it was actually writing data to the tape.

Just last week, I was talking with a web site owner who was told that his web site backup was lost because it was on the same disk as his site… which was rather unfortunate, as the hard disk failed.

Ooops.

Not acceptable.
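Here is an added example, not code from the post, of a backup run that behaves the way Screwups #3 and the tape story above ask for: it keeps a manifest of what the last good run saw, treats a run in which an implausible share of files changed as suspicious and does not let it become the new baseline, writes every run to its own directory instead of overwriting, and verifies the copy by reading it back and hashing it. The threshold values and the report*.doc sample files are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed policy values, constructed for this example: if at least half of the files
# seen in the last good backup changed (or vanished), treat the run as suspicious.
MASS_CHANGE_THRESHOLD = 0.5
MIN_FILES_FOR_RATIO = 10      # too few files to judge a ratio on


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def change_ratio(previous: dict, current: dict) -> float:
    """Fraction of files in the previous manifest that now differ or are missing."""
    if not previous:
        return 0.0
    changed = sum(1 for rel, digest in previous.items() if current.get(rel) != digest)
    return changed / len(previous)


def run_backup(source: Path, backup_root: Path) -> dict:
    """One backup run: snapshot, mass-change check, and read-back verification."""
    current = manifest(source)
    last_file = backup_root / "last_manifest.json"
    previous = json.loads(last_file.read_text()) if last_file.exists() else {}
    ratio = change_ratio(previous, current)
    suspicious = len(previous) >= MIN_FILES_FOR_RATIO and ratio >= MASS_CHANGE_THRESHOLD
    # Each run lands in its own timestamped directory, so an earlier good backup is
    # never overwritten by a later (possibly encrypted) one.
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%f")
    dest = backup_root / (("QUARANTINE-" if suspicious else "") + stamp)
    shutil.copytree(source, dest)
    # Verify by reading the copy back and hashing it, not by trusting the copy call.
    verified = manifest(dest) == current
    # Only a verified, unsuspicious run becomes the baseline for the next comparison.
    if verified and not suspicious:
        last_file.write_text(json.dumps(current))
    return {"dest": str(dest), "files": len(current), "change_ratio": ratio,
            "suspicious": suspicious, "verified": verified}


def demo() -> tuple:
    """Constructed scenario: a normal run, then a run after 18 of 20 documents were rewritten."""
    work = Path(tempfile.mkdtemp())
    src, bak = work / "docs", work / "backups"
    src.mkdir()
    bak.mkdir()
    for i in range(20):
        (src / f"report{i}.doc").write_text(f"quarterly report {i}\n")
    first = run_backup(src, bak)
    # Simulate ransomware replacing most documents with ciphertext-looking bytes.
    for i in range(18):
        (src / f"report{i}.doc").write_bytes(os.urandom(64))
    second = run_backup(src, bak)
    shutil.rmtree(work)
    return first, second


if __name__ == "__main__":
    for result in demo():
        print(result)
```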

It’s You, Too

While the IT industry has flaws, we are to blame too. We don’t use backup systems when they are available or even free. We don’t test the backup systems (if there is a good way to test them). I’m guilty of this too, and I do know better.

The Cost

Ransomware sounds grim, doesn’t it? Some crazy guy from some country you’re never planning on visiting inserting some crypto-malicious-hacker-cyber-trojan program on your innocent computer. How much does it cost?

A bargain, really, $500 to $750.

Basically, the crooks know that they are competing with the price of one-time serious tech support.

They’re not after your family jewels or life savings.

Just enough to make you pay them instead of fixing it.

It makes that $50 or $100 or whatever for a backup product look like a bargain.

And that software will also protect you if your computer breaks or other “stuff” happens.

Because you know that bad things can happen.

Do you backup your data?

So, do you back up your data at home or at work or both?

Do you know it works?

Do you have any backup or recovery horror stories?

Maybe we can get Kate Upton to do some backup commercials?

Next Steps

Security needs to move beyond fear to a business basis; the Bulletproof Security Bootcamp is my approach to helping you make better business security decisions so you can make more money. Backup is the most remedial part of any security system or business.

To keep up, sign up for the latest free security answers to your security questions.

If you’ve experienced a Denial of Service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

The post The most important, most boring security tool you probably aren’t using appeared first on Free2Secure.

There is no Password Security Problem – Your Passwords are OK today!
http://free2secure.com/passwords-profits/
Tue, 21 Apr 2015 19:48:10 +0000
Your passwords could be totally secure today. Even those old 6 to 8 letter ones with a number or two thrown in…

Just don’t use “password” as your password, please.

Aaron Caswell, a senior software engineer from CapturePlay, asked me a question about passwords, profitability, and 2-factor authentication.

It made me rethink a subject that I’d been making assumptions about for decades.

Password Insanity

Password requirements have gone from 6 to 8 letters in length in the 1980s to 8 to 12 characters including symbols, numbers, and other increasingly baroque requirements designed to make you hate passwords, write them down, or just skip using them.

At the rate we are going, by 2031 you are going to need to hire that roomful of Shakespearean monkey typists for every blasted web page and online service that you use.

And there is no need for it.

Cables and Chains, Services and Systems

When people talk about computer security, they often compare it to a chain that is only as strong as its weakest link.

They also talk about “security as a service”, as if, once you put the “right” security box or boxes in your system or business, you’ll be secure.

Worst mental models ever.

Instead, think of security as a suspension bridge – beautiful, light, and strong.

You don’t build a safe bridge with a “strength service”, you engineer a set of interlocking and reinforcing components that all combine to make it safe and strong.

Historically, bridges were made heavy and solid to make sure that they were strong. By adding arches and concrete, they could be made stronger and lighter, and today we can afford to build suspension bridges spanning valleys and bays because of the cables.

Bridge cables are amazing things: they are built up of thin strands woven into small cables that are in turn woven into larger cables.

No individual strand is particularly strong, but woven together, they can support tons of steel and concrete.

This is how security should work.

Rely on one “security component” and you’ll collapse under its weight.

Killing Password Security

We’ve been forcing passwords to carry all the weight of user authentication, and, unsurprisingly, they are failing.

Password systems were initially used on dumb computer terminals in controlled environments by students and researchers.

Now, as we all know, they are our gateway to virtually every online service and transaction from commenting at a web site to trading stocks.

As we’ve asked them to do more and more in a completely different environment from where they came from, our security folks have added more and more requirements to the passwords.

  • Longer and longer passwords
  • Numbers and Capitals
  • Special Characters
  • Two-factor and more authentication systems.

The system has been collapsing for thirty or more years, and all we do is pour more concrete on top.

Passable Passwords

There are two main assumptions that have driven these changes to password authentication:

  • Promiscuous Login Systems
  • Server Dictionary Attacks

If we can remove these assumptions, we can get back to our old school passwords (no “1234” or “admin”, though).

Promiscuous Login Systems

History is important. Old school passwords had a limited try feature that prevented effective dictionary attacks. The dumb terminals that most people used were in common computer rooms which often had a system administrator present both to provide support and additional security.

Online, of course, one can make unlimited login attempts, and many sites use email addresses or public user names, making dictionary attacks (trying common passwords until one works) easy.

Doing Password Logins Securely

Passwords take the fall for this scenario, but it can be easily fixed if we combine all of the knowledge we have about both the individual and the computer they are using:

1. Check IP addresses

Most people come in from the same networks; if an IP address from a new network is used, don’t allow the login without additional verification.

2. Check Cookies (platform identities)

A lot of online services use cookies to maintain a session for an extended period of time. This same information can be used to help verify the platform identity. Be smart about this: users use multiple computers, and some computers are shared.

3. Check Device Fingerprints

Browsers, plugins, operating systems, and other information can be used to help form a device fingerprint.

4. Check Active Fingerprints

It is possible to protect against duplication of cookie data, see my presentation on Piracy Protection and Online Identity Security with Digital Duplicate Detection.

5. Keep User IDs somewhat secret

Too many sites use easily available information for user IDs. This reduces user ID plus password from a 2-factor authentication system to a single security barrier, the password itself – just stupid.

6. Limit Login Attempts

Only after your security policy passes for all of the previous steps do you even allow password attempts. And limit them. And lock the account.

Totally off-the-shelf technology that should be acceptable to almost anyone.

You can have 6-Factor Authentication today!
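As an added example (not the author’s code), here is the six-step login policy above as a decision function: the password is consulted only after the IP network, platform cookie and device fingerprint checks pass, the user ID is an opaque identifier rather than an email address, and failed password attempts are counted and lock the account. Step 4 is left out because the post only points to a talk for it; the networks, cookie and fingerprint strings are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

MAX_ATTEMPTS = 5          # assumed lockout threshold (step 6)


@dataclass
class UserRecord:
    known_networks: List[str]          # step 1: networks this user usually comes from
    known_cookies: Set[str]            # step 2: platform cookies issued to this user's devices
    known_fingerprints: Set[str]       # step 3: device fingerprints seen before
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class LoginAttempt:
    user_id: str                       # step 5: a non-public identifier, not an email address
    source_ip: str
    cookie: Optional[str]
    fingerprint: str
    password_ok: bool                  # outcome of the password check, used only once policy passes


def policy_decision(users: Dict[str, UserRecord], attempt: LoginAttempt) -> str:
    """Steps 1, 2, 3 and 5: decide whether a password attempt may be made at all."""
    user = users.get(attempt.user_id)
    if user is None:
        return "deny"                          # unknown ID: no password attempt, no hint
    if user.locked:
        return "locked"
    ip = ipaddress.ip_address(attempt.source_ip)
    if not any(ip in ipaddress.ip_network(net) for net in user.known_networks):
        return "verify"                        # step 1: new network, verify before login
    if attempt.cookie is None or attempt.cookie not in user.known_cookies:
        return "verify"                        # step 2: no known platform identity
    if attempt.fingerprint not in user.known_fingerprints:
        return "verify"                        # step 3: unknown device
    return "password"


def login(users: Dict[str, UserRecord], attempt: LoginAttempt) -> str:
    """Full flow: policy first, then a counted, limited password attempt (step 6)."""
    decision = policy_decision(users, attempt)
    if decision != "password":
        return decision
    user = users[attempt.user_id]
    if attempt.password_ok:
        user.failed_attempts = 0
        return "allow"
    user.failed_attempts += 1
    if user.failed_attempts >= MAX_ATTEMPTS:
        user.locked = True                     # step 6: lock the account
        return "locked"
    return "wrong_password"


def demo() -> dict:
    """Constructed sample user and attempts (not real data)."""
    users = {"u-8f3a": UserRecord(["203.0.113.0/24", "198.51.100.0/24"],
                                  {"cookie-home-pc"}, {"fp-firefox-linux"})}
    known = dict(user_id="u-8f3a", source_ip="203.0.113.7",
                 cookie="cookie-home-pc", fingerprint="fp-firefox-linux")
    results = {
        "good": login(users, LoginAttempt(password_ok=True, **known)),
        "new_network": login(users, LoginAttempt(password_ok=True, **{**known, "source_ip": "192.0.2.9"})),
        "no_cookie": login(users, LoginAttempt(password_ok=True, **{**known, "cookie": None})),
        "unknown_user": login(users, LoginAttempt(password_ok=True, **{**known, "user_id": "alice@example.com"})),
    }
    # Five wrong passwords from the trusted platform: the fifth one locks the account.
    last = ""
    for _ in range(MAX_ATTEMPTS):
        last = login(users, LoginAttempt(password_ok=False, **known))
    results["after_5_failures"] = last
    results["locked_even_with_right_password"] = login(users, LoginAttempt(password_ok=True, **known))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```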

Of course, some people want stronger passwords because of server security problems. That is also solvable.

Enhancing Server Security

We’ve been using hash functions to protect passwords on servers since Robert Morris invented the technique back in the 1970s. Basically, a person submits a username and password to the server. It looks up a random number (the seed) associated with the user name, hashes it together with the submitted password, and compares the result against the stored hashed password.

A nice system back in the mainframe days when hardware was expensive and physically secure… and, as discussed previously, terminals were secure as well.

We can create a split server system to improve server-side password security and force a hacker to attack two systems instead of one.

The system looks the same to the user as described above.

There are three logical server functions:

  1. Login Policy Server
  2. Split Authentication Server
  3. Password Verification Server

Login Policy Server

Before any password attempts can even happen, the login policy has to pass. IP address, device identity, user identity, etc. all need to match up, or a platform registration action is triggered. Behavioral security works very well for credit cards, you could even add in time of login, day of week and other information.

Split Authorization Server

Today, the “hash function”, seed, and verification information are all on one server. This makes it one-stop shopping for hackers. Instead, you can split the authentication verification process into two parts.

Functionally, this server can work in a number of ways. The basic idea is to make dictionary attacks impractical by strengthening passwords.

How does it work?

Take any user name and password pair and encrypt them with a key known only to the Split Authorization Server, or hash them with a secret seed:

Authorization Phrase = Encrypt(username,password,secret) or Hash(username,password,secret)

This is done on ANY username and password pair that is submitted to the Split Authorization Server. It then passes the username, and the hashed or encrypted phrase on to the Password Verification Server:

Authorization Message = (user name,Authorization Phrase)

Make sure that they are as independent of each other as possible! The point of this design is to force the hacker to attack two independent systems, not just one. Ideally, you’d have them administered by different people in different locations.

Password Verification Server

The Password Verification Server works just like a password server today. It takes in the authorization message: (user name, authorization phrase), combines the authorization phrase with the user’s unique seed, and hashes it:

Hash(seed[user], authorization phrase)

And compares it with the previously stored hash phrase for that user.

Now, if the Password Verification Server gets hacked, the authorization phrase should be far too strong to run a dictionary attack on, and two separate hacks are required to reduce the system back to the current situation. A real security requirement for your server team.
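An added example, not the page’s own implementation, of the split design: the Split Authorization Server holds the secret and computes Hash(username, password, secret) as an HMAC-SHA256 (my choice for the Hash function), and the Password Verification Server stores only a per-user random seed and Hash(seed[user], authorization phrase). The demo also shows that a phrase built without the real split secret fails verification even with the right password, which is what makes the second hack necessary.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


class SplitAuthorizationServer:
    """Holds only the split secret. Turns (user name, password) into the authorization phrase.
    The page's Encrypt(...) or Hash(...) is realised here as HMAC-SHA256 (an assumption)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def authorization_message(self, username: str, password: str) -> Tuple[str, str]:
        # A NUL separator keeps ("ab", "c") and ("a", "bc") from hashing to the same phrase.
        data = username.encode() + b"\x00" + password.encode()
        phrase = hmac.new(self._secret, data, hashlib.sha256).hexdigest()
        return (username, phrase)      # Authorization Message = (user name, Authorization Phrase)


class PasswordVerificationServer:
    """Holds per-user random seeds and Hash(seed[user], authorization phrase).
    It never sees a password and never sees the split secret."""

    def __init__(self):
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(seed: bytes, phrase: str) -> bytes:
        return hashlib.sha256(seed + phrase.encode()).digest()

    def enroll(self, message: Tuple[str, str]) -> None:
        username, phrase = message
        seed = os.urandom(16)          # the user-unique seed from the page
        self._records[username] = (seed, self._hash(seed, phrase))

    def verify(self, message: Tuple[str, str]) -> bool:
        username, phrase = message
        record = self._records.get(username)
        if record is None:
            return False
        seed, stored = record
        return hmac.compare_digest(self._hash(seed, phrase), stored)


def demo() -> dict:
    """Constructed scenario: enrol one user, then try good, bad and secret-less logins."""
    split = SplitAuthorizationServer(secret=os.urandom(32))
    verifier = PasswordVerificationServer()
    verifier.enroll(split.authorization_message("alice", "correct horse"))
    # A second split server with a different secret models what someone holding only the
    # verification server's records (and not the real split secret) can compute.
    other_split = SplitAuthorizationServer(secret=os.urandom(32))
    return {
        "correct": verifier.verify(split.authorization_message("alice", "correct horse")),
        "wrong_password": verifier.verify(split.authorization_message("alice", "Password1")),
        "unknown_user": verifier.verify(split.authorization_message("bob", "correct horse")),
        "right_password_wrong_secret": verifier.verify(
            other_split.authorization_message("alice", "correct horse")),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```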

Better Server Security

Another aspect of doing passwords smarter is to move the password security systems off the same server as other applications. A lot of server problems come from updates to one application having toxic security impacts on other applications (for example, a community site interacting badly with the authentication service or ecommerce application).

See Protect Your Passwords, Secure Your Servers for additional information.

Better Password Security Today

Passwords are a great security tool. They are inexpensive and flexible and can even be reasonably easy for people to use. By using them as part of an overall authentication system instead of expecting them to solve the entire authentication and authorization problem themselves, you can have very strong identity security today.

Next Steps

Security needs to move beyond fear to a business basis; the Bulletproof Security Bootcamp is my approach to helping you make better business security decisions so you can make more money. You can smartly combine off-the-shelf techniques to build a strong system that is easy and familiar for your users.

To keep up, sign up for the latest free security answers to your security questions.

If you’ve experienced a password attack on yourself or your servers or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

The post There is no Password Security Problem – Your Passwords are OK today! appeared first on Free2Secure.

Live Nude Million Dollar Backups – Fighting Ransomware at Bargain Prices
http://free2secure.com/live-nude-million-dollar-backups-fighting-ransomware-at-bargain-prices/
Mon, 20 Apr 2015 23:24:07 +0000
It is silly to try to make backup sexy or exciting, but it is very important.

Read the updated article The most important, most boring security tool you probably aren’t using.

The post Live Nude Million Dollar Backups – Fighting Ransomware at Bargain Prices appeared first on Free2Secure.

Buying Security, Selling Security – Why we all suck
http://free2secure.com/buying-security-selling-security-why-we-all-suck/
Sun, 19 Apr 2015 14:48:21 +0000
How much security do you need? Do you need any? Why should you choose one security product over another security product?

Are you just trying to scare me?

Alexandre Major, a Canadian security analyst, asked me a question about the importance of endpoint security. I asked what he meant by endpoint security… and here we are:

We suck at buying and selling security

We really do.

Do you know why you should buy anti-virus, or a more comprehensive (expensive) endpoint security solution?

It doesn’t matter if it is you or me at home, or your small business, or a huge corporate enterprise, your reasons for buying or not buying security are probably pretty weak.

  • Someone told you to.
  • Fear.
  • Included with some other product or service

These are not very good reasons for doing anything.

Mom says “Buy Security”

Security is often sold as “motherhood and apple pie”. If a reason is given at all, it is that everyone else is doing it.

As your mother also told you…

If someone asked you to jump off a cliff, would you do it?

Hopefully not.

But sometimes, there are good reasons for doing what other people do.

In my early days running my own security company, we resold security products. One of our customers was a state prison system that was buying an anti-virus product for its 1500 computers.

They really needed to.

They had let their previous license lapse, even though they were required to have anti-virus on their systems.

The reason? Money, of course. State budgets are and were lean.

1500 x $25 = $23,500, and it was a real budget item.

I’ve also heard the same from home users.

Why should I spend $50 on anti-virus?

Fear

Security people are really good at fear. I will say, as a nation and a world, we’ve all gotten really good at fear. Terrorism, hackers, cyber thieves, it goes on and on and on.

We become numb to it.

Most of the time, actually, except for extraordinarily rare events… nothing happens.

Then, we get Fear Fatigue.

We start doing nothing.

The bad guys are portrayed as being so devious and dangerous that there is no point or we just get tired of it all and move on with our lives and our businesses.

You know, making money.

Bundles and Trial Offers

Sometimes you get “security for free” when you buy something else (firewalls and anti-virus being sold along with Internet access) or you get a trial version when you buy or install something else (a new computer, a piece of software, a download).

Here, the security companies are counting on your laziness and inertia.

It is a standard business tactic: a free or trial offer, a bundle. Nothing wrong with it. Just submit your credit card and everything will be fine.

Sometimes, this works… at least for the security company.

Sometimes it even works for you.

There is something to be said for ease and convenience.

Are there good reasons to buy security?

Yes. I’ve had friends who have bought new computers because their old ones got infected by a virus. I’ve worked for companies that spent many, many man-hours searching for a virus that we accidentally delivered to a customer. I’ve spent a lot of time, at a rather high labor rate, trying to find a virus that had infected our shared file system.

And these are just the easy virus problems.

What all of these problems share is something that every business cares a lot about.

Money

But the important thing about these incidents is not the anti-virus product or the virus infecting the business, it is the other costs:

  • Revenue
  • Reputation
  • Direct Costs

Security incidents can cost real money. Look at the Target security breach from late 2013. The breach has cost the company $19 million to settle some lawsuits… this is small potatoes, though: less than 50 cents per breached record (around 90 million customer records with credit cards were allegedly stolen). How many customers chose not to shop at Target that Christmas?

Let’s run some numbers… say just 1 percent of Target’s customers chose to shop elsewhere for that holiday:

90,000,000 customers x 0.01 = 900,000 lost customers for Christmas

Guess the average purchases over the holidays total $50 per customer…

$50 x 900,000 customers = $45,000,000 in lost sales

… I’m guessing this is low based on the few times I’ve shopped at Target.

I’ve no idea what Target’s margins are, but let’s guess 20 percent on average:

0.20 x $45,000,000 = $9,000,000 in profit

But wait, there’s more…

Some people are going to stop shopping at Target because they don’t like what happened to their information… let’s say 0.1 percent.

90,000,000 customers x 0.001 = 90,000 lost customers forever.

Say, the average customer visits monthly and makes on average $75 in purchases per month.

90,000 x 12 x $75 = $81,000,000 in lost revenue per year.

$81 million per year!

Or, assuming the same margin number:

$16.2 million in profit per year.

And we’re not done yet…

Let’s estimate that the damage to Target’s reputation turns customer growth from 5 percent per year to 4 percent per year… the key being lost customer growth of 1 percent per year for one year, until customers forget about what happened…

Again, 90 million customers, 1 percent lost growth:

90,000,000 customers x 0.01 lost customer growth = 900,000 lost new customers

Again, say that on average you’ve added the customers halfway through the year, so only 6 months of sales, and that new customers make smaller average purchases of $40 monthly:

900,000 customers x 6 months x $40 monthly sales = $216,000,000 in lost revenue growth

Again, same profit margin, so…

$216,000,000 lost revenue growth x 0.2 profit margin = $43,200,000 in lost profit.

Plus, of course, those “new customers” that you lost may never choose you again.

Man, if I was a Target shareholder, I’d be p*ssed.

And we haven’t even gone into the direct costs of fixing what was wrong… they would probably be a rounding error in this.

So, if you’d been the Target person responsible for their security budget, do you think you’d have an easier time arguing about $19 million in eventual legal settlements (throw in a good bit for your legal bills, though most of this will be covered by insurance) or about:

$9 million profit from Christmas customers lost

$16.2 million profit lost from customers who’ve left forever per year.

$43.2 million profit lost from customers who won’t choose you next year.

A total one year cost of $68.4 million in profit.

Your insurance sure won’t pay for this.

So, let’s stop talking about the costs of firewalls, encryption, or endpoint security; instead, let’s lay out the direct and indirect costs of data breaches, malware, etc.

I think I’ll be talking to the Chief Financial Officer instead of the hard-pressed CIO.

Don’t like my numbers? Fine, let’s change them, I’ll live with the changes to the models if you will.

No more fear, just $$$.

How do you sell or buy security?

How do you choose what security to buy? Based on features, fear, or business benefits?

What works and what doesn’t for getting your security paid for?

Next Steps

Security needs to move beyond fear to a business basis; the Bulletproof Security Bootcamp is my approach to helping you make better business security decisions so you can make more money.

To keep up, sign up for the latest free security answers to your security questions.

If you’ve experienced a Denial of Service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.


The post Buying Security, Selling Security – Why we all suck appeared first on Free2Secure.

Denial of Service Tactics – Superscale your business with other people’s infrastructure
http://free2secure.com/superscale/
Fri, 17 Apr 2015 21:20:35 +0000
What is the cheapest, most effective way for you to fight denial of service attacks? Use the same strategy that Hollywood does – use Other People’s Money.

Or, more specifically, Other People’s Infrastructure.

But, there is a trick and a trap.

I say “Denial of Service”, You say a “slight blip in traffic”

If you are a small, medium, or even a fairly large business, building a highly scalable online infrastructure requires a lot of technical skill and a fair amount of money. To do things right, you are often “racking and stacking” your own hardware in one or more data centers. You need system and network engineering skills, and, of course, you are paying the big bucks for your network services on top of your equipment and staff costs.

Do you hear the sucking sound of dollars going away?

As a business, the problem with this approach is that you are always overbuilding your site, as adding capacity is difficult and your hardware is obsolete within minutes, or that is what it feels like.

It is also really “old school”.

Instead, let the Internet Monoliths pay for your infrastructure.

The Trick – Superscale your business by Outsourcing Online Services

If you start breaking down the elements of your business, you will likely find that there are a lot of pieces that you can outsource either cheaply or for free.

One of the smartest online marketing companies out there, Copyblogger, has moved its public community site to a LinkedIn Group – a tactic that I have shamelessly copied. In addition to being free for you to operate, it is virtually infinitely scalable: LinkedIn (or Facebook Groups, which is similar) does not have anywhere near the same kind of risk from denial of service attacks as you do.

Similarly, YouTube and others host videos; AWeber, MailChimp, or even your ISP’s mail service can handle your mail; and you can reach out to your members via Twitter and other online communities.

… you know, all of the Internet buzz words.

Every one of the small business people I’ve talked to who has been hit by a denial of service attack has used a multitude of other services to stay in touch with their customers and minimize the damage.

You need to superscale with care.

The Three Traps

We all know, free isn’t always free and there is a cost for yielding control of parts of your business. You need to know what you are giving up… and when you aren’t actually superscaling.

1. Scaling and Paying

One of the best reasons to keep everything in-house is that you can really handle a lot of growth with no increase in costs. Regular outsourcing undermines this. For example, AWeber and MailChimp are powerful outsourced email solutions, but their costs scale with the size of your mailing list. I decided to go with Sendy for smart email management, which I purchased, and then use Amazon’s mail system to send out my mail. The system scales better for a very slight increase in initial cost.

Even more dangerously, if you use a “Cloud” or “Grid” web hosting system, denial of service attacks can look very different. They may not knock you out, but they can quickly drain your bank account, as you are paying per page view.

This is a tricky trade. You need to read the fine print and think about both what can go well, and what happens when things fall apart.

2. Unscrewing – Divorce Internet Style

Prenups, buy-sell agreements, and contracts. The more you read them, the more you understand that most of what they are there for is dealing with “divorce”: separating and going your separate ways.

Online services are designed to be divorce proof.

Some won’t let you get your data out.

Many won’t allow you to efficiently extract anything that has been added to the service, even if it is by you or your clients.

You are their product and they don’t want to let you go.

So, you’ve got to have a plan.

Carefully choose the way you use the service. Make sure that if they went away tomorrow, you could survive and, preferably, thrive.

Don’t rely on them for backing up your data.

Whatever data they have that you can extract, make your own copy regularly.

Like any relationship, go into it with your eyes open, assume you’ll be partners for a while, but, remember, things might not work out.

3. Digital Sharecroppers

You need to control your own destiny. Otherwise, your business isn’t really yours. While you can use different online services, you need to protect yourself. Unscrew-ability is part of it, but you don’t want to be dependent on a single service or customer. Sonia Simone introduced the idea in the article Digital Sharecropping: The Most Dangerous Threat to Your Online Marketing.

It isn’t just applicable to online marketing, it is true for all business.

Don’t have single points of failure.

Plan your business operations to keep working in the face of failures.

Not just technical denial of service attacks, but anything that can take you down.

Next Steps

Security needs to move beyond fear to a business basis. The Bulletproof Security Bootcamp is my approach to helping you make better business security decisions so you can make more money. Understand the weak points in your business and take steps to fix them.

For more security answers, sign up for the latest free security answers to your security questions.

If you’ve experienced a password attack on yourself or your servers or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

The post Denial of Service Tactics – Superscale your business with other people’s infrastructure appeared first on Free2Secure.

Denial of Service Tactics – What is your minimal essential site?
http://free2secure.com/minimal-essential-site/
Fri, 17 Apr 2015 19:46:04 +0000

What is the essence of your online business? Fancy business gurus will talk about your “minimal viable product” and “fast startup”.

When push comes to shove, what at a bare minimum do you want your customers or potential customers to know about you and be able to do?

What is your Minimal Essential Site?

Surviving a Denial of Service Attack

When you are in the middle of a denial of service attack, you want your online presence to be as simple as possible. The less there is to your site, the smaller the download, and the more likely that it will work.

That means a small static page that answers your essential business questions for new visitors and current users.

The site can still be rich if you are pulling information from remote services, whether that is a content delivery network serving your own content or material from other sites (even your other sites).

It is all about simplicity and keeping the load on your own server to an absolute minimum.

There are three sins for your minimal essential site, from worst to least bad:

  • Database queries
  • Multiple file pulls from your server
  • Active server side scripts or code

The Deadly Database

Databases are amazingly powerful tools. Unfortunately, web sites use them very, very badly. Most web sites are mostly serving semi-static data. There is no need for a database at all. If you’ve ever set up a database on a web site, you’ve set up a “connection string” or some sort of database, username, password login process.

All of this is additional processing on the server.

If done properly, these connections can perform very efficiently, but there is inherent performance overhead that is buying you very little.

And that is only if the database is

  • the right database type for your type of application and
  • it’s been tuned to meet your specific performance needs and
  • you’ve updated, compacted, reindexed, and otherwise optimized its performance.

You’ve done that, haven’t you?

MySQL is a free, generic, fine database and it works well enough, but if you are concerned about performance or, from a security perspective, if you want your site to keep going when under attack, you are adding a lot of complexity for little benefit.

I say this as someone who is running my web site using WordPress with MySQL, a decision that I am reconsidering even as I write this.

Too Many Files

Computers are good at handling files. They open them, read them, and write them very, very well. It is what they do.

But, there is a cost.

Each time you attempt to open a file, the computer has to open the directory that holds the file you are requesting. It then searches through the directory entries to find the name of the file you want. Once it finds that entry, the directory tells the operating system where the actual file lives in the file system.

It all works a lot like your phone book…. you start with a name, and, eventually end up with a phone number that you call.

The operating system has to do this for every file you ask for.

This is somewhat costly from a performance perspective. While your operating system is very fast, the more times this happens, the more time it takes… and when your site is under attack, every millisecond counts.

Say your home page has 10 included files that need to be called within the page. If each file takes 10 milliseconds to open, then the page will take 100 milliseconds to open.

Not a big deal.

But, if you are getting hammered by page requests from a botnet of 2000 zombie computers, each making 100 requests per second, you are now getting hit by:

2000 zombies x 100 page requests x 100 milliseconds to open a page

or 2,000,000 million milliseconds of work for your server to do in 1,000,000 milliseconds

… and now your server is getting behind 1 second every second.

… and this is before your regular users’ traffic is included.

… not to mention the extra “hits” from your increasingly frustrated legitimate users.

Bye, bye server.

Operating systems are smart: they cache recently opened files. Web servers save recently opened pages. They are efficient. However, a denial of service attacker knows that caching is going on and can structure his attack to make caching work against you.

Active Pages

Lively, personalized websites are expected today. These are most easily achieved using server side scripting in PHP, Perl, or other programming languages. As seen above, processing takes processor time. When you are concerned about performance, you want to minimize the amount of processing on the server or the math of milliseconds starts working against you.

You can cheat using session variables and cookies to keep processing on the client side, but you may have to sacrifice personalization for performance.
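One way to check a candidate page against those three sins, as an added example that is not from the original post: the script below parses the page’s HTML, counts the subresources it pulls from your own host versus from remote services (the extra file opens on your server under attack), and flags URLs that look like they run server-side code or hit a database. The sample pages, hostnames and URLs in it are constructed placeholders.

```python
"""Audit an HTML page against the three "minimal essential site" sins.

Added example, not code from the original post. Counts the subresources a page
makes the browser fetch, splits them into same-host pulls (load on your own
server) and remote pulls (CDN or other sites), and flags URLs that look like
they hit server-side code or a database (query strings, .php/.cgi/.pl/.asp
paths). The sample pages and hostnames below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that make the browser fetch another file from some server.
FETCH_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
}

# Path suffixes that normally mean a server-side program runs on every request.
DYNAMIC_SUFFIXES = (".php", ".cgi", ".pl", ".asp", ".aspx", ".jsp")


class SubresourceCollector(HTMLParser):
    """Collect every URL the page will make the browser fetch."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets and icons are fetched; rel=canonical etc. are not.
            rel = (attrs.get("rel") or "").lower()
            if "stylesheet" not in rel and "icon" not in rel:
                return
        for name in wanted:
            value = attrs.get(name)
            if value:
                self.urls.append(urljoin(self.base_url, value))


def audit_page(html, page_url):
    """Return same-host pulls, remote pulls, dynamic-looking URLs and file opens."""
    parser = SubresourceCollector(page_url)
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    same_host, remote, dynamic = [], [], []
    for url in parser.urls:
        parts = urlsplit(url)
        (same_host if parts.hostname == own_host else remote).append(url)
        if parts.query or parts.path.lower().endswith(DYNAMIC_SUFFIXES):
            dynamic.append(url)
    return {
        "same_host_pulls": len(same_host),
        "remote_pulls": len(remote),
        "dynamic_urls": dynamic,
        # Each same-host pull is one more file open on the attacked server,
        # plus one for the page itself.
        "server_file_opens": 1 + len(same_host),
    }


# Constructed sample: placeholder host, a "rich" home page and a minimal one.
SAMPLE_PAGE_URL = "http://www.example.com/"
RICH_HTML = """<html><head>
<link rel="stylesheet" href="/css/theme.css">
<link rel="canonical" href="http://www.example.com/">
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib/jquery.min.js"></script>
</head><body>
<img src="/images/logo.png"><img src="/images/banner.png">
<iframe src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"></iframe>
<img src="/counter.php?page=home">
</body></html>"""
MINIMAL_HTML = """<html><head><style>body{font-family:sans-serif}</style></head>
<body><h1>Example Co.</h1><p>Phone: 555-0100. Email: info@example.com</p>
<script src="https://cdn.example.net/lib/jquery.min.js"></script>
</body></html>"""


def audit_sample():
    """Audit both constructed pages so the difference is visible side by side."""
    return {
        "rich": audit_page(RICH_HTML, SAMPLE_PAGE_URL),
        "minimal": audit_page(MINIMAL_HTML, SAMPLE_PAGE_URL),
    }


if __name__ == "__main__":
    for name, result in audit_sample().items():
        print(name, result)
```

Run it against your real home page's HTML and the number that matters under attack is `server_file_opens`: the minimal page costs one file open per visit, while every entry in `dynamic_urls` is a request that runs code or a query on the server you are trying to keep alive.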

A bit of consolation

Most of what you can do for performance tuning is going to help you with denial of service attacks.

Answering the question “What is my Minimum Essential Site?” can be good for your site and your business for the simple reason that you will know the answer to the question of what IS important for your online site.

You may find that your site itself is the problem… that you are denying yourself customers by having a site that obscures your business objectives behind clever graphics and fancy layouts.

Next Steps

Do you know what goes into your Minimal Essential Site?

Are you making sure your site is not making the risks of denial of service attack worse?

What would you have as your web site if it was only one page of basic HTML?

Security needs to move beyond fear to a business basis. The Bulletproof Security Bootcamp is my approach to helping you make better business security decisions so you can make more money. Understand the weak points in your business and take steps to fix them. Make sure you have your Minimal Essential Site available so you can switch to it if you are ever attacked.

For more security answers, sign up for the latest free security answers to your security questions.

If you’ve experienced a denial of service attack on yourself or your servers or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

The post Denial of Service Tactics – What is your minimal essential site? appeared first on Free2Secure.

Denial of Service – does your service provider have a plan? do you?
http://free2secure.com/denial-service-service-provider-plan/
Fri, 17 Apr 2015 19:08:06 +0000

It’s happened. You are the target of a denial of service attack. What do you do? But first, how do you know for sure?

Stephen Schleicher of Major Spoilers experienced a Denial of Service attack starting right before Thanksgiving in 2014.

He was on his way out of town, of course.

Stephen has a thriving membership site, but he was running lean like the rest of us. You can watch these two videos to see what it is like to be in the middle of a denial of service attack:

WARNING: Stephen is rather frustrated, so the language can get “colorful”.

No one wants to spend more than they need to on their site. So, you go with a bargain ISP, you go with a simple site or a virtual server (a high tech timeshare, basically), or as small a server as you can get away with.

Enough capability to run your site and deal with “ordinary” traffic surges and server hiccups.

You’re Running Out of Resources

Even though free2secure.com is a pretty small site, I still get periodic messages that I’m “close” to capacity on my server.

I’m not worried (yet), but it is probably an automated backup, a traffic spike, an aggressive spider, or some combination thereof.

We all live with it. We all watch it. We all delay and delay upgrading our systems.

Oops

Sometimes, we do something to ourselves. We install a new piece of software, add a scheduled task, or have a corrupted upload, a recovered backup, or a messed-up database that is causing our site to misbehave.

Thanks for your “service”

… and sometimes, it is something at your hosting provider. There’s a bozo on your server that is running a spam operation, has been hacked, or just got popular. You got moved to a new physical server with a slightly different configuration that works badly with your site, your server is on an overloaded network segment, or your server is just old.

I had a server that had a hardware failure. It is amazing how people tend not to believe that hardware can break. And it is impossible to isolate when hardware failure is not on the checklist.

There is a long list of problems that you should look at before you decide you are being hacked.

Still down

Of course if your site is really down, you probably can’t check what’s going on very well. Most administration tools run in the same space and on the same server as your live site.

So, if your site is down, you are as screwed as your visitors.

Now what?

So, you figure out, or your service provider tells you that you’re under attack. What is their plan? What is yours?

If you listen to Stephen’s description of the attack, it seems clear that his hosting company did not have a systematic plan for detecting and dealing with a denial of service attack.

Some techs were better than others, but the situation was seemingly being handled piecemeal.


At one point, the company turns on an “autoban” (a tool in the server, a firewall, or router that locks specific IP addresses out of the site or server to reduce the load on the site).

Except, one of the IP addresses that was being locked out was Stephen’s.

Oops.

Now he can’t log into his own server to try to fix anything.

And they are supposed to put his IP address on a “white list” (IP addresses that are definitely good), but it doesn’t seem to work.

Time to find a new hosting company.

(with lots of colorful language throughout).
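Here is what the allowlist-before-ban check should look like, as an added example that is neither the hosting company’s tool nor code from the original post. It counts requests per source IP over a sliding window from constructed access-log lines and bans IPs over a threshold, but consults the allowlist before counting anything, so the owner’s address is never locked out even when he is hammering reload on his own admin page. The IPs, thresholds and log lines are constructed for the example.

```python
"""Rate-based "autoban" that checks an allowlist before it counts or bans.

Added example, not the hosting company's tool or code from the original post.
Reads web-server access-log lines in the common log format, counts requests
per source IP inside a sliding window, and bans any IP over the threshold
unless it is on the allowlist. The IPs, thresholds and log lines below are
constructed for the example (TEST-NET documentation ranges).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Common log format: ip - - [dd/Mon/yyyy:HH:MM:SS zone] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


class AutoBan:
    def __init__(self, threshold, window_seconds, allowlist=()):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        # Allowlist entries may be single addresses or CIDR ranges.
        self.allow = [ipaddress.ip_network(a, strict=False) for a in allowlist]
        self.recent = defaultdict(deque)  # ip -> request times inside the window
        self.banned = {}                  # ip -> time the ban was applied

    def is_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def observe(self, ip, ts):
        """Feed one request; return True if this request triggered a ban."""
        # The allowlist is consulted first: allowed IPs are never counted,
        # so no burst of admin reloads can lock the owner out.
        if ip in self.banned or self.is_allowed(ip):
            return False
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop requests outside the window
            q.popleft()
        if len(q) > self.threshold:
            self.banned[ip] = ts
            del self.recent[ip]
            return True
        return False


def run_autoban(lines, threshold, window_seconds, allowlist=()):
    """Replay log lines through AutoBan and return the sorted list of banned IPs."""
    ban = AutoBan(threshold, window_seconds, allowlist)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ban.observe(*parsed)
    return sorted(ban.banned)


# Constructed sample log: the owner refreshing his admin page, two zombies,
# and one ordinary visitor, all within a few seconds of each other.
OWNER_IP = "203.0.113.10"
ZOMBIE_IPS = ["198.51.100.21", "198.51.100.22"]
VISITOR_IP = "192.0.2.7"
START = datetime(2014, 11, 26, 9, 0, 0, tzinfo=timezone.utc)


def make_lines(ip, count, step_seconds, path="/"):
    out = []
    for i in range(count):
        ts = (START + timedelta(seconds=i * step_seconds)).strftime(TS_FMT)
        out.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')
    return out


SAMPLE_LOG = (
    make_lines(OWNER_IP, 15, 0.3, "/wp-admin/")
    + sum((make_lines(z, 30, 0.1) for z in ZOMBIE_IPS), [])
    + make_lines(VISITOR_IP, 3, 2.0)
)


def ban_without_allowlist():
    """No allowlist: the owner is banned along with the zombies."""
    return run_autoban(SAMPLE_LOG, threshold=10, window_seconds=10)


def ban_with_allowlist():
    """Owner allowlisted: only the zombies are banned."""
    return run_autoban(SAMPLE_LOG, threshold=10, window_seconds=10,
                       allowlist=[OWNER_IP])


if __name__ == "__main__":
    print("without allowlist:", ban_without_allowlist())
    print("with allowlist:   ", ban_with_allowlist())
```

The order of the two checks in `observe` is the whole point: a tool that bans first and consults the white list later, or only at some other layer, reproduces exactly the lockout described above. Ask your hosting company which order theirs uses, and get your own addresses onto the list before an attack starts.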

What would you do?

Does your hosting company have a plan for managing denial of service attacks?

Does your hosting company have a systematic approach for isolating them or other service problems?

Have you asked your hosting company to see it?

Do you have a plan for managing denial of service attacks?

Do you have a systematic approach for isolating them or other service problems?

What is your plan to recover or rebuild your site and service with minimal loss and disruption at the lowest possible cost?

Next Steps

Stay tuned for more in this series of articles that will explore what being a target of a denial of service attack is like, what it costs to deal with one (more than you’d think), and how to plan just in case it happens to you.

Sign up for the latest free security answers to your security questions.

If you’ve experienced a Denial of Service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

The post Denial of Service – does your service provider have a plan? do you? appeared first on Free2Secure.

Denial of Service – Rent or Buy a Botnet?
http://free2secure.com/rent-or-buy-a-botnet/
Thu, 16 Apr 2015 22:37:31 +0000

Math sucks. You have to spend thousands of dollars, maybe even thousands of dollars per month to fight a distributed denial of service attack.

So, how much does it cost to be the bad guy?

It’s pretty cheap. Good for him, bad for you.

According to Symantec in August 2014, it was a deal:

Getting into the game yourself, it’s a steal:

DIY Botnet Kit – $20

Or, you can get the full ZeuS trojan package for between $200 and $500 (also Wired).

Your prices may vary, of course.

The math is not in your favor, unless you are the criminal, of course.

How do you fight something that is so cheap to implement and devastating to deal with?

Next steps

There’s a lot more to come. The more I’ve looked at denial of service, the more I’ve heard from people with concerns and scary stories.

What are your ideas for fighting this threat?

Sign up for the latest free security answers to your security questions about denial of service and a whole lot more:

If you’ve experienced a Denial of Service attack or have other security stories, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

The post Denial of Service – Rent or Buy a Botnet? appeared first on Free2Secure.

You are worth less than 50 cents – The pathetically small consequences of data disclosure
http://free2secure.com/worth-50-cents/
Thu, 16 Apr 2015 15:58:02 +0000

Target just announced that it was paying $19 million to settle its data breach of December 2013.

Big money, right?

40 million credit and debit cards and customer information were compromised.

If you are in the US, that probably includes you and me and a number of people you know.

$19 million divides into 40 million…

47.5 cents

By the way, it will cost you $4,930, on average, to recover from identity theft.

$4,930 of your money.

On average.

This is why we continue to have so many data breaches. It isn’t about PCI DSS (Target and Home Depot were compliant and still can process credit cards).

We don’t need a stronger PCI DSS framework from industry or government, we need accountability through liability.

No one is going to invest in good security if living with a problem costs less than 50 cents per person.

It is not good business.

By the way, things have gotten a bit more expensive.

The TJX data breach in 2005 disclosed 94 million individuals’ records and credit cards and cost the company $250 million.

A whopping 37.6 cents per person.

37.6 cents is all you were worth in 2005.

Almost 10 cents in 10 years?

Less than inflation?

Doing Better

The disconnect in cost and consequences is a security problem that shows up in a lot of places. Sign up for the latest free security answers to your security questions.

If you’ve experienced identity theft, a data breach, or other security incidents, share your experiences at the Free2Secure Discussion Group.

The post You are worth less than 50 cents – The pathetically small consequences of data disclosure appeared first on Free2Secure.

Denial of service – Measuring your countermeasures
http://free2secure.com/jamming-margin/
Wed, 15 Apr 2015 18:01:53 +0000

Denial of service. It is such a sterile term. It sounds like you forgot to wear a tie to a fancy restaurant and they won’t let you eat.

You aren’t being “denied service” when this happens online, you are being jammed.

Jamming

Since the early days of radio and radar, people have been jamming and being jammed. In its simplest form, the bad guys simply overwhelm your signal (radio station, radar, or whatever) with more power than you are putting out. No one can hear you. You can’t do anything.

If they are more powerful than you, you are jammed. If it is close, your signal is degraded, if not, you win.

Sound familiar?

Welcome to Electronic Warfare

Jamming is a serious problem for the military, in fact, the military invented a whole discipline about jamming and stopping jamming called Electronic Warfare.

Pretty cool stuff, if you are into such things.

The military also have a pretty simple concept for measuring the effectiveness of jamming and anti-jamming, and, in bureaucratic military fashion, they call it:

Jamming Margin

Jamming Margin

Definition: jamming margin: The level of interference (jamming) that a system is able to accept and still maintain a specified level of performance, such as maintain a specified bit-error ratio even though the signal-to-noise ratio is decreasing. [From Weik ’89]

Besides accurately describing what a denial of service attack looks like, it gives us a good way to measure how we are doing (are we gaining or losing jamming margin?).

It also allows us to measure the return on investment (ROI) of our distributed denial of service countermeasures and compare them to each other.

After all, at the end of the day, it is about costs and benefits.

There are a lot more denial of service attacks than you might think. They hit web sites big and small and huge.

Some denial of service attacks are unintentional. If you’ve run a small web site, I’m sure you’ve had the experience of the site getting sluggish and, when you contact technical support, you find out someone else on your server is a spam site or suddenly got popular.

You can even do it to yourself: you install some new application on your phone or computer and it falls over because the new app eats up all of the processing and memory.

Measuring Your Margin

There are a lot of metrics you can use. There are the obvious technical ones:

  • Bits per second
  • Connections per second
  • Memory
  • Processes
  • CPU Cycles

My favorites:

  • Dollars per Month
  • Lost revenue per day
  • Insurance cost

After all, you can always pay more money:

  1. Shared Host (free to cheap $ per month)
  2. Virtual Host (low to mid $$ per month)
  3. Dedicated Host (upper $$ to $$$ per month)
  4. Multiple Hosts with load balancing ($$$ to $$$$ and beyond)
  5. Multiple Sites (serious $$$$$$)
  6. Cloud ($ to $$ to $$$ to $$$$ to…. you run out of money)

There are other ways to get the same effect and we’ll get to them in a later article.

It’s your money

Once we’ve got metrics, we can get out our spreadsheets and plan. Too often we do our security planning based on fear.
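A spreadsheet-style version of that planning, as an added example that is not part of the original post: each hosting option is given a capacity in requests per second and a price (with a metered per-request component for the cloud option), the jamming margin is capacity divided by the load you plan for (normal traffic plus the attack), and the cheapest option that meets a required margin is chosen. The option names, capacities, prices and traffic figures are constructed placeholders, and the metered cost assumes the attack lasts the whole month.

```python
"""Jamming-margin planning across hosting options.

Added example, not from the original post. Jamming margin here is the ratio of
the capacity an option gives you to the load you plan to absorb (normal traffic
plus the attack you are budgeting for), measured in requests per second. Each
option is priced for a month spent under that load, and the cheapest option
that meets a required margin is chosen. Every number below is a constructed
placeholder, not a real provider's price list.
"""
from dataclasses import dataclass

SECONDS_PER_MONTH = 30 * 24 * 3600


@dataclass(frozen=True)
class HostingOption:
    name: str
    capacity_rps: float                         # sustained requests/second served
    dollars_per_month: float                    # fixed monthly price
    dollars_per_million_requests: float = 0.0   # metered component (cloud/grid)


def jamming_margin(opt, load_rps):
    """Capacity divided by load: above 1 you stay up, below 1 you are jammed."""
    return opt.capacity_rps / load_rps


def monthly_cost(opt, load_rps):
    """Fixed price plus the metered bill for a whole month at a steady load."""
    requests = load_rps * SECONDS_PER_MONTH
    return opt.dollars_per_month + opt.dollars_per_million_requests * requests / 1e6


def plan(options, normal_rps, attack_rps, required_margin):
    """Return per-option figures and the name of the cheapest option that qualifies."""
    load = normal_rps + attack_rps
    rows = []
    for opt in options:
        margin = jamming_margin(opt, load)
        cost = monthly_cost(opt, load)
        rows.append({
            "name": opt.name,
            "margin": round(margin, 2),
            "cost_under_attack": round(cost, 2),
            # Price per unit of margin lets you compare options to each other.
            "dollars_per_margin_unit": round(cost / margin, 2),
            "ok": margin >= required_margin,
        })
    qualifying = [r for r in rows if r["ok"]]
    best = min(qualifying, key=lambda r: r["cost_under_attack"])["name"] if qualifying else None
    return rows, best


# Constructed tiers mirroring the list above: shared through cloud.
OPTIONS = [
    HostingOption("Shared host", 50, 10),
    HostingOption("Virtual host", 500, 40),
    HostingOption("Dedicated host", 3000, 200),
    HostingOption("Load balanced", 12000, 900),
    HostingOption("Cloud", 100000, 50, dollars_per_million_requests=0.40),
]


def plan_sample():
    """Constructed scenario: 20 rps of real traffic plus a 2000 rps attack."""
    return plan(OPTIONS, normal_rps=20, attack_rps=2000, required_margin=1.5)


if __name__ == "__main__":
    rows, best = plan_sample()
    for r in rows:
        print(f"{r['name']:15} margin={r['margin']:>6}  "
              f"${r['cost_under_attack']:>9.2f}/month  ok={r['ok']}")
    print("cheapest option meeting the margin:", best)
```

In the constructed scenario the cloud option has by far the largest margin, yet its metered bill for a month under attack is larger than the load-balanced option's fixed price, which is the "drain your bank account" trade-off in numbers; the dedicated host sits just under the required margin, so it is the one you would be tempted by and the one that would fall over.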

Once we understand what we are buying (or not), we can ask better questions about what we are buying (or not).

And make better decisions about risk and threat and if and where to spend our scarce resources.

More money in our pocket.

What are your metrics?

What are the measures related to the continual availability of your business operations?

What are all the different pieces of your business operations that can be affected by these problems?

What are the choke points where you can most easily be overwhelmed?

Next steps

There’s a lot more to come. The more I’ve looked at denial of service, the more I’ve heard from people with concerns and scary stories.

Sign up for the latest free security answers to your security questions about denial of service and a whole lot more:

If you’ve experienced a Denial of Service attack or have other security stories, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

The post Denial of service – Measuring your countermeasures appeared first on Free2Secure.

Denial of Service – It could happen to you
http://free2secure.com/denial-of-service-1/
Tue, 14 Apr 2015 19:29:57 +0000

Click. Wait. No web site. Click. Wait. No web site. Click. Reload. No web site. It has happened to all of us. Click. Wait. Reload. No web site. A web site that you use or want to visit is unresponsive. Click. Wait. Reload. No web site. Maybe it is a bad day on the Internet. Click. Wait. Got the site. Enter username and password. Click. Wait. No web site. Maybe it is a bad day at the ISP. Click. Wait. Reload. No web site. SH*T. Not today.

We’ve all been there. Sometimes it is the Internet, your service provider, or your server.

Sometimes it is a Denial of Service attack.

We’ve all heard of denial of service attacks. Many of us have seen them from the outside at Sony or Microsoft or wherever.

It’s kind of a nuisance.

It’s not the same from the inside.

Inside a Denial of Service Attack

When you are getting hit with a Denial of Service attack, you can’t do a thing. Your business is drowning in a sea of screams. Your own customers become part of the problem.

Their unsuccessful attempts to visit or log in just add to the damage.

Your attempts to log in, maybe just to do something, anything, are excruciatingly slow.

If you can do anything at all.

You are locked out too.

Over the Christmas holidays, Sony’s Playstation Network and Microsoft’s Xbox Live were both targeted by denial of service attacks. Microsoft was down for a day and Sony for two days, with problems continuing for more than a week; some attacks have lasted a month or more.

It is no comfort to hear that some hacker group decided to do this just for the hell of it.

If they can knock out Microsoft or Sony, what about you?

I asked Thomas Bideax, Founder and CEO of Ico Partners, and Reinout te Brake, Managing Partner of GWC Investments and CEO of GetSocial, what their biggest security concern was, and they both said Denial of Service attacks.

Denial of Service attacks seem pretty abstract, something that happens to big companies and is a nuisance.

There is a lot more to it than that.

Stay tuned for a series of articles that will explore what being a target of a denial of service attack is like, what it costs to deal with one (more than you’d think), and how to plan just in case it happens to you.

Sign up for the latest free security answers to your security questions.

If you’ve experienced a Denial of Service attack or other security incidents, share your experiences at the Free2Secure Discussion Group.

And if you have any security questions, ask me.

The post Denial of Service – It could happen to you appeared first on Free2Secure.

Thank you for your application to the Bulletproof Security Bootcamp
http://free2secure.com/application-thank-you/
Mon, 13 Apr 2015 16:41:37 +0000

Thank you for your application to the Bulletproof Security Bootcamp. You should be receiving an email confirming your application shortly. Please add my email to your contact list so that it doesn’t wind up in your spam folder.

I will get back to you soon.

If you don’t receive a confirmation email within a day (hopefully, a lot sooner), shoot me a note at: steve@free2secure.com and we’ll fix the problem.

In the meantime, make sure to join the free security answers mailing list.



Also, be sure to join the Free2Secure Discussion Group over at LinkedIn.

And, if you need an answer to a specific security question, submit one.

My goal is to get back to you in less than a week, but life and the specifics of your application may slow me down.

Thank you again.

Steve

The post Thank you for your application to the Bulletproof Security Bootcamp appeared first on Free2Secure.

Thank you for your Question
http://free2secure.com/thank-question/
Thu, 09 Apr 2015 16:11:09 +0000

Thank you for submitting a question. You should receive a confirmation email to the email that you used.

If you haven’t signed up to get your free security answers, sign up now.



Also, be sure to join the Free2Secure Discussion Group over at LinkedIn.

My goal is to get back to you in less than a week, but life and the complexity of your question may slow me down a bit.

Thank you again.

Steve

The post Thank you for your Question appeared first on Free2Secure.

Unsubscribe Confirmed
http://free2secure.com/unsubscribe-confirmed/
Wed, 08 Apr 2015 19:53:44 +0000

Your email and personal data have been removed from our email database.

Please do let me know if there was anything that I could have done to keep you part of this community. If you would be willing to share your reasons for leaving, my email is steve@free2secure.com.

Good luck with your future endeavors.


Steve

The post Unsubscribe Confirmed appeared first on Free2Secure.

Subscription Confirmed
http://free2secure.com/subscription-confirmed/
Wed, 08 Apr 2015 19:50:38 +0000

Your subscription has been confirmed. Thank you for joining.

Please do shoot me a security question, also, check out the security resources and answer archive.

If you haven’t signed up yet, do join the Free2Secure Discussion Group.

As always, if you have any other questions, comments, or issues, email me at steve@free2secure.com

The post Subscription Confirmed appeared first on Free2Secure.

]]>
http://free2secure.com/subscription-confirmed/feed/ 0
Thank you for joining! | http://free2secure.com/thank-you/ | Wed, 08 Apr 2015 19:15:18 +0000

Thank you for signing up to get free security answers and joining the Free2Secure Discussion community.

You will receive an email shortly asking you to confirm your subscription. Please make sure to add my email to your contact list so that your security answers don’t disappear into your spam folder.

If you have a security question that you would like answered, submit it here.

Also, we have a community of like-minded business and security professionals; please join the Free2Secure Discussion Group.

If you have any other questions, comments, or issues, email me at steve@free2secure.com.

Answers to Your Security Questions | http://free2secure.com/answers-security-questions/ | Wed, 08 Apr 2015 18:27:38 +0000

Security can be intimidating. If you have a question that affects the security of your business, it is important. Please share it with me and the rest of the Free2Secure business security community.

I will get back to you with a direct response as quickly as I can. If you do not hear from me within a week, or if you have problems submitting the form, please email me at steve@free2secure.com.

Bulletproof Security Bootcamp | http://free2secure.com/bulletproof-security-bootcamp/ | Mon, 06 Apr 2015 17:05:38 +0000

You know you need security, but you aren’t quite sure what that means or how to get there.

What is it?

Bulletproof Security Bootcamp is a systematic process that helps you determine what your real security needs are, how to prioritize them, and the steps you need to take to make sure that your business or system is protected.

Why will it work for you?

I’ve worked on security projects ranging from $100 million nuclear command and control systems to startups with a marked-up napkin and nothing more. Since 1987, I’ve had many successes and some notable failures. The key to security success is deep integration of security into the project from the beginning.

This works great, but it is very, very expensive.

It also isn’t very efficient.

Bulletproof Security Bootcamp

The Bulletproof Security Bootcamp is the process that I’ve developed to turn hundreds of hours of security staff work into a systematic methodology: starting with where your business is today, developing a plan, and taking you down into your security tactics.

The key to your security success is to start with your business goals, revenue, and costs, and to make sure that your security is aligned with your money.

Security is too often about fear and rhetoric, not revenue.

Are you ready for security to help you make some money?

Next Steps

This program is under development now and I am looking for large and small companies and projects to ensure that the Bulletproof Security Bootcamp is actually bulletproof.

If you are interested in getting the benefits of this program, as well as extra security advice, fill out the application below so I can review your situation and see whether you are a good fit for where the program is today.

Thank you for your interest in the Bulletproof Security Bootcamp.

Getting Started | http://free2secure.com/getting-started/ | Mon, 06 Apr 2015 17:01:52 +0000

Security can be intimidating. If it were easy, everyone would be doing it right, the thieves would be out of a job, and so would all of us security folk.

I want you to start using smart security to make more money.

Fast.

1. Get answers immediately

Check out the archive of security answers to see if your questions have already been answered.

2. Keep up to date

If you want to see what is bothering your fellow businessmen and women, sign up for the latest free security answers.

3. Join the community

You aren’t the only one with security concerns that may be hurting your business. Join the Free2Secure Discussion Group and share your experiences and learn from theirs.

4. Ask questions

Contact me with your security questions or concerns about what may threaten your business. I want to help you. You’ve got nothing to lose; it’s free.

5. Check out my books, guides, and software

In addition to advice, answers, and strategies, some problems require a bit more to answer. My growing set of books, guides and worksheets, and software are there to help you. If something you want doesn’t exist, contact me.

6. Sign up for the Bulletproof Security Bootcamp

If you are concerned that your security is causing you to lose money or that better security may help you make more money, sign up for the Bulletproof Security Bootcamp to understand, assess, and improve the security of your business, project, or system.

7. Ask

If none of this helps, contact me, and we’ll see what you and I can do together.

Incoming! Secure Your Remote Client Data / Server Communications | http://free2secure.com/incoming/ | Wed, 04 Mar 2015 03:48:44 +0000

Getting user data to the server is a key part of many online applications, including video games. Encryption alone is not the answer. Here’s how you ensure that you get the data you want to your server.

If you can’t see the presentation, click to view.

Next steps

There is a lot more that can be done to protect your online service. Join the Free2Secure Discussion Group, ask your questions, share your comments, add to the solutions.

If you are interested in keeping up with the latest books, articles, and tools from me at Free2Secure, send me an email at steve @ free2secure.com with the subject “Subscribe”.

Finally, if you have any security questions or issues, shoot me a note at steve @ free2secure.com with the subject “Help”.

Who am I? Check out Steve Davis at LinkedIn.
