Safelight Security Advisors

Safelight Security hiring in Rochester, NY!

Paul — Thu, 26 Aug 2010 16:46:56 +0000

Our team in Rochester, NY is growing. Safelight Security, a young and fast moving media and training firm specializing in application security education, is actively looking for a Junior Flash Animator to be based in Rochester, NY. The successful job candidate will report to the Development Manager but will be a highly motivated self starter. Projects will include rapid eLearning development, creation of animation sequences for our core products and working with other team members to develop the most engaging eLearning products on information security. If you, or someone you know, may be interested in this position, please visit to: http://safelightsecurity.com/about/careers/ And get in touch with us at careers@safelightsecurity.com.

Threatpost: Rob Cheyne on Security Education and the Problem of People in Security

Jess Hawks — Thu, 08 Jul 2010 16:25:59 +0000

Safelight CEO Rob Cheyne talks with Threatpost’s Dennis Fisher about why security is every employee’s responsibility and how companies can shift the way they communicate with users about the value of information and their role in protecting it.

Listen to the podcast.

Safelight Security Launches On-demand Information Security Awareness Course with Free Day of Staff Training

Kim Novino — Wed, 07 Jul 2010 17:21:47 +0000

Security Awareness Boot Camp on July 16 aims to reduce information risk by educating all employees

PROVIDENCE, RI (July 7, 2010) – Employees are a company’s primary line of security defense, but they often don’t have the skills to identify and prevent a potential breach. Safelight Security, a leading provider of security education programs, today announced the release of its new, on-demand Information Security Awareness course designed to make staff more aware of security risks and educate them on how to protect sensitive information. Safelight is offering organizations an opportunity to take the entire course for free during the company’s Security Awareness Boot Camp on July 16.

“Companies have made huge investments in technology to reduce their security risk, but have underestimated the importance of educating their employees—people who are in a position to protect or expose sensitive information every day,” said Safelight Chief Executive Officer Rob Cheyne. “We strongly believe that security is every employee’s responsibility. We’re hosting the boot camp to help companies kick-start their awareness programs.”

During Safelight’s Security Awareness Boot Camp, companies can send as many employees as they would like to the free, on-demand Information Security Awareness training course. The 90-minute course covers fourteen basic security topics teaching employees how to recognize and protect sensitive information. Presented in five modules, the course delivers deep content through highly interactive, scenario-based lessons that engage students and reinforce learning.

Lesson Topics:

• Identity theft
• Insider threats
• Industrial espionage

• Introduction to social engineering
• Tips for spotting social engineering attacks
• Best practices to mitigate social engineering attacks

• Hardware theft
• Travel security

• Wireless security
• Computer malware

• Sensitive information
• Password protection
• Email precautions
• Reporting and responding to threats

Companies can sign up for the free course on Safelight’s Security Awareness Boot Camp page.

Safelight is also offering special pricing on two of its on-demand courses for general staff: Information Security Awareness and Information Privacy. Through August 31, companies will receive a 20 percent discount on the new Information Security Awareness course and a 15 percent discount on the Information Privacy course. Safelight’s Information Privacy course equips employees to better identify and manage sensitive corporate information and is designed to expedite compliance with Massachusetts 201 CMR 17 and other state and federal privacy regulations. Companies can sign up to receive the special pricing on Safelight’s Summer Savings page.

Learn more about Safelight’s full range of instructor-led and on-demand courses, visit the Education Programs section of the company’s web site.

About Safelight Security

# # #

OWASP Boston Lighting Talk: Cross Site Scripting, Reflected and Persistent

Kim Novino — Fri, 28 May 2010 17:12:06 +0000

In the second installment of Safelight’s Lightning Talk series, Rob Cheyne will present the basics of cross-site scripting (XSS) at OWASP Boston.

He will cover the two primary methods of XSS attack, reflected and persistent, as well as provide detailed demonstrations that show how an attacker would use these methods in the real world.

As part of the demo, Rob will go beyond proof of concept and present an example of a “weaponized” JavaScript that could be used to steal another user’s session information.

Rob will also offer practical tips for defending against cross-site scripting flaws in your own applications.

When: June 2, 2010

Time: 6:30 p.m.

Where: Microsoft offices at the Waltham Weston Corporate Center, 201 Jones Rd., Sixth Floor Waltham, MA

Safelight Headlines OWASP Boston with Monthly Lightning Talk Series

Kim Novino — Wed, 05 May 2010 19:33:01 +0000

IT Security Education Key to Defending Against OWASP Top 10 Most Critical Web Application Vulnerabilities

In the first of the Safelight Security Advisors Lightning Talk Series, CEO Rob Cheyne will discuss “An Introduction to SQL Injection,” at the Open Web Application Security Project (OWASP) Boston chapter meeting, Monday, May 3.

Rob will cover the methodology used by professional attackers, along with detailed demonstrations of one of the most common and dangerous OWASP Top 10 issues.

After demonstrating how SQL injection can be used to run system commands and gain root access on a database server, Rob will provide practical tips for defending against SQL injection flaws.

Safelight’s Lightning talks are designed for members newer to OWASP interested in understanding the basics of web application security, although everyone should feel free to attend.

When: May 3, 2010, with subsequent meetings typically the first Wednesday of the month

6:30 – 7:00 p.m. Networking 7:00 – 9:00 p.m. Main Presentations Join the Boston mailing list.

6 Tips for using online remote login services SAFELY

Rob — Sat, 27 Mar 2010 07:36:21 +0000

This week I am out at a Peak Potentials boot camp called Guerilla Business School. It has been absolutely fantastic and I would highly recommend it to anyone!

This is a PUBLIC SERVICE ANNOUNCEMENT for those who are in the seminar and attended Alex Mandossian’s excellent session on web-based marketing.

Today when we were talking about free online sites, a service called LogMeIn.com came up. LogMeIn is a site that facilitates logging into your PC from anywhere in the world.

These types of services can be extremely convenient, but there are some very important security considerations that must be taken. Failure to take appropriate precautions opens you up to ATTACK by professional criminals from ANYWHERE in the world.

I poked around the site, and it seems to offer decent security options, but unfortunately MOST people opt for the LEAST security possible for CONVENIENCE purposes, and the WEAKEST LINK in every security system is often YOU.

Let’s be clear. This site allows you FULL ACCESS to your computer from ANYWHERE in the world.

Here are some tips to use this type of site safely. These are the same tips I teach to my corporate customers:

1) This is an OPEN door into YOUR computer! Only use a service like this if you have a compelling reason. Any open door is a potential security hole for hackers. If the door is not open, the hacker cannot get in.

2) Use ALL the security features they offer! For example, this service has a feature that allows you to check the logs to see who is logging in – USE IT! Also, look into features such as one-time passwords and RSA SecurID tokens. These are significant security improvements.

3) HOW you log into your computer MATTERS. In order to use the service, you must log into the site as well as your computer. Most people log into their computer as an ADMINISTRATOR. AVOID doing this at all costs. Ideally, create a special guest account with low privileges, and use THAT account for this service. This ONE THING will make a HUGE difference. In fact, the less often you log into your computer as an administrator, the better.

4) Strong passwords are CRITICAL. Unfortunately, most people get this completely WRONG!

A few words on passwords. Remember, you are allowing people to log in to your computer from ANYWHERE in the world! You MUST use STRONG authentication. Passwords MUST be L-O-N-G and complex.

Passwords should be at least 8 characters (more is even better), and a combination of letters, numbers, and special characters.

Just for the record, if I were to allow a service to log me in from anywhere in the world, I would choose AT LEAST a 14 character password.

An easy way to remember a long password is to choose a quote from a movie, book, or song that you like. For example, a favorite movie of mine is The Princess Bride.

A popular quote from the movie is:
“Hello, my name is Inigo Montoya. You killed my father, prepare to Die!”

To choose a password using this quote, use the first letter of each word and include the special character. In this case, it becomes:
H,mniIM.Ykmf,ptD!

Believe it or not, this is a 17 character password that you will NEVER forget!

Also, passwords should NEVER look anything like words, even if you use the popular technique of substituting symbols for letters or numbers. For example, @ for A, 5 for S, etc.

Using this method, Password might become P@5sw0rd

Just to be clear, this is NOT a secure method of choosing a password! All good hackers know this trick, and the book/movie/song quote method I discussed above is MUCH better.

5) WHERE you store your passwords matters! Do NOT store your password on your computer, phone or PDA unless it is encrypted! If you do not know how to do this, you are probably better off writing it down somewhere safe at home, or memorizing it.

Remember: if you store it digitally, it can be STOLEN!

6) Don’t make all your passwords the same! A common method of IDENTITY THEFT is to break into one account, and then quickly log into all your other accounts that use the same password. Use DIFFERENT passwords for EVERY site! This goes double for online remote login services!

Think secure and be secure!
–rob

Top 5 Things I don’t want to hear at RSA this year

Rob — Mon, 01 Mar 2010 08:20:51 +0000

This year marks my 10th year attending the RSA conference. While the conference (and the security industry) has grown significantly in that time, the marketing conversation from the vendors has not.

Since I’m on the people and process side of things, it annoys me to no end when I see vendors proclaiming some of the nonsense that they do. One of my hobbies has become talking to the vendors to see just how thick they are shoveling the BS (Apparently I am a glutton for punishment). The old adage of course applies: if it sounds too good to be true, then it probably is.

With that said, here are the top 5 things I do NOT want to hear on the RSA Expo floor this year.

#5) We’ve secured the cloud. First of all, we haven’t even defined the cloud. It typically means outsourcing some part of your system to somebody else’s infrastructure, but what that actually means varies tremendously once you get down into the details. If you can’t define it, you probably can’t secure it either. The reality is way too complex to make such blanket statements.

#4) Advanced Persistent Threat. Ever since the recent google hack, this term has been thrown around quite a bit. The so-called “Advanced Persistent Threat” is something that has always been there, and probably always will – the sophisticated attacker on the inside. If somebody tells you they have a solution that is guaranteed to deter the sophisticated, targeted inside attack, run away as quickly as possible. You can mitigate this problem, but you will never completely prevent it.

#3) “We’ve solved the application security problem.” I actually had a vendor say this to me with a straight face last year. Let’s be clear. No you haven’t. Case in point: one of my colleagues, a professional penetration tester, told me a story about a test they did where an application firewall was in place. The firewall was thwarting all of their attacks for the first day, so on day two the team shifted their focus to the application firewall. After they succeeded in killing it, the tests ran smoothly from there on out. Once again, the reality is way too complex for blanket statements.

#2) Our product is secure because it’s never been broken. Is that really your criteria for security? That’s like saying “I know there’s no life on other planets because I haven’t personally seen any yet.” How about “we make our product as secure as possible by incorporating secure development practices into our lifecycle, and we hire reputable third parties to thoroughly penetration test our product?” That would be a good start. Pro tip: the reason your product hasn’t been broken is most likely because the right person hasn’t looked at it yet. ALL applications have bugs!

#1) Nothing can get past our [Firewall/Anti-virus/IDS/IPS/Wizbang new security product]. Repeat after me: There is no silver bullet and there is NO SUCH THING as 100% security! It’s OK! No one actually expects you to be perfectly secure. It’s all about what you do AFTER you’ve been hacked that matters. Misinforming your customers by saying that your product is 100% secure makes you look silly and ultimately puts your customers at greater risk. I would much rather have no security at all than a FALSE sense of security.

As a reminder to all the RSA Expo vendors, we have created a special limited edition t-shirt for you to wear on the Expo floor:

Stop by booth #2058 to pick up your t-shirt while they last!

Join Us at the RSA 2010 Conference

Kim Novino — Fri, 19 Feb 2010 17:21:54 +0000

RSA 2010 Conference

March 1-3

Moscone Center

San Francisco, CA

Join Safelight at Booth #2058 to see the latest in information security training, including our newest online learning programs. Attend our customer presentation, Banking on Security Education with State Street Bank’s Vice President Jeff Richard, and cocktail reception from 6:00 -8:00 p.m. at The St. Regis Hotel to hear how this leading financial institution rolled out a comprehensive security training program for thousands of developers worldwide. You must register for this event in advance in order to attend.

Information Security Training Lacking

Kim Novino — Fri, 12 Feb 2010 20:35:52 +0000

Two out of three IT security professionals say the risk of data or systems breaches is related to a lack of training.

IT security professionals ranked the threat of a data breach and the resulting damage to their company brand, and loss of customer loyalty and sales as the top business driver for information security training. Though surprisingly, the majority of companies do not have formal training programs to educate staff, according to Safelight Security Advisors’ survey. Two out of three companies directly link data or systems breaches, or the risk of them, to a lack of security training at their organizations.

Yet, the state of security training is fairly bleak even with information security programs in place. Only half of companies who rate themselves a low risk for a data or systems breach say their information security policies are effective at helping to prevent them. Often times security training courses are available, but not required for those on the front lines of information security: a company’s IT and development staff.

In this survey, 60 IT security decision makers from a range of industries were asked how their companies are integrating people into their information security strategies and what practices are most effective. They were asked to estimate their current risk for a data or system breach and were categorized as either a low or high risk company. A data or systems breach was defined as including the accidental loss of control over sensitive data to malicious theft of data by insiders or external threats. They also responded to questions about the effectiveness of their organization’s security programs in people, process and technology areas, the security awareness of their management teams and the effectiveness of training IT and non-IT staff as well as IT and non-IT vendors and contractors.

You can download the complete report on the study. In today’s tough economic climate where expensive technology investments may be temporarily on hold, smaller, incremental investments targeted at training personnel on security awareness and compliance, as well as processes for ongoing security risk assessment, security procedure definition and implementation, and compliance tracking, may return significant reductions in risks for companies.

Webcast: “New Technology Wearing Hand-Me-Down Vulns”

Kim Novino — Wed, 10 Feb 2010 21:51:17 +0000

Safelight’s CEO Rob Cheyne will present a webcast for the Microsoft SDL Pro Network community on “New Technology Wearing Hand-Me-Down Vulns,” February 25, 2010 from 1:00-1:30 p.m. EDT.

Using a web service as an example, Rob will demonstrate how classic vulnerabilities can crop up in new technologies and how applying SDL principles can help build secure systems. Register for the Webcast.