Trust but Verify

Kevin Beaver, independent consultant, expert witness and keynote speaker with Atlanta-based Principle Logic, LLC, delves into the world of information security. Practical and meaningful - just what you need to know to stay on top of security in order to keep your business secure. You can reach Kevin and find out more about his background at www.principlelogic.com.
Feb 05, 2010
kbeaver

...I disagree.
Putting your information security eggs in one basket by using only a vulnerability scanner in the name of PCI DSS or some "This site is secure" seal to test your Web security is one of the greatest ways to get yourself - and your business - in a bind.

I talk about this topic more in depth in this recent post:
Looking past Layer 7

...as well as these articles:
Security scan results: Take them with a grain of salt
Something you need to know about all in one scanners
Web application hacking: inside the mind of an attacker
The bottom line: just because your network admin or some outside consultant or vendor ran a basic security scan on your systems and everything checked out okay doesn't mean everything really is.


Feb 02, 2010
kbeaver

In case you missed it on the Atlanta news yesterday, check out this train/truck crash that happened in downtown Acworth. Great example of why we have to set our users up for success in IT.

Feb 01, 2010
kbeaver

Here's a new blog post I just made over at Security On Wheels regarding one of my pet peeves with security - telling users that they need to select strong passwords on their computer systems and leaving it up to them to do the right thing. Perfect example of how you simply cannot rely on users to enhance your information security.

Jan 28, 2010
kbeaver

If you're currently looking for a job in IT in/around Atlanta with the unemployment rate at 10.1% you know how difficult things can be. Deep down you likely know that you've got to do something to stand out above the noise so you can land that new position. But what is that? Do you network more, do you go back to school, do you get a certification, or do you run on a platform of "hope" and wait on the sidelines for things to happen?


Jan 26, 2010
kbeaver

Here's a webinar I'm taking part in this Thursday that you may want to check out:

Application Security, Inc.'s Five Burning Questions Series: 2010 IT Security Auditor's Roundtable

I'm not digging the "auditor" angle because, well, I'm not an auditor in the traditional sense. It's just semantics... :-)
Hope to "see" you there!

Jan 25, 2010
kbeaver

Check out my new Smart IT blog http://features.bizmore.com/blog/smart-it which will complement my work here in Trust but Verify.

My goal with Smart IT is to help you be sensible with IT and use it to your advantage for your small business. Whether you’re a tech-savvy entrepreneur, a business-focused manager, an IT specialist, or combination of all three I’ll have something for you.
Also, be sure to check out the IT and information security audio programs I’ve recorded and information security books, articles, and whitepapers I’ve written — including a link to my Twitter page — at www.principlelogic.com/resources.html.
Jan 22, 2010
kbeaver

Are you one of the many, many businesses that hosts its own Web site or application at a third-party facility? Be it a managed services data center here in Atlanta or a low-cost provider on the West coast, you (and they) have some work to do. Let me explain.

You've heard of Network Solutions, one of the original big-name Web registrars, which happens to provide Web hosting services for a lot of businesses? Well, their Web hosting systems were recently hacked and thousands of businesses' Web pages were defaced and ended up looking like this:


...Ouch. All because someone somewhere didn't take responsibility for their systems to find (and fix) a Web vulnerability that's been around for years. Unbelievable.

Jan 22, 2010
kbeaver

If Web security and document redaction play a role in what you do, check out my recent information security articles and podcast focusing on changes coming to the OWASP Top 10 this year, how to secure Web servers in Windows environments, and, finally, you'll really enjoy this story about our lovely and capable TSA and how their screening procedures document was leaked.

http://securityonwheels.blogspot.com/2010/01/my-latest-information-security-content.html

Enjoy!

Jan 20, 2010
kbeaver

I just saw this press release about 2010 being a pivotal year for the healthcare industry and the adoption of electronic health records. I've been seeing a lot about EHR, etc. within TAG and other groups here in town as well. It looks like healthcare IT is finally moving into the 20th century. ;-)
If you're one of these organizations jumping on the EHR bandwagon, just know that adoption, implementation, and basic administration of these systems is only the beginning. There's this other thing called compliance you've got hanging over your head as well. Both HIPAA and the HITECH Act are far reaching, especially when it comes to these sensitive electronic records. And they equally apply to both healthcare providers and their business associates.
Don't let your guard down and never ever let your EHR vendors tell you that just because you're using their product that you're going to be HIPAA or HITECH "compliant". Compliance doesn't come in a box.

Jan 15, 2010
kbeaver

You may have heard that Gartner projects IT spending to increase in 2010. This will likely lead to hiring new staff or at least new consultants for your IT and information security projects. Just don't fall for the "I'm certified, therefore I'm all you need" persona. There are a lot of people out there looking for work, many of whom have added one, two, perhaps four IT/security certifications such as CCNA and CISSP to their names over the past year. But you have to be forewarned: just because someone has relevant training doesn't mean he or she is going to be a disciplined worker, or a good communicator, or have goals, or possess that stick-to-itiveness required to succeed in IT. Certification only goes so far. In fact, I've often found that the more certifications one has, the harder he or she is "trying" to prove something to mask other deficiencies (likely the very things you're in need of).

It's a harsh reality but it is what it is. Buyer beware.