Stories by Mathias Thurman

Security Manager's Journal: Without patch management, you are nothing.

Does it all come down to patch management? As a security manager, I pursue many initiatives, striving to protect the company on many fronts. But patch management is a key metric of our risk exposure, since there is a direct correlation between security incidents and patch compliance. So, in a way, it does all come down to something as basic as patch management, because if we fail there, we can't be secure.

Mathias Thurman | 08 Jun

These rules will keep users in their place

As information security professionals, we tend to throw around certain terms when we talk about how information security should be implemented. Lately, when I've gone to meetings or written an e-mail that gives me a chance to evangelize about our security needs, my terms of preference have been "rule of least privilege" and "separation of duties."

Mathias Thurman | 26 Apr

IDS pays off, even if there's no hacking

When I came into work after the weekend, a very interesting e-mail message was waiting for me. The message, with the subject line "Account Alert," appeared to be from our help desk. It requested that I read an attached document pertaining to my user account.

Mathias Thurman | 12 Jul

Protecting the crown jewels

You would probably imagine that a company that writes and sells software would make the protection of that software paramount. That's why it's hard to believe that my company has implemented no comprehensive efforts to prevent its bread-and-butter software from falling into the wrong hands.

Mathias Thurman | 01 Jun

VPN evolution progressing to SSL

For several years, my company used Microsoft's Point-to-Point Tunneling Protocol (PPTP) to provide remote users with VPN access to corporate resources. This worked well, and almost all employees who had PPTP permissions were comfortable with this method. But after several security problems with PPTP were reported, we decided about a year ago to deploy virtual private network concentrators from Cisco Systems at all of our core points of presence.

Mathias Thurman | 30 Nov

Single sign-on effort falls short

Just when I thought we had solved one set of IT security problems by getting the human resources department to properly train new hires, another has cropped up with our IT team and a new single sign-on system it has deployed. The system was designed without input from the IT security team and at least one other department that will be affected. Now we're dealing with the issues after the fact.

Mathias Thurman | 16 Dec