Don’t get me wrong at all, I love Cloud computing and even invest in cloud computing companies but since cloud computing is becoming more popular than ever as more and more applications core to our businesses move into the cloud we need to consider some of our own risks. One thing I’m not sure if you or your business has thought of is availability on your own end (your internet connections). Availability is not just on the provider side which is normally fully redundant. Being that I am a CISSP, of course I know the clever Triad, but given that most of availability issues are still addressed by other parts of our organizations (network engineering, telecom etc). I know that I myself mostly focus on confidentiality and integrity related controls and not on availability. I don’t think I’m the only one in the security industry that is in this boat.
So, if we take a moment and step back from our little paper cluttered desks filled with pie charts and excel spreadsheets of PCI or SOX controls and take a look at availability, we should ask ourselves these questions: Would our company function if we lost our primary internet connection? How about if we lost our internet connections entirely? How about if a global routing event or some other attack on the Root DNS servers was successful? hmm…
My 2 cents is that companies are relying very heavily on a mixed bag of routing protocols and interconnected networks who don’t always have your company’s goals at heart. I’d love to see a lawyer try and say that the company internet connection going down should be reimbursed to the level of reliance that has been placed on those same connections. So please please please ensure you have fully redundant internet connections and think this issue through. Keep in mind that you may have two circuits coming out of your data center but they often could go physically through the same single fiber connection at the Telco (a single point of failure). You should also consider financial risks associated with the 2nd and 3rd Tier cloud providers. Providers such as Salesforce.com and Amazon are best suited to provide you financial stability and fault tolerance, but startups often lack the resources or money to really cover all these availability issues effectively so be cautious and have a backup plan in place to address any of the issues that could arise.
More questions to ask….If your internet went down:
1. Would your helpdesk software work?
2. Would your finance portal work?
3. Would your out-sourced marketing work?
4. Would your advertising continue?
5. Would your paycheck administration continue?
6. Would your recruiting efforts continue?
8. Would your customers be able to buy from you?
9. Would your banks be able to communicate to you?
10. Would you be able to get updates for your operating systems?
The list goes on and on…. Think about it at least a little.
With all of today’s focus on securing for PCI or SOX we often find ourselves leaving our security risk management priorities behind. As we all know there are many ways to breach the security of a corporation and many safeguards we have to select from.
Which brings me to the fact that there are many internal web applications used inside companies that we sometimes forget that can cause the rest of our security to fail. Good examples of such sites are intranets, bug tracking apps, internal document websites, employee benefit portals, time tracking portals etc.
It only takes one of these sites using a non-encrypted session (i.e. no ssl) to render an entire corporate PCI or SOX security paradigm useless. One single use of Cain & Abel sniffer tool along with ARP spoofing can suck down the passwords your privileged users use and give rise to an attacker gaining access to your sensitive data.
Although most corporations ask employees to use different or more complex passwords on disperate applications, the move to centralized LDAP or AD authenticated environments means now passwords are no longer different on these systems.
The moral of this story is, please don’t ignore your weakest link. Security is end to end.
I’ve not blogged in quite some time, mostly due to being very busy these days. However I felt I should talk a bit about compliance and how it seems to have changed security from eliminating threats to eliminating compliance gaps.
In the last few years, many regulations have emerged that are now controlling our security initiatives and goals. PCI, SOX, HIPAA, SB1386, Massachusetts Privacy Law, and more on the way. Now, I’m not one to say that regulation does not help in some respects, but often it has undesirable effects that cause many security professionals much discomfort.
What I feel has changed in the security landscape is rather than targeting the latest “threats” we find ourselves doing burdensome business processes which do little or nothing to improve the overall security of our companies. One notable pain point is in an area of PCI that I think drives many of us nuts. The “log review” provision.
In PCI 1.2, the requirement for daily log review in and of itself is well intentioned and something that I cannot argue cause most of us don’t do enough of it. What I find difficult is that we find ourselves reviewing things such as “successful logins” or “failed logins” to comply with these stated controls and I feel there is very little value to doing so. Many companies mandate that system owners review these logs on a daily basis, is our investment really giving us a return? For instance, most companies utilize domain policies that cause account lockout to occur at 5 times and complex passwords to be employed. This represents a compensating control and therefore monitoring and reviewing failed logins is burdensome and unnecessary. That being said, there is still residual value if you receive alerts or reports of extremely high numbers of login failures so it does make sense to monitor for those.
Another issue that I see happening across the industry is when executives make financial decisions based on whether or not they meet these minimum regulations. Often my friends have told me that their companies are cutting back their budgets once they receive their PCI ROC, or their HIPAA compliance report etc. This causes security professionals to face the daunting task of justifying their budgets to mitigate threats against a management who’s already met the minimum bar. Quite a quandary for many of us. I am very hopeful that PCI will continue to morph so that it addresses threats more directly by requiring harder line approaches such as actual inline IPS’s being mandatory and in a blocking state. Or ensuring that application Firewalls are mandatory. Gone are the days you can expose an application to the dirty internet without all your defenses in an active state.
Lawrence , has many years of experience within organizations of varying sizes with an extensive background in engineering, technical architecture, networking, security policies, procedures, systems analysis and auditing. Throughout his career, Lawrence has engaged in extensive consulting efforts for organizations of all sizes, he and is an active member of multiple non-profit organizations. Lawrence was a founding board member of the Digital Forensics Association where he served as Vice President and he is currently working as a Research Director and Market Analyst at Gartner, Inc. At Gartner, Lawrence continues to engage daily as a strategic advisor for literally hundreds of organizations worldwide and enjoys helping individuals become more successful with their businesses.
• Served as Vice President of the Digital Forensics Association
• Member of the Silicon Valley chapter of the ISSA (Information Systems Security Association).
• Member of the Open Web Application Security Project (OWASP)
• Served as Vice President of the Springtown Association Board of Directors
Book: “The Manager’s Guide to Becoming Great” by iUniverse Publishing – Author
Book: “CCSA Study Guide” by Syngress Media/McGraw Hill – Author and Technical Editor
White Paper: Analysis of VRRP v2 Issues and Solutions
Blog: LawrencePingree.com “Pingree on Security”
Vendor Negotiations, Contract Negotiations, Budget Management, Program Management, Goal development, Technology Roadmap Planning and Business Strategy.
CISSP CCSA CCSE
CCSI NSA ICE
NSS NCSA NCSP
CISA – Pending
BGP OSPF IGRP EIGRP
RIP v1 & v2, and PIM 802.11 PKI
RADIUS AAA IKE 802.1x
GLBA Sarbanes Oxley (SOX) Common Criteria
SB1386 COBIT ISO 17799 ISO 27001 FISMA
Research Director – Security Technologies at Gartner, Inc.
Responsibilities include the coverage of information security technologies and markets, security program execution, advanced threats, network-based security technologies, mobile device security and cloud-related security issues. The emphasis of his research is on providing insights to the security vendor community. His inquiry and research goals are to provide technology providers with critical insights on the latest security market trends, technology alignments and potential partnerships and to aid technology providers competing in the security markets. He achieves these goals for technology and service providers by reviewing their businesses. This includes examination of their marketing efforts, go-to-market strategy, currently employed technologies, technology development plans and various other business attributes to identify the key competitive differentiation and competitive strategies that providers should use to navigate the market. On inquiry with end users, Mr. Pingree is focused on identifying the best opportunities and technologies to address strategic customer requirements and providing insights into the strategies they may need to employ in order to successfully combat the advancing threat landscape by leveraging security technologies.
Sr. Security Engineer at Williams-Sonoma, Inc.
June 2009 – August 30th 2010
• Responsible for the review of security alerts originating from our MSSP security monitoring service including triage, investigation and root cause analysis
• Instrumental in coordinating compliance remediation efforts effectively raising our systems configuration compliance levels from approximately 40% compliant to over 98% compliance in just 6 months for over 200 systems.
• Participated in the prioritization and planning for our $1.6 million capital expense budget aligning it to both business and information security program goals.
• Responsible for Corporate Security Policy development
• Developed Security Operations procedures to maintain regulatory compliance in accordance with prescriptive PCI controls
• Assisted in the internal review of corporate information security policies in cooperation with key systems administration departments in alignment with PCI, SOX and future regulatory frameworks utilizing CIS as a guideline for their provisions
• Participated extensively with external PCI and SOX audits by developing audit evidence and coordinating with internal compliance teams
• Actively Participated in corporate PCI Compliance initiatives and assessment
• Responsible for managing the corporate Tripwire Enterprise file integrity management product
• Responsible for RSA Envision SIEM monitoring and configuration aligned to internal PCI and SOX controls
• Evaluated the selection of Managed Security Services for key IT security systems
• Responsible for corporate Cryptographic tools (Safenet Appliances) and key management processes/procedures.
• Acted as Sr. Security Engineer, Security Analyst and Security Architect for IT projects
• Managed extensive PCI remediation efforts across IT
• Deployed corporate Intrusion Prevention systems for all corporate and ecommerce DMZ environments.
• Evaluated data loss prevention technology for future deployment and budget needs
• Responsible for review/monitoring of corporate Symantec (SEP11) virus/malware remediation efforts
Vice President at Digital Forensics Association (DFA)
July 2007 – Present
Responsible for the development of internal policies and procedures for chapter startup
Responsible for Member Services
Responsible for Member Recruitment
Member Collateral & Promotion
Advertising and Evangelizing the Organization
Chief Information Officer (CIO) at BuddyFetch, Inc.
August 2007 – July 2009
Currently serving in an advisory capacity while the company looks for funding sources.
Provides strategic and tactical planning, development, evaluation, and
coordination of the information and technology systems for the network.
Facilitates communication between staff, management, vendors, and other technology resources within the organization.
Oversees the back office computer operations of the affiliate management information system, including local area networks and wide-area networks.
Responsible for the management of multiple information and communications systems and projects, including voice, data, imaging, and office automation.
Designs, implements, and evaluates the systems that support end users in the productive use of computer hardware and software.
Develops and implements user-training programs.
Oversees and evaluates system security and back up procedures.
Sr. Security Engineer at McAfee, Inc.
October 2007 – April 2009
Responsible for McAfee Competitive Analysis for Enterprise Products
Act as liaison to Internal and External Sales staff
Responsible for Evangelizing Enterprise Security Products & Services
Sr. Security Architect at Safeway, Inc.
August 2004 – October 2007
Served as Security Evangelist for Safeway Information Security program
Managed over $1 Million in budget for Application Security Program, Information Security Lab and Forensics/Investigations
Managed complete eDiscovery Process for IT and Legal
Responsible for over 52 Safeway Information Security policies for the Overall Safeway Security Program
Responsible for risk assessment and remediation recommendations of all IT applications assessed by risk assessment process
Responsible for SOX Compliance Audit and Assessment
Liaison to the Business to promote security within Safeway
Responsible for Training Classes for IT to ensure Information Security Standards are communicated and adopted
Responsible for developing Safeway’s Vulnerability Assessment Program
Responsible for Safeway’s Intellectual Property Monitoring Program
Safeway Forensics & Investigations team lead
Responsible for assessing application security and compliance
Chief Security Architect at Netscreen Technologies
2003 – 2004
Managed over $600,000+ budget for the Information Security Program
Responsible for Information Security Program
Responsible for Creation of Information security policies
Responsible for Security assessment and audit of IT Projects
Responsible for the Security Awareness training program
Network and Security architecture, design and implementation for customers.
Taught certification courses in Firewall-1, Internet Security Systems ISS product and a course in advanced hacking techniques and methodology.
Consulted for the National Security Agency, Federal Bureau Of Investigation, Department of Defense – Defense Information Systems Agency, and other related agencies and companies about hacker attack scenarios and abilities and methods.
Certified and taught Check Point Firewall-1 to over 400 people across the country including many large banks, Government Agencies, and fortune 500 and 100 companies.
Sr. Security Consultant at Websense, Inc
November 1996 – November 1997
Duties included design, implementation and installation of 3 different Firewall Software packages for customers
Responsible for troubleshooting and support for existing customers.
Consulted in the implementation of the following technologies: Checkpoint’s Firewall-1,Borderware, and Raptor.
Responsible for the maintenance of all NetPartners# Internal Workstations, Servers, and Internet connections using Cisco 2501 routers.
Responsible for internal NetPartners# machines including Windows 95, Windows NT Workstation and Server.
Responsible for implementing a clear and concise backup policy for our networked machines.
Responsible for implementing a standard WinNT Login and Drive mapping policy, and administration our Corporate SQL Server.
Final duty included the management of our corporate computer security policy and our corporate Firewalls.
Las Positas Community College, Criminal Investigations, 2007 – 2007
Las Positas Community College, Criminal Evidence, 2006 – 2006
El Capitan 1990 – 1994
Honors and Awards
2009 – Participated in ISACA 26th Anniversary Winter Conference PCI Panel Discussion with other industry leaders
2007 – Presented at SecureWorld Expo – eDiscovery and Forensics
2006 – Presented at Cornerstones of Trust Conference on Emerging Firewall Technologies
Computers, Electronics, Hiking, Biking & Exploring the Wilderness
23 people have recommended Lawrence
“Lawrence is a highly technical, highly motivated individual who gets the job done. His passion for information security is second to none and his knowledge in the space is incredible. Lawrence would be a great addition to any security marketing or technical team.”
— Scott Emo at McAfee, Inc., Group Product Mkting Manager, Network Security, McAfee, worked with Lawrence
“Lawrence is an excellent professional with a breadth of knowledge of the Security Industry and its players that is second to none. While working with him at McAfee, I saw him bring a level of exposure and credibility to the company that I know would not have had been possible without him.”
— Afonso Infante worked with Lawrence at McAfee, Inc.
“I have not known Larry Pingree all that long, but from what I have seen of him, I would like to learn much more. He demonstrates great professional maturity as well as outstanding communication and people skills. I am amazed at how many information security professionals who work in Silicon Valley know and respect him.”
— Eugene Schultz when working with Lawrence at McAfee, Inc., Chief Technology Officer, Emagined Security, was with another company
“I had the greatest opportunity to work and partner with Larry Pingree at PeopleSoft. A master and intellect in information security practices, Larry was incredible in his ability to quickly analyze a situation and create solutions. In the mist of building our information security organization, Larry immediately stepped-in to plan, architect, and implement a secure network environment and developed key partnerships with critical IT and business organizations. He is an exceptional talent, professional, and a visionary leader. I would consider myself fortunate to have the opportunity to work with him again in the future.”
— Kimberly Trapani – CISO at PeopleSoft, Inc., CISO / Director Information Security, PeopleSoft, managed Lawrence
“Larry is a professional and skilled network and security engineer. He is highly motivated and driven to succeed. He keeps abreast of new technologies and is always evaluating new solutions. I wish Larry all the best in his professional career.”
— Timothy Brush Inc, Web Operations Manager, AvantGo, worked with Lawrence at Avantgo
“Lawrence is a pleasure to work with. He is always professional and comes prepared to his meetings. His competitive intelligence research has been a great asset to me and my team contributing to the success of my product. Lawrence is a keeper.”
— Harold Toomey Inc., Group Product Manager, Governance, Risk & Compliance, McAfee,, worked directly with Lawrence at McAfee, Inc.
“Larry is an asset to any team. He brings energy and a fantastic team approach to challenging situations and is ready to tackle problems. I hope to work with Larry again in the future.”
— Phil Agcaoili SecureIT), Chief Information Security Officer & Co-Founder, VeriSign (formerly, managed Lawrence indirectly at SecureIT, Inc.
“If I had to pick a single word for Larry, it would be this: Focus. Incredibly potent, laser-like focus that cuts right through “to the chase” – in the time it takes most people to realize a chase is even afoot. If that sounds like the sort of person you need (who doesn’t need him?) then you will find him to be among your most valued resources.”
— Gary Arthur Douglas II
Lawrence at PeopleSoft, Inc., Sr. Security Systems Engineer, PeopleSoft, worked directly with Lawrence at Peoplesoft
“Larry is truly an asset to any Information Security organization. His wealth of technical knowledge combined with big business know-how enables him to succeed in any diverse, high impact environment”
— Woody Hughes
Safeway, Inc., Information Security Analyst, Safeway, Inc., worked directly with Lawrence at Safeway
“PeopleSoft was moving to a complete architecture and platform change for our support systems and our customer support website. Larry worked on the project team to design security for our customer facing applications. Larry’s prior experience and understanding of how we wanted to conduct business with our customers was critical to releasing the project and new capabilities on time with minimal impact to our customer base. Larry possessed a business focus and a could relate real risks back during the process, which minimized debate as we planned, configured and communicated.”
— Sean Bingham, PeopleSoft, Inc., Director, Service Readiness, PeopleSoft, Inc., worked with Lawrence at Peoplesoft
“Larry was a highly valued security thought leader at Safeway. He is an extremly well versed computer security professional who provided superior customer service to a wide variety of internal customers.”
— Colin Anderson, Director Information Security, Safeway, managed Lawrence at Safeway, Inc.
“Larry has a great passion about what he does. He is also willing to take the time to teach anyone who will listen. If you go to Larry needing help, he will teach how to solve your problem. He would make a great manager.”
— Benjamin Woodford
Lawrence at Safeway, Inc., Information Security Analyst, Safeway Inc., worked indirectly for Lawrence
“Larry is an incredibly sharp and well rounded information security and technology professional. In working with Larry, no matter what the technology issue was at hand, he always seemed to have a very insightful and visionary perspective. I quickly learned that he is a very valuable resource and his willingness to go above and beyond to help others makes him that much more valuable.”
— James (Jim) Range
Lawrence at Safeway, Inc., Senior Consultant, PwC, was with another company when working with Lawrence
“Larry is a technologist, very personable, creative strategist who can execute and implement the solution meeting the business needs. I know him for long time from his days at Nokia when we were building Global Firewall Management Solution and partners trust model at Applied Materials. He was, always, out there to understand our technical/complex global blue print architecture and surprised us every time with the solution. He was a life saver for my team and highly respected. I am very impressed with his progress over these years and helping companies succeed and expand globally. I highly recommend him for a leadership role in the area of security requiring to bridge the gap between business, IT and spearhead security program/product.”
— Jit Singh, was Lawrence’s client
“Larry is a brilliant Security Architect who I first met while trying to sell him NetScreen security solutions while he worked at PeopleSoft. I recall very clearly how impressed I was with his depth of knowledge, penetrating questions, wit, and engaging personality. I was thrilled when not long after Larry ended up working at NetScreen! When I moved into a Business Development and Solutions Strategy position at NetScreen, Larry became one of my most reliable and effective advisors whom I routinely sought for feedback and counsel on my most important strategic initiatives and projects. I strongly endorse Larry as a top tier player in the security industry.”
— Vince Barboni,Lawrence at Netscreen Technologies, Sr. Solution Architect – Corp Dev Strategist, Juniper / NetScreen, worked with Lawrence at Netscreen
“I worked with Larry for almost 4 years at two different companies. Larry is an extremely intelligent, dedicated, and passionate IT professional. Larry cares about continuously improving the organization and himself. I would hire Larry (and have) in a heartbeat!”
— Joshua Mauk PeopleSoft, Inc., Manager, Information Security, Safeway, Inc., worked directly with Lawrence at Safeway
“Larry was a fantasic coworker–knowledgeable, dependable, and a sincere personal interest in his field of expertise and expanding it. I knew that if I asked him something, he either knew the answer or knew where to find it. Any company would benefit from having Larry on board!”
— Laura Leff, PMP, Safeway, Inc., Director, Vendor Management Office, Safeway, worked with Lawrence at Safeway
“Larry is an excellent engineer whose passion for excellence leads him to deploy the right solution with the right components in the right way. He was a pleasure to manage, both professionally and interpersonally. I look forward to working with him again sometime.”
— Sean Casey, Avantgo, Inc, Manager of Networks and Information Security, Avantgo, managed Lawrence at Avantgo
“Larry has a lot of expertise of information security. He is very dedicated to his work at Safeway. He has contributed to the improvement of enterprise security posture.”
— Lena Shey, Supervisor Sr. IT Auditor, Safeway, worked with Lawrence at Safeway, Inc.
“Larry has been the lead engineer for digital forensics and workplace investigations for our team. His customer focus and dedication have been instrumental in handling many large scale cases. He is a skilled mentor for junior members of the team, as well as an excellent educator for raising security awareness among business groups. He is one of those rare breeds–a person with strong technical knowledge and the soft skills to interface well with all levels of management.”
— Suzanne Widup, Safeway, Inc., Sr. Information Security Analyst, Safeway, worked directly with Lawrence at Safeway
“Larry is a down to earth, very detail oriented, technical person, who knows how to get the job done. He is always ready to go the extra mile to get the job done.”
— Eric Locastro, Account Rep, Netscreen, worked with Lawrence at Safeway, Inc.
“Larry is a strong security expert. Many people know him and respect him in the area. I always heard great things about Larry.”
— Norman Girard with Lawrence at Netscreen, Technical Product Manager, Qualys, was with another company when working
“Larry made an immediate impact when he joined Netscreen. Working in the Legal Department, I soon had my consciousness raised to the significance of security awareness not just for our network but also for every aspect of our information handling. Larry weaves together threads from many disciplines into one comprehensive picture. And he’s fun, too.”
This management book focuses on the crucial knowledge you'll need to become a great manager and leader. It will teach you the important management and leadership skills so others will call you "great"!