J Wolfgang Goerlich's thoughts on Information Security

Press mentions

Tokenization no POS panacea; retailers need balanced security strategy -- Securing credit card information comes down to securing all points along the payment processing chain. "Though tokenization and EMV have a place, there is no silver bullet. Retailers must consider and assess the security along all points in their processing," Goerlich said. (May 2015)

Is Starbucks Under Siege from Hackers? -- "As retailers and emerging payment systems develop bank-like functionality (funds transfer, cards), they need to start thinking more like banks," J Wolfgang Goerlich, cyber security strategist at CBI says. (May 2015)

ComputerWorld: Mobile payments: What will it take for beacons to take the next step? -- Wolfgang Goerlich, a cybersecurity strategist at CBI, adds that there are essentially no ways to secure Bluetooth communications, which are essential for beacon interactions. "What is going to need to happen is that, instead of trying to secure Bluetooth per se, we'll end up with better controls on the devices." (May 2015)

Main Street: Has Your Phone Number Been Stolen? Another Apple Pay Fraud Hits the Nation -- "Illegally porting telephone numbers has been around for some time. Criminals are reusing the old technique to subvert Apple Pay’s device authentication mechanism," said J. Wolfgang Goerlich, cyber security strategist with IT risk management company CBI. (May 2015)

Beacon Payments: A Bright Idea with Dim (Near-Term) Chances -- Beacons—those little Bluetooth mechanisms stores use to beam ads to shoppers' phones—may someday play a critical role in payments. But the technology is still years away from being a practical alternative to cards and NFC-based mobile wallets. (May 2015)

The Hill: Tokenization: the answer to retail data breaches? -- The Payment Card Industry Security Standards Council is urging the payment industry to adopt tokenization products. But security firm CBI found that 97 percent of records stolen in recent retail data breaches would still have been compromised in tokenized systems. (April 2015)

CSO: Tokenization would not have helped in the majority of retail breaches over the past two years -- Only 41 percent of breaches involved attacks on databases or servers, where tokenization would have protected the data. "This is exactly the type of trend that we often see when a control begins to be widely deployed," said Goerlich. "The attackers will shift their focus away from where we strengthened the system, to the point where it is weakest." (April 2015)

The Futility of the Strong Password Solution -- After experiencing a data breach, most companies take a number of measures to strengthen security, including advising users to change their passwords and to make them strong. (March 2015)

Data Security Experts Reveal the Biggest Mistakes Companies Make with Data & Information Security -- "Neglecting data governance. Many companies lack the processes, policies, and standards for protecting data throughout its lifecycle." (February 2015)

The 8 Most Desired Skills in 2015 -- As information security executive J. Wolfgang Goerlich recently said: "The ability to effectively communicate never goes out of style. Soft skills make or break your IT career." (October 2014)

GRRCon Blends Mix Of IT Professionals, Hackers At Cyber Security Conference -- Todd Bursch and J Wolfgang Goerlich shared methods that can be followed to help provide guidance for incident response and protection. Proper security models and methodologies are great ways to stay educated and defend against the security threats of our time. (October 2014)

How to Transition From Information Technology to Cyber Security -- "As simple as it sounds, getting security experience within IT itself is often overlooked. The Exchange administrator can gain security skills around email. The Cisco engineer can gain specific skills in network security." (September 2014)

Windows XP's Demise Shows That Microsoft Handles End of Support Better than Apple -- Wolfgang Goerlich, vice president of Consulting Services for VioPoint, says that Microsoft handles end of support completely differently from Apple, as the fruity-named company chose to stop providing updates for OS X Snow Leopard without giving its users advance notice. (April 2014)

Windows XPs Penalties for Success -- "Windows XP was the first enterprise ready OS from Microsoft, and it hit at a time when most software was on the desktop. The desktop fleet aged at the same time enterprises shifted from desktop software back to server-side software. The success in these services extended the life of Windows XP. The cloud’s success meant under-investing in the desktop fleet, thereby extending Windows XP’s lifespan." (April 2014)

Anatomy of an IT Security Career -- Veteran IT security specialist J. Wolfgang Goerlich gives advice on breaking into the information security field, in-demand skills, emerging industry trends and more. (March 2014)

Moar Security War Games (PDF) -- The team of ethical hackers is called MiSec, short for Michigan Security, and was testing their mettle against 173 teams spread across the planet. The team captain, Wolfgang Goerlich, asked if I would join the MiSec team to deploy a Barracuda Web Application Firewall (WAF) and Barracuda NG Firewall in front of a highly vulnerable Linux server. (December 2013)

VioPoint doubles space and adds jobs in Auburn Hills (PDF) -- "We have the right people and the right services and we're going at the market at the right time," says Wolfgang Goerlich, vice president of consulting at VioPoint. (December 2013)

Expert Advice on Why You Should Work in Information Security -- "Information security is new unexplored territory ... and this creates exciting and challenging work," says J. Wolfgang Goerlich, vice president of consulting at VioPoint. (November 2013)

GRRCon Delivered By Bringing Security People Together (PDF) -- J. Wolfgang Goerlich from VioPoint presented on "Beautiful models" which discussed the changing trends in threat modeling, a critical component to a security strategy. Goerlich believes that "defense in depth is dead because you can't defend properly unless you think like an attacker." (September 2013)

Detroit-Based Technology Guru Blends Education & Experience To Succeed (PDF) -- J Wolfgang Goerlich is the vice president of consulting services for VioPoint, a Michigan-based information security firm. He actively mentors younger people in the community through internships, open-source software projects and community events. (August 2013)

VioPoint Appoints J. Wolfgang Goerlich as Vice President of Consulting Services (PDF) -- Goerlich, known for his outstanding leadership in the technology and information security community, is the co-founder of OWASP Detroit and an organizer of the annual BSides Detroit conference. Goerlich is joining VioPoint with a background in systems engineering, software development, and information security. (August 2013)

10 IT Leaders To Follow On Twitter -- Wolfgang shares a unique mixture of insights, tech articles, and local happenings in the Michigan tech scene. He has a wry sense of humor and an ear towards dialog, intertwining humorous anecdotes alongside his hard-edge technical posts. (July 2013)

InfoSec's Rising Stars and Hidden Gems: The Defenders -- Goerlich is described as a superb leader who mixes his deep interest and knowledge of technology and security with his management experience and business understanding, as evidenced by his 2012 InfoWorld Technology Leadership and his 2008 IDG Best Practices in Infrastructure Management awards. Goerlich is also a well known podcaster, avid Twitterer, and a co-organizer for events like BSidesDetroit. (July 2013)

Dark Reading: Hacker Conferences Come To Bloom In Chicago (PDF) -- This year's speaker lineup included many well-known names in the local Midwestern security community, such as Wolfgang Goerlich, Raphael Mudge, Chris Payne, Kyle Maxwell, and first-time speaker Eve Adams, to name a few. (April 2013)

CSO: Privilege management could cut breaches -- if it were used (PDF) -- The concept has been around for decades. J. Wolfgang Goerlich, information systems and information security manager for a Michigan-based financial services firm, said it was, "first explicitly called out as a design goal in the Multics operating system, in a paper by Jerome Saltzer in 1974." But, it appears that so far, it has still not gone mainstream. (January 2013)

IT Security: When Protection Becomes Prohibitive -- Goerlich believes the number-one thing that IT teams can do to address how security prevents productivity is correct their attitude towards the employees, recognize employee value, and foster good relationships: "We are not here to prevent some virus from being on some PC. We are here to ensure that the company can utilize the technology that we’re delivering to drive business value. And whenever those two objectives are in conflict, immediately we have to go towards driving business value." (January 2013)

Cloud computing gains steam, but questions remain (PDF) -- J. Wolfgang Goerlich, who handles cyber security for a Michigan-based financial services company, said the attacks by the bad guys wanting to get into servers are the same whether the servers are in a company's on-premises data center or one hosted by an outside provider. But the difference is that when your data is stored in the cloud, it's like your data is stored on a shared server. (November 2012)

CSO: Web still king, but email stages scam comeback -- "Organizations need to utilize and update spam filters to reduce the likelihood of scam emails getting to the end user," J. Wolfgang Goerlich said. But he said given that signature controls always lag behind the scammers, "people become the last line of defense. It is important for an organization to help its employees develop the equivalent of email street smarts." (October 2012)

Dark Reading: 4 Reasons Why IT Security Needs Risk Management (PDF) -- "Traditional IT security has what I think of as a Sisyphus complex," says J. Wolfgang Goerlich, information systems and security manager for a Midwest financial services firm. "Every day, we roll the boulders uphill. We leave with as many systems, or boulders, secure as possible at the top of the hill. Overnight, new attacks are formed and new vulnerabilities are released. The next morning, some systems are insecure again, and we start again rolling boulders back uphill." (July 2012)

The InfoWorld 2012 Technology Leadership Awards (PDF) -- J. Wolfgang Goerlich, information systems and security manager, faced a problem in executing that business strategy: The existing systems -- the applications, servers, storage, network, and the data center itself -- were unable to scale to the new demands. Goerlich responded with two initiatives. (June 2012)

Detroit Hackers Fly Under Radar (PDF) -- The notion of a hackers conference probably calls to mind some motley rabble of quasi-anarchists tethered to laptops, but Wolf Goerlich, BSides spokesman and one of the conference's four organizers, says computer hacking has grown up. When we talk about hackers here, we are talking about a subset of IT professionals that focus on network and system security. (June 2012)

7 Lessons Learned in the DevOps Trenches (PDF) -- J. Wolfgang Goerlich, information systems and security manager at a midwestern financial services firm, explains how he turned his company into a DevOps shop and answered questions from the community about what DevOps is and how to implement it. (March 2012)

Dark Reading: Passphrases A Viable Alternative To Passwords? (PDF) -- "One reason (organizations don't use passphrases) is the number of software applications that do not support long or complex passphrases," says J. Wolfgang Goerlich, Network Operations and Security Manager for a midwest financial services firm. "Length and special characters seem to be a challenge for some vendors. Sometimes referred to as technological debt, many IT departments must maintain a suite of apps that have not been updated with modern security recommendations." (January 2012)

Remediating IT vulnerabilities: Quick hits for risk prioritization (PDF) -- Use multiple information sources. As J. Wolfgang Goerlich, network operations and security manager for a mid-sized money management firm told me, he looks for reports that provide "solid information regarding what the threats are and at what frequency they’re occurring." (September 2011)

10 Gigabit Ethernet technology: a viable option for SMBs? (PDF) -- For J. Wolfgang Goerlich, an IT professional at a 200-employee financial services company, making the switch to 10 Gigabit Ethernet (10 GbE) was a straightforward process. "Like many firms, we have a three-year technology refresh cycle. And last year, with a big push for private cloud, we looked at many things and decided 10 GbE would be an important enabler for those increased bandwidth needs." (September 2011)

Framework for building a vulnerability management lifecycle program (PDF) -- We will present a framework for building a vulnerability management lifecycle. Using examples from practitioners, you will get a from-the-trenches view of what works and what doesn't when trying to win the ongoing vulnerability management war. (August 2011)

I Like My IT Budget Tight and My Developers Stupid (PDF) -- Goerlich picked up responsibility for managing the IT staff three years ago and management of the development staff about a year back. He has a background in consulting, where he learned the importance of training, so one of the first things he did was implement a quarterly training goal. (May 2011)

Dark Reading: Backup files put database information at risk (PDF) -- Cord Blood Registry breach a cautionary tale in the need for encryption, key management, and secure physical transport of database backup media. (March 2011)

Easing Email Management (PDF) -- Email management remains a complex undertaking for IT managers, with spam and email security among the biggest problems, according to Mimecast's recent Microsoft Exchange 2010 Infrastructure Survey. (February 2011)

Evaluating Data Center Colocation Providers (PDF) -- At the Midwest-based financial company where J. Wolfgang Goerlich works, the corporate-owned data center was aging and needed repairs and upgrades. The company was also due for its three-year hardware cycle. (December 2010)

Financial services firm turning to a private cloud (PDF) -- Michigan firm decides that public cloud-based systems aren't enterprise-ready. (October 2010)

Smart blogging can boost your career (PDF) -- If you're looking to land a job out of college, enhance your career or find a new one, maybe you're thinking about jumping on the blogging bandwagon. But do you really need "blogger" on your resume? (January 2010)

IT World: Mentoring in open source communities (PDF) -- A sponsor provides high-level guidance, an advisor does the day-to-day mentoring, and then there's the intern or mentee. "Our pilot has my firm being the sponsor, J. Wolfgang Goerlich (a local seasoned security expert) mentoring, and a college student from Detroit interning." (September 2009)

Security pros want strong policy for virtualization (PDF) -- Security consultants believe that the ongoing economic malaise is prompting many businesses to rush skunkworks server virtualization projects into production without thoroughly considering how these deployments might affect their overall security posture. (June 2009)

Desktop Virtualization and the Rise of Netbooks (PDF) -- It's a question many in the tech industry are asking: Will Desktop Virtualization and the Rise of Netbooks Kill the PC? (May 2009)

Munder Capital selects Modulo to automate its risk management processes (PDF) -- Leading investment firm announces gains in productivity by deploying Modulo's IT Governance, Risk and Compliance software. Effective risk management and control imply the development and maintenance of a process that enables the identification, analysis, evaluation and treatment of risks that may impact an organization. "The only time you know a system is secured is when you check. Modulo Risk Manager automates auditing, which enables us to check more systems more regularly. The software's risk console also gives us a score and reporting mechanism. These reports focus our efforts and prioritize our remediation," said Goerlich. (February 2009)

Double-Take Software Expands Infrastructure Software Solutions with Network Boot Technology and Software-Based iSCSI SAN (PDF) -- New Offerings Allow for Faster Server and Desktop Deployment, Easier Movement and Management of Workloads and Reduced Power and Cooling Consumption. (October 2008)

Best Practices in DR, BCP (PDF) -- IT manager: Hurricane, tropical storm, and natural disaster season is here. Learn how to have a disaster recovery plan for business continuity with the appropriate storage and backup strategies. Disaster recovery should be looked at not just in terms of business continuity and applications availability, but also for compliance reasons. (September 2008)

Financial Firm Shrinks Data Center (PDF) -- The combination of server virtualization and holistic management tools from Microsoft and advanced storage virtualization technologies from Compellent has enabled Munder Capital Management, a financial investment company with $28.5 billion in managed assets, to create a highly efficient, flexible and easy-to-manage data center. The money management firm now has an IT infrastructure that can quickly adapt to changing business conditions. (September 2008)

CIO: How Microsoft Hyper-V Helped My IT Shop Revamp Disaster Recovery (PDF) -- Munder Capital Management used Microsoft Hyper-V virtualization technology and Compellent SANs to revamp its disaster recovery strategy, eliminate 42 servers and slash cooling costs. Here's a look inside their plans and decisions. (August 2008)

Best Practices in Infrastructure Award (PDF) -- Compellent customer Munder Capital Management receives the Computerworld "Best Practices in Infrastructure Management" award. (June 2008)

My Headshot (2015)

Out and About

I will be presenting at the CSA Nordic Summit and Security Culture Conference events in June, 2015.

Playing With

SimWitty #incog -- #incog, or Incognito, is a C# library for demonstrating steganographic techniques and covert channels. I am also playing with the PoshSec framework and scripts, specifically for implementing the SANS 20 Critical Security Controls.