Kenneth G. Hartman bio photo

Kenneth G. Hartman

Security Consultant,  
Forensic Analyst & 
Certified SANS Instructor

Email Twitter GitHub

All Blog Posts








Linux Hardening

I have found that Lynis (, is a great way to audit a system for CIS benchmark compliance

Has SHA-1 been hacked?

To summarize, SHA-1 has not been hacked, it is just simply not strong enough with today's computing power.


The Trust-Value Equation

I must trust that the benefit that I gain from using your service exceeds the concerns (Fear, Uncertainty, and Doubt) that I have about using it.

The Encryption Magic Bullet

Encryption is not a magic bullet, but it does it play a vital role in a company’s data protection strategy.

Are BitTorrent Pieces 250Kb Long?

I was researching BitTorrent and noticed in the Specification that it said that the typical length of a Piece was 250 kilobytes long. That made me curious...

SOC 1 vs SOC 2

The difference between a SOC 1 report and a SOC 2 report and why an organization would have both.


CISSP vs CEH vs Security+

A friend of mine recently made the following post on his Facebook page. It resulted in an interesting discussion, so I thought that I would share it and my ...

The Contracting Life Cycle

Just as there is a life cycle for software development, there is a life cycle for contracting and this cycle must be managed as well to assure information se...

Define: PCI Service Provider

When working with the Payment Card Industry Data Security Standard (PCI-DSS) it is important to understand this definition to make sure your compliance progr...


Defense-in-depth, Part 2

Last post, I discussed the concept of defense-in-depth (DiD) where overlapping controls provide increased security, particularly if one of the controls shoul...

ZeroBin XSS Vulnerability Patched in 0.19

Sébastien Sauvague has just informed me that he has released Version 0.19 to address the Cross-Site Scripting vulnerability that I wrote about in my previous...

Defense in Depth

Think about your security controls. Have you identified which controls are preventive, and which are detective or deterrent controls? Also remember that th...

Security Policy Exceptions

I was reading a debate on a forum discussing all kinds of edge cases that some participants were arguing needed to be considered in a security ...

Calculate File Entropy

Entropy is the measurement of the randomness. The concept originated in the study of thermodynamics, but Claude E. Shannon in applied the concept to digital...

Securely Delete Files with SDelete

There is a variety of GUI-based utilities such as CCleaner or Freeraser, but SDelete is very simple to use for anyone comfortable with the command line. SDe...

Why Have Security Policy?

I have found that not everyone has considered the role of security policy in an organization’s information security management program. Therefore, I will sh...

Goodbye Oz Data Centa

The Oz Data Centa ( was a very useful tool for monitoring PasteBin and I, for one will miss it.


CMM & Organizational Process Maturity

Since the Software Engineering Institute first published the capability maturity model, many other organizations have adapted the concepts to process maturit...

Be an Actor, Not a Reactor

I love reading about brain research and understanding how we learn. It seems our brain is constantly making connections between things that we are learning ...

OPSEC is Really Not OPSEC

I am delighted to have an entry written by Jack Emanuelson, an independent contractor specializing in OPSEC and information assurance.

Ironic OpSec

What struck me as ironic is that the document is labeled For Official Use Only (FOUO) which means that the government intends to limit its distribution.

How Hackers Get Passwords

Systems that contain more sensitive data need to have stronger passwords. Strong passwords do not use words from the dictionary and use symbols and numbers...

Are We More Secure Today?

Yesterday I was asked a question in passing. The question was this --Are we more secure today? My reflexive answer was...

Security & Customer Trust

In my role as a security professional, I have pondered the various dimensions of trust and have some thoughts on the subject...


Management Paradigms

As a leader, you want to establish the strategy (MBO) and operating parameters (MBE) and then inspire and fuel the discussion by MBWA.

Skype in the Enterprise

The following excerpt is a thread... This discussion was the impetus for my article Is Skype Secure?

Hire Yourself as a Consultant

In today’s fast paced world, we are often so busy trying to scratch off items on our to-do lists that we short change ourselves of time to reflect on how to ...

Maxwell's Law of the Scoreboard

I reread a John C. Maxwell book entitled The 17 Indisputable Laws of Teamwork. In this book, Maxwell has a chapter dedicated to the Law of the Scoreboard...

Alligator Fighting

Several years ago, I saw a quote that has resonated with many of the people that I have consulted with over the years.