Information Security Today is brought to you by Auerbach Publications
New Books

A Practical Introduction to Enterprise Network and Security Management by Bongsik Shin; ISBN 978-1-4987-8797-0
Risk Thinking for Cloud-Based Application Services by Eric Bauer; ISBN 978-1-138-03524-9
Big Data Analytics with Applications in Insider Threat Detection by Bhavani Thuraisingham, Pallabi Parveen, Mohammad Mehedy Masud, and Latifur Khan; ISBN 978-1-4987-0547-9
Supply Chain Risk Management: Applying Secure Acquisition Principles to Ensure a Trusted Technology Product by Ken Sigler, Dan Shoemaker, and Anne Kohnke; ISBN 978-1-138-19733-6
SMACing the Bank: How to Use Social Media, Mobility, Analytics and Cloud Technologies to Transform the Business Processes of Banks and the Banking Experience by Balaji Raghunathan and Rajashekara Maiya; ISBN 978-1-4987-1193-7
Empirical Research for Software Security: Foundations and Experience by Lotfi ben Othmane, Martin Gilje Jaatun, and Edgar Weippl; ISBN 978-1-4987-7641-7


802.1X Authentication Has Never Been So Easy
Stronger authentication is possible with 802.1X, although several challenges currently exist for IEEE 802.1X NAC and authentication. For the most part, the challenges relate to the need for costly hardware, the complexity of integration, and other issues such as authorization and device compliance. 802.1X confers multiple benefits, including security that does not depend on pre-shared keys (PSKs), easy installation and setup of access permissions, and fully integrated management functionality. Given these pros and cons, 802.1X network access control is a must-have when formulating solutions based on this authentication system. But how can this be achieved easily without compromising security?

Mitigating Mobile Crimeware
With fraudsters increasingly turning their attention to the mobile channel, and the use of mobile increasing exponentially for many types of transactions, organizations have to implement technologies to detect crimeware to protect their consumers and their own reputation.

Introduction to Blockchain and Its Applications in FinTech
This excerpt from FinTech: The Technology Driving Disruption in the Financial Services Industry by Parag Y. Arjunwadkar explains the basics of blockchain and then reviews how Fintechs are adopting blockchain for security and transparency.

2018 Industrial IoT Predictions
What threats lie ahead for the industrial IoT? Read this to find out.

The Top Game Changing Data Trends for 2018
Infogix today identified pivotal data trends that will impact businesses in 2018 and beyond. These include the convergence of data management technologies, growth of metadata management, and the increased focus on AI.

2018 Security Predictions: It's Still the Wild, Wild West
The last US presidential election revealed the dangers and the difficulties of prognostication. But that doesn't deter those determined to look ahead at what we may face in 2018. We reached out to several security mavens to learn what worries them about the coming year. It's interesting how broad their concerns are, and how little they overlap. Yes, 2018 will be an interesting year.

The Evolution of Cybersecurity and the Rise of Threat Hunting
One thing is certain: hackers will continue to evolve their techniques, and organizations must acknowledge that. It has become imperative for organizations to embrace the Zero Trust model. This article explains why threat hunting can't be a one-time exercise. Instead, organizations must continuously verify endpoints to determine if they've been compromised, so quick action can be taken to limit damage and restore network integrity if a threat is detected.

Recently Released GAO Reports: Policies and Procedures, Internet of Things, Identity Theft Risks, Identity Fraud, Cyber-Threat Nations, and Data Privacy

Information Security: the Dismal Discipline?
Read this chapter from Why CISOs Fail: The Missing Link in Security Management--and How to Fix It and understand why the author likes to call information security the "dismal discipline," and why this perception needs to change.

A Review of Intrusion Detection and Prevention on Mobile Devices: The Last Decade
This chapter from Intrusion Detection and Prevention for Mobile Ecosystems introduces the background of IDSs/IPSs and then investigates the development of IDS/IPS on mobile devices within the last decade by examining notable work in the literature. It then identifies the issues and challenges of designing such defense mechanisms on mobile devices, describes several potential solutions, and analyzes the future directions in this field.

Call for Chapter Proposals: Computer and Cyber Security: Principles, Algorithm, Applications and Perspectives
The main objective of the book is to provide relevant theoretical frameworks and the latest empirical research findings in the area. It will be written for professionals who want to improve their understanding of the principles, challenges and applications of computer and cyber security. The book will help to identify the interesting and exciting areas of future research to apply these techniques. In addition, it will be an excellent book to teach a course on computer and cyber security. The material will prepare the students for exercising better protection in terms of understanding the motivation of the attackers and how to deal with and mitigate the situation in a better manner. The chapter proposals will be selected in the following categories to make a balance of theory, future research directions, and practical use cases; i.e., original research articles, case studies, and review articles in the aforementioned domain.

Mirai Goes Open Source and Morphs into Persirai
The Mirai malware has become notorious for recruiting IoT devices to form botnets that have launched some of the largest distributed denial of service (DDoS) attacks we have recorded. Mirai came onto the scene in late-2016 as the malware behind very large DDoS attacks, including a 650 Mbps attack on the Krebs on Security site. It is also purported to have been the basis of the attack in October 2016 that brought down many sites including Twitter, Netflix, and Airbnb. Since then, Mirai has morphed into an even more aggressive and effective botnet tool.

How Long Can Resources in Short Supply Last?
Smart Energy: From Fire Making to the Post-Carbon World first traces the history of mankind's discovery and use of energy. It then reviews contemporary issues such as global warming, environmental deterioration, depletion of carbon energy sources, and energy disputes. Next, it evaluates technical innovations, system change, and international cooperation. Then, it tackles how civilization will continue to evolve in light of meeting future energy needs, how Smart Energy will meet these needs, and defines the global mission. The book closes with a summary of China's vision of the Smart Energy future. This chapter considers how long petroleum, coal, and other carbon-based resources can last.

Understanding the Organizational Context for a Business Impact Analysis
Conducting a business impact analysis (BIA) for an organization makes it imperative for a practitioner to understand the business and its manifold dependencies and relationships, and to study the enterprise as an extended enterprise. This chapter from Practitioner's Guide to Business Impact Analysis explains the organizational context for conducting a BIA.

Rebecca Herold's June Privacy Professor Tips
Rebecca Herold's Privacy Professor Tips were published last week! This month's Tips cover a wide range of topics, including privacy concerns on the dark web, fake emails that look totally real, security threats from your (not so smart) used car, considering if you could lose your new home to hackers, yet another public employee under fire for personal email use, yet more surveillance considerations, as well as healthcare security and privacy news. Plus, her current list of recent publications and upcoming events.

Special Interest Groups’ Use of Social Media as a Weapon
There are hundreds of special interest groups involved in a wide variety of interests ranging from commerce, health, or art, to community development or religion. There are also groups that are involved in political and social causes. This excerpt from Social Media Warfare: Equal Weapons for All examines well-established special interest groups and the various types of special interest groups, as well as issues related to these groups: health care; guns, hate, and social media warfare; abortion debates and violent acts of extremists; environmentalists and eco-terrorists; lesbian, gay, bisexual and transsexual (LGBT) rights and social media warfare; and religious bias and discrimination in social media warfare.

Factoring Cloud Service Quality Risks
Cloud user service quality risks potentially impact service reliability, latency, availability, or overall quality delivered to cloud service users. The excerpt from Risk Thinking for Cloud-Based Application Services discusses risk capture, the differences between virtualized network function and physical network function deployments, and the ETSI Network Functions Virtualization Quality Accountability Framework.

A New Profession: The Data Protection Officer
Chapter IV, Section 4 of the new General Data Protection Regulation (GDPR) creates the new professional role of and requirement for organizations to designate a formal data protection officer for the organization. This essentially creates a new profession, described in this excerpt from The Data Protection Officer: Profession, Rules, and Role, perhaps one of a number of new professions and career paths related to data protection issues and the new data protection regime.

IoT Threats Underline the Need for Modern DDoS Defense
A chilling new report from Deloitte warns that the proliferation of IoT devices in 2017 will raise the threat of Distributed Denial of Service (DDoS) attacks. The scale and nature of the evolving DDoS threat means that companies need to modernize and implement new defense strategies if they want to avoid bad outcomes. This article discusses how, in the age of DDoS, big data power is a key ingredient to modern defense.

Introduction to Onion Routing
This chapter from Anonymous Communication Networks: Protecting Privacy on the Web explains how onion routing works and the second generation Tor.

Exploring Mobile Authentication Mechanisms from Personal Identification Numbers to Biometrics
This chapter from Protecting Mobile Networks and Devices highlights the strength and the weakness of the current authentication schemes, from the simpler ones such as personal identification number to the more complex biometric systems such as fingerprints. The authors evaluate the usability of these schemes for the user based on both existing and new criteria.

An Overview of End-to-End Verifiable Voting Systems
This excerpt from Real-World Electronic Voting: Design, Analysis and Deployment provides a comprehensive high-level introduction to the field of E2E voting. In this chapter, Syed Taha Ali and Judy Murray introduce security properties of voting systems; summarize the workings of some twenty of the most influential E2E voting systems, classified into four distinct categories, as per their reliance on cryptography (cryptographic and non-cryptographic systems), ballot format (physical and electronic ballots) and mode of voting (precinct-based and remote voting); and discuss open challenges to mainstream deployment of E2E voting systems.

The Data Security Money Pit: Expense In Depth Hinders Maturity
This new study finds that organizations focus on threats rather than their data and do not have a good handle on understanding and controlling sensitive data. The fragmented approach to data security exacerbates vulnerabilities and challenges, and 96% of respondents believe a unified approach would benefit them, including preventing and more quickly responding to attempted attacks, limiting exposure, and reducing complexity and cost. The study goes on to highlight specific areas where enterprise data security falls short.

What's Behind the Rise in Data Breaches (and What to Do about It)
The drumbeat of high-profile hacking incidents in the news continues. Just in the past year, more than 200 million records have been stolen in data breaches that occurred at Premera Blue Cross, Anthem, Sony, and Home Depot. There appears to be no end in sight to the hacking epidemic, and large and small businesses as well as consumers are scrambling to find new ways to protect themselves. So what’s behind the rise in data breaches? Here are three top drivers, and tips to mitigate the risk.

What’s Ahead for 2017: The RSAC Advisory Board Industry Predictions
If you're wondering where things are headed in the coming year, you're not alone. RSA reached out to its RSA Conference Advisory Board to find out what they expect will happen in the world of cybersecurity as we enter 2017. From intergovernmental cyber-conflicts to a rocky road for the Internet of Things, read what's potentially around the corner.

Secure PHP: A Blog and Book about Agile PHP Security
Glaser's site also includes tutorials on how to use PHP and Content Security Policy to dramatically increase the security of your site and the safety of your users, and how to use the Specs Derived from the User Story to Drive Agile Security. It also has a chapter on PHP Security Anti-Patterns and the reasons security holes exist.

Top 10 Rock and Roll Cybersecurity Predictions for 2017
It's that time of year again. Time for information security predictions for 2017. This year, we have an interesting twist on predictions by tying them to classic rock lyrics to accompany them. It's interesting how prescient the lyrics are.

Cognitive Hack: The New Battleground in Cybersecurity
Here's an interview with James Bone, author of "Cognitive Hack: The New Battleground in Cybersecurity - The Human Mind".

Security of Smart Devices: Hardware Features
Smart devices use a combination of hardware and software to combat the security challenges that the device users face today. This chapter from Security and Auditing of Smart Devices: Managing Proliferation of Confidential Data on Corporate and BYOD Devices discusses the hardware features that help secure smart devices.

The Internal Audit Charter
The Internal Audit Charter, also referred to as "terms of reference," spells out the purpose, authority, and responsibility of the internal audit function of any organization. The charter provides the framework for the conduct of the internal audit function in any organization. It also provides a basis for the appraisal of the operations of the internal audit function and acts as a formal written agreement with management about the role and responsibility of the internal audit within the organization. This chapter from Internal Audit Practice from A to Z discusses the purpose, scope, authority, and responsibility of an internal audit charter.

Situational Project Management
In this video, Ginger Levin and Oliver Lehmann discuss Situational Project Management, the subject of his new book. They cover how to identify projects by type and how to manage them accordingly; the skill set required to lead projects successfully; how to use lessons learned to avoid future failed projects; how to apply life experiences to improve your ability to manage projects successfully; and how to manage a project according to the situation and the environment in which it exists.

Introduction to Behavioral Biometrics
New Directions in Behavioral Biometrics presents the concept of behavioral biometrics on the basis of some selected features like signature, keystroke dynamics, gait, and voice. This excerpt from the book provides a brief overview of behavioral biometrics.

Risk and Trust Assessment: Schemes for Cloud Services
Both risk and trust have been extensively studied in various contexts for hundreds of years. Risk management, and specifically risk assessment for IT, has also been a hot research topic for several decades. On the other hand, modeling risk and trust for cloud computing has attracted researchers only recently. This chapter from Cloud Computing Security: Foundations and Challenges provides a survey on cloud risk assessments made by various organizations, as well as risk and trust models developed for the cloud.

Overview of Mobile Apps and Interfaces
This chapter from Mobile Applications Development with Android: Technologies and Algorithms introduces the mobile system; mobile interface and applications in mobile system; optimization in mobile system; mobile embedded system; mobile cloud computing; big data in mobile systems; data security and privacy protection in mobile system; mobile app; and Android.

Introduction to Project Portfolio Management
This chapter from Project Portfolio Management in Theory and Practice: Thirty Case Studies from around the World looks at the definition of PPM and discusses several examples of portfolio value, balance, and strategic alignment. It then examines the effect the absence of PPM has on organizations, including thinly spread resources, longer time-to-market, and poor quality of final products and services. Finally, it examines two research initiatives and compares them to demonstrate that although PPM has made bold strides in the last ten years, there is still a lot of work to be done.

Preservation and Management of Documents
One of the most important tasks an organization or individual will face when dealing with electronic evidence is the preservation of that data in a way that ensures its integrity and availability. This chapter from Electronically Stored Information, Second Edition looks at all of the aspects of that task and discusses the tools and requirements that you should be considering.

Introduction to Machine Learning
Machine learning is a branch of artificial intelligence that aims at enabling machines to perform their jobs skillfully by using intelligent software. This excerpt from Machine Learning: Algorithms and Applications presents an introduction to machine learning, including machine learning algorithms and their present and future applications.

IT Project Management: A Geek's Guide to Leadership
Author Byron A. Love admits proudly to being an IT geek. However, he found that being an IT geek was limiting his career path and his effectiveness. During a career of more than 31 years, he has made the transition from geek to geek leader. He hopes this book helps other geeks do the same. It addresses leadership issues in the IT industry, to help IT practitioners lead from the lowest level. Unlike other leadership books that provide a one-size-fits-all approach to leadership, this book focuses on the unique challenges that IT practitioners face.

Introduction to Certificateless Cryptography
In this excerpt from Introduction to Certificateless Cryptography, authors Hu Xiong, Zhen Qin, and Athanasios V. Vasilakos present a brief introduction to symmetric cryptography, discuss the setting of asymmetric public key cryptography, and argue why you should care about certificateless PKC.

Corporate Defense Framework
The delivery of sustainable stakeholder value requires a subtle balance between the focus on value creation and value preservation. In this video, Sean Lyons, author of Corporate Defense and the Value Preservation Imperative, explains what is required for effective corporate defense rather than the illusion of corporate defense. He presents an integrated corporate defense framework required in order to align an organization's critical corporate defense components. This multi-centric approach can help you develop a more holistic view of corporate defense.

25 Years of DDoS
It has been 25 years since the first DDoS attack, and since then the world has witnessed many variants that all share the same result: disrupting the availability of the target host and its services. At the same time, we have seen a similar evolution in DDoS protection technologies, as well as improvements that enable anti-DDoS systems to interact with evolving technologies. This article looks at how the DDoS attack evolved over the past 25 years, whether the ever-growing Internet of Things has affected the growth of DDoS attacks at all, and what we can expect in the future.

Stop Squandering Time With All Talk and No Action
True or false: If a meeting ends with no actions, you didn't really need the meeting in the first place. Nancy Settle-Murphy's vote: Mostly true. Although some meetings may be held simply to cross-pollinate information or brainstorm new ideas, the goal of most meetings is to get something concrete accomplished. A resulting list of actions is often the most reliable barometer of progress. Why then do so many meetings end up with few, if any, action items? She has some suspicions. Simply put, she thinks that many of us give up too easily, offering a variety of excuses, some of which she enumerates in this article. For every excuse, she provides at least a couple of choices.

Pokémon Infiltrates the Business Network
Pokemon Go has been taking the world by storm and some of the game playing may be finding its way onto the business network as employees decide to check in and play on corporate devices. This article explains how to find out if your employees are playing Pokemon Go while on the network, what other apps to look out for, and the perils of having these types of apps on your network.

Claims-Based Authentication
Authentication is the process that deals with the establishment of identities. Claims-based authorization, at its simplest, checks the value of a claim and allows access to a resource based upon that value. A claim is a name-value pair that represents what the subject is, not what the subject can do. Clear as mud, right? Read this chapter from Enterprise Level Security for total clarity on claims-based authorization.

Operational Auditing
The IIA defines operational auditing as "Defining, measuring, evaluating, and improving the economy, efficiency, and performance effectiveness of the organization's operations and constituent activities irrespective of function, purpose, or level within the organizational structure." The chapter from Operational Assessment of IT explains what this means and how to apply it in the context of operational assessment of ICT.

Instantly Improve Your Team Communications by Overturning 9 Dangerous Myths
Whether running a project team or managing a group, most team leaders assume that their communications skills are pretty decent. So when they send emails, post documents, ping people on IM, or lead team meetings, they imagine that people are ready, willing, and able to hear what they have to say. Magical thinking? You bet. This article shares some common instances of wishful thinking, or irrationally optimistic assumptions, which often lead to frustration and disappointment for leaders and their teams. As a counterpoint, it provides tips to ground that wishful thinking more in reality, resulting in communications that may actually be nothing short of magical.

5 Dangerous Misconceptions When Sharing Your Personal Data
As the developing Pokemon Go security breach demonstrates, the world is now structured with a thin layer of reassurance while underneath the hood the cogs aren't necessarily whirring with our interests as consumers at heart. The same applies to many of our interactions with service providers. This article highlights and debunks five popular misconceptions around sharing personal data.

Software Quality Assurance: Defect Management
This chapter from Software Quality Assurance: Integrating Testing, Security, and Audit deals with the conceptual aspects of defect management. There are three parts in this chapter. Part 1 discusses the basic concepts of a defect and why a defect happens. Part 2 introduces the practical methodologies of how to manage the defects. In this section, some sample documents and templates are provided to manage the defect properly. Part 3 discusses and analyzes the root causes of defects and provides recommendations of how to prevent defects in the future.

3 Effective Bomb Protection Solutions and Why Your Business Needs Them
It is a sad fact that the harsh realities of life mean that today's businesses have to factor in bomb protection solutions as part of their security objectives. Blast protection is now required in an ever growing list of situations, particularly where the public or sensitive information are concerned. One of the most important aspects of business is always being prepared for the unexpected, and by having bomb protection in place companies have the opportunity to reduce the potential of personal injury and property damage should an unfortunate event occur. With that in mind, here's a list of three effective bomb protection solutions and why your business needs to have such contingencies in place.

Dissemination and Reporting of Electronically Stored Information
This chapter from the new, second edition of Electronically Stored Information discusses the reasons and the methods for sharing the data we have so carefully acquired, preserved, and managed. There are several reasons, and each may call for different approaches or procedures appropriate to the specific needs of those situations. These approaches include the format in which the data are produced, the content, the timing of release, and the actual physical media and process for delivering the electronic information. It also discusses reporting protocols and suggests some ideas to ensure that the reports you create are clear and concise. Finally, it presents tips for participating in depositions or as an expert witness.

Building Cyber Awareness: What I Would Do First
Cyber security experts are often asked what strides an organization should take in order to measurably reduce their exposure to cyber threat actors, and their relentless cyber-attacks. Deploying the right security technologies obviously makes good sense. However, no matter how much security technology you deploy, it will never completely replace good common sense. Most cyber-attacks that result in data theft involve the human element, and the dreaded 'click.' That is, the act of an employee being fooled by a phishing E-mail and clicking a link or attachment that installs malicious software without detection. Reducing this single liability would serve to improve anyone's defensive posture. This article discusses how to solve this problem.

Spring Clean Your Network with Automated Access Management
Most of us partake in the annual ritual of cleaning our homes, cars, offices, and workshops. But, what about our organization's software? Organizations need to take some time to look at all of the software, applications, accounts and licenses they have available for the company and clean house of those that are no longer needed but possibly being paid for. These applications aren't just a waste of space on the company's network. They may be costing the company hundreds or even thousands of dollars every year for unused licenses. Even worse, they may actually be a security risk! This article explains why this is an issue; how to mitigate it; and outlines the types of solutions or guidelines to put in place.

All Seeing, All Knowing Border Control: Endpoint Detection and Response
The evolutionary arms race between hackers and cyber-defenders has led to the rapid disruption of the traditional managed security service provider (MSSP) market. As vendors scramble to stay relevant, this has led to a sea of sales messages and acronyms, including the advent of EDR and proactive threat hunting. Breaking this down, we have EDR (Endpoint Detection and Response), the word proactive (the mainstay of copyright teams globally), and threat hunting (why wouldn’t you want that), but marketing aside, what does this actually mean? Read this article and you'll know.

The Game Changer: Next Generation Cyber Security
With the threat landscape constantly changing, and most organizations accepting that it is now less a case of if they get attacked than when, it is time for a game changer. By actively pursuing attackers within your own infrastructure and hunting them down, companies will be able to dramatically reduce the number of days an attacker sits on their network. This article highlights why actively pursuing attackers within your network will change the way you look at security; the best ways to be more proactive within your network environment; and how the cloud and migrating your systems to a cloud environment open the opportunity to go on the offensive.

New Considerations for Securing the Mobile Enterprise
The FBI dropped its suit against Apple to build a skeleton key to unlock the iPhone after it developed its own means to access the iPhone linked to the San Bernardino terrorist shootings. This has unprecedented implications for personal privacy as well as business privacy. Now law enforcement has the means to access data on any iPhone seized as part of an investigation or in connection to any crime. It also seems likely that the same iPhone-breaking technology will make its way into the hands of hackers and cyber criminals. This article considers what impact this will have on mobile strategies for business; what impact this new iPhone skeleton key will have on company BYOD strategies; what threat mobile devices pose as a hacker interface to access enterprise technology; and what the liability considerations are for businesses who equip their staff with iPhones.

We're Going on a Threat Hunt: Why Enterprise Cybersecurity Reminds Me of a Classic Children's Book
Not all enterprise threats are going to be big. In fact, lots of smaller issues, if unaddressed, can add up to the infosec equivalent to the Death of a Thousand Cuts. Being fixated on the big logoed vulnerabilities talked about in the media means you will always be on the defensive. To regain the upper hand, organizations need to focus on the little things, like practicing sound security fundamentals, while at the same time transforming their security model from one based on playing defence to a proactive one based on comprehensive security assurance.

Analyzing and Securing Social Networks
This chapter from Analyzing and Securing Social Networks sets the stage to discuss both social media analytics and security. It discusses various applications of social media analytics. Then it considers applying various data mining techniques for social network analysis (SNA), before discussing security and privacy aspects.

The Evolution of Ransomware
A recent study found that 80% of organizations experienced an IT security incident in 2015, with 53% of respondents having a concern for ransomware in 2016. But how did we get here? And how can we avoid these growing attacks in the coming year and beyond? In general, all ransomware works pretty much the same way, but each variation of it does something slightly different. This article discusses the history of ransomware, from the first known ransomware to GPCode, CryptoLocker, Cryptowall, and Locky, with many others in between. It closes with a discussion of 2016 ransomware predictions, as well as how to mitigate future malware attacks.

Cloaking Is the New Perimeter
Cloaking is the ability to hide assets in plain sight so that bad actors have no idea the asset exists. Using a castle analogy, this article delves into what it takes to use cloaking to protect the assets within the perimeter of the organization's walls as well as when the assets are in motion or distributed outside the perimeter.

Tackling Tough Issues Remotely, When Your Boss Is the Problem
We hear a lot about how virtual leaders can deal effectively with workplace conflicts and performance problems. But we don't hear nearly as much about how to confront tough issues from the remote worker's point of view. And that's precisely what Sue Shellenbarger, Work and Family columnist for the Wall Street Journal, wanted to know when she contacted Nancy Settle-Murphy recently for an interview. Since Sue's questions were so insightful, Nancy has paraphrased three of them here, along with a few replies.

Balancing the Risk and Opportunity of Deep Customer Data Analytics
For Big Data to power new insights, it is critical that firms move their core customer and transaction histories into these new environments in addition to any new data sources that may be brought in. This often means taking data once stored and processed on the highly-secure mainframe and moving it off-platform. This, paired with many high-profile breaches of consumer data, has driven heightened security and compliance regulations around how personal data is stored, analyzed and used by large enterprises. There are many steps--both policy- and technology-driven--that you can take to initiate these projects while balancing compliance and security.

The Hotel Industry Has a PoS Malware Problem
Based on the spike in hotel data heists recently, the industry is falling seriously short when it comes to security. With BlackPoS and other RAM-scraper variants finding good hotels to vacation in, it's startling to think that very little seems to have been learnt from these types of attacks. This article highlights the increase in point of sale (PoS) malware, particularly within the hotel industry; a typical PoS malware attack scenario, from entry to exfiltration; the best ways to defend against these types of attacks, including employee education and data governance; and how User Behaviour Analytics (UBA) can help identify an attacker earlier in the kill chain and prevent the loss of important data such as credit card details.

What You Need to Know about the EU General Data Protection Regulation
The EU's General Data Protection Regulation (GDPR) has achieved final approval after a long two-year process. Now that the GDPR has been finalized, and is due to take effect in the latter part of 2017, this article outlines the key points that should resonate the most with organizations.

Biometrics: The Physical Attributes vs. Behavioral Patterns Privacy Debate
In a world where we can no longer rely on authentication based on 'static elements,' we are increasingly seeing biometric-based authentication technology used as a way to verify users. But the use of biometric factors is rapidly becoming an area of concern from a data privacy and security perspective. This article highlights why it is no longer viable for organizations to only rely on traditional, static forms of identification, such as passwords; the difference between physical and behavioral biometrics, and why behavioral biometrics is able to provide a higher level of security for online activities; and why behavioral biometrics are far more privacy-friendly than physical biometrics, and are far less invasive.

8 of the Largest Data Breaches of All Time
According to the ITRC (Identity Theft Resource Center), there were 5,754 data breaches between November 2005 and November 2015 that have exposed 856,548,312 records. According to their data, there were 783 breaches in 2014, the largest number of data breaches in a single year to date. Although this data includes a comprehensive list of data breaches, whether large-scale or small, there are a few that stand out from the rest as some of the worst data breaches in history in terms of resulting costs and the number of records compromised. This list of eight of the worst breaches in history highlights the cause of the breach and the effects on the public and business sectors.

Making Vulnerability Assessments a Priority in 2016
The vulnerability assessment of an organization's applications and data is critical given the increasing number of automated and targeted attacks. Businesses must proactively identify potential vulnerabilities to prevent breaches. This article discusses two highly-effective ways to identify vulnerabilities: vulnerability scanning and penetration testing.

What Is the EU General Data Protection Regulation?
It has been a long time coming, but the new EU data security and privacy law, also known as the General Data Protection Regulation (GDPR), is finally close to being finalised and will likely go into effect sometime in 2017. This article includes an outline of the GDPR and why it is important for organizations to not panic over changes to the existing data rules; the current Data Protection Directive (DPD) and why the EU felt the need to change to the GDPR; some of the more important vocabulary included with the new law; and outlines of the new articles contained with the GDPR and how they will affect organizations.

Is Your Business Winter Ready?
Have you formulated a plan, including one that keeps data safe, to avoid grinding to a halt should your employees find themselves cut off or the office inaccessible? The answer could be to have adequate infrastructure in place that allows workers to securely work from home, or while stranded anywhere sensible with an internet connection. This article examines what technologies are there to help, and what security implications need to be considered.

5 Steps to Securing Data Workflows in Your Organization
With all organizations having data flowing constantly into and out of them, the risk of malware infecting the system is greatly increased. To protect against these threats, most organizations have anti-malware solutions implemented at the different entry points, including email, web and portable media, in an attempt to stop malware from entering the organization's network. But is this the most effective way to stop malware? This article highlights why implementing a secure data workflow is more beneficial to organizations than single solutions at different entry points; the five steps organizations need to take to implement a secure data workflow; and how the use of multiple anti-malware engines can assist an organization's secure data workflow even further.

6 Steps to Secure Retailing
The article highlights the stats and facts behind how retail has become the new favourite playground for hackers; why it is important for retailers to keep themselves safe from possible data breaches; the 6 best ways for retailers to secure their businesses from attacks, including securing web applications and reviewing logs regularly; and how focusing on reducing threats can reduce the window of opportunity for criminals.

Is Machine Learning Cybersecurity's Latest Pipe Dream?
A recurring claim at security conferences is that "security is a big data, machine learning (ML), and artificial intelligence (AI) problem." This is unfortunately wildly optimistic, and wrong in general. While certain security problems can be addressed by ML/AI algorithms, in general the problem of detecting a malicious actor amidst the vast trove of information collected by most organizations is not one of them.

User Behavior Based Biometrics: The New Frontier
Gone are the days when online security could be trusted to a simple username and password combination or simple identity checks. As fraudsters got better at bending and breaking the system, e-commerce and digital banking initiatives had to keep pace, creating tough rule-based systems to check for fraud and adding new technology like IP detection and Device ID. But even these measures are no longer enough. As this article explains, the next great leap in digital security isn't based on a device or a password, but on the user themselves--User Behavior Based Biometrics.

A Look Back at SCADA Security in 2015
It should come as no surprise that SCADA systems and ICS that control key functions in critical infrastructure are especially at risk of cyber attack. This article reviews the current state of SCADA security; presents a 2015 timeline that highlights the growing risk of SCADA attacks; and discusses technologies you can use to bolster the security of SCADA and ICS systems.

Protecting the Oil and Gas Industry from Email Threats
According to a recent report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the energy sector is facing a significant rise in cyber attacks. The high volume of business communications conducted via email within this industry gives hackers quite the window of opportunity to intercept sensitive information through the use of spear phishing. This article by OPSWAT's Doug Rangi describes spear phishing attacks that have occurred in various sectors of oil and gas, along with recommendations on how the industry can boost its cyber security and specifically adopt new preventative measures to protect against these and other email-borne threats.

Predicting the Cyber Security Future in 2016
In this article, Lancope CTO TK Keanini provides a brief retrospective on 2015, including the biggest patterns seen from within the cyber security industry; highlights the biggest trends to expect in 2016, from cracking as a service to DNA breaches; and discusses how these trends will impact businesses and individuals alike and have long-reaching implications.

Top 5 Predictions for Online Fraud in 2016
As 2015 comes to a close, all of us fighting fraud may start preparing for the upcoming fraud battle in 2016. As mobile apps and web services continue to increase in number and functionality, they remain an attractive target for fraudsters. Meanwhile, cyber attackers have continued to adapt to evade traditional security defenses using the latest mobile hacker tools and cloud technology to impersonate legitimate users. If you are a consumer-facing web or mobile app, you are up against a much more numerous and advanced adversary than ever before. Here are some online threat trends you're likely to encounter in 2016.

Chimera Changes the Ransomware Game
Ransomware is an ever-growing issue within the cyber security industry. With the announcement of the new Chimera variant, what was already a large nuisance has been turned into a real threat to organizations and individuals alike. This article highlights what ransomware is and the staggering damages it can cause financially; how the new Chimera variant has changed the ransomware game from a nuisance to a real threat; the damaging effect this strain of ransomware could have, looking at high-profile breaches from the past year; and why an inside-out security approach is the best way to fight these types of threats.

Mobile Wallets: The New Fraud Frontier
With a company's bottom line, brand reputation and customer loyalty on the line, how can institutions secure payments via mobile wallets? The answer is in User Behavioral Analytics. This article highlights the different types of mobile payments that are currently being used, and how they work; why financial institutions have held back on developing their own mobile banking apps; and how utilizing user behavioral analytics can help detect good users more accurately within mobile payments and improve the overall customer experience.

6 CyberHacks That Will Affect Your Life in 2016
As we are quickly marching toward the end of another year, Stephen Newman, CTO of Damballa, discusses the new types of cyber attacks that we will likely see in 2016. He points out that these new types of attacks will draw everyone's attention to the lack of privacy and security in our interconnected world.

The Threat Within: 3 Out of 4 Companies Affected by Internal Information Security Incidents
Costly cyberattacks are now almost routine for businesses, but while many organizations are focusing on external attackers, it's important to also look at threats from within. According to the IT Security Risks Survey conducted by Kaspersky Lab and B2B International, 73% of companies have been affected by internal information security incidents. The survey also found that the largest single cause of confidential data losses is by employees (42%).

5 Tips for Shrinking the Elephant in the Room: Careless Employees
While it is important for organizations to be aware of the possibility of all types of insider threats, and to continue to invest in training courses and awareness programs, mistakes will continue to be made, making it more important to focus on the one thing that you can control: your data. This article by Dietrich Benjes, VP EMEA at Varonis, outlines the different types of insider threats facing your organization; how the more mundane insider threats are as serious as the less frequent 'corporate espionage' types; why organizations should focus on what they can control—their data; and the top 5 tips you can take in order to take control of the insider threat issue.

Russia’s Undeclared Cyber Wars
Post-Soviet Russia continues to exercise a get-tough attitude toward its former possessions. With each successful foray, its treatment toward the newly independent states that were once part of the Russian Empire becomes more and more assertive if not more aggressive. The excerpt from Vladimir Putin and Russia's Imperial Revival discusses Russia's cyberwar tactics and analyzes its 2007 Cyber War with Estonia.

© Copyright 2017 Auerbach Publications