Secure PHP: A Blog and Book about Agile PHP Security
Glaser's site also includes tutorials on how to use PHP and Content Security Policy to dramatically increase the security of your site and the safety of your users, and how to use the Specs Derived from the User Story to Drive Agile Security. It also has a chapter on PHP Security Anti-Patterns and the reasons security holes exist.
Top 10 Rock and Roll Cybersecurity Predictions for 2017
It's that time of year again. Time for information security predictions for 2017. This year, we have an interesting twist on predictions by tying them to classic rock lyrics to accompany them. It's interesting how prescient the lyrics are.
Cognitive Hack: The New Battleground in Cybersecurity
Here's an interview with James Bone, author of "Cognitive Hack: The New Battleground in Cybersecurity - The Human Mind"(https://www.crcpress.com/9781498749817).
Security of Smart Devices: Hardware Features
Smart devices use a combination of hardware and software to combat the security challenges that the device users face today. This chapter from Security and Auditing of Smart Devices: Managing Proliferation of Confidential Data on Corporate and BYOD Devices discusses the hardware features that help secure smart devices.
The Internal Audit Charter
The Internal Audit Charter, also referred to as "terms of reference," spells out the purpose, authority, and responsibility of the internal audit function of any organization. The charter provides the framework for the conduct of the internal audit function in any organization. It also provides a basis for the appraisal of the operations of the internal audit function and acts as a formal written agreement with management about the role and responsibility of the internal audit within the organization. This chapter from Internal Audit Practice from A to Z discusses the purpose, scope, authority, and responsibility of an internal audit charter.
Situational Project Management
In this video, Ginger Levin and Oliver Lehmann discuss Situational Project Management, the subject of Lehmann's new book. They cover how to identify projects by type and how to manage them accordingly; the skill set required to lead projects successfully; how to use lessons learned to avoid future failed projects; how to apply life experiences to improve your ability to manage projects successfully; and how to manage a project according to the situation and the environment in which it exists.
Introduction to Behavioral Biometrics
New Directions in Behavioral Biometrics presents the concept of behavioral biometrics on the basis of some selected features like signature, keystroke dynamics, gait, and voice. This excerpt from the book provides a brief overview of behavioral biometrics.
Risk and Trust Assessment: Schemes for Cloud Services
Both risk and trust have been extensively studied in various contexts for hundreds of years. Risk management, and specifically risk assessment for IT, has also been a hot research topic for several decades. On the other hand, modeling risk and trust for cloud computing has attracted researchers only recently. This chapter from Cloud Computing Security: Foundations and Challenges provides a survey on cloud risk assessments made by various organizations, as well as risk and trust models developed for the cloud.
Overview of Mobile Apps and Interfaces
This chapter from Mobile Applications Development with Android: Technologies and Algorithms introduces the mobile system; mobile interface and applications in mobile system; optimization in mobile system; mobile embedded system; mobile cloud computing; big data in mobile systems; data security and privacy protection in mobile system; mobile app; and Android.
Introduction to Project Portfolio Management
This chapter from Project Portfolio Management in Theory and Practice: Thirty Case Studies from around the World looks at the definition of PPM and discusses several examples of portfolio value, balance, and strategic alignment. It then examines the effect the absence of PPM has on organizations, including thinly spread resources, longer time-to-market, and poor quality of final products and services. Finally, it examines two research initiatives and compares them to demonstrate that although PPM has made bold strides in the last ten years, there is still a lot of work to be done.
Preservation and Management of Documents
One of the most important tasks an organization or individual will face when dealing with electronic evidence is the preservation of that data in a way that ensures the integrity and availability of the data. This chapter from Electronically Stored Information, Second Edition looks at all of the aspects of that task and discusses the tools and requirements that you should be considering.
Introduction to Machine Learning
Machine learning is a branch of artificial intelligence that aims at enabling machines to perform their jobs skillfully by using intelligent software. This excerpt from Machine Learning: Algorithms and Applications presents an introduction to machine learning, including the use of machine learning algorithms and present and future applications.
IT Project Management: A Geek's Guide to Leadership
Author Byron A. Love admits proudly to being an IT geek. However, he found that being an IT geek was limiting his career path and his effectiveness. During a career of more than 31 years, he has made the transition from geek to geek leader. He hopes this book helps other geeks do the same. It addresses leadership issues in the IT industry, to help IT practitioners lead from the lowest level. Unlike other leadership books that provide a one-size-fits-all approach to leadership, this book focuses on the unique challenges that IT practitioners face.
Introduction to Certificateless Cryptography
In this excerpt from Introduction to Certificateless Cryptography, authors Hu Xiong, Zhen Qin, and Athanasios V. Vasilakos present a brief introduction to symmetric cryptography, discuss the setting of asymmetric public key cryptography, and argue why you should care about certificateless PKC.
Corporate Defense Framework
The delivery of sustainable stakeholder value requires a subtle balance between the focus on value creation and value preservation. In this video, Sean Lyons, author of Corporate Defense and the Value Preservation Imperative, explains what is required for effective corporate defense rather than the illusion of corporate defense. He presents an integrated corporate defense framework required in order to align an organization's critical corporate defense components. This multi-centric approach can help you develop a more holistic view of corporate defense.
25 Years of DDoS
It has been 25 years since the first DDoS attack, and since then the world has witnessed many variants that all share the same result: disrupting the availability of the target host and its services. At the same time, we have seen a similar evolution in DDoS protection technologies, as well as improvements to enable anti-DDoS to interact with evolving technologies. This article looks at how the DDoS attack evolved over the past 25 years, whether the ever-growing Internet of Things has affected the growth of DDoS attacks at all, and what we can expect in the future.
Stop Squandering Time With All Talk and No Action
True or false: If a meeting ends with no actions, you didn't really need the meeting in the first place. Nancy Settle-Murphy's vote: Mostly true. Although some meetings may be held simply to cross-pollinate information or brainstorm new ideas, the goal of most meetings is to get something concrete accomplished. A resulting list of actions is often the most reliable barometer of progress. Why then do so many meetings end up with few, if any, action items? She has some suspicions. Simply put, she thinks that many of us give up too easily, offering a variety of excuses, some of which she enumerates in this article. For every excuse, she has provided at least a couple of choices.
Pokémon Infiltrates the Business Network
Pokemon Go has been taking the world by storm and some of the game playing may be finding its way onto the business network as employees decide to check in and play on corporate devices. This article explains how to find out if your employees are playing Pokemon Go while on the network, what other apps to look out for, and the perils of having these types of apps on your network.
Authentication is the process that deals with the establishment of identities. Claims-based authorization, at its simplest, checks the value of a claim and allows access to a resource based upon that value. A claim is a name-value pair that represents what the subject is, not what the subject can do. Clear as mud, right? Read this chapter from Enterprise Level Security for total clarity on claims-based authorization.
The IIA defines operational auditing as "Defining, measuring, evaluating, and improving the economy, efficiency, and performance effectiveness of the organization's operations and constituent activities irrespective of function, purpose, or level within the organizational structure." This chapter from Operational Assessment of IT explains what this means and how to apply it in the context of operational assessment of ICT.
Instantly Improve Your Team Communications by Overturning 9 Dangerous Myths
Whether running a project team or managing a group, most team leaders assume that their communication skills are pretty decent. So when they send emails, post documents, ping people on IM, or lead team meetings, they imagine that people are ready, willing and able to hear what they have to say. Magical thinking? You bet. This article shares some common instances of wishful thinking, or irrationally optimistic assumptions, which often lead to frustration and disappointment for leaders and their teams. As a counterpoint, it provides tips to ground that wishful thinking more in reality, resulting in communications that actually may be nothing short of magical.
5 Dangerous Misconceptions When Sharing Your Personal Data
As the developing Pokemon Go security breach demonstrates, the world is now structured with a thin layer of reassurance while underneath the hood the cogs aren't necessarily whirring with our interests as consumers at heart. The same applies to many of our interactions with service providers. This article highlights and debunks five popular misconceptions around sharing personal data.
Software Quality Assurance: Defect Management
This chapter from Software Quality Assurance: Integrating Testing, Security, and Audit deals with the conceptual aspects of defect management. There are three parts in this chapter. Part 1 discusses the basic concepts of a defect and why a defect happens. Part 2 introduces the practical methodologies of how to manage the defects. In this section, some sample documents and templates are provided to manage the defect properly. Part 3 discusses and analyzes the root causes of defects and provides recommendations of how to prevent defects in the future.
3 Effective Bomb Protection Solutions and Why Your Business Needs Them
It is a sad fact that the harsh realities of life mean that today's businesses have to factor in bomb protection solutions as part of their security objectives. Blast protection is now required in an ever growing list of situations, particularly where the public or sensitive information are concerned. One of the most important aspects of business is always being prepared for the unexpected, and by having bomb protection in place companies have the opportunity to reduce the potential of personal injury and property damage should an unfortunate event occur. With that in mind, here's a list of three effective bomb protection solutions and why your business needs to have such contingencies in place.
Dissemination and Reporting of Electronically Stored Information
This chapter from the new, second edition of Electronically Stored Information discusses the reasons and the methods for sharing the data we have so carefully acquired, preserved, and managed. There are several reasons, and each may engender different approaches or procedures appropriate to the specific needs of those situations. These approaches include the format in which the data are produced, the content, the timing of release, and the actual physical media and process for delivering the electronic information. It also discusses reporting protocols and suggests some ideas to ensure that the reports you create are clear and concise. Finally, it presents tips for participating in depositions or as an expert witness.
Building Cyber Awareness: What I Would Do First
Cyber security experts are often asked what strides an organization should take in order to measurably reduce their exposure to cyber threat actors, and their relentless cyber-attacks. Deploying the right security technologies obviously makes good sense. However, no matter how much security technology you deploy, it will never completely replace good common sense. Most cyber-attacks that result in data theft involve the human element, and the dreaded 'click.' That is, the act of an employee being fooled by a phishing E-mail and clicking a link or attachment that installs malicious software without detection. Reducing this single liability would serve to improve anyone's defensive posture. This article discusses how to solve this problem.
Spring Clean Your Network with Automated Access Management
Most of us partake in the annual ritual of cleaning our homes, cars, offices, and workshops. But, what about our organization's software? Organizations need to take some time to look at all of the software, applications, accounts and licenses they have available for the company and clean house of those that are no longer needed but possibly being paid for. These applications aren't just a waste of space on the company's network. They may be costing the company hundreds or even thousands of dollars every year for unused licenses. Even worse, they may actually be a security risk! This article explains why this is an issue; how to mitigate it; and outlines the types of solutions or guidelines to put in place.
All Seeing, All Knowing Border Control: Endpoint Detection and Response
The evolutionary arms race between hackers and cyber-defenders has led to the rapid disruption of the traditional managed security service provider (MSSP) market. As vendors scramble to stay relevant, this has led to a sea of sales messages and acronyms, including the advent of EDR and proactive threat hunting. Breaking this down, we have EDR (Endpoint Detection and Response), the word proactive (the mainstay of copyright teams globally), and threat hunting (why wouldn’t you want that), but marketing aside, what does this actually mean? Read this article and you'll know.
The Game Changer: Next Generation Cyber Security
With the threat landscape constantly changing, and most organizations accepting that it is now less a case of if they get attacked than when, it is time for a game changer. By actively pursuing attackers within your own infrastructure, and hunting them down, companies will be able to dramatically reduce the number of days an attacker is sitting on their network. This article highlights why actively pursuing attackers within your network will change the way you look at security; the best ways to be more proactive within your network environment; and how the cloud and migrating your systems to a cloud environment opens the opportunity to go on the offensive.
New Considerations for Securing the Mobile Enterprise
The FBI dropped its suit against Apple to build a skeleton key to unlock the iPhone after it developed its own means to access the iPhone linked to the San Bernardino terrorist shootings. This has unprecedented implications for personal privacy as well as business privacy. Now law enforcement has the means to access data on any iPhone seized as part of an investigation or in connection to any crime. It also seems likely that the same iPhone-breaking technology will make its way into the hands of hackers and cyber criminals. This article considers what impact this will have on mobile strategies for business; what impact this new iPhone skeleton key will have on company BYOD strategies; what threat mobile devices pose as a hacker interface to access enterprise technology; and what the liability considerations are for businesses who equip their staff with iPhones.
We're Going on a Threat Hunt: Why Enterprise Cybersecurity Reminds Me of a Classic Children's Book
Not all enterprise threats are going to be big. In fact, lots of smaller issues, if unaddressed, can add up to the infosec equivalent to the Death of a Thousand Cuts. Being fixated on the big logoed vulnerabilities talked about in the media means you will always be on the defensive. To regain the upper hand, organizations need to focus on the little things, like practicing sound security fundamentals, while at the same time transforming their security model from one based on playing defence to a proactive one based on comprehensive security assurance.
Analyzing and Securing Social Networks
This chapter from Analyzing and Securing Social Networks sets the stage to discuss both social media analytics and security. It discusses various applications of social media analytics. Then it considers applying various data mining techniques for social network analysis (SNA), before discussing security and privacy aspects.
The Evolution of Ransomware
A recent study found that 80% of organizations experienced an IT security incident in 2015, with 53% of respondents having a concern for ransomware in 2016. But, how did we get here? And how can we avoid these growing attacks in the coming year and beyond? In general, all ransomware pretty much works the same, but each variation of it does something slightly different. This article discusses the history of ransomware, from the first known ransomware to GPCode, CryptoLocker, Cryptowall, and Locky, with many others in between. It closes with a discussion of 2016 ransomware predictions, as well as how to mitigate future malware attacks.
Cloaking Is the New Perimeter
Cloaking is the ability to hide assets in plain sight so that bad actors have no idea the asset exists. Using a castle analogy, this article delves into what it takes to use cloaking to protect the assets within the perimeter of the organization's walls as well as when the assets are in motion or distributed outside the perimeter.
Tackling Tough Issues Remotely, When Your Boss Is the Problem
We hear a lot about how virtual leaders can deal effectively with workplace conflicts and performance problems. But we don't hear nearly as much about how to confront tough issues from the remote worker's point of view. And that's precisely what Sue Shellenbarger, Work and Family columnist for the Wall Street Journal, wanted to know when she contacted Nancy Settle-Murphy recently for an interview. Since Sue's questions were so insightful, Nancy has paraphrased three of them here, along with a few replies.
Balancing the Risk and Opportunity of Deep Customer Data Analytics
For Big Data to power new insights, it is critical that firms move their core customer and transaction histories into these new environments in addition to any new data sources that may be brought in. This often means taking data once stored and processed on the highly secure mainframe and moving it off-platform. This, paired with many high-profile breaches of consumer data, has driven heightened security and compliance regulations around how personal data is stored, analyzed and used by large enterprises. There are many steps--both policy- and technology-driven--that you can take to initiate these projects while balancing compliance and security.
The Hotel Industry Has a PoS Malware Problem
Based on the spike in hotel data heists recently, the industry is falling seriously short when it comes to security. With BlackPoS and other RAM-scraper variants finding good hotels to vacation in, it's startling to think that very little seems to have been learnt from these types of attacks. This article highlights the increase in point of sale (PoS) malware, particularly within the hotel industry; a typical PoS malware attack scenario, from entry to exfiltration; the best ways to defend against these types of attacks, including employee education and data governance; and how User Behaviour Analytics (UBA) can help identify an attacker earlier in the kill chain and prevent the loss of important data such as credit card details.
What You Need to Know about the EU General Data Protection Regulation
The EU's General Data Protection Regulation (GDPR) has achieved final approval after a long two year process. Now that the GDPR has been finalized, and is due to take effect in the later part of 2017, this article outlines the key points that should resonate the most with organizations.
Biometrics: The Physical Attributes vs. Behavioral Patterns Privacy Debate
In a world where we can no longer rely on authentication based on 'static elements,' we are increasingly seeing biometric-based authentication technology used as a way to verify users. But the use of biometric factors is rapidly becoming an area of concern from a data privacy and security perspective. This article highlights why it is no longer viable for organizations to only rely on traditional, static forms of identification, such as passwords; the difference between physical and behavioral biometrics, and why behavioral biometrics is able to provide a higher level of security for online activities; and why behavioral biometrics are far more privacy-friendly than physical biometrics, and are far less invasive.
8 of the Largest Data Breaches of All Time
According to the ITRC (Identity Theft Resource Center), there were 5,754 data breaches between November 2005 and November 2015 that have exposed 856,548,312 records. According to their data, there were 783 breaches in 2014, the largest number of data breaches in a single year to date. Although this data includes a comprehensive list of data breaches, whether large-scale or small, there are a few that stand out from the rest as some of the worst data breaches in history in terms of resulting costs and the number of records compromised. This list of eight of the worst breaches in history highlights the cause of the breach and the effects on the public and business sectors.
Making Vulnerability Assessments a Priority in 2016
The vulnerability assessment of an organization's applications and data is critical given the increasing number of automated and targeted attacks. Businesses must proactively identify potential vulnerabilities to prevent breaches. This article discusses two highly-effective ways to identify vulnerabilities: vulnerability scanning and penetration testing.
What Is the EU General Data Protection Regulation?
It has been a long time coming, but the new EU data security and privacy law, also known as the General Data Protection Regulation (GDPR), is finally close to being finalised and will likely go into effect sometime in 2017. This article includes an outline of the GDPR and why it is important for organizations to not panic over changes to the existing data rules; the current Data Protection Directive (DPD) and why the EU felt the need to change to the GDPR; some of the more important vocabulary included with the new law; and outlines of the new articles contained with the GDPR and how they will affect organizations.
Is Your Business Winter Ready?
Have you formulated a plan to avoid grinding to a halt should your employees find themselves cut off or the office inaccessible, one that includes keeping data safe? The answer could be to have adequate infrastructure in place that allows workers to securely work from home, or while stranded anywhere sensible with an internet connection. This article examines what technologies are there to help, and what security implications need to be considered.
5 Steps to Securing Data Workflows in Your Organization
With all organizations having data flowing constantly into and out of them, the risk of malware infecting the system is greatly increased. To protect against these threats, most organizations have anti-malware solutions implemented at the different entry points, including email, web and portable media, in an attempt to stop malware from entering the organization's network. But is this the most effective way to stop malware? This article highlights why implementing a secure data workflow is more beneficial to organizations than single solutions at different entry points; the five steps organizations need to take to implement a secure data workflow; and how the use of multiple anti-malware engines can assist an organization's secure data workflow even further.
6 Steps to Secure Retailing
The article highlights the stats and facts behind how retail has become the new favourite playground for hackers; why it is important for retailers to keep themselves safe from possible data breaches; the 6 best ways for retailers to secure their businesses from attacks, including securing web applications and reviewing logs regularly; and how focusing on reducing threats can reduce the window of opportunity for criminals.
Is Machine Learning Cybersecurity's Latest Pipe Dream?
A recurring claim at security conferences is that "security is a big data, machine learning (ML), and artificial intelligence (AI) problem." This is unfortunately wildly optimistic, and wrong in general. While certain security problems can be addressed by ML/AI algorithms, in general the problem of detecting a malicious actor amidst the vast trove of information collected by most organizations is not one of them.
User Behavior Based Biometrics: The New Frontier
Gone are the days when online security could be trusted to a simple username and password combination or simple identity checks. As fraudsters got better at bending and breaking the system, e-commerce and digital banking initiatives had to keep pace, creating tough rule-based systems to check for fraud and adding new technology like IP detection and Device ID. But even these measures are no longer enough. As this article explains, the next great leap in digital security isn't based on a device or a password, but on the user themselves--User Behavior Based Biometrics.
A Look Back at SCADA Security in 2015
It should come as no surprise that SCADA systems and ICS that control key functions in critical infrastructure are especially at risk of cyber attack. This article reviews the current state of SCADA security; presents a 2015 timeline that highlights the growing risk of SCADA attacks; and discusses technologies you can use to bolster the security of SCADA and ICS systems.
Protecting the Oil and Gas Industry from email Threats
According to a recent report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the energy sector is facing a significant rise in cyber attacks. The high volume of business communications conducted via email within this industry gives hackers quite the window of opportunity to intercept sensitive information through the use of spear phishing. This article by OPSWAT's Doug Rangi describes spear phishing attacks that have occurred in various sectors of oil and gas, along with recommendations on how the industry can boost its cyber security and specifically adopt new preventative measures to protect against these and other email-borne threats.
Predicting the Cyber Security Future in 2016
In this article, Lancope CTO TK Keanini provides a brief retrospective on 2015, including the biggest patterns seen from within the cyber security industry; highlights the biggest trends to expect in 2016, from cracking as a service to DNA breaches; and discusses how these trends will impact businesses and individuals alike and have long-reaching implications.
Top 5 Predictions for Online Fraud in 2016
As 2015 comes to a close, all of us fighting fraud may start preparing for the upcoming fraud battle in 2016. As mobile apps and web services continue to increase in number and functionality, they remain an attractive target for fraudsters. Meanwhile, cyber attackers have continued to adapt to evade traditional security defenses, using the latest mobile hacker tools and cloud technology to impersonate legitimate users. If you run a consumer-facing web or mobile app, you are up against a much more numerous and advanced adversary than ever before. Here are some online threat trends you're likely to encounter in 2016.
Chimera Changes the Ransomware Game
Ransomware is an ever-growing issue within the cyber security industry. With the announcement of the new Chimera variant, what was already a large nuisance has been turned into a real threat to organizations and individuals alike. This article highlights what ransomware is and the staggering damages it can cause financially; how the new Chimera variant has changed the ransomware game from a nuisance to a real threat; the damaging effect this strain of ransomware could have, looking at high-profile breaches from the past year; and why an inside-out security approach is the best way to fight these types of threats.
Mobile Wallets: The New Fraud Frontier
With a company's bottom line, brand reputation and customer loyalty on the line, how can institutions secure payments via mobile wallets? The answer is in User Behavioral Analytics. This article highlights the different types of mobile payments that are currently being used, and how they work; why financial institutions have held back on developing their own mobile banking apps; and how utilizing user behavioral analytics can help detect good users more accurately within mobile payments and improve the overall customer experience.
6 CyberHacks That Will Affect Your Life in 2016
As we are quickly marching toward the end of another year, Stephen Newman, CTO of Damballa, discusses the new types of cyber attacks that we will likely see in 2016. He points out that these new types of attacks will draw everyone's attention to the lack of privacy and security in our interconnected world.
The Threat Within: 3 Out of 4 Companies Affected by Internal Information Security Incidents
Costly cyberattacks are now almost routine for businesses, but while many organizations are focusing on external attackers, it's important to also look at threats from within. According to the IT Security Risks Survey conducted by Kaspersky Lab and B2B International, 73% of companies have been affected by internal information security incidents. The survey also found that the largest single cause of confidential data losses is by employees (42%).
5 Tips for Shrinking the Elephant in the Room: Careless Employees
While it is important for organizations to be aware of the possibility of all types of insider threats, and to continue to invest in training courses and awareness programs, mistakes will continue to be made, making it more important to focus on the one thing that you can control: your data. This article by Dietrich Benjes, VP EMEA at Varonis, outlines the different types of insider threats facing your organization; how the more mundane insider threats are as serious as the less frequent 'corporate espionage' types; why organizations should focus on what they can control, their data; and the top 5 tips you can take in order to take control of the insider threat issue.
Russia’s Undeclared Cyber Wars
Post-Soviet Russia continues to exercise a get-tough attitude toward its former possessions. With each successful foray, its treatment of the newly independent states that were once part of the Russian Empire becomes more and more assertive, if not more aggressive. This excerpt from Vladimir Putin and Russia's Imperial Revival discusses Russia's cyberwar tactics and analyzes its 2007 Cyber War with Estonia.