GAO Report Addresses Potential Security Risks of Foreign-Manufactured Equipment
One of my favorite threats. This report "addresses (1) how network providers and equipment manufacturers help ensure the security of foreign-manufactured equipment used in commercial communications networks, (2) how the federal government is addressing the risks of such equipment, and (3) other approaches for addressing these risks and issues related to these approaches."
I still think there's a pervasive "ostrich head in sand" attitude about this.
Video Series Available for Introduction to Security and Network Forensics
Bill Buchanan, author of Introduction to Security and Network Forensics, has created a series of videos to accompany the textbook. There is a video for each chapter, as well as many of the labs. Still, you really should read the book.
Overview of Data Anonymization
This is an excerpt from The Complete Book of Data Anonymization: From Planning to Implementation by Balaji Raghunathan.
IT Security's 50 Shades of Gray
It's the disparity between theoretical approaches and real-life operations that makes it necessary to approach whitelisting with pragmatism. Because right now the major problem with whitelisting is that it is very expensive from the point of view of human involvement. You can't completely eliminate that expense, but you can at least minimize it by keeping user workflows unimpeded while the decision-makers look closely into those 50 shades of gray.
Ferris Information Security and Intelligence Professor Gogolin Awarded Fulbright Scholarship to Teach in Chile
Greg Gogolin is the author of Digital Forensics Explained.
Twenty Critical Security Controls, Part 3: Malware Defenses and Application Security
The first installment of this series covered the "Inventory of Authorized and Unauthorized Devices" and the "Inventory of Authorized and Unauthorized Software." The second article covered two more Controls designed to offer guidance on managing secure hardware and software configurations on a variety of devices, as well as the implementation of continuous vulnerability assessments and remediation efforts. It’s time to take a closer look at Controls 5 and 6 of the CSIS 20 Critical Security Controls, which deal with malware defenses and application security, respectively.
Twenty Critical Security Controls, Part 2: Configurations and Vulnerability Assessments
The Center for Strategic and International Studies (CSIS) recently released Version 4 of the Twenty Critical Security Controls. The critical controls identified by the workgroup focus on four basic tenets. This article looks at two more Controls designed to offer guidance on managing secure hardware and software configurations on a variety of devices, as well as implementing continuous vulnerability assessments and remediation efforts.
Twenty Critical Security Controls: Part 1
The Center for Strategic and International Studies (CSIS) recently released Version 4 of the Twenty Critical Security Controls. The critical controls identified by the workgroup focus on four basic tenets. This series of three articles is intended to highlight the specific requirements you need to understand, and can later be used as a checklist.
Verizon's 2013 Data Breach Investigations Report
"This year’s DBIR combines the expertise of 19 organizations from around the globe. Download the report to discover stats that might surprise you, from the percentage of espionage-related attacks to the astonishing length of time it often takes to spot a security breach. By knowing today’s threats, you can better protect your organization tomorrow."
What Security Managers Can Learn from Brazil: Frontline in the Global Cyber Wars
Brazil is now the number one country in the world for the use of banking malware. The high levels of e-commerce in Europe and the low levels of security often involved suggest that this is likely to be a prime target for Brazilian cyber criminals, and the organizations that buy the data they steal.
Android Security: Attacks and Defenses
Starting with an introduction to Android architecture and applications, this book covers security features and issues specific to Android (platform and applications), including possible attacks and means to prevent them. Authors Anmol Misra and Abhishek Dubey describe a mobile-device pen-testing methodology and techniques for DLP (Data Leak Prevention). They also discuss advanced topics including reverse engineering and forensics, malware analysis, secure coding and hardening guidelines for Android, and how to perform threat modeling for Android devices and applications and incorporate it into enterprise SDLC processes.
Symantec Internet Security Threat Report Reveals Increase in Cyberespionage
Symantec’s Internet Security Threat Report, Volume 18 (ISTR) today revealed a 42 percent surge during 2012 in targeted attacks compared to the prior year. Designed to steal intellectual property, these targeted cyberespionage attacks are increasingly hitting the manufacturing sector as well as small businesses, which are the target of 31 percent of these attacks. Small businesses are attractive targets themselves and a way in to ultimately reach larger companies via "watering hole" techniques. In addition, consumers remain vulnerable to ransomware and mobile threats, particularly on the Android platform.
How Cybercriminals Are Exploiting Bitcoin and Other Virtual Currencies
Here is a detailed analysis from Jaime Blasco, Labs Director at AlienVault, regarding the virtual currency, Bitcoin, and how cybercriminals are exploiting this currency.
Authentication: The Text Factor
Lars Nielsen of SMS PASSCODE explains why multi-factor authentication is moving from traditional token-based preset codes to real-time connected and mobile systems, and the provisioning and security benefits this offers.
System State Intelligence and the Intrusion Kill Chain
In kill chain analysis, an attacker has to progress through stages before they achieve their objective, and it takes just one successful mitigation effort to thwart the attacker. SSI can increase the timeliness and accuracy of security incident detection efforts and increase the overall effectiveness of all network security tools.
Segmentation and the Private Cloud
From a security perspective, you have to consider how you want to physically segment your network. Cloud computing pushes the economy of scale, and that is typically achieved by setting up a single virtual cluster for all your computing needs. However, security requirements might dictate a different agenda of pooling your computing and storage resources. It might also drive your decision making around firewall technology, and where to draw the physical fences versus virtual ones. This is an excerpt from Securing Cloud and Mobility: A Practitioner’s Guide by Ian Lim, E. Coleen Coolidge, and Paul Hourani.
The CISO as the Man-in-the-Middle
The CISO has become the new Man-in-the-Middle, increasingly caught between the Executive World where he must effectively connect security to the business, and the more familiar Technical World where the CISO must continue to effectively communicate in terms of controls and benchmarks.
Combating Cyber-Attacks Against the Financial Community
News media in the U.S. are abuzz with stories about cyber-attacks on top banks as financial institutions emerge as the prime targets of cyber-criminals. Reports suggest that since September 2012, cyber-attacks on bank networks have exploded. Cyber-criminals are siphoning off employee login credentials and administrative passwords for IT resources, using techniques that include spam and phishing emails, keystroke loggers, and Remote Access Trojans (RATs). Bolstering internal controls as detailed in this article helps keep privileged identities from being compromised even if an attacker manages to penetrate the perimeter, and likewise mitigates threats from malicious insiders.
Cyber Security Challenges in 2013
This article discusses the three key cyber security challenges for this year: an increase in exploit kits, an increase in mobile device threats, and an increase in the sophistication of threats. It then outlines how businesses can combat these attacks, providing useful security tips.
Information Security Policy Development for Compliance: ISO/IEC 27001, NIST SP 800-53, HIPAA Standard, PCI DSS V2.0, and AUP V5.0
Compliance standards, of which there are many, can and should be used as a guide to writing comprehensive and effective security policies. Many standards cover many of the same topics but state the requirements in slightly different ways. This book provides a simplified way to write policies that meet the major regulatory requirements without having to manually look up each and every control. It supplies a way to address the regulatory requirements of the organization by writing policy statements that address these requirements.
The Next Cybersecurity Threat Cycle Is Here. Are You Prepared?
The first PC viruses appeared more than 25 years ago. Little did we realize that this was just the beginning of what would become a series of threat waves. Today, we find ourselves combatting advanced malware, targeted attacks and advanced persistent threats (APTs). This article discusses how you can raise your game to defeat this new class of attackers.
The Hunt for Red October: 2013's Sequel
The recent "Red October" wave of concerted cyber assaults demonstrates that social engineering is by far the most potent tool in the hacker's arsenal. These attacks occur nearly every day and are often successful, regardless of technical controls and countermeasures deployed within corporate networks. This article discusses the attacks and the ways in which your enterprise can protect its assets.
Call for Chapters: "Case Studies in Intelligent Computing" and "Case Studies in Secure Computing"
Handbook of SCADA and Control Systems Security
The availability and security of many services we rely upon are routinely put at risk by cyber threats. This new book outlines security concepts, methodologies, and relevant information pertaining to SCADA systems and technology that quietly operate in the background of utility and industrial facilities worldwide. The book supplies information for securing industrial automation/process control systems as part of a critical infrastructure protection program. The authors present a best practices approach to securing business management environments at the strategic, tactical, and operational levels.
How a Simple Storyboard Helps Command Attention and Get Results (Virtually)
You're in the process of designing your presentation and creating your meeting agenda. Since you will be leading the meeting from a conference room with several of the senior leaders, with others participating from various locations, you know that a critical success factor will be keeping everyone absorbed, engaged and enthusiastically participating in a productive dialogue. In the article, Nancy Settle-Murphy and Sheryl Lindsell-Roberts offer practical approaches for presenting important recommendations that grab and keep peoples' attention, wherever they are.
Check out Nancy's new book, Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results
Why One-Size-Fits-All Web Content Filtering Doesn’t Work: Setting New Web Access Policies with Next-Generation Web Filters
The Internet is an essential tool, but it also presents risks to productivity, e-safety and network security. Web filtering provides powerful tools to address these issues, but taking a "one-size-fits-all" approach isn't enough to meet the dynamic and diverse needs of most organizations. Instead, a genuine real-time Web filtering solution is needed to ensure categorization and filtering of Web page content keeps up to date with the ever-growing Internet.
Is DNA Really Personally Identifiable Information (PII)? No. Maybe? Yes!
Biometric data is at the limits of what current personal data privacy laws consider worthy of protection. This type of identifier covers fingerprints, voiceprints, and facial images. While the risk factors are not nearly as threatening to consumers as more traditional PII, they do exist. Until recently, the dangers of biometric identification using DNA were more theoretical than real. That has suddenly changed. This article looks at the risk factors of biometric identification using DNA.
Virtualization Needs Physical Consideration
Why do people seem all too happy to do things in the virtual world they would never dream of doing in the real world? Organizations are happy to hand over bunches of keys that open every sensitive file and expose the softer underbelly of the network. Why do they do that? This article, written by Andrew Avanessian, Avecto’s VP of Professional Services, explores this and offers a virtual solution to the physical problems.
Effective Physical Security of a Mobile Device
This article explores the idea that it is impossible to provide effective physical security for a mobile device with today's technology and training practices. It discusses current mobile security technologies and their limitations, and presents potential new approaches to solving these problems. Finally, it proposes a solution that combines many different security measures to provide the best protection.
Demystifying the Black Art of Keeping Data Secure: Enterprise Key and Certificate Management
Given the proliferation of valuable and often regulated information, organizations strive to carefully conceal it behind the best security technologies available. However, data remains only as secure as the encryption keys and certificates that safeguard it. Herein lies the problem: enterprise key and certificate management (EKCM) is extremely complex. With hundreds of different companies providing these services, and a variety of technologies in use internally within organizations, EKCM is considered by those working in the IT space to be a black art. Venafi's EMEA Director Calum MacLeod takes a closer look at what's needed to master this discipline.
Building Trust Calls for Different Approaches Across Different Cultures
This article, the first of a series, focuses on how different attributes, behaviors and attitudes are seen as trustworthy (or not) by a handful of cultures. Although it's true that all people deserve to be treated as individuals, virtual team leaders can accelerate the process of building trust across their teams by understanding certain patterns of behaviors within cultures.
Check out Nancy's new book, Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results
NEW! Excerpts from Recently Published Books
Why Measure Information Security?
This is an excerpt from PRAGMATIC Security Metrics: Applying Metametrics to Information Security by W. Krag Brotby and Gary Hinson.
Read Mich Kabay's review.
Fundamental Noise Concepts
This is an excerpt from Physical Principles of Wireless Communications, Second Edition by Victor L. Granatstein.
6 Next-Generation Firewall Policy Tips to Secure the Perimeter in the Application Age
This article explains why you need to understand which applications are needed by which users, and how to provide access without slowing down business productivity and without opening security gaps for data leakage or malware. It also provides six next-gen firewall policy tips to secure the perimeter in the "application age."
2013 Predictions Countdown from Infosecurity Europe
It’s the time of year again when IT security experts predict what the next year will bring. Here are some predictions and trends that Infosecurity Europe exhibitors expect to see in 2013.
Data Leakage: This Time It's Personal
Almost daily the media report confidential information being disposed of in park bins, laptops being found in taxis, and passwords being published on the Internet. While this is undoubtedly concerning, the findings from a global security study on data leakage have revealed that data loss resulting from employee behaviour poses a much more extensive threat than many IT professionals believe. Here are some steps you can take to tackle data leakage.
How to Get Promoted in IT Security
It's hard enough these days to get a job. Getting promoted once you're there is even harder. This article highlights four areas that will help you get ahead.
Is Your Company Fair Game for a Spear Phishing Attack?
This article from PhishMe looks at how to spot and protect against spear phishing attacks. After explaining what spear phishing is, it provides tips about what sort of things in emails should raise a red flag, both in terms of the sender and the content, and recommendations for the procedures that companies and employees should follow.
Data Protection: One for All and All for One?
This article by Joanne Rogers of CS Risk Management looks at how the proposed Data Protection Regulation has ruffled feathers, focusing on the implications for businesses and what an increase in potential fines will mean. An updated law that takes the increasing challenges of data security into account is long overdue, but will the potential benefits of the new regulation outweigh the perceived burdens?
8 Great Year-Round (Free!) Gifts Everyone on Your Team is Guaranteed to Love
So with all this talk of giving, Nancy Settle-Murphy got to thinking: How can we offer meaningful gifts to those we work with, especially those who are far away? And not just for holidays or birthdays or when we've achieved certain milestones - but on a regular basis, as a routine part of how we work together. How can we invoke this spirit of giving in such a way that it becomes second-nature? Here are some gift ideas that will strike a chord with team members near and far. They require very little extra time, and for the most part, they don't cost you a dime.
Check out Nancy's new book, Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results
NEW! Excerpts from Recently Published Books
New Directions of Modern Cryptography
This is an excerpt from New Directions of Modern Cryptography by Cao Zhenfu.
What Is Digital Forensics, and What Should You Know About It?
This is an excerpt from Digital Forensics Explained by Greg Gogolin.
HIPAA/HITECH Compliance Overview
This is an excerpt from The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules by John J. Trinckes, Jr.
Complex Systems Engineering Principles
This is an excerpt from Leadership in Chaordic Organizations by Beverly Gay McCarter and Brian E. White.
Unique Challenges of Virtual Teams and Their Leaders
This is an excerpt from Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results by Nancy M. Settle-Murphy.
Generation Tech: Young, Gifted but a Long Way from Bad
Young employees take more risks with software. This doesn't have to be a problem. From the point of view of traditional, centralized IT, BYOD and consumer software are inherently difficult to assimilate. Admins are instinctively wary and with good reason. In conventional IT, the users are the source of most problems, starting with the misuse of software. But here's an intriguing thought; far from being negative and risky, perhaps the way Generation Y adopts new applications could have long-term benefits if a way can be found to accommodate the behaviour.
Social Networking: #Friend or #Foe
Social media can be a powerful business tool, but hackers are finding increasingly sophisticated ways to exploit our online relationships. This article by Joanne Rogers of CS Risk Management examines the many potential benefits and risks, and discusses what should be the key considerations for your enterprise when utilizing social media.
Windows Networking Tools: The Complete Guide to Management, Troubleshooting, and Security
This book discusses how built-in and third-party networking tools can be used to diagnose network problems and performance issues as well as enhance the security of computer systems. The author covers a variety of networking tools and demonstrates how they can be used to determine ahead of time whether existing Internet connectivity can support activities such as voice and video over IP. Coverage of other tools shows readers how to prevent keyboard hacking and negate the operation of unwanted advertisement trackers by checking for and eliminating different types of attack software.
Tapping the Quiet Power of Introverts in a Virtual World
In this article, Nancy Settle-Murphy explores ways that virtual team leaders can learn how to take advantage of the quiet power and special strengths of the introverts on their teams, instead of trying to make their introverts conform to the "extrovert ideal."
May the (En)Force(ment) Be With You: Security Lessons from Star Wars
From applying security policies to DLP and effective user authentication, there are many infosecurity lessons to be learned from the classic space opera. Terry Greer-King, Check Point's UK managing director, shows how companies can avoid the Empire's mistakes.
Symantec October Intelligence Report
Symantec released its October Intelligence Report. The report investigates a new social networking scam that leverages Instagram to gather personal details and get users to sign up for premium-rate mobile services, among other things. The report also tracks a drop of more than 10 percentage points in the global spam rate (from 75% of email traffic in September to 64.8% in October), and examines some of the possible reasons for the sudden drop.
Privacy Compliance Laws: Why the European Commission Has Finally Got It Right
The debate about privacy compliance has always been a heated one. Add to the mix new European Commission legislation and you have a recipe for not only a lively debate but also a controversy about the interference in privacy of a European bureaucracy. This article concentrates on examining the stances that have been taken, their validity and, more importantly, what an enterprise needs to do as it turns from merely talking shop to setting and implementing concrete policies on privacy.
Symantec Releases Its Security Predictions for 2013
Symantec released its security predictions for 2013 today. One of the key forecasts is that ransomware will surpass fake AV as the premier cybercrime strategy in the coming year. Additional predictions: conflicts between nations, organizations and individuals will predominantly take place in the cyber world; as users shift to mobile and cloud, so will attackers, in particular by exploiting the Secure Sockets Layer (SSL) certificates used by mobile devices and applications; madware will continue to spike, particularly as companies seek to drive mobile ad revenue; and consumers will face new security dangers and tricks on social networks.
Auerbach Information Management Service Archives Online with FREE Access
For years, the Auerbach Information Management Service (AIMS) was the go-to resource for IT professionals of all stripes. Now we've completed the first step in the process of putting the archives online, starting with Data Security Management. Other volumes will be online soon, so stay tuned.
Introduction to the Smart Grid
Our current grid system is quickly becoming obsolete. One solution to this problem is smart grid. Smart grids will be able to efficiently handle our increasing energy demands and reduce the environmental impact by incorporating renewable resources. This chapter discusses what smart grids are and the technology they use, and provides case studies of early implementations.
Privacy Professor Tips of the Month
Rebecca Herold, author of several Auerbach books and co-editor of the Encyclopedia of Information Assurance, publishes a monthly newsletter of "Privacy Professor Tips of the Month." Here's a link to all of the monthly Privacy Professor Tips to date.
SCADA Security: What Is an Industrial Control System?
Process control system (PCS), distributed control system (DCS), and supervisory control and data acquisition (SCADA) are names frequently applied to the systems that control, monitor, and manage large production systems. These systems are often found in critical infrastructure industries, giving the security of PCS, DCS, and SCADA systems elevated importance in the increasingly networked world we live in. This excerpt from Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS distinguishes between PCS, DCS, and SCADA systems, and looks at whether Industrial Control System security is different from regular IT security.
Managing the Social Impact of Least Privilege Security
The technical problems associated with using pre-Vista Windows as a standard user, i.e., without administrative privileges, have left an expectation that users should have full control over their PCs, including the ability to install unauthorised software and change key operating system components. User Account Control (UAC) in Vista and Windows 7 has made it more practical to run with a standard user account and has led many organizations to look seriously at removing administrative rights from end users. Yet if not planned thoroughly, this can bring not only unexpected technical problems but a mutiny in the ranks.
Security Best Practice: Effective Enterprise Key and Certificate Management
Recent high-profile security breaches have cost millions in revenue and lost opportunities. Fear of further breaches, along with new security standards and regulations, has driven IT professionals to deploy encryption more broadly. Organizations are now struggling to properly manage and control the rapidly multiplying certificates and keys that result, in order to prevent security breaches, system downtime and other disasters. It's a catch-22 situation, but it doesn't have to be.
HIPAA Security 101 Webinar
Todd Fitzgerald, author of Information Security Governance Simplified: From the Boardroom to the Keyboard, recently conducted a Webinar on HIPAA Security 101. You may view it at www.hipaacow.org.
Data Storage and Network Security
As IT moves farther from the relatively safe and secure confines of data center glasshouses and internal physical networks with interfaces for Wi-Fi mobile and Internet computing, security has become even more important than it was in the past. As networked storage enables storage and information resources to be accessed over longer distances and outside the safe confines of the data center, more security threats exist and more protection is needed.
Data Loss from Missing Mobile Devices Ranks as Top Mobile Device Threat
The Cloud Security Alliance (CSA) Mobile Working Group today released findings from Top Mobile Threats, a new survey that calls out the specific security concerns enterprise executives say are the real and looming threats to mobile device security in the enterprise environment. In addition to identifying the top threats, respondents indicated a couple of additional concerns: 64 percent believe that NFC and proximity-based hacking will happen in 2013, and 81 percent believe that insecure WiFi and rogue access points are already a threat today.
10 Top Tips for Leading Great Lessons Learned Reviews in a Virtual World
When run well, a lessons learned review can yield big benefits. The trouble is, many teams approach a lessons learned review as a necessary evil that has to be dealt with before they move on to the next project. In this article, Nancy Settle-Murphy and Kathleen Coyle, Senior Organizational Development & Training Consultant for Partners HealthCare System, apply many of the great tips found in Kathleen's Top 10 Tips for Lessons Learned Reviews white paper to virtual teams, who face special challenges when it comes to designing lessons learned sessions.
Switch’s Content Addressable Memory (CAM) Table Poisoning Attack
Ethernet switches on a LAN maintain a table, the Content Addressable Memory (CAM) table, that maps each MAC (Media Access Control) address seen on the network to the physical switch port it was learned on. A CAM table poisoning attack is the malicious act of corrupting entries in that table, typically by sending frames with a forged source MAC address, so that traffic for a victim host is redirected away from its real port. This can create a DoS situation, as the switch is no longer able to forward frames to their legitimate destinations, and it can also let the attacker's port receive frames meant for the victim. The usual countermeasure is switch port security, which limits the number of MAC addresses a port may learn and raises a violation when that limit is exceeded.
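The following is an added example, not code from the article above: a toy model of a transparent learning switch, written to show how the "newest source MAC wins" learning rule is what makes CAM poisoning work, and how a per-port MAC limit (port security) stops it. The hosts, MAC addresses and frames are constructed; real switches also age entries out and handle violations in several configurable ways.

```python
"""Toy learning switch and a CAM-table poisoning attack (added example).

Assumptions: a three-port switch, host A on port 1, host B on port 2 and
the attacker on port 3. MAC addresses below are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

HOST_A = "aa:aa:aa:00:00:01"
HOST_B = "bb:bb:bb:00:00:02"
ATTACKER = "cc:cc:cc:00:00:03"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str


@dataclass
class Switch:
    num_ports: int
    max_macs_per_port: Optional[int] = None   # None = no port security
    cam: dict = field(default_factory=dict)   # MAC address -> port number
    log: list = field(default_factory=list)

    def _macs_on_port(self, port: int) -> int:
        return sum(1 for p in self.cam.values() if p == port)

    def receive(self, port: int, frame: Frame) -> list:
        """Learn the source MAC on the ingress port, then forward the frame.

        Returns the list of egress ports (empty if the frame was dropped).
        """
        # Port security: a MAC that is not already on this port counts as a
        # new learned address; refuse it once the port is at its limit.
        if (self.max_macs_per_port is not None
                and self.cam.get(frame.src_mac) != port
                and self._macs_on_port(port) >= self.max_macs_per_port):
            self.log.append(
                f"port {port}: port-security violation, dropped src {frame.src_mac}")
            return []
        # Transparent learning: the newest frame wins, with no check that the
        # MAC really belongs on this port. That is the hook poisoning abuses.
        old_port = self.cam.get(frame.src_mac)
        if old_port not in (None, port):
            self.log.append(f"{frame.src_mac} moved from port {old_port} to port {port}")
        self.cam[frame.src_mac] = port
        dst_port = self.cam.get(frame.dst_mac)
        if dst_port is None:
            # Unknown unicast: flood out every port except the ingress port.
            return [p for p in range(1, self.num_ports + 1) if p != port]
        return [dst_port]


def run_scenario(port_security: bool) -> dict:
    """Run the attack with or without port security and report where A's
    frame for B actually went."""
    sw = Switch(num_ports=3, max_macs_per_port=1 if port_security else None)
    sw.receive(1, Frame(HOST_A, HOST_B, "hello"))     # learns A on port 1, floods (B unknown)
    sw.receive(2, Frame(HOST_B, HOST_A, "hi"))        # learns B on port 2
    sw.receive(3, Frame(ATTACKER, HOST_A, "probe"))   # attacker announces its own MAC on port 3
    sw.receive(3, Frame(HOST_B, HOST_A, ""))          # poison: claims B's MAC from port 3
    egress = sw.receive(1, Frame(HOST_A, HOST_B, "secret"))
    return {"egress": egress, "cam": dict(sw.cam), "log": list(sw.log)}


if __name__ == "__main__":
    for secured in (False, True):
        result = run_scenario(secured)
        print(f"port security {'on ' if secured else 'off'}: A->B delivered to port(s) {result['egress']}")
        for line in result["log"]:
            print("   ", line)
```

Without port security the frame from A to B leaves on port 3, the attacker's port, and B never sees it; with a one-MAC limit on each port the forged frame is dropped as a violation and the CAM entry for B stays on port 2.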
Cloud Maturity Study Reveals the Top 10 Issues Eroding Cloud Confidence
Findings from a joint Cloud Security Alliance (CSA) and ISACA survey show that government regulations, exit strategies and international data privacy dominate the Top 10 areas where confidence in the cloud is lowest. The Cloud Market Maturity study provides insight into the maturity of cloud computing and will help identify any changes in the market. The report, released today, provides detailed insight on the adoption of cloud services among all levels within today’s global enterprises and businesses, including the C-suite.
Networkless Working: The Future of the Public Sector?
Networkless connectivity combined with strong two-factor authentication allows straightforward user access, without constraints, to deliver a completely dynamic set-up at the time of connection. So, whether you're merging, re-merging, de-merging or just looking to introduce a more flexible working practice securely, make sure it's future-proof and cost-effective. This article discusses implementing and managing secure access in a period of rapid change.
Anticipating and Managing Risk in a Dynamic Environment
This is a Comptroller General presentation delivered to the Federal Enterprise Risk Management Summit in Arlington, Virginia on September 17, 2012. Major topics of this presentation include mission goals for strategic planning framework, threats confronting U.S. national security interests, cybersecurity, fiscal sustainability and debt challenges, and recession affecting the federal budget.
Engineering Network Security: Tip 1
Sometimes you need to access your devices using a local account, for example when the RADIUS or TACACS+ servers are unreachable because of a WAN outage or a failure of the authentication server itself. For this case you should always have a local backup account on your Cisco devices, created with the `secret` keyword rather than the `password` keyword in the `username` command: `password` stores the credential in the configuration either in cleartext or in the trivially reversible type 7 encoding, whereas `secret` stores a salted hash. This tip shows examples of the two options for creating local user accounts in IOS.
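As an added example (not from the article), the script below audits a Cisco IOS configuration for local accounts created with the `password` keyword and recovers their cleartext, which is exactly why the tip says to use `secret`. The configuration text is constructed for illustration, as are the usernames; the type 7 decoder implements the well-known fixed-key XOR scheme IOS uses for `password 7` strings.

```python
"""Audit an IOS config for weak local-account credentials (added example).

Assumptions: the config is available as text (e.g. from 'show running-config');
the sample below is made up. 'secret' types 5, 8 and 9 are salted hashes and
are left alone; 'password' (types 0 and 7) and 'secret 4' are flagged.
"""
import re

# Constructed sample configuration, not from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr1
aaa new-model
aaa authentication login default group tacacs+ local
username backup-admin privilege 15 password 7 0822455D0A16
username ops password 0 Summer2013
username netadmin privilege 15 secret 5 $1$abcd$0123456789abcdefghijkl
username newadmin secret 9 $9$abcdefghijklmn$0123456789abcdefghijklmnopqrstuvwxyz0123456
line vty 0 4
 login authentication default
"""

_USERNAME_RE = re.compile(
    r"^\s*username\s+(?P<user>\S+)"
    r"(?:\s+privilege\s+\d+)?"
    r"\s+(?P<kw>password|secret)"
    r"(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)",
    re.MULTILINE,
)

# The fixed key used by the IOS type 7 "encryption" scheme.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a 'password 7' string: two decimal digits give the starting
    key offset, the rest is hex bytes XORed with successive key bytes."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode()


def audit_local_accounts(config: str) -> list:
    """Return one finding per username line that stores a recoverable or
    weakly hashed credential."""
    findings = []
    for m in _USERNAME_RE.finditer(config):
        kw, typ, value = m["kw"], m["type"] or "0", m["value"]
        if kw == "password":
            recovered = decode_type7(value) if typ == "7" else value
            findings.append({"user": m["user"],
                             "issue": f"password type {typ} (reversible)",
                             "recovered": recovered})
        elif typ == "4":
            findings.append({"user": m["user"],
                             "issue": "secret type 4 (unsalted, deprecated by Cisco)",
                             "recovered": None})
    return findings


if __name__ == "__main__":
    for finding in audit_local_accounts(SAMPLE_CONFIG):
        print(finding)
```

Note that `service password-encryption` only turns type 0 strings into type 7 ones, so it does not change the audit result; the fix is to recreate the account with `username NAME secret PASSWORD` (or `secret 9` / `algorithm-type scrypt` on IOS versions that support it) and remove the old `password` line.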
Proactive or Reactive Digital Forensics: Should That Be the Question?
This article explains the difference between proactive and reactive digital forensics and how they can help you and your organization to fight against malware and malicious activity.
9 Ways to Get (and Stay) Virtually Connected on a New Job
So, you're starting a new job. Trouble is, you'll be working quite a distance away from your new manager and most of your new team, with few opportunities for face-to-face (FTF) interactions. How can you overcome barriers of time and distance to forge a lasting connection to your new manager and team? In this article, Nancy Settle-Murphy and Beverly Winkler offer nine tips for making a great impression on your new manager (and the rest of the team), when you work from afar.
Top 10 Tips to Ensure Your Security: Prevent Data Loss, Keep the Hackers Away, and Protect Your Career
The more technology makes our working lives easier, the more it seems to complicate them by making it easier for insiders with malicious intent and outsiders bent on stealing our secrets to get at our data. Whether you did it recently or some time ago, you will have locked down and secured your corporate data and made sure that your organization cannot be breached. Need some guidance on how to do that without turning your office into your bedroom? Here are ten tips to prevent a data catastrophe.
Least Privilege: 10 Steps That Can Save You Money and Your Reputation
Every organization faces one challenge to their IT security position - the user. It doesn't matter how much security training and advice a person is given - if they want to, and can, do something then they will. Unfortunately, a user with admin rights - wittingly or unwittingly - is like a loose cannon. You just don't know when or where he's going to strike, and the results can be devastating. And once a problem occurs, it all too often turns into a downward spiral that can bring down your reputation and your business. This article outlines 10 logical reasons why every organization should develop a policy of least privilege.
Cybercrime Statistics Are Staggering and Growing, Helped by Keyloggers
Keyloggers are busy every day stealing keystrokes at nearly every major business in America. These businesses all have sophisticated equipment, software and methods to protect their data, but we hear about attacks happening anyway. Dropbox is the latest victim of a keylogger, but more worrisome are the names that have been breached. From RSA, the world leader in secure access technology, to Yahoo, the Department of Homeland Security, Epsilon, Nissan, Visa, MasterCard, Facebook, LinkedIn, the list is endless. So how are hackers getting keyloggers on your system? It’s most commonly done through ...
Firewall Management, IPv6 and You
It is well known that most security incidents are caused by human error, so it comes as no surprise that recent research revealed misconfigurations to be the greatest source of firewall-related risk and inefficiency. The lack of experience and training among people dealing with IPv6 will make mistakes more likely, and IPv6 address complexity will exacerbate this, because IPv6 addresses are extremely difficult to read and do not lend themselves to memorization. Knowing that IPv6 migration will be a fact of life, here are some measures you can take to ensure migration efforts will not impede firewall management.
Security Awareness: Telling Them Once Is Never Enough
Unless IT security is a core element of someone's job, it is not necessarily considered part of their ongoing development needs. Without an ongoing, systematic and proactive user awareness programme, a strong security posture is in jeopardy. There is no cure for stupidity or genuine human error, but you can educate your workforce to help them make the right decisions and avoid unnecessary mistakes. Here are seven things you can do to make sure your workforce is security aware.
Stuxnet and Flame Indicate The Face of 21st Century Cyber Warfare
In June of 2010 the Stuxnet worm made its debut to the world. Jointly engineered by the United States and Israel to cripple Iran’s nuclear efforts, it wasn’t long before the worm was altered and turned loose on the internet, spawning a number of variations of the original worm and affecting computers around the world!
The Severity of Bugs: Are We Doomed?
Everyone hates software bugs. Developers hate them in their code and consumers hate them in their products. Here are some facts about bugs.
What the Gurus of Secure Collaboration Couldn't Tell You - How to Do It Right
The introduction of cloud-based file synchronization such as Amazon, Gmail and iCloud has led to a state of interconnectedness that even the most visionary writer of management-speak books could not have imagined. As David Gibson, VP of Strategy for Varonis Systems, outlines in this article, this slow creep of interconnection through consumerization is exposing organizations to potential criminal activity, major data breaches, increased insider threat and the multiplication of common albeit innocent mistakes. However, there is another way and he outlines a strategy for secure collaboration that can work within the enterprise.
Structuring Successful Virtual Meetings: A Counterintuitive Approach
The structures that work for great virtual meetings are many of the very same ones that work for successful large, face-to-face (FTF) meetings. Why? In large FTF meetings, we need to keep everyone productively engaged, give them opportunities to speak and be heard, and sequence all activities perfectly to make sure everything gets done on time. And, as is the case with virtual meetings, in a large FTF gathering we often have little ability to influence or even observe what participants in the far corners of the room are doing. This article looks at five specific structures to consider as you design your next virtual meeting, all borrowed from large-group FTF meeting best practices.
Cost-effective Solutions to the Growing Security Compliance Issue
Michael Hamelin, Chief Security Architect with security policy management specialists Tufin Technologies, explains how to extract maximum value from automated compliance audit software, and improve your organisation's security posture in the process.
Seven Ways to Plan against Cyberwarfare
It may not be particularly sensitive or sophisticated, and is generally associated with life and death battle on the front line, yet the old British Army adage "Proper Planning and Preparation Prevents Piss Poor Performance" (the "seven Ps") could not be more appropriate when battling the growing threat of Cyberwarfare. As organizations brace themselves for increasingly likely attacks, planning and preparation are everything. So here are some guidelines from Calum MacLeod, EMEA Director at Venafi that might be helpful, even if you're convinced that Excel does it all.
Enterprise Log Managers: An Unsexy, But Vital, Tool
Ultimately, the goal of Enterprise Log Management (ELM) is to get your most critical events escalated to your operations staff so they can react and respond with the appropriate actions. ELM is not SIEM, although they're interrelated. SIEM is more concerned with the larger view of your overall security landscape, whereas ELM is focused on a specific element of security: "What is happening where?" SIEM correlates data across varying data sources and environments, providing a more holistic view. ELM is therefore a subset and critical component of a SIEM program. Not all companies require a SIEM program. However, most companies would benefit from an ELM solution. For the purposes of this article, we'll stick to ELM.
When Users, Admins and Applications Go to War
What happens when the power of administrators managing Windows applications crashes head-on into the needs of employees? This article examines two typical scenarios. The first is set in a small organization, where a standard user asks to access an application, is given administrator rights, and is then armed with a huge amount of power, leaving the company open to serious security problems. The second scenario looks at users who are continually interrupted by User Account Control requests, blocking their work and productivity. Both scenarios can be controlled and managed through a simple layer of privilege management.
Five of the Most Common Security Myths that Could Make You Vulnerable
All too often people hide behind what they 'want' to believe is true. Unfortunately, your personal beliefs and opinions will not prevent a ruthless individual from ransacking your network's filing cabinets. The easy road is not necessarily the secure one so, rather than wait for a hacker or malicious insider to burst your bubble, here's what misguided individuals tell me far too frequently. While some might argue that ignorance is bliss, when an organisation's security hangs in the balance remaining clueless isn't a viable option. In this article, Jane Grafton of Lieberman Software dispels five common security myths, and provides these five rules to help you regain control of your enterprise.
The Hidden Costs of Self-Signed SSL Certificates
To lower costs and increase the bottom line, some IT professionals are adopting a do-it-yourself approach to SSL security, putting their organizations at risk of costly security breaches and loss of trust. This article compares the various costs of self-signed SSL certificates with those of certificates obtained from a leading CA. It shows that the combined cost of hardware, software, personnel and the certificates themselves is actually higher than obtaining the certificates through a CA. In some cases, self-signed SSL certificates may cost twice as much. Companies should thoroughly understand these costs when considering self-signed SSL certificates.
Two Thirds of Senior Management Don’t Know Where Their Company Data Is
Research from Varonis Systems has found that 67% of respondents say that senior management in their organizations either don’t know where all company data resides or are not sure. In addition, 74% of organizations reported that they do not have a process for tracking which files have been placed on third party cloud digital collaboration and storage services. With Bring Your Own Device (BYOD)—particularly mobile and tablet devices—and file synch services booming, companies are open to a wave of potential devastation. Files kept on third party cloud services can be lost, misplaced, accessed by unauthorized people or leave the company with the employee, causing data privacy and compliance issues.
Is Your Security Like Your Choice of Coffee?
So, what's security got to do with coffee I hear you ask? Well, what it aptly demonstrates is everyone knows what they want, and it's on their terms and not the coffee shop's.
Online File Sharing Poses Great Security Risks to SMBs
A new survey indicates that as online file sharing becomes increasingly common as a business practice, SMBs are more at risk than ever before. The SMB File Sharing Survey revealed that SMB employees are increasingly adopting unmanaged, personal-use online file sharing solutions without permission from IT. Symantec, who conducted the survey, recommends that SMBs implement some simple best practices to help ensure employees share files securely.
Could You Bring Your Company to Its Knees?
"Do as I say, not as I do" seems to resonate in the executive corridor of far too many organizations. In this cautionary tale, we use the saying to create a fictitious scenario that illustrates just how dangerous double standards can be when applied to information security policies and procedures. Our unfortunate protagonist is the managing director, who believes the rules don’t apply to him.
The Genesis of Privileged Identity: The Creation and Evolution of the Superuser
This article explains how important privileged identities are and what can happen when people within the company no longer know how they originated or indeed where they are, even though it is often via these very identities that hackers find their way into an organization. It neatly explains why it is so important to manage these privileges and superuser passwords. It also provides a link to a site that advertises large companies' passwords. Although these passwords are commonly available for all to see, many companies have no idea how to protect, manage, or secure them. The article also provides the answers to protecting your privileged identities.
11 Leadership Tips for What to Do When Workloads Are Seriously Out of Whack
Say you're the leader of a team of hard-working professionals who work in different locations. It's crunch time, and pretty much everyone realizes they need to put aside their personal lives for the next few days (or maybe a tad longer) to meet a critical deadline. Trouble is, you discover that while some people are working feverishly to make sure the team meets the deadline, others are adamant that they are not willing to sacrifice their personal lives—again. Until now, your team has no explicit norms about addressing workload imbalance. Clearly, it's time to create some before people leap across the virtual table in frustration. Where should a virtual leader, or any leader, begin?
Building Security into Software
This excerpt from The 7 Qualities of Highly Secure Software discusses the need for building security into software. Building security in is about proactively designing and developing appropriate security controls into the software. The quality of building security in that will result in highly secure software can be achieved by addressing the people, the process, and the technology components in the software engineering process.
Public Key Infrastructure: Make or Break Time?
PKIs were catapulted into the spotlight recently following breaches at Comodo, Sony, and RSA Security. Should we be worried? Calum MacLeod, Venafi EMEA director, cautions on throwing the baby out with the bath water.
New EU Data Directive Will Drive Turning Point for Security
The European Commission is planning a raft of new directives on data security that commentators say will come to be seen as an important turning point. The new 24-hour data breach disclosure rules are a golden opportunity for organizations willing to embrace automation.
Research Uncovers What IT Security Wants Most from Big Data
More than two-thirds of IT people think Big Data should be a strategic priority, according to research conducted by Varonis. More than half expect Big Data to be a strategic initiative over the next five years, but fewer than half of the respondents felt there was a clear definition of Big Data, and even fewer felt they had adequate knowledge of Big Data products. When asked how they would like to use Big Data, the respondents had clear ideas. The top three most selected applications were finding at-risk sensitive data, identifying possible malicious activity and finding users with excessive access rights.
Information Robbery: The 2011 Internet Security Threat Report
Symantec recently released Volume XVII of its Internet Security Threat Report, which provides an overview and analysis of the current threat landscape. Among the key findings: targeted attacks are on the rise and have spread to organizations of all sizes; politically motivated hacking continues to increase, and in 2011 such attacks resulted in the compromise of more than 187 million identities; and mobile devices are becoming a point of security concern, and as mobile malware becomes more profitable, it will attract more cybercriminals.
The Top Five Web Security Issues
Are you ever safe online? Given the sophistication of today’s cybercriminals, a healthy dose of paranoia might be a good thing. There may be sturdy locks and web security guards at the front doors of your business, but the Internet allows criminals to bypass these protections and directly attack your most valued asset—your data. This article looks at the top five web security issues and how they might keep you looking over your digital shoulder to make sure your system doesn’t have a hacker hiding inside.
Is Loaphobia Causing Workers to Fear Losing Their Jobs?
Recent research by Avecto found a fear in the workforce of not being able to hit deadlines, missing promotions or losing their jobs due to ‘loaphobia’ (Lack-of-Application-Phobia). This fear is well founded, as the research found that 19% have missed a critical deadline as a result of being denied full access to an application, 14% lost a job and 6% missed a promotion.
Learning to Wear the European Union's Data Directive with Style
Should we be horrified by European bureaucracy or beat the drum for watertight data protection? Will the new rules allow for a balance between the data privacy needs of the citizens against the practical issues of managing data in the modern corporate environment? While many security professionals have expressed concerns about the technical problems associated with managing, protecting and auditing access to growing data stores, the reality is that with the right technology in place these issues can easily be solved. This article by David Gibson of Varonis Systems examines how the new European data directives on privacy are likely to impact on organizations in the UK and collaboration with their counterparts in the US.
Fake Feds Attack Hijacks Computers for Ransom
Trusteer CTO Amit Klein on a new use of the Citadel malware platform (a descendant of the Zeus Trojan) to deliver ransomware code that poses as the US Department of Justice and hijacks victims' computers.
My Boss Thinks I'm a Security Threat!
In this cautionary tale, Jane Grafton, Director of Product Development at Lieberman Software, interviewed a woman who should have known better. Her story is told in her own words. If this sounds all too familiar, there is some great advice at the end of this article to make your users more secure.
Zeus Targets Cloud Payroll Service to Siphon Money from Enterprises
Trusteer research has discovered a Zeus attack that focuses on cloud payroll service providers. In this attack, Zeus captures a screenshot of the payroll service's web page when a corporate user whose machine is infected with the Trojan visits the site. This allows Zeus to steal the user id, password, company number and the icon selected by the user for the image-based authentication system. These attacks are designed to route funds to criminals and bypass the industrial-strength security controls maintained by larger businesses. The financial losses associated with this type of attack can be significant.
Companies Leaving the Security of their Data on Cloud to Chance
Most organizations are now using cloud computing in one form or another, yet businesses are omitting to check the security controls surrounding their data. These are some preliminary findings from the 2012 Information Security Breaches Survey conducted by PwC in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills.
PricewaterhouseCoopers Releases 2012 Information Security Breaches Survey
According to the results of the 2012 Global State of Information Security Survey®, the majority of executives across industries and markets worldwide are confident in the effectiveness of their organization’s information security practices. Some of the key findings include ...
An Ethical Hacker's View on the Dangers of Mobile Malware and What Steps to Take to Stop It
Jaime Blasco, an ethical hacker at AlienVault, eats, sleeps and beats malware on a daily basis. What he doesn't know about hacking no-one knows, and what's really concerning him at the moment is the rise in mobile malware. In this article, Jaime looks at the type of malware that is hitting our phones and offers some great advice for personal and business users on what they can do to stop becoming a victim of mobile malware.
So You Think SharePoint Is Secure? Think Again!
SharePoint makes it easy to collaborate. It enables the sharing of ideas, information and expertise; managing documents from start to finish; publishing reports; and comprehensive searching. The problem is that it is just as easy for anyone to find things they shouldn't. The result is inappropriate snooping, and that spells trouble for every organization using the tool. If you're intending to harness the power of SharePoint without compromising security, this three-dimensional approach ensures that no one function needs to have access rights to sensitive information.
IT Security Lessons that Australia Can Teach Us
The Australian Defence Signals Directorate could teach IT security professionals a thing or two when it comes to operating system and application whitelisting plus privilege controls: enforce Draconian rules and don't worry about upsetting users. Are there lessons to be learned from Aussie tough love?
National Security-Related Agencies Need to Better Address ITC Supply Chain Risks
The GAO has identified five threats to the IT supply chain that could create unacceptable risks. These threats stem from actions by foreign governments and counterfeiters who could exploit vulnerabilities. Officials at four departments stated that their respective agencies have not determined or tracked the extent to which their telecommunications networks contain foreign-developed equipment, software, or services. Federal agencies are not required to track this information, and officials from four components of the U.S. national security community believe that doing so would provide minimal security value relative to cost.
Threat Intelligence: What to Share, and Why?
Those in favor of sharing information show that although they've had some limited success, the process has been difficult to build out and integrate, and the results are mixed due to insufficient data. Those against sharing point to a few early experiments where they have publicly collaborated on data sharing, been burned by the public data being used as counter-intelligence, and promptly returned to either not sharing at all, or sharing within a very limited group. So how do we move forward?
The RSA Security Breach 12 Months Later
It's been 12 months since the security world woke to the news that RSA Security's systems had been compromised and, as the company has reluctantly confirmed, its many tens of millions of SecurID hardware tokens would have to be re-issued to clients. In this article, Andy Kemshall, CTO of SecurEnvoy, reviews the IT security fiasco and what could have been done to prevent the fallout.
Investigations in the Workplace: Investigation Defined
A workplace investigation is generally undertaken to learn something. The result is then used to prove or disprove an assertion, claim, or allegation. Thus, prosecution and litigation are a by-product of an investigation, not its purpose. Because of the ability to prove or disprove something, a properly employed workplace investigation can provide many dividends for the employer. In addition to uncovering facts and essential information needed to solve problems, a successful investigation helps restore order. It provides the employer the opportunity to analyze process and system failures and re-engineer them to prevent future problems.
You'd Be a Great (Virtual) Communicator If Only You Could Just Be Quiet
Listening is the most important skill successful virtual leaders must have, yet it is usually the hardest for them to cultivate. Why it's so important is pretty obvious. Virtual leaders must learn to listen for and interpret an enormous amount of information, within seconds, without the benefit of body language or eye contact. And we're not just listening for the words that are (or are not) spoken, but also the tone, pauses, inflections, cadence, lilt, laughter, throat-clearing and, perhaps the toughest of all, silence. In this article, Nancy Settle-Murphy of Guided Insights offers tips to cultivate better listening for leaders of virtual teams, where some or all members are geographically dispersed.