SMBs can’t just throw up their hands at cybersecurity, despite a probable dearth of resources. Since most aren't likely to magically receive a multimillion dollar cybersecurity budget windfall, we've provided our top 6 tips for how to manage security on a limited budget.
Is your organization adequately equipped to identify anomalous patterns across the network? If you're doubtful, it may be time to try out alternative models that will help you detect previously unknown attacks.
Given today’s content-driven society, it benefits cybersecurity and threat intelligence practitioners to gain some understanding of the psychological strategies and exploitation techniques within the intelligence and counterintelligence tradecraft.
One expert discusses the growing importance of DevOps within the enterprise, the initial steps organizations should be taking to implement a DevOps approach, and how to get buy-in from key stakeholders.
You picked them! Here's a look at the most read articles published on InfoSec Insider in 2017. From CASB to threat intelligence, you'll find a unique mix of some engaging content that answers some of your pressing questions.
A threat intelligence expert shares his experiences and advice when it comes to leveraging OSINT tools, highlighting the benefits to security organizations, but also discussing the legal ramifications one could face by accessing them.
By Katherine Henry & Brendan Hogan, Bradley Arant Boult Cummings LLC
December 18, 2017
Cybersecurity professionals can provide valuable input in their companies’ procurement of cyber insurance, and should be involved in all phases of cyber insurance procurement and management. Here are some important areas you should focus on.
Security professionals are over the hype surrounding threat intelligence. Now, they're aiming to find better ways to operationalize it. In this interview with Digital Shadows' Rick Holland, he explains why structured analytic techniques are an effective way to make sense and leverage your threat intelligence data.
Ixia Director of Application and Threat Intelligence, Steve McGregory, discusses how cyber attackers are evading network detection, and shares tips on how organizations can move towards better prevention and detection.
Trustwave Threat Intelligence Manager Karl Sigler discusses the non-traditional devices that security professionals should have on their radar and how thermostats can figuratively turn up the heat for infosec pros, and literally for the enterprise.
In a network perimeter-less world, enterprise security practitioners need ways to verify the authenticity of applications and the devices and users running those applications; firewalls just fall short.
In our last article, we discussed how disciplines like psychology and behavior-profiling can help us to better understand the adversary at the end of the keyboard. Now we are going to extend similar disciplines to ourselves as intel analysts.
Michael Daniel, the former cybersecurity advisor to President Obama and current president of the Cyber Threat Alliance, offers up his thoughts on why information sharing is a critical component of combatting cyber threats today.
Depending on your source, insider threat accounts for anywhere from 27% - 77% of all breaches. Despite the disparity in agreement about size of the problem, most security practitioners agree that the difficulty identifying insider threat is greater than identifying external threats.
If a small business CEO thinks about compliance, he or she might think it’s relegated to big businesses. Who else has the funding and the time to attend to compliance? And does it really matter anyway?
In biology, it is well known that genetic diversity creates strength in that it helps build resilience to disease, disorders, and other human ailments. At a community level, we also find strength in diversity.
It would be somewhat of an understatement to say that methods of communication have changed over the last 31 years. Yet in that time, laws pertaining to the privacy of those new types of communication have remained stuck in the past.
Leadership is a lot like playing in an orchestra. For those less familiar with an orchestra setting, let me explain. The basics: A traditional orchestra is made up of strings, woodwinds, brass, and percussion, plus keyboards.
The President of the United States is apparently using an Android phone, and likely an outdated version, at that. Despite reports that the newly inaugurated president was, in typical fashion, offered a “secure, encrypted device approved by the Secret Service,” it appears Mr. Trump prefers his own personal device. Don’t we all?
It’s true that cyberspace is growing by the day, and as companies and individuals add more information to internet-accessible sources, the risk of compromise of that data grows in parallel. With this greater risk comes more responsibility.
A funny thing happened on the way to designing threat intelligence programs….we forgot about the risks! We as an industry tend to buy a lot of tools, sift through a lot of data, and send out a bunch of reports, but we forget to ask what we are really doing all of this for.
The idea of a password as a security mechanism is sound: One user with an individual identity plus a unique, secret password. In the physical world, this combination often works as it should, since the user’s identity travels with the user (in effect, adding a second factor of identification).
That idea of checks for every customer action, the weight of it, the precautions put in place—armed security guards, security cameras, security alarms positioned in ample locations—all signal to would-be thieves that any attack on a bank is going to require serious skill, planning, and personal risk.
To say that the security vendor marketplace is crowded would be an understatement. For any problem a security team faces that can be aided with technology, look no farther than a conference expo floor and you’re sure to find (at least) dozens of self-proclaimed solutions in any given category.
As networked computers disappear into our bodies, working their way into hearing aids, pacemakers, and prostheses, information security has never been more urgent -- or personal. A networked body needs its computers to work well, and fail even better.
On this first day of a Donald Trump presidency, many people around the world are watching and wondering what is going to happen in corporate America. The speculation is no less prevalent in the security industry.
Cybersecurity staffing—and the industry shortage—is a frequent topic of conversation among security practitioners. But as nation state competition heats up, government and civilian agencies need to develop alternative hiring strategies if the U.S. wants to compete on a global scale.
Big data and the Internet of Things are two buzzwords that rang through the halls and show floors of security conferences across the nation for quite some time. Although ambiguous, the terms took the industry by storm.
As we continue to ramp up our efforts in providing you with a resourceful library of content you can rely on, we’ve decided to reflect on some of the top InfoSec insider articles of 2016, based on the engagement we’ve received from our readers.
“Security has a secret power: threat intelligence,” quipped Dave Ockwell-Jenner, Senior Manager, Security Threat & Operational Risk Management (STORM) at SITA, during MISTI’s recent Threat Intelligence Summit in New Orleans, Louisiana.
Indeed, effective, successful organizations are attempting to proactively identify threats and indicators of compromise before they present serious destruction to the victim organization. Even the most robust and mature threat intelligence programs, though, aren’t immune to a breach.
The days of focusing on the perimeter are over. Rather than waiting for the next cyberattack to strike, many security practitioners are focusing on the activity surrounding their critical assets, in addition to drafting incident response plans that activate once the inevitable breach occurs.
“Insider threat” — it’s a term that gets thrown around a lot in cybersecurity circles. Practitioners want to know who is responsible for attacks and how attacks are being perpetrated so defenses can be appropriately implemented and provisioned.
The All Powerful Breach…or threat thereof. How often do you, as a security practitioner, get asked by a colleague outside of the security team about the viability of a breach at your organization? Is a breach the meter by which security is measured?
MISTI’s Threat Intelligence Summit in New Orleans in just two weeks away, and like the city itself, we’re ready to laissez le bon temps rouler! Threat intelligence is serious business—it helps organizations understand emerging threats and prepare defenses appropriately.
Ransomware is just a cyber twist on the age-old crime of taking someone/something hostage and demanding a payout for safe return. Cyber criminals have quickly learned that getting at organizations’ data then deploying malware to encrypt it carries a low technical barrier to entry (as opposed to kidnapping a human).
By Dan Houser, Security Architect & Perspicacious Security Iconoclast
November 10, 2016
A study of recent hacking attacks on corporations makes it obvious that (weak) password credentials are being used both inside and outside organizations, and are frequently the credential protecting remote access to the enterprise and its "crown jewels."
By Rafal Los, Managing Director, Solutons Research and Development, Optiv
October 31, 2016
For nearly the last twenty years, enterprise security teams have been fighting threats to their business much like hapless teenagers fight demons in horror movies. Let me paint you a scene. Four people fleeing a horde of some type of evil take refuge in a run-down back woods cabin in the middle of nowhere.
By Antonio A. Rucci, Counterintelligence Special Agent (Retired), Information Technology & Technical Security Consultant
October 27, 2016
If you are engaged in in the information security (infosec) community for any length of time, regardless of whether you are Blue Team, Red Team, or Purple, one data point remains constant: You recognize the importance of partnering.
Employee mobility is no longer a privilege or nice-to-have, but a given in today’s workplace. At even very small organizations, it’s not uncommon to find executives or sales people who are on the road more often than they are settled in the office, and gone are the days when working remotely is considered the entitlement of a select few.
Security teams fight many battles. There are threats, vulnerabilities, exploits, improperly configured systems, legacy equipment, lean budgets, staffing shortages, and users who are fallible. Any of these things, alone, add up to challenge, but possibly the biggest challenge security teams face is the battle between the security department and the CIO.
How to help your end users manage their passwords, with additional practical steps to improve your system security. This guidance focuses on the end user (rather than the system owner responsible for determining password policy).
By Mark Arnold, Senior Research Analyst, Office of the CISO, Optiv
October 12, 2016
For companies on the path of cloud adoption, the fear that dark “clouds gathering” could impact business health and one's financial bottom is a source of anxiety. Despite recent data that show cloud adoption rates consistent growth over the last 18 months, a group of holdouts endure.
Cloud technology has been moving at a tremendous pace. For businesses, it seems to have happened in the blink of an eye. It’s faster and more agile, with the ability to re-architect an entire infrastructure. But why has this happened so quickly, and what does it mean for security practitioners?
Information security is more integral to business growth than ever, and robust, verifiable security can be a point of differentiation. For smaller organizations, security-as-a-service can be a useful option, but many organizations don’t know how or when the time is right to make the move.
By Marcos Colón
September 26, 2016
The cybersecurity industry is full of terms that both vendors and end users love to glom on to. Ok, maybe vendors lead the way, but their customers may not be doing a good job of speaking up and asking them to clarify what it is they do – taking the various mixed marketing messages as they come and running with it.
“You can’t just go to the shops and buy threat intelligence; it doesn’t come in a box.” This nugget of wisdom comes from Jim Hart, Vice President at AlixPartners LLP in the UK. Whilst upon reading, this idea is a big “no kidding,” yet many in the security industry still confuse threat intelligence feeds and tools with a threat intelligence program.
“Red team” vs. “blue team” exercises have been adapted into cybersecurity from the military and intelligence realms. As a means to simulate real-life threats and attack scenarios, organizations have been putting this methodology into play, either with internal resources, or by hiring outside experts to help find system issues.
The term cyber threat intelligence gets thrown around a lot, especially on show floors teeming with security practitioners being approached by vendors with the solution to all their problems. But fundamentally, are organizations successfully leveraging the tactics surrounding it?
Identity is who we are. It’s what we do and how we do it. In the digital realm, our identities are part of what affords access to the systems, tools, accounts, and functionality that make it possible to perform job responsibilities and effectively contribute to the organizations for which we work.
Political staffer Huma Abedin has been dominating media headlines as of late for a number of issues, including leaked emails uncovered by Citizens United and released publicly by Fox News. In the exposed emails, she refers to an intent to leave her mobile device, specifically a BlackBerry, behind during a 2009 trip to Russia.
Applications have become the technological underpinnings which enable employees to do their jobs faster, more accurately, and with greater ease. Applications have become so ubiquitous within organizations that most employees don’t even consider the tools with which they are working “applications” at all.
The European “right to be forgotten” is an important directive for both privacy and information security advocates. With roots as far back as 1995, a European Data Privacy Directive laid the foundation—and set regulations—for how EU citizens’ personal information must be protected and handled by “controllers of personal data."
When individual users are required to first accept usage policies and then interact with the website/application/tool by allowing it to collect information, both the user and the enterprise for which the user works are put in a position of risk. Why? Because the likelihood that he or she will read the policy is slim to none.
Cloud computing has been changing the way organizations operate for over a decade now. Without a doubt, the technology has evolved, offering varying levels of benefits along the way; agility, resiliency, and cost savings are chief among cloud’s attributes, as far as business owners and CFOs are concerned.
Information security teams face a serious problem when they are unable to detect the presence of a threat actor inside organizational systems. Knowing who has access to key applications is an imperative for trying to protect the company, yet according to a new report published by Okta that may not be a case.
The term “hacker” is thrown around liberally nowadays. It’s a surefire traffic-boosting headline, and the media seizes any opportunity to publish a story with a hacker connection, often positioning the word as a synonym for “malicious attacker.”
Many in the security industry, myself included, are guilty of falling into the trap of saying that security is a discipline in which the big “wins” come when “nothing happens.” It’s an easy statement to make, especially when working with business leaders who see only the end result (i.e., no breach, no media headline) and make this claim.
“We’ve seen breaches where the ‘partner effect’ has played a major role, but have you noticed that nobody seems to really know how to manage that risk well,” poses Pete Lindstrom, Vice President of Security Research at IDC.
Symantec and Kaspersky Lab simultaneously released information yesterday on “Strider” and “ProjectSauron” respectively. Strider, the attacker group, has reportedly been using a stealthy piece of malware called “Remsec” (Backdoor.Remsec) as part of ProjectSauron to spy on a small number of highly valuable targets in China, Russia, Belgium, and Sweden.
Totalitarians need to control everything they can—it’s a deep-seated need that stems from the (occasionally true) fear that someone, somewhere, is plotting their overthrow. It seems that the totalitarian impulse to control extends to communications first, whether it’s mail, telegraph, telephone, or Twitter.
There’s progress being made in the healthcare industry as it relates to information security. Yes, recent studies indicate that 90 percent of all healthcare organizations have been the victim of a data breach in the last two years.
Penetration testing is a mandatory component of any thorough information security program, as security pros know. Company networks are vast and complex, and security teams have the (often thankless) job of protecting everything that falls under the general category of “IT” or “IS.”
Listening to the political conventions these past two weeks, I couldn’t help but think about security: the conversations security practitioners have with senior management and other business units, the conversations practitioners have amongst themselves, and yes, even talks given at conferences.
On Tuesday, the White House issued its Presidential Policy Directive-41 (PPD-41), or “United States Cyber Incident Coordination” plan. The PPD follows on the heels of the Cybersecurity National Action Plan, the Obama administration’s attempt to button up cybersecurity efforts in the face of growing threats against U.S. entities.
Security teams spend a fair amount of time thinking about incident response. The probability of an information security incident occurring forces teams to consider how to manage intrusions, leaks, and other security vulnerabilities or exploits.
After last winter’s frosty standoff, Apple and Facebook are now making headlines for being in cahoots with the FBI. For a few years, the bureau has been tracking Kickass Torrents, a very popular file sharing site, and trying to link illegal reproduction and distribution of online media, including movies, TV shows, music, and video games.
The evolving threat landscape makes it incredibly difficult for security professionals to protect their organizations. You’d think that with the abundance of security solutions deployed they’d be able to manage cyber risk effectively, yet, the technology that’s intended to protect their organizations may be causing more problems.
Betterment, an online investment robo-advisor, is the first of its kind to surpass $5 billion in assets under management. Robo-advisors, for those unfamiliar, are automated, algorithm-based finance portfolio management services.
Security practitioners consistently deal with a slew of issues tied to protecting their organization’s most critical assets. When asked what keeps them up at night, it’s an endless list that features connected devices, shadow IT and making sense of the security and risk organization to board members.
Insider threat. Third-party risk. Phishing. Privilege escalation. Unencrypted sensitive data. This reads like a “Top 5” list of security concerns, but in fact it’s what allowed Su Bin, the owner of a Chinese aviation technology company, to help two Chinese nationals hack into Boeing’s network and steal more than 65GB of data from the defense contractor.
Privacy Shield, the much-anticipated new trans-Atlantic data transfer agreement between the EU and U.S., was approved yesterday by the European Commission. After months of debate and revisions, the Commission finally felt comfortable enough to rubber stamp the framework, which will actually undergo further analysis later this month.
The families of five terrorist attack victims filed a lawsuit in U.S. District Court on Monday. The families, claiming that Facebook enabled Palestinian militants to carry out deadly attacks in Israel, are suing for more than $1 billion, calling into question the responsibility of technology companies when it comes to security.
“A lot of security departments are swimming in the wrong direction,” says Raef Meeuwisse, Director of Cybersecurity at Cyber Simplicity Ltd. By this, Meeuwisse means that companies haven’t yet redirected the scope of their security programs—the tools, technologies, and processes—to reflect current threats.
Security practitioners have long decried the practices of password sharing. Now an appellate court has bolstered that sentiment by handing down a decision in United States v. Nosal, ruling that a former employee of executive search firm Korn/Ferry International has violated the Computer Fraud and Abuse Act.
Even small, home-spun businesses have a handful of third-party vendors with which they must connect to keep the lights on and the money flowing. Larger organizations might have hundreds or thousands of partners in the supply chain.
For security practitioners, the name of the game is risk management. These risks come in all shapes and sizes, from system vulnerabilities and the onslaught of evolving malware, to threats posed by insiders.
After the contentious Brexit vote last week, the British Parliament’s House of Commons Committee is investigating potential commandeering of an online petition calling for a second referendum on the matter.
Colleges and universities are generally considered settings for learning, openness, and ideas. Students and professors alike are encouraged to explore new thinking and push boundaries. The best academic universities on the planet have entire departments focused on researching subjects unconsidered universally.
The 2016 Cost of a Data Breach Study conducted by Ponemon Institute and sponsored by IBM was released in mid-June. One thing the report fails to do is focus on how organizations are improving or declining year over year. Luckily, past reports are still available, enabling a side-by-side look at a few of the key findings.
Several years after the introduction of DevOps, the security community continues to laud the method while scant few developers are hopping on the bandwagon. One of the issues is that “security” isn’t part of DevOps.
The mention of cloud services no longer strikes fear in the hearts of security practitioners like it did a decade ago. While some security folks are still wary of providers’ claims, few can doubt that many of the larger, more prevalent cloud providers offer as good or better security than some enterprise security teams.
Even under the best of circumstances, integrating cloud services and devices into an organization’s technology workflow can be challenging. In all fairness, integrating any new device or appliance into the technology stack requires careful planning, new processes, and often a bit of trial and error.
Cloud Security World 2016 finished up on Wednesday evening after two days of conversation around all-things-cloud security. “We’ve seen this before,” was a common refrain, and thankfully attendees have moved past the points of denying the existence of cloud services connected to their organizations and saying that cloud is “the largest” security concern.
Security is often a battle. In one corner we have the security team warning the rest of the business of the dangers of “X” or fighting to implement new policies and technologies that will help keep the business secure. In the other corner we have lines of business wanting and needing faster, better, more profitable enablement tools and processes.
OSINT, open source intelligence, is a great tool for companies looking to find threat information on the web. The wealth of information available can be overwhelming, clunky, and difficult to incorporate into a threat intelligence program, however.
China is once again making it more difficult for international organizations to conduct business in the country. Last year, the China Insurance Regulatory Commission (CIRC) announced draft rules that would require insurance carriers to buy and utilize “secure and controllable” solutions for IT.
Last night I watched as the driver of a rental moving truck took the top of the truck clear off as he drove under an overpass that was too low for clearance. The top scraped off a bit like the top of a sardine can; it peeled back and bits of curly-cued steal flew across Storrow Drive, one of the main crosstown parkways in Boston, MA.
The original Software Development Lifecycle (SDL) was built with waterfall-style development in mind. As we continue the transition into heavier reuse of components and less pure development, all with shorter release cycles, the SDL needs modernization in parallel to help ensure secure software.
The Internet of Things (IoT) is transforming the world in ways unimaginable 5-10 years ago. For many of us, IoT extends to the innovation of smartwatches, connected cars, and smart home devices, which have substantially changed the way we live.
Apple’s highly guarded and stringent software development process may start to chill out this summer, according to a report in The Information. The company is well known for its rigorous development practices, which helped it climb to the top of security practitioners’ lists as the platform of choice when selecting smartphones and mobile devices in recent years.
“Transportation Security Administration” may not actually refer to security, it seems, according to a report issued by the Office of Inspector General (OIG) of the Department of Homeland Security (DHS). The report details the results of an audit, conducted primarily to follow up on previously reported “deficiencies in information technology.”
We're all familiar with the many benefits of moving to the cloud, but taking the steps to do it can be daunting. At the end of the day, however, if you take time to understand the risks posed by the cloud and implement a comprehensive strategy for managing them, you can take full advantage of all the benefits that come from running fast in the cloud.
Ransomware is the hot, new buzzword in security. It is also a serious, escalating problem. Hospitals in Kentucky, Maryland, Ottawa, and California (among others) have had data held hostage in recent months; the U.S. House of Representatives blocked access to third-party email apps after ransomware attempts (or maybe unconfirmed attacks?) were perpetrated.
All organizations know that flexibility, productivity, and personalization were drivers of the BYOD movement that started to take hold five, six years ago. Nowadays, the term is barely used, but BYOD'ing is commonplace at 99% of organizations, according to a new study conducted by IBM and sponsored by ISMG.
The decline in TalkTalk's profits is undoubtedly due to the aftereffects of a cyberattack in which the names, phone numbers, and email addresses of a reported 157,000 customers were lost. In addition, during the same incident 21,000 bank account numbers were accessed.
Yesterday, mobile security firm, Wandera, released findings from the company’s research into the state of mobile application security. The report, “Assessing the Security of 10 Top Mobile Apps,” is an attention-grabber.
Advanced persistent threat. The term started sneaking into infosec nomenclature about ten years ago and reached its peak during 2010-2013, instigated by Stuxnet and trending steadily upward through the release of Mandiant’s APT1 report.
In today's dynamic business environment, organizations face pressure to reduce cost, improve process efficiency, and drive financial growth. The "faster, cheaper, better" approach also flows down to technology.
OSINT—or open source intelligence—is a wondrous thing. As security professionals know, this nearly endless sea of information provides both opportunities and drawbacks. Threat intelligence vendors, though, harness the vastness of the web to unearth tidbits of information.
Spy movie aficionados know that the most secure rooms and hiding places are protected by biometric authentication, requiring thieves to go to great lengths to gain entry. When the tables are turned, however, and the government needs access to information about said criminals, all they need to do is ask!
While cloud has technically existed in earlier forms—application service providers and hosted solutions, for instance—for almost twenty years, the current cloud marketplace offers a wide selection of services designed to meet the requirements of organizations looking to outsource certain aspects of operations.
In preparing for my Cloud Security World 2016 talk, "Automagic! Shifting Trust Paradigms Through Security Automation," I've been thinking a lot about what can be automated, how to automate, and how to demonstrate and measure value around all that jazz.
If you are a System Owner (SO) in a commercial organization or a federal agency, maneuvering through, understanding, and implementing federal security and privacy compliance requirements can be a difficult hurdle.
InfoSec World 2016 is now in the books. For the better part of a week, infosec pros took over The Contemporary Resort to discuss everything from building an incident response plan to leadership skills to active defense and trust.
Geopolitical cyber war is a fairly well established practice: You break into my nation-state thing; I’ll hack you back. President Obama and Chinese President Xi Jinping even met in Washington, D.C. this past September to discuss (and announce) the desire of both parties to curb intellectual property theft.
If Hollywood doesn’t make movie out of the Apple vs. FBI debate, someone is missing the boat. As proven by the recent Oscar winners, “Spotlight” and “The Big Short,” audiences eat up controversial subjects, especially when the impact of the controversy affects them or loved ones.
A recent story in the New York Times shared information on a new crop of secure messaging apps for smartphones. The article, posted in the “Personal Tech” section, offered snippets of information about the functionality of five different consumer-focused tools.
If you are going to be in Orlando in the beginning of April and are an information security professional, why wait in humid 90-minute long Disney lines when you can enjoy Orlando indoors at the Infosec World 2016 conference? Another benefit of the conference is that vendors at the expo give you t-shirts. This is the only free thing you'll find at Disney.
Major technology providers are not the only ones thinking about how to best protect user data. Users, too, are becoming increasingly concerned, and when those users are PhDs and professors at some of the world’s top universities, innovation is spawned.
We are currently engaged in a war to achieve victory over risk. Okay, perhaps "war" is not the right way to describe the status quo. None of us can ever achieve total victory over risk. Any expert will say some risk always persists in any activity we undertake.
Earlier this week American Express notified customers of a potential breach involving theft of account numbers, user names, and “some other” account information—most of the juicy ingredients necessary for fraud. The company was quick to mention that it is monitoring for fraud, but it was even quicker to deny responsibility for the incident.
Everything is heating up on Capitol Hill: President Obama is proffering a new Supreme Court Justice nominee. The next presidential race is as much a circus as it is a true campaign. Apple and the FBI are still going at it (while other government agencies have started speaking out in favor of encryption).
Technology is an inescapable part of our lives. Unless you live completely off the grid—grow your own food, never drive a car, transact with only the cash kept under your mattress inside your built-by-your-own-hands house—your personal information is collected, tracked, and exchanged by and among businesses.
Once upon a time, phones were only used to make calls. For most of us, our phone is a mobile office; central to a great deal of our daily activity, our phones are the hub through which our email, text messages, news, social media, calendars, driving directions, fitness goals, and so much more are all brought to us, organized, recorded, and shared.
Over 40,000 attendees and nearly 550 vendors are getting back to their inbox this week after having attended the gargantuan vendor show otherwise known as RSA. It was RSA’s silver anniversary, and as with each passing year, it gets BIGGER with age!
By Jonathan Sander, VP of Product Strategy, Lieberman Software
March 01, 2016
During the past couple of years, we've witnessed a series of devastating data breaches affecting some of the world's most renowned businesses, with each breach inflicting staggering costs in terms of financial and reputational damage.
Whatever side of the debate you’re on when it comes to Apple and the FBI, one thing is for certain: U.S. courts should not be using laws written in 1789 to make decisions about current technological capabilities.
Encryption is not a new invention. In fact, evidence of encrypted messages dates back to 1900 BC when the Egyptians wrote alternative symbols on pyramid walls to relay secret messages to one another. In modern times, though, encryption takes on a new meaning.
The security field needs more practitioners. The insanity that is our “always-connected” world necessitates more resources to manage, monitor, and maintain personal and enterprise data – from email accounts to mobile phones to chock-full-of-tech refrigerators.
The hype around advanced persistent threats (APTs) is as high as ever. Post-breach, hacked organizations sing the praises of their adversaries' skills. Practitioners are bombarded by industry marketing touting the latest APT detecting and killing technologies.
As debates about privacy versus encryption rage on, with the US, UK, and France on one side and Germany and the Netherlands on the other, Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar decided to take a look at the encryption products market and replicate a study conducted in 1999.
When you think of security metrics, what's the first thing that pops into your mind? OK, after you yawn, what's the first thing? While security metrics themselves may not exude excitement, what if your metrics quickly revealed just the type of information you need that leads to a decision or action that helps solve a business problem?
For as long as I can remember, I’ve heard that “users are the weakest link in the chain,” or even worse, “you can’t stop stupid.” This long-held view is not terribly productive to advancing information security, and it certainly doesn’t endear the security professional to the general public.
In a profession that’s designed around problem identification, it’s no wonder security professionals are often labeled “contrarians” or “trouble makers.” From the outside in, it looks like security’s job is to find problems even when operations are seemingly gliding along smoothly. Security pros are trained to slog through logs and find anomalies.
As a young man, I was given some advice that seemed too obvious to really be considered advice. It went something along the lines of, "If a person keeps a checkbook that's not accurate or up to date, don't hire them as your accountant..." As DevOps rises in popularity, I am reminded of this adage often.
By Jack Jones, EVP of Research & Development and co-founder at RiskLens
December 21, 2015
Would you ride on a space shuttle mission if you knew that the scientists and engineers who planned the mission and built the spacecraft couldn't agree on the definitions for mass, weight, and velocity?