It’s no mystery that the world of cybersecurity constantly faces a massive challenge. It has to pre-empt attacks, predict how hackers will use new attack vectors, and defend the environment against all existing attacks and attacks that may not even exist yet. In this feature, we go over one of the more obscure, but dangerous and difficult attacks to defend against—airborne attacks.
Security departments have evolved tremendously over the years, but so have cyber threats. As organizations become more aware that nearly no one can be trusted, whose job is it to watch the watchers? At this year’s RSA Conference in San Francisco, InfoSec Insider caught up with Forcepoint's Dr. Richard Ford who dives into the topic.
Cyber swindlers are continually looking to reinvent themselves, and their methods are becoming savvier. InfoSec Insider caught up with Digital Shadows CISO Rick Holland on the recent research that his team has conducted on cybercrime extortion, and how security practitioners can ensure their organizations don't fall prey to these attacks.
By Brent White & Tim Roberts, Senior Security Consultants, Threat Services, NTT Security
March 28, 2019
While having strong IT security in place to secure sensitive data on devices and networks is critical, ensuring your organization practices strong physical security is equally important. Organizations need to prevent attackers from being able to walk in and walk out with data, systems, physical documents, or worse – a new connection to your network as a persistent threat.
By Steve Black, Professor of Law, Texas Tech University
March 26, 2019
Cyber law is focused on bringing more clarity to the privacy questions that new technologies introduce. It’s important for all security professionals to have a basic understanding of current and potential future cyber law concepts in order to stay compliant and ensure sensitive data stays safe.
Password security has undergone a significant transformation over the last few years. As a reaction to the insecure form of identity verification that is logging in with a password, technologies such as two-factor authentication (2FA), multi-factor authentication (MFA), and hardware keys have emerged. This begs the question—where does that leave passwords in 2019?
By Paul Rohmeyer, Program Director MS Information Systems, Stevens Institute of Technology
March 12, 2019
Today, there are highly specialized training options offered both in-person and online in the form of meetups, webinars, formal courses, and in-house and external conferences. The attractiveness (cost, convenience, and specialty) of these alternative options has driven cybersecurity talent to steer towards education avenues outside of traditional academia.
When you’re talking information security among your peers, it sounds like a totally different language than the rest of your organization speaks. This puts infosec professionals in a bind. On the one hand, security vulnerabilities exist throughout the company. Yet you, alone, are carrying the burden of knowing just how serious it can get. That’s why it’s up to you to create an information security communication strategy.
From steering clear of marketing buzz to the impact of misinformation, DeMISTIfying Security hosts Ed Moyle and Raef Meeuwisse point out the security assumptions that could be catastrophic to any security practitioner’s role.
We understand that some security professionals may not have the easiest time implementing the NIST Security Framework. That’s why we’ve created the “missing manual” on getting it right in this latest InfoSec Insider post.
Emotet is highly sophisticated malware with a modular architecture, installing its main component first before delivering additional payloads. In this contributed article, Darktrace's Max Heinemeyer, director of threat hunting, breaks down the threat.
Last week we shared the first part of this two-part series on cyber threats in 2019. This week we wrap up the remainder of the insights we shared thanks to our conversation with subject matter expert Adrian Sanabria, VP of strategy and product at NopSec.
InfoSec Insider caught up with one SME that helped us put together a list of the looming threats your company should keep an eye on and how organizations can defend themselves accordingly. Here's a look at what you should have on your radar.
Social engineering is unique in the cybersecurity world as its scope of influence can vary widely on the software, hardware, and even psychological level. In this article, we’ll cover social engineering attacks and help you learn from recent developments in the space.
In last week's segment, Ed and Raef discussed some of the major developments in infosec in 2018. This week, they take out their crystal ball and look into 2019, sharing their thoughts on what many practitioners could expect.
In the latest installment of InfoSec Insider’s DeMISTIfying Security series, security experts Ed Moyle and Raef Meeuwisse return to review the major breaches, developments, and takeaways that you can get from information security events in 2018.
As 2018 wraps up, InfoSec Insider looks back at some of the most popular articles we've produced for our loyal audience. From communicating security metrics to the board and making sense of attack patterns, to key areas that you should focus your cybersecurity strategy on, here's a list of the top 10 articles.
A CISO’s list of responsibilities is vast. They need to protect, defend, and identify any risks and potential attacks that may hit their company’s environment. However, knowing what needs protection is its own challenge.
Security practitioners that are looking to migrate their business to the cloud in a successful manner have to consider quite a lot. That's why InfoSec Insider caught up with security leader and industry veteran Mark Arnold during this video interview where he quickly breaks down what you should and shouldn't be doing when it comes to the topic.
Today's IT playing field demands a higher state of alertness, not only within your enterprise but also outside of it. However, when it comes to security, not all vendors are created equal. Some very likely have inferior security hygiene and practices that can affect you big time.
InfoSec Insider catches up with Debbie Hoffman, CEO of Symmetry Blockchain Advisors at the CSA Congress event, who clarifies what blockchain means to security leaders today, and any privacy implications they should be aware of.
The idea behind collaborative security is to change the security and threat landscape from the daunting “one vs. many” to “many vs. many,” embracing the power of knowledge and collaboration to protect valuable data.
In this walkthrough, InfoSec Insider experts Ed Moyle and Raef Meeuwisse demonstrate one useful exercise that can aid security practitioners in getting a lay of the land in their organization, serving as the perfect first step in ultimately measuring and reducing information security risks.
InfoSec Insider SMEs Ed Moyle and Raef Meeuwisse are back, but this time they're talking fundamentals. If you're an up-and-coming security warrior, you'll definitely want to heed this advice from the two infosec experts.
The government has urged the private sector to offer agencies secure cloud solutions through the FedRAMP accreditation, which establishes baseline standards for security assessment, authorization, and continuous monitoring. Here, we provide six key considerations to help guide FedRAMP accreditation efforts.
When is it time for your organization to share cybersecurity information with its competitors and how much should you be sharing? We interview two industry experts that provided us with their take on the topic in this featured video interview.
This will probably be a contentious point for some, but there are situations where a penetration test isn’t the best use of an organization’s resources. Here, we examine what is (and isn't) a pentest, and what its goals should be depending on your organization's needs.
Cyber threats are top of mind for board members, but communicating cyber threat intelligence may not be the easiest task for security leaders. In this recent interview, Tim Callahan, senior vice president and global security officer at Aflac, provides some helpful tips that could go a long way.
Threat intelligence has transformed the information security world for the better but it’s not always leveraged in the best way possible by organizations and departments. InfoSec Insider spoke to threat intel expert Karl Sigler to get a sense of how organizations can maximize threat intelligence for their organization.
While patching vulnerabilities seems like a “low-hanging fruit” task for many security practitioners, it seems as though many still fail to do so. In this interview with application security expert Chris Eng, he highlights the common blind spots associated with vulnerability management.
InfoSec Insider catches up with cybersecurity experts on the lessons learned from the 2016 election hacks, and what the security practitioner of today could learn from those events. With early voting already in full swing, we take a brief look back at what occurred.
Ntrepid Corporation’s Chief Scientist Lance Cottrell chats with InfoSec Insider and offers up the major dos and don’ts tied to password management, as well as pinpoints the significant weaknesses in some of the systems we’ve come to rely on heavily.
We’ve seen the rules for data security change from relatively simple policies, such as simple access controls, to much more complex policy requirements with the implementation of GDPR. This article’s intended to cover three new perspectives that will influence data protection controls in the coming years.
Forcepoint’s Dr. Richard Ford discusses the impact that the 2016 election meddling had on the cybersecurity community, and the lessons learned that security practitioners should take note of, but most importantly, act on.
Tripwire's Tim Erlin chats with InfoSec Insider on the state of cyber hygiene in 2018, where we are, why we're there, and highlights different areas that security practitioners are failing to cover as it relates to securing the business.
What is the bottom line from a security perspective when it comes to mobile payments? In the current state of the ecosystem, mobile security expert Aaron Turner offers up his take and advice on the topic.
The idea that all internal networks should be considered trusted while external networks should be considered untrusted was fundamentally wrong. This featured article describes why the move to the cloud has also accelerated the movement to Zero Trust.
The context around security events is essential to qualify if those events are false positives or worthy of a security response. However, today security operations are predominantly focused on event monitoring and rely on security analysts to reconstruct context.
GDPR was a major focus for many organizations this year, whether through extensive business process mapping, understanding the purposes of personal data, or defining its scope. But now that it's here, what should security professionals focus on next?
Threat intelligence expert Dave Ockwell-Jenner discusses how organizations have changed the way they approach threat intelligence, and provides the primary Dos and Don’ts associated with developing a successful threat intelligence program.
Blockchain has become the new buzzword of choice across a wide spectrum of industries, such as finance, tech, and the information security industry. However, what blockchain is and what its applications are still seem to be unclear. This article sets the record straight.
Bugcrowd Founder Casey Ellis discusses the evolution of bug bounty programs and their impact on information security, in addition to providing tips on the key areas to focus on when it comes to developing a bug bounty program at your organization.
Given the skills gap in information security, it's important for cybersecurity managers to diversify and expand the skill base of their team members. Here, we highlight how they can do it from a practical point of view.
The Cyber Threat Alliance’s Chief Analytic Officer Neil Jenkins provides an update on the state of information sharing in 2018 and provides some insight on the steps security practitioners can take if they’re interested in sharing their threat data.
Summer will be over before you know it and for many of you, it might be time to hit the road again for business travel. Before you pack up all of your devices, you might want to keep some of this advice in mind to ensure your data is secure.
Cybereason’s Israel Barak discusses the approach that far too many businesses take when it comes to their security strategy and highlights the steps security professionals should take to rethink their programs and the challenges they face in measurably reducing risk within the business.
Developing a threat hunting program may be challenging, but it doesn’t have to be. In this feature article, one subject matter expert provides us with a glimpse into her experience on the topic and what you can expect.
CA Veracode’s Chris Wysopal discusses how the 2016 presidential election hack broadened the horizon on how security warriors think about defending their data and offers up advice on what they should consider when it comes to protecting sensitive information.
Threat modeling is essential to becoming proactive and strategic in your operational and application security. In this feature article, you'll learn what threat modeling is, how it relates to threat intelligence, and how and why to start.
Trustwave’s Karl Sigler discusses the state of cyber threats in 2018 and suggests what areas of your security strategy you should focus on to take proactive steps in measurably reducing risk within the business.
The dark web is one of those elusive subjects that can often get misinterpreted. We spoke to Reclamere's Connie Mastovich to get her expert take on what the dark web is, what risk it poses to companies, and how to protect yourself from it.
Today, most reputable cloud service providers are security conscious, yet users remain responsible for many—but varying—aspects of information security. Here, we take a look at the three most common public cloud models that should be on your radar.
When a company falls victim to a cyber incident, security personnel are often in the line of fire, especially when they've focused only on the technical side of the job. Here we provide some tips that can lessen the chances that any one person will bear the absolute blame.
With more everyday products being built with internet connectivity capabilities, cybersecurity practitioners have become concerned about the security and privacy of those devices. The state of IoT security is pretty grim, but will proposed guidance and regulations improve processes?
InfoSec Insider catches up with NSS Labs CEO Vik Phatak, who discusses what the state of measuring security performance is today, what approach practitioners should be taking, and the common mistake that security pros make when it comes to purchasing security solutions.
Tackling GDPR means knowing where all your data reside, even if they're outside of your direct control. Here we take a look at how you can tackle this initiative even if you're a bit late given the time of year and when the regulation goes into effect.
SMBs can’t just throw up their hands at cybersecurity, despite a probable dearth of resources. Since most aren't likely to magically receive a multimillion dollar cybersecurity budget windfall, we've provided our top 6 tips for how to manage security on a limited budget.
To help security leaders find new ways to better align with business colleagues, we turned to two experts to find out how they’re constantly maneuvering between technical requirements and fueling business priorities.
One expert discusses the growing importance of DevOps within the enterprise, the initial steps organizations should be taking to implement a DevOps approach, and how to get buy-in from key stakeholders.
You picked them! Here's a look at the most read articles published on InfoSec Insider in 2017. From CASB to threat intelligence, you'll find a unique mix of some engaging content that answers some of your pressing questions.
By Katherine Henry & Brendan Hogan, Bradley Arant Boult Cummings LLC
December 18, 2017
Cybersecurity professionals can provide valuable input in their companies’ procurement of cyber insurance, and should be involved in all phases of cyber insurance procurement and management. Here are some important areas you should focus on.
After conducting 80 interviews with security leaders and board members, these two experts discuss the findings of their research and offer a rare window into how each group viewed progress and setbacks in their oversight of cyber risk.
In our last article, we discussed how disciplines like psychology and behavior-profiling can help us to better understand the adversary at the end of the keyboard. Now we are going to extend similar disciplines to ourselves as intel analysts.
Depending on your source, insider threat accounts for anywhere from 27% - 77% of all breaches. Despite the disparity in agreement about the size of the problem, most security practitioners agree that identifying insider threats is more difficult than identifying external threats.
The security community often gets caught up in the latest and greatest tools and technologies, using those trends as a way to garner attention for the security program. But this strategy can backfire when it comes to real risk management and how seriously security is taken.
In biology, it is well known that genetic diversity creates strength in that it helps build resilience to disease, disorders, and other human ailments. At a community level, we also find strength in diversity.
While some security professionals have climbed the ranks based on their technical know-how, it’s the transition into the business leadership role that tends to present the challenges for chief security officers.
What is security’s purpose if not to help with risk management? Organizations run on varying degrees of risk—financial risk, operational risk, market risk, sociopolitical risk, etc.—and information security has become a big piece of the risk picture.
It would be somewhat of an understatement to say that methods of communication have changed over the last 31 years. Yet in that time, laws pertaining to the privacy of those new types of communication have remained stuck in the past.
Leadership is a lot like playing in an orchestra. For those less familiar with an orchestra setting, let me explain. The basics: A traditional orchestra is made up of strings, woodwinds, brass, and percussion, plus keyboards.
The President of the United States is apparently using an Android phone, and likely an outdated version, at that. Despite reports that the newly inaugurated president was, in typical fashion, offered a “secure, encrypted device approved by the Secret Service,” it appears Mr. Trump prefers his own personal device. Don’t we all?
It’s true that cyberspace is growing by the day, and as companies and individuals add more information to internet-accessible sources, the risk of compromise of that data grows in parallel. With this greater risk comes more responsibility.
The idea of a password as a security mechanism is sound: One user with an individual identity plus a unique, secret password. In the physical world, this combination often works as it should, since the user’s identity travels with the user (in effect, adding a second factor of identification).
The most fundamental part of incident response planning is to understand that it’s a living, breathing cycle. An organization can’t slap a plan together and expect that plan to carry the team through the next three to five years.
That idea of checks for every customer action, the weight of it, the precautions put in place—armed security guards, security cameras, security alarms positioned in ample locations—all signal to would-be thieves that any attack on a bank is going to require serious skill, planning, and personal risk.
As networked computers disappear into our bodies, working their way into hearing aids, pacemakers, and prostheses, information security has never been more urgent, or more personal. A networked body needs its computers to work well, and fail even better.
On this first day of a Donald Trump presidency, many people around the world are watching and wondering what is going to happen in corporate America. The speculation is no less prevalent in the security industry.
Security staff are infamous for declaring “security does not equal compliance” whenever the topic of compliance is mentioned by a non-security person. The reasoning behind this is sound: Compliance is a set of minimum requirements and auditable actions or technologies.
Cybersecurity staffing—and the industry shortage—is a frequent topic of conversation among security practitioners. But as nation state competition heats up, government and civilian agencies need to develop alternative hiring strategies if the U.S. wants to compete on a global scale.
The Children’s Commissioner for England released a report last week stating the need for sweeping changes to terms and conditions on social networking sites, particularly those with audiences largely comprised of children and young adults.
As we continue to ramp up our efforts in providing you with a resourceful library of content you can rely on, we’ve decided to reflect on some of the top InfoSec insider articles of 2016, based on the engagement we’ve received from our readers.
Many uncertainties await the world when the new United States administration takes office on January 20, 2017. The President-elect, while extremely vocal on the campaign trail, has been disconcertingly cagey in the weeks leading up to inauguration.
The New Year is close upon us and many security firms and media outlets are busy publishing 2017 predictions or “the year in review.” Rather than following suit, we’d like to propose a New Year’s resolution to all security practitioners (and office workers, in general, really).
While security practitioners are thinking about exploits, vulnerabilities, controls, and threat actors’ TTPs, what executives really want to know is, “When the company is the victim of an attack, what effect will that have on the rest of the company, and how quickly can employees resume?"
Indeed, effective, successful organizations are attempting to proactively identify threats and indicators of compromise before they present serious destruction to the victim organization. Even the most robust and mature threat intelligence programs, though, aren’t immune to a breach.
“Insider threat” — it’s a term that gets thrown around a lot in cybersecurity circles. Practitioners want to know who is responsible for attacks and how attacks are being perpetrated so defenses can be appropriately implemented and provisioned.
Over the past few years the security industry has seen a rise in the number of appointed CISOs. At companies where previously the security team was small, secluded, and likely managed by the CIO, it is refreshing that mention of a CISO is no longer followed by puzzled looks or blank stares.
Depending on your media outlet of choice, the current cybersecurity staffing shortage is either pressing or catastrophic. In either case, a staffing shortage exists and the industry needs to take more proactive steps to look beyond current talent pools to fill open positions, as well as positions that will be created as the industry continues to expand.
By Dan Houser, Security Architect & Perspicacious Security Iconoclast
November 10, 2016
A study of recent hacking attacks on corporations makes it obvious that (weak) password credentials are being used both inside and outside organizations, and are frequently the credential protecting remote access to the enterprise and its "crown jewels."
By Rafal Los, Managing Director, Solutions Research and Development, Optiv
October 31, 2016
For nearly the last twenty years, enterprise security teams have been fighting threats to their business much like hapless teenagers fight demons in horror movies. Let me paint you a scene. Four people fleeing a horde of some type of evil take refuge in a run-down back woods cabin in the middle of nowhere.
Until last Friday, Internet of Things (IoT) cyber attacks were largely more theoretical than practical, at least for those outside of the cybersecurity research realm. When Reddit, Twitter, Netflix, Spotify, and PayPal, among others, were taken offline or significantly slowed due to a massive distributed denial of service (DDoS) attack last week.
Rifts between the security team and other groups lead to inefficiency and reduced effectiveness. Information security isn’t getting as much done as is necessary in our breach-of-the-day world, yet old problems like failure to collaborate persist.
As a first time DerbyCon goer, I didn’t quite know what to expect. In its sixth year, DerbyCon is well known throughout the security community, and I’ve worked with several of the speakers, a few of the organizers, and met many security vendor representatives at MISTI and past-job events.
By many estimates, the demand for information security practitioners far exceeds availability. As security becomes an appreciable concern for large and small companies alike, it stands to reason that the industry is going to face a serious shortage in the coming years if new practitioners aren’t found or cultivated.
Like it or not, fall is right around the corner, and for many private enterprises, fall means Q4 which means facing the dreaded budgeting season. If budgeting itself weren’t cumbersome enough, cybersecurity budgets—even if they stand alone—are often part of a larger function.
Applications have become the technological underpinnings which enable employees to do their jobs faster, more accurately, and with greater ease. Applications have become so ubiquitous within organizations that most employees don’t even consider the tools with which they are working “applications” at all.
When individual users are required to first accept usage policies and then interact with the website/application/tool by allowing it to collect information, both the user and the enterprise for which the user works are put in a position of risk. Why? Because the likelihood that he or she will read the policy is slim to none.
Information security teams face a serious problem when they are unable to detect the presence of a threat actor inside organizational systems. Knowing who has access to key applications is an imperative for trying to protect the company, yet according to a new report published by Okta, that may not be the case.
Calls for presentations: Depending on whom you ask, CFPs are either a great opportunity for subject matter experts to display knowledge and vie for a coveted spot on a conference program, or an absolute nightmare, as the intended speaker carefully calculates the best topic to submit.
Many in the security industry, myself included, are guilty of falling into the trap of saying that security is a discipline in which the big “wins” come when “nothing happens.” It’s an easy statement to make, especially when working with business leaders who see only the end result (i.e., no breach, no media headline) and make this claim.
“We’ve seen breaches where the ‘partner effect’ has played a major role, but have you noticed that nobody seems to really know how to manage that risk well,” poses Pete Lindstrom, Vice President of Security Research at IDC.
Symantec and Kaspersky Lab simultaneously released information yesterday on “Strider” and “ProjectSauron” respectively. Strider, the attacker group, has reportedly been using a stealthy piece of malware called “Remsec” (Backdoor.Remsec) as part of ProjectSauron to spy on a small number of highly valuable targets in China, Russia, Belgium, and Sweden.
On Tuesday, the White House issued its Presidential Policy Directive-41 (PPD-41), or “United States Cyber Incident Coordination” plan. The PPD follows on the heels of the Cybersecurity National Action Plan, the Obama administration’s attempt to button up cybersecurity efforts in the face of growing threats against U.S. entities.
Security teams spend a fair amount of time thinking about incident response. The probability of an information security incident occurring forces teams to consider how to manage intrusions, leaks, and other security vulnerabilities or exploits.
After last winter’s frosty standoff, Apple and Facebook are now making headlines for being in cahoots with the FBI. For a few years, the bureau has been tracking Kickass Torrents, a very popular file sharing site, and trying to link illegal reproduction and distribution of online media, including movies, TV shows, music, and video games.
The role of the CISO is changing. We hear about it every day: CISOs must become more business oriented and fine-tune communication skills so other executives consider heads of security business equals.
Privacy Shield, the much-anticipated new trans-Atlantic data transfer agreement between the EU and U.S., was approved yesterday by the European Commission. After months of debate and revisions, the Commission finally felt comfortable enough to rubber stamp the framework, which will actually undergo further analysis later this month.
The families of five terrorist attack victims filed a lawsuit in U.S. District Court on Monday. The families, claiming that Facebook enabled Palestinian militants to carry out deadly attacks in Israel, are suing for more than $1 billion, calling into question the responsibility of technology companies when it comes to security.
“A lot of security departments are swimming in the wrong direction,” says Raef Meeuwisse, Director of Cybersecurity at Cyber Simplicity Ltd. By this, Meeuwisse means that companies haven’t yet redirected the scope of their security programs—the tools, technologies, and processes—to reflect current threats.
Security practitioners have long decried the practices of password sharing. Now an appellate court has bolstered that sentiment by handing down a decision in United States v. Nosal, ruling that a former employee of executive search firm Korn/Ferry International has violated the Computer Fraud and Abuse Act.
Even small, home-spun businesses have a handful of third-party vendors with which they must connect to keep the lights on and the money flowing. Larger organizations might have hundreds or thousands of partners in the supply chain.
For security practitioners, the name of the game is risk management. These risks come in all shapes and sizes, from system vulnerabilities and the onslaught of evolving malware, to threats posed by insiders.
After the contentious Brexit vote last week, the British Parliament’s House of Commons Committee is investigating potential commandeering of an online petition calling for a second referendum on the matter.
Colleges and universities are generally considered settings for learning, openness, and ideas. Students and professors alike are encouraged to explore new thinking and push boundaries. The best academic universities on the planet have entire departments focused on researching subjects unconsidered universally.
Several years after the introduction of DevOps, the security community continues to laud the method while scant few developers are hopping on the bandwagon. One of the issues is that “security” isn’t part of DevOps.
The mention of cloud services no longer strikes fear in the hearts of security practitioners like it did a decade ago. While some security folks are still wary of providers’ claims, few can doubt that many of the larger, more prevalent cloud providers offer as good or better security than some enterprise security teams.
Security is often a battle. In one corner we have the security team warning the rest of the business of the dangers of “X” or fighting to implement new policies and technologies that will help keep the business secure. In the other corner we have lines of business wanting and needing faster, better, more profitable enablement tools and processes.
China is once again making it more difficult for international organizations to conduct business in the country. Last year, the China Insurance Regulatory Commission (CIRC) announced draft rules that would require insurance carriers to buy and utilize “secure and controllable” solutions for IT.
Last night I watched as the driver of a rental moving truck took the top of the truck clear off as he drove under an overpass that was too low for clearance. The top scraped off a bit like the top of a sardine can; it peeled back and bits of curlicued steel flew across Storrow Drive, one of the main crosstown parkways in Boston, MA.
The Internet of Things (IoT) is transforming the world in ways unimaginable 5-10 years ago. For many of us, IoT extends to the innovation of smartwatches, connected cars, and smart home devices, which have substantially changed the way we live.
Apple’s highly guarded and stringent software development process may start to chill out this summer, according to a report in The Information. The company is well known for its rigorous development practices, which helped it climb to the top of security practitioners’ lists as the platform of choice when selecting smartphones and mobile devices in recent years.
“Transportation Security Administration” may not actually refer to security, it seems, according to a report issued by the Office of Inspector General (OIG) of the Department of Homeland Security (DHS). The report details the results of an audit, conducted primarily to follow up on previously reported “deficiencies in information technology.”
Ransomware is the hot, new buzzword in security. It is also a serious, escalating problem. Hospitals in Kentucky, Maryland, Ottawa, and California (among others) have had data held hostage in recent months; the U.S. House of Representatives blocked access to third-party email apps after ransomware attempts (or maybe unconfirmed attacks?) were perpetrated.
The decline in TalkTalk's profits is undoubtedly due to the aftereffects of a cyberattack in which the names, phone numbers, and email addresses of a reported 157,000 customers were lost. In addition, during the same incident 21,000 bank account numbers were accessed.
OSINT—or open source intelligence—is a wondrous thing. As security professionals know, this nearly endless sea of information provides both opportunities and drawbacks. Threat intelligence vendors, though, harness the vastness of the web to unearth tidbits of information.
Recently I was having a conversation with a good friend, a good friend who also happens to be a leadership and communication expert. We were discussing the topic of leadership in the security industry and how, while there are many bosses and executives, there are few truly excellent leaders in security today.
While cloud has technically existed in earlier forms—application service providers and hosted solutions, for instance—for almost twenty years, the current cloud marketplace offers a wide selection of services designed to meet the requirements of organizations looking to outsource certain aspects of operations.
Have you ever slowed your car while driving to gawk at an accident on the side of the road, or been frustrated by the car in front of you that did? Have you caught yourself mesmerized by a ridiculous YouTube video?
In preparing for my Cloud Security World 2016 talk, "Automagic! Shifting Trust Paradigms Through Security Automation," I've been thinking a lot about what can be automated, how to automate, and how to demonstrate and measure value around all that jazz.
Geopolitical cyber war is a fairly well established practice: You break into my nation-state thing; I’ll hack you back. President Obama and Chinese President Xi Jinping even met in Washington, D.C. this past September to discuss (and announce) the desire of both parties to curb intellectual property theft.
If Hollywood doesn’t make a movie out of the Apple vs. FBI debate, someone is missing the boat. As proven by the recent Oscar winners, “Spotlight” and “The Big Short,” audiences eat up controversial subjects, especially when the impact of the controversy affects them or loved ones.
Major technology providers are not the only ones thinking about how to best protect user data. Users, too, are becoming increasingly concerned, and when those users are PhDs and professors at some of the world’s top universities, innovation is spawned.
We are currently engaged in a war to achieve victory over risk. Okay, perhaps "war" is not the right way to describe the status quo. None of us can ever achieve total victory over risk. Any expert will say some risk always persists in any activity we undertake.
Earlier this week American Express notified customers of a potential breach involving theft of account numbers, user names, and “some other” account information—most of the juicy ingredients necessary for fraud. The company was quick to mention that it is monitoring for fraud, but it was even quicker to deny responsibility for the incident.
Everything is heating up on Capitol Hill: President Obama is proffering a new Supreme Court Justice nominee. The next presidential race is as much a circus as it is a true campaign. Apple and the FBI are still going at it (while other government agencies have started speaking out in favor of encryption).
Are you valued as much as a leader as you are as a security resource (with a team)? It's the gut check question I ask of security leaders. In most cases, the answer is no. Most security leaders say they receive recognition for technical prowess, not for leadership.
U.S. Army Major General John H. Stanford was asked about how one becomes a leader. "When anyone asks me that question, I tell them I have the secret to success in life. The secret to success is to stay in love. Staying in love gives you the fire to really ignite other people."
Over 40,000 attendees and nearly 550 vendors are getting back to their inbox this week after having attended the gargantuan vendor show otherwise known as RSA. It was RSA’s silver anniversary, and as with each passing year, it gets BIGGER with age!
There is no shortage of quotes to capture the importance of trust: hard to earn, easy to lose, and essential to our success as security leaders. Yet a troubling trend is emerging: the trust we need to be successful as security leaders is eroding.
By Jonathan Sander, VP of Product Strategy, Lieberman Software
March 01, 2016
During the past couple of years, we've witnessed a series of devastating data breaches affecting some of the world's most renowned businesses, with each breach inflicting staggering costs in terms of financial and reputational damage.
The security field needs more practitioners. The insanity that is our “always-connected” world necessitates more resources to manage, monitor, and maintain personal and enterprise data – from email accounts to mobile phones to chock-full-of-tech refrigerators.
By Michael Santarcangelo, founder, Security Catalyst
February 14, 2016
A few decades ago, we advanced information security with a simple phrase: "the Internet is bad, a firewall is good." We linked the dangers of connecting to others online with a simple method of protecting our companies. Now our ever-changing networks face dynamic, evolving threats.
As debates about privacy versus encryption rage on, with the US, UK, and France on one side and Germany and the Netherlands on the other, Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar decided to take a look at the encryption products market and replicate a study conducted in 1999.
Almost every morning I wake up and read about another company that has been breached, and consumers' or patients' information has been stolen as a result. It's getting to be so common that social security numbers and credit card numbers posted on dark Web sites sell for less than a dollar each.
Security professionals spend a lot of time thinking about protecting their back end systems and the information contained therein. They think about the scariest and sneakiest vulnerabilities and what an exploit means in real terms: will this disrupt business operations? Will our company lose sensitive data? Will I be fired?
When you think of security metrics, what's the first thing that pops into your mind? OK, after you yawn, what's the first thing? While security metrics themselves may not exude excitement, what if your metrics quickly revealed just the type of information you need that leads to a decision or action that helps solve a business problem?
For as long as I can remember, I’ve heard that “users are the weakest link in the chain,” or even worse, “you can’t stop stupid.” This long-held view is not terribly productive to advancing information security, and it certainly doesn’t endear the security professional to the general public.
In a profession that’s designed around problem identification, it’s no wonder security professionals are often labeled “contrarians” or “trouble makers.” From the outside in, it looks like security’s job is to find problems even when operations are seemingly gliding along smoothly. Security pros are trained to slog through logs and find anomalies.
As a young man, I was given some advice that seemed too obvious to really be considered advice. It went something along the lines of, "If a person keeps a checkbook that's not accurate or up to date, don't hire them as your accountant..." As DevOps rises in popularity, I am reminded of this adage often.