Cyber Security Institute

Thursday, October 20, 2011

New SEC security breach rules no big game changer, experts say

Late last week the Securities and Exchange Commission issued new guidance informing public companies that, under certain circumstances, they may need to disclose cyber breach information, or even potential security breaches, if there is a certain level of risk of financial impact to corporate earnings.

MORE...

Monday, August 01, 2011

Incident Response and Recovery May Be the Best Defense

The ever increasing list of breaches appearing on the Open Security Foundation’s DataLossDB Web site as well as companies being targeted by the AntiSec movement made up of groups including recently-raided Anonymous, AnonOps, TeaMp0isoN, and now-dormant LulzSec continues to show that no organization is immune to successful penetration from cyberthreats. [Written by my good friend BK DeLong, an independent consultant based in Boston, MA]

MORE...

Thursday, June 30, 2011

‘Indestructible’ rootkit enslaves 4.5m PCs in 3 months

One of the world’s stealthiest pieces of malware infected more than 4.5 million PCs in just three months, making it possible for its authors to force keyloggers, adware, and other malicious programs on the compromised machines at any time.  The latest TDL-4 version of the rootkit, which is used as a persistent backdoor to install other types of malware, infected 4.52 million machines in the first three months of this year, according to a detailed technical analysis published Wednesday by antivirus firm Kaspersky Lab.

MORE...

Tuesday, June 28, 2011

Cyber attacks are escalating

Today, that highway is starting to resemble the route Mad Max traveled in The Road Warrior.  Hardly a week goes by without seeing news reports about another corporation being sabotaged by hackers.  This month on The Digital Future, Strategic News Service publisher Mark Anderson looks at the huge increase in Advanced Persistent Threats: efforts by nation-states to steal information and technology.

MORE...

Microsoft patents spy tech for Skype

A newly patented Microsoft technology called Legal Intercept that would allow the company to secretly intercept, monitor and record Skype calls is stoking privacy concerns.  Microsoft’s patent application for Legal Intercept was filed in 2009, well before the company’s $8.5 billion purchase of Skype in May.  From Microsoft’s description of the technology in its patent application, Legal Intercept appears similar to tools used by telecommunication companies and equipment makers to comply with government wiretap and surveillance requests.

MORE...

Federal agency issues new security rules for financial institutions

The federal agency that regulates banks today issued new rules for online security for financial institutions, instructing them to use minimal types of “layered security” and fraud monitoring to better protect against cybercrime.  It’s the first time the Federal Financial Institutions Examination Council (FFIEC) has updated its rules since 2005, and the instructions to regulated financial services today focus on protecting high-dollar Automated Clearinghouse (ACH) transactions that have been targeted by sophisticated cybercrime groups that hijack business PCs in order to initiate fraudulent transactions.

MORE...

Thursday, May 19, 2011

Oracle release enables dual IPv4-IPv6 provisioning, Ethernet support

… technology refreshes such as upgrading to IPv6,” said Liam Maxwell, vice … platform support for both IPv4 and IPv6 enables service providers to introduce … the operational complexities of a dual IPv4–IPv6 environment.  Oracle Communications IP Service …
http://www.telecomengine.com/article/oracle-release-enables-dual-ipv4-ipv6-provisioning-ethernet-support

AOL Announces Participation in World IPv6 Day 19 May 2011 12:51 NewsAdvance.com

… a global “test flight” of IPv6 capabilities bringing together major web providers, … of supporting the migration from IPv4 to IPv6,” said Alex Gounares, CTO of … of its products and services with IPv6 in the future: For more information about …

http://www.businesswire.com/news/mgnewsadvance/20110519005467/en

Friday, May 06, 2011

Sophos acquires Astaro

Sophos buys Astaro... wow, interesting move.

MORE...

Symantec Announces Updates to Data Management, Protection and Endpoint Security Solutions

Symantec, at its Vision user conference that took place in Las Vegas this week, announced a series of updates to some of its core product offerings, spanning its Endpoint Protection solutions to Enterprise Vault Archiving Software.  Symantec Endpoint Protection Small Business Edition 12, also available as a public beta, will offer small organizations with limited IT staff and resources a solution they can easily deploy.  In addition to the Endpoint Protection and Protection Center announcements, Symantec announced Symantec Enterprise Vault 10, Enterprise Vault.cloud, and Cloud Storage for Enterprise Vault to help organizations manage and discover their information with speed, efficiency and scale, on-premise and in the cloud.

MORE...

Thursday, April 28, 2011

Symantec announces April 2011 MessageLabs Intelligence Report

This month's analysis reveals that targeted attacks intercepted by Symantec.cloud rose to 85 per day, the highest figure since March 2009, when the figure was 107 per day in the run-up to the G20 Summit held in London that year.  MessageLabs Intelligence has also revealed that shortened URLs have become increasingly popular recently, being used to lure people into clicking on advertising links, a practice known as click-fraud.  In April, 1 in 168.6 emails contained malware, and targeted attacks accounted for approximately 0.02% of these.

MORE...

Dropbox 1.2 Experimental Build Fixes Security Issue

Attackers could use the file on any other computer with Dropbox to download all files of the original owner, without entering the Dropbox login credentials and without any notification in the Dropbox dashboard that another device had been used to download the data.  Dropbox 1.2 introduces a new encrypted database format to “prevent unauthorized access to local Dropbox client database” in addition to the security enhancements.  This is related to the security issue, as the user who discovered the vulnerability in the first place uncovered it by analyzing the local Dropbox client database.

http://www.ghacks.net/2011/04/28/dropbox-1-2-experimental-build-fixes-security-issue/

MORE...

VCs and IT Security Firms: Not Much Love in the Air

Although security breaches make the headlines regularly and Washington has plans to upgrade the security of the United States’ national infrastructure, up-and-coming IT security companies are having difficulty securing investment funds.  “It seems there’s been a general shift among venture capitalists away from security,” Jim Pflaging, director and managing principal at SINET, stated at a private lunch at the 2011 IT Security Entrepreneurs’ Forum (ITSEF), held in Palo Alto recently.

MORE...

Monday, April 25, 2011

AT&T starts selling ‘cell tower in a suitcase’

For the first time, AT&T is selling small, portable cellular antennas that will allow corporate and government customers to provide their own wireless coverage in remote or disaster-struck areas.

MORE...

Wednesday, April 20, 2011

Data Security moves up the agenda & is now seen as important as cost savings within the public sector

The research, which was conducted using qualitative interview techniques with a range of public sector organisations across the UK, shows that data security is now far higher on the agenda than in either of Becrypt’s previous two surveys.  The research showed that there has been a significant change in attitudes to data security in the public sector, with 92% of those questioned now having specific policies for dealing with sensitive data.

MORE...

Kaspersky: IT Security Policies Still Don’t Work According to New Research

Despite more than three quarters (77 per cent) of IT managers saying their company has a security policy in place for the use of tablets and smartphones, IT professionals are still downloading unauthorised applications onto their devices, according to online research released today by Kaspersky Lab, Europe’s largest anti-malware company.

MORE...

Wednesday, April 13, 2011

Kerry-McCain privacy bill: What you need to know

A privacy bill of rights is something that tech pundits have talked about for years, but now Senators John Kerry and John McCain hope to make it a reality with a bipartisan bill in the Senate called the “Commercial Privacy Bill of Rights Act of 2011.”  The Kerry-McCain bill would force companies to let users opt out of data collection when it is used for behavioral ads or transferred to third parties. ...  For sensitive information—religion, health records or other data that can cause physical or financial harm if made public—companies would need users’ consent through an opt-in.

MORE...

Friday, April 01, 2011

Bank of America moves to further ramp up security with new CISO

Bank of America has named Patrick Gorman, a veteran government and corporate technology executive, as its new chief information security officer.

MORE...

Friday, February 25, 2011

HIPAA privacy actions seen as warning

Department of Health and Human Services for HIPAA privacy violations should serve as a warning to all healthcare entities, say privacy analysts.
The agency announced on Thursday that it had imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for violating the Health Insurance Portability and Accountability Act’s privacy provisions.  This week’s other enforcement action involved Massachusetts General Hospital, which agreed to pay HHS a total of $1 million to settle potential HIPAA privacy violations.

MORE...

Wednesday, January 05, 2011

Help desk calls on the rise

At a time when IT is supposed to be getting simpler, less complex and easier to manage, more people are calling help desks for assistance than ever before, according to a new study.  What HDI found is that the number of incidents reported to help desks via chat, e-mail, telephone, self-help systems, social media, the Web and walk-ins is rising, with 67% of all help desk operations experiencing increases in 2010.

MORE...

Friday, December 03, 2010

To Improve Security, Get Your DAM Info Into SIEM

Database activity monitoring (DAM) and security information and event management (SIEM) technologies historically have worked separately.  To gain a comprehensive view of the activity in the database and its surrounding environs, organizations need to feed their DAM information into a SIEM tool, analysts and other observers advise.  “If all a customer is doing is trying to monitor a database, then clearly there isn’t a lot of leverage in using SIEM for that use case,” says Mike Rothman, analyst with Securosis.

MORE...

Lost Laptops Cost Companies Billions, Study Says

A new survey shows U.S. businesses and other organizations are losing billions of dollars due to lost and stolen laptop computers.  But two-thirds of the organizations surveyed do not take advantage of even basic security practices, such as encryption, backup, and anti-theft technologies, the study says.  “The Billion Dollar Lost-Laptop Study,” conducted by Intel and the Ponemon Institute, analyzed the scope and circumstances of missing laptop PCs.

MORE...

Monday, November 08, 2010

How to have a Disastrous Crisis

It can get better

These are some of the things you should do when a crisis occurs if you really want things to go wrong.  (I.e. you don’t want to do these things.)

MORE... (0) Comments

Friday, November 05, 2010

So, what is a crisis or incident team? (Part 2 in the Crisis Team Series)

Remove the barriers to be successful
It is only by removing the boundaries of our perceptions that we can grow and expand in our capabilities.

So what is a crisis, or should we call it an incident? Different people have different perspectives according to their roles and responsibilities.

MORE... (0) Comments

Tuesday, November 02, 2010

A new series of blog posts on Crisis Response

I love a good crisis!
Now you are going to think that this is a strange thing to say, but I like a good crisis.  Your immediate reaction could be “What!”
But when I refer to a good crisis, I am thinking of those that quickly protect, recover, and whose lessons learnt are really valuable for the future.
So I am going to publish a couple of blog posts a week on my perspective on how to run an effective incident response team.
[PS: My bad, user registration is working now... thank you to you know who you are, for letting me know.]

MORE... (0) Comments

Tuesday, October 19, 2010

Web Host 1&1 Launches Server Management App for iPhone, iPad

Web host 1&1 Internet (www.1and1.co.uk) has launched a new, free iPhone app to manage 1&1 Dynamic Cloud Servers remotely at any time or location.  According to 1&1’s Tuesday announcement, the 1&1 Dynamic Cloud Server app is now available free of charge from the Apple AppStore.  Suitable for both private customers and businesses, the 1&1 Dynamic Cloud Server package can be of particular benefit to those that have fluctuating server requirements, as well as to start-up enterprises that cannot easily predict the future performance of their projects.

MORE... (0) Comments

Monday, October 18, 2010

Cloud computing: how to navigate the legal and contractual pitfalls

With all of the hype about cloud computing, you’d think it is a novel concept that will revolutionise the IT industry.  Such arrangements were not initially called ‘cloud computing’—they went by ASP or Application Service Provider contracts, or hosted or managed service arrangements, to name a few aliases.  The reason cloud computing is making a lot of noise these days is that the benefits it can now bring are more tangible than a decade ago, with improvements in internet speeds, IT infrastructure and the increase in the number of service providers in the industry.  The advantages of cloud include: scalability; cost control; opex versus capex advantages through reduced upfront payments; quicker IT deployment and better technology refresh; ‘greener’ IT solutions by avoiding over-provisioning of IT kit and centralising IT infrastructures within the cloud.

MORE... (0) Comments

Four Big Trends Changing Computing, Gartner Says

Cloud computing, social computing, context-aware computing, and pattern-based strategy are the four big trends that will alter IT in the next few years, according to Peter Sondergaard, SVP of Research for Gartner.  Opening Gartner Symposium, one of the biggest annual gatherings of IT professionals, Sondergaard and other Gartner analysts expounded on the topic of “new realities, rules, and opportunities” that they say are transforming the technology and practice of IT.  While none of these trends is particularly new, taken together, they do have the potential of really changing IT.

MORE... (0) Comments

CA Technologies Revamps Cloud Automation Suite

CA Technologies revamped and relaunched its CA Automation Suite for virtualized dynamic cloud computing environments, CA said Oct. 18.  The new CA Automation Suite features two new products and enhancements to four other products, including CA Server Automation, CA Virtual Automation, CA Client Automation and CA Workload Automation.  CA realigned the automation suite with its overall cloud portfolio of products that automate, integrate and standardize the provisioning and management of physical, virtual and cloud resources, CA said.  The revamp will make the product line more visible to customers, said Ryan Shopp, senior director of product marketing of the Virtualization and Automation group at CA Technologies.  The refreshed automation suite is more business service-centric, so that IT managers can look at the application and know what it does and who it’s for, according to Shopp.

MORE... (0) Comments