Cyber Security Institute
Advice
Tuesday, August 10, 2010
It’s time to be proactive on cybersecurity
In light of recent cyberespionage, the breakup of cybercrime rings, and the threats that sophisticated malware such as Stuxnet present to critical infrastructures, McAfee Labs researchers and industry experts call for a more proactive strategy for fighting cybercrime. “Cybercriminals prosper because they have very little reason to fear the consequences,” said Jeff Green, senior vice president of McAfee Labs. A new McAfee report, titled “Security Takes the Offensive,” is based on strategies compiled by international experts and issues a “call to arms” to the security industry.
Thursday, May 27, 2010
Email encryption must be prioritised
Most email not only passes through, but actually resides on at least two servers once it is sent by the originator; in many cases the number is greater. When you hit the ‘send’ button, you are not sending your message directly to the intended recipient. In a corporate environment the first stop for your mail is probably your internal mail server (the one where your inbox lives). Email can be intercepted at any point along this delivery chain by anyone with access to those servers, whether that be server administrators at the sender, ISP or recipient. In most cases the reason for failure to adopt encryption lies in the management and administrative overhead associated with creating and maintaining a public key server at the corporate level. At the end user level, the fact that the recipient of the as yet unwritten email has to pre-register somewhere and hand over a copy of their public key to the sender before the conversation can even begin has been enough to make most users rapidly re-evaluate their need for privacy and just hit the Send button.
Wednesday, May 26, 2010
Want Better Security? Reward Your Provider
Managed security contracts that reward providers for notifying their clients of breaches provide better security, according to a mathematical analysis conducted by three researchers at the University of Texas at Dallas and the Middle East Technical University. The research, which will be presented at the Workshop on the Economics of Information Security (WEIS) 2010 next month, analyzed a common type of contract used today in which a provider assesses a fee for its managed security service, but refunds part of the fee—as a penalty—if there is a breach. Using game-theory analysis, the researchers established that this commonly used contract model provides no incentive for the provider to notify its client of a breach. Two other contract models, however, are more likely to provide incentives for better security, the researchers say.
Thursday, January 21, 2010
5 tips for cybersecurity-training your employees
When Dennis Lauer joined the Millennium Challenge Corp. as chief information officer two years ago, the young federal program’s growing pains included a startling lack of security. It was an almost free-for-all atmosphere, he recalled. Employees installed Apple iTunes on the agency’s network and regularly downloaded malware via pop-ups that harbored malicious code. “Almost every day we had [surreptitious] viruses, and people didn’t know not to click on” them, Lauer said. The security situation began to change for the better when the office adopted new security policies and practices. Launched in 2004, MCC had adopted a few information technology shortcuts in the early years as the U.S. government corporation embarked on its mission of helping underdeveloped nations.
Wednesday, December 16, 2009
Supply Chain Security Threats: 5 Game-Changing Forces
Supply chain security is being remade by black swan events, economic blahs, and more. What can a CSO do to keep goods and information flowing? As any CSO knows, it’s not enough to mind your own business. You have to look after your business partners as well, across all links that connect to your supply chain—whether that chain is physical or virtual. And that goes double in times of rapid change and high stress. “The threat environment is constantly changing,” says Ryan Brewer, CISO for the Centers for Medicare and Medicaid Services. “Sometimes it’s hard to put your finger on what’s most important.” Who would have thought three years ago that piracy on the supply chain would be such a big concern? Sometimes the big worry is terrorism, sometimes it’s natural disasters, lately it’s malware. Here are the top five developments CSOs say have the biggest potential to wreak havoc on their supply chains.
Tuesday, December 08, 2009
Industrialisation Of Hacking Will Dominate The Next Decade
As we approach the dawn of a new decade, battle lines are firmly drawn with UK organisations squaring up to cyber criminals. The industrialisation of hacking: clear definitions of roles are developing within the hacking community, forming a supply chain that starkly resembles that of drug cartels. The weapons of choice will be automated tools applied through botnets. His company recently tracked and analysed a compromise that affected hundreds of servers. The scale of this attack, and others like it, is enormous and would not be achievable without total automation.
Wednesday, December 02, 2009
Choosing SIEM: Security Info and Event Management Dos and Don’ts
Advice from the front lines on choosing and using a Security Information and Event Management (SIEM) product
SIEM: A Growing Market
Worldwide revenue for SIEM was $663.3 million in 2008 and is expected to grow to $1.4 billion in 2013, which is a compound annual growth rate of 16 percent, according to IDC.
Meanwhile, Gartner estimates that SIEM was a $1 billion market in 2008, with growth of 30 percent that year. Historically, event management—or SEM—has driven this market, but today’s growth is mainly related to regulatory compliance, with secondary requirements for effective threat monitoring, according to Kelly Kavanaugh, an analyst at Gartner. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires log management, and the Sarbanes-Oxley Act requires privileged user reporting, he says.
Friday, October 09, 2009
Six Steps Toward Better Database Security Compliance
In a sea of compliance initiatives, database security is often overlooked. But experts say no matter what the regulations say, securing the database is a critical part of any compliance effort. “What I’ve found in my experience is that the database is often the forgotten layer, even though it’s the layer where the crown jewels—the data—usually resides,” says Scott Laliberte, global leader of information security assessment services for Protiviti, which conducts third-party audit assessments for enterprises. But improving the security of the database as part of a larger compliance initiative is doable, experts say. The trick is to follow six steps toward database compliance.
Wednesday, September 02, 2009
Five Ways To Meet Compliance In A Virtualized Environment
RSA and VMware have released five best practices for locking down virtual environments and meeting compliance requirements. The steps comprise platform-hardening, configuration and change management, administrative access control, network security and segmentation, and audit logging.
Thursday, May 07, 2009
Expert Names Top 10 Audit Issues of 2009
As IT environments become more complex, enterprises rely on them more than ever before, said Michael Juergens, principal at Deloitte & Touche, speaking at the ISACA CACS audit and compliance conference. Top challenges include cloud computing, virtualization, and a company’s own employees. “There may be a greater or lesser risk depending on your industry, technology, business processes, and other factors,” he added. He said that auditors should make a careful risk assessment at any enterprise that uses external cloud computing solutions. Juergens added that virtualization, often a key component of private clouds, carries the same risks as public clouds.
Monday, March 09, 2009
NIST suggests areas for further security metrics research
The National Institute of Standards and Technology (NIST) doesn’t have the answer for this, but scientists in its Computer Security Division have identified some areas for further research they hope might yield results.
Friday, February 20, 2009
Google’s Best practices against hacking
These days, the majority of websites are built around applications to provide good services to their users. In particular, are widely used to create, edit and administrate content. Due to the interactive nature of these systems, where the input of users is fundamental, it’s important to think about security in order to avoid exploits by malicious third parties and to ensure the best user experience.
Thursday, February 19, 2009
Gartner: Don’t assume SaaS is cheaper
The analyst firm said that there has been a “great deal of hype” around SaaS and that businesses had misconceptions about its cost. SaaS is cheaper during its first two years of use, Gartner said, but the total cost of ownership over five years would be lower for on-premises software. In its report “Fact-Checking: The Five Most-Common SaaS Assumptions,” Gartner also warned that SaaS was not necessarily faster to implement.
Wednesday, February 18, 2009
Clear Guide on How to Benefit from ISO27001 in a Windows® Environment Now Available
Independent compliance expert IT Governance has today announced the publication of ‘Implementing ISO27001 in a Windows® Environment’ (http://www.itgovernance.co.uk/products/2207), a step-by-step guide on implementing this major security standard, written with the aim of helping project managers, IT and security staff develop a shared understanding of what controls are appropriate to mitigate identified risks, and how, within the Windows® environment, to apply them.
Friday, January 30, 2009
During Layoffs, Superior ID Management Is an Imperative
More than 125,000 people have lost their jobs in the last month alone, and not all will have the best of intentions toward their former employers. Companies reducing their work forces must lock down user accounts, and solution providers can assist with identity management solutions. Under pressure from sagging earnings, the premium coffeehouse earlier this week announced that it would close 300 stores and lay off more than 7,000 workers. Microsoft, Boeing, AstraZeneca, Sprint and Home Depot are among the household-name companies to slash thousands of jobs this week alone. Regardless of industry or size, all companies reducing their work forces share something in common—all of their employees have some level of access to networks or applications.
Tuesday, January 13, 2009
Identity and access management 2009: Staff cuts, insider threats
What challenges will 2009 bring for identity and access management professionals?
Thursday, November 27, 2008
Human error is the No 1 IT security issue for UK companies
No matter how many policies and training schemes you put into operation, basic human error still poses the most likely threat to your company’s IT security, according to IT directors. 86 percent of all IT directors polled believed that the most likely cause of an IT security issue came from their own employees.
Saturday, October 25, 2008
Forensic Teams Take On Hackers
The sophistication of today’s cybercriminals is evidenced by the 2008 CSI Computer Crime & Security Survey’s results indicating that stealthy, highly targeted attacks have gone from hypothetical a few years ago to a significant problem today. Because attackers are primarily motivated by financial gain, as soon as they have your data, it’s being converted into profit by selling identities and corporate secrets and draining bank accounts.
Thursday, October 02, 2008
Why Risk Management Doesn’t Work
Two reports published in the last two days are challenging conventional wisdom about how to calculate enterprise security risk—and recommending new evaluations that account for industry-specific threats and potential rewards. Verizon today issued a supplement to the data breach report it published earlier this year. The report, which compares risk factors in six different vertical industries based on actual forensic breach investigations in those industries, indicates that the likelihood of specific types of attacks varies radically from industry to industry. In a separate report, RSA’s Security for Business Innovation Council recommends a new process for calculating enterprise risk that more accurately weighs business rewards against potential security threats.
Wednesday, October 01, 2008
How to Minimize the Impact of a Data Breach
Thirty-one percent of customers—nearly one-third of a company’s client base and revenue source—are terminating their relationship with organizations following a data breach, according to a recent study by the Ponemon Institute. When it comes to a data breach, companies are making some major mistakes and as a result, customers are beating the street—potentially paving a pathway for your fiercest competitor. The good news is you can prevent it and avoid the costly impact of a breach: first, by putting a proactive plan in place and second, by adopting tactics that maximize retention. Last year alone saw the exposure of nearly 128 million personal records.
Friday, September 12, 2008
Keys to Locking Down Storage Security on a Database
Enterprises most often keep their most valued data in structured storage inside a database of some kind, and hackers know it. Security consultant Ted Julian of Application Security offers a detailed look in several steps at how he believes database security should be implemented, starting with data discovery and moving all the way through the implementation of intrusion detection.
Thursday, July 17, 2008
Reinvigorate your Threat Modeling Process
We think about threats against our assets: our families, our jewelry, and our sentimental and irreplaceable photographs (well, those of us old enough to have photos that never existed in digital form do). We model threats based on architecture: there’s a wall here, a picture window there, and an easily climbed tree that we can use when we forget our keys. And we model threats based on attackers. We worry about burglars and kids falling into pools. We also worry about the weather, be it earthquakes, snow, or tornadoes. If I wanted to sound like a management consultant, I’d say you employ a mature, multi-dimensional assessment process, with a heavy reliance on heuristics and low reproducibility across instances.
Monday, June 23, 2008
Security and Business: Financial Basics
You need to find and use the right financial metrics to communicate security’s value to your company. Here are pros and cons of four: TCO, ROI, EVA and ALE.
Tuesday, May 13, 2008
The botnet business
Botnets have been in existence for about 10 years; experts have been warning the public about the threat posed by botnets for more or less the same period. Nevertheless, the scale of the problem caused by botnets is still underrated and many users have little understanding of the real threat posed by zombie networks (that is, until their ISP disconnects them from the Internet, or money is stolen from their credit cards, or their email or IM account is hijacked). This article discusses zombie networks or botnets: how they are created, who uses them to make money, and how this is done.
Friday, January 18, 2008
Tech Insight: Incident Response
Tuesday, October 30, 2007
After a Data Breach
The tangle of state notification laws can be exasperating—and costly. There are already more than 30 different notification requirements on the books. With more than 30 state data-disclosure notification laws now on the books, officials at many companies doing interstate business are hoping that cohesive national legislation will smooth out the nuances among differing statutes.
Wednesday, October 10, 2007
Bringing Security into the Development Process
Vendors and analysts warn that the open culture of application development can lead to security vulnerabilities and data leaks. When it comes to data leaks, most of the talk is about hackers breaking into networks or employees e-mailing and downloading sensitive information. But some vendors are paying more attention to the preproduction environment, where there are often security holes big enough to push a hard drive through. “The development environment and quality assurance environment have always been…significantly more open and free,” said Louis Carpenito, former vice president of information security business strategy at Symantec.
Monday, October 08, 2007
The top 10 reasons why Web sites get hacked
Web security is at the top of customers’ minds after many well-publicized personal data breaches, but the people who actually build Web applications aren’t paying much attention to security, experts say.
Thursday, September 13, 2007
Email Encryption Gets Easier
But are these new methods enough to convince enterprises to secure their messages with in-house systems – or that they even need to?
Wednesday, August 29, 2007
Security Economics
Salaries for IS practitioners have been rising constantly, the market for security products and services is much bigger than it was five or ten years ago, and more firms are entering it. Years ago the message was pretty blunt, concentrating on web defacements and Denial of Service takedowns: “the hackers are coming”. Now, sleek statistics from reputable firms or institutions are used, so the language has also become more grown up: “organizations should secure”, “we must ensure that every piece of critical information in a company is appropriately secured”, etc. The problem with these approaches is that the need for security is not personalized enough to trigger a buying decision.