Access Control

Access control is the assignment and enforcement of permissions on systems and network resources. Based on the entitlements granted, access control governs how a subject (a person, or a process acting on a person's or service's behalf) may interact with objects (networks, applications, programs, files, databases, etc.): which subjects can read, write, execute, or administer which objects, and which requests are refused.
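As an added example (not code from the original page), the following Python shows the subject/object model above as an explicit entitlement check: subjects inherit entitlements from their groups, anything not granted is denied, and an explicit deny overrides any allow. The subjects, groups, objects and entitlements are constructed for illustration.

```python
"""Subject/object access check with explicit entitlements.

Added example, not code from the original page. All subjects, groups,
objects and entitlements below are constructed.
"""

# Constructed group membership: a subject inherits its groups' entitlements.
GROUPS = {
    "alice": {"finance", "staff"},
    "bob": {"staff"},
    "svc-backup": {"backup-agents"},
}

# Constructed entitlements: (subject or group, object, action, effect).
ENTITLEMENTS = [
    ("staff",         "/share/handbook.pdf", "read",  "allow"),
    ("finance",       "db:payroll",          "read",  "allow"),
    ("finance",       "db:payroll",          "write", "allow"),
    ("backup-agents", "db:payroll",          "read",  "allow"),
    ("bob",           "db:payroll",          "read",  "deny"),   # explicit deny for one user
    ("alice",         "db:payroll",          "write", "deny"),   # deny beats the group allow
]


def principals(subject):
    """The subject itself plus every group it belongs to."""
    return {subject} | GROUPS.get(subject, set())


def is_permitted(subject, obj, action, entitlements=ENTITLEMENTS):
    """Decide one request: default deny, and any explicit deny wins."""
    allowed = False
    who_am_i = principals(subject)
    for who, target, act, effect in entitlements:
        if who in who_am_i and target == obj and act == action:
            if effect == "deny":
                return False          # deny-overrides: stop immediately
            allowed = True
    return allowed                    # False when nothing matched at all


if __name__ == "__main__":
    requests = [
        ("alice", "db:payroll", "read"),
        ("alice", "db:payroll", "write"),
        ("bob", "db:payroll", "read"),
        ("svc-backup", "/share/handbook.pdf", "read"),
        ("mallory", "db:payroll", "read"),
    ]
    for subj, obj, act in requests:
        print(f"{subj:>10} {act:5} {obj:20} -> {'ALLOW' if is_permitted(subj, obj, act) else 'DENY'}")
```

The two properties worth keeping in any real implementation are the ones the loop encodes: a request that matches no entitlement is refused rather than allowed, and an explicit deny cannot be overridden by a broader group grant.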


Tips for Selecting a Cloud-based Solution

This decade has emerged as the "decade of the cloud." While cloud has technically existed in earlier forms—application service providers and hosted solutions, for instance—for almost twenty years, the current cloud marketplace offers a wide selection of services designed to meet the requirements of organizations looking to outsource certain aspects of operations.


Domain Hijacking

Domain hijacking is a less frequently discussed but no less harmful attack on a company's or individual's Web presence. To establish a website, a domain name ("Companyabc.com") must be registered and a Web server (hosting service) procured. When a domain is hijacked, the attacker takes control of the domain's registration, typically by compromising the owner's account at the domain registrar (a company accredited by the Internet Corporation for Assigned Names and Numbers (ICANN) or by a national country-code top-level domain (ccTLD) registry), by social-engineering the registrar's support staff, or by re-registering a domain the owner allowed to lapse. With that control the attacker changes the domain's name server (NS) or address records, so that lookups for the name are answered by servers the attacker operates instead of the legitimate Web server. In effect, the attacker redirects traffic from the legitimate name server to one of his/her own. Once under new control, the criminal(s) can use the substitute name server to send visitors to a new IP address and defraud them, interrupt private communications between the server and user, access visitors' account information (steal passwords/credentials), hold the domain hostage from its rightful owner, deface the website, interrupt service, serve up malware, or perpetrate pharming or phishing attacks. Because the hijacked name still resolves normally and the site can be replicated, it is often extremely difficult for visitors to distinguish between the legitimate website and the co-opted one.
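The practical defence is to watch for exactly the changes described above. The following Python is an added example (not code from the original page) that audits a domain from two inputs a practitioner already has at hand: the NS answer a resolver gives (the format of `dig +short NS`) and the WHOIS record, which carries both the delegation held at the registry and the EPP status codes that show whether registrar locks are set. The domain names, name servers and WHOIS text are constructed so the script runs offline.

```python
"""Audit a domain for signs of hijacking: NS drift and missing registrar locks.

Added example, not from the original page. The inputs below are constructed:
they imitate `dig +short NS example.com` output and the lines printed by
`whois example.com`, so the script runs offline.
"""

# Constructed baseline: the name servers the domain owner expects.
EXPECTED_NS = {"ns1.hosting-provider.example.", "ns2.hosting-provider.example."}

# Constructed observation: a resolver's answer after one NS record was changed.
OBSERVED_DIG_NS = """\
ns1.attacker-dns.example.
ns2.hosting-provider.example.
"""

# Constructed WHOIS excerpt: delegation changed and no registrar locks set.
OBSERVED_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Registrar Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.ATTACKER-DNS.EXAMPLE
Name Server: NS2.HOSTING-PROVIDER.EXAMPLE
"""

# Constructed healthy case for comparison.
CLEAN_DIG_NS = "ns1.hosting-provider.example.\nns2.hosting-provider.example.\n"
CLEAN_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Registrar Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.HOSTING-PROVIDER.EXAMPLE
Name Server: NS2.HOSTING-PROVIDER.EXAMPLE
"""

# EPP status codes that stop an unauthorised transfer, update or deletion.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}


def parse_dig_ns(text):
    """Normalise `dig +short NS` output to lower-case FQDNs with a trailing dot."""
    names = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line:
            names.add(line if line.endswith(".") else line + ".")
    return names


def parse_whois(text):
    """Return (EPP status codes, name servers) from a WHOIS record."""
    statuses, servers = set(), set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "domain status":
            statuses.add(value.split()[0])          # drop the trailing ICANN URL
        elif key == "name server":
            servers.add(value.lower().rstrip(".") + ".")
    return statuses, servers


def audit_domain(expected_ns, dig_text, whois_text):
    """Return a list of findings; an empty list means nothing looks wrong."""
    findings = []
    observed = parse_dig_ns(dig_text)
    statuses, registry_ns = parse_whois(whois_text)
    unexpected, missing = observed - expected_ns, expected_ns - observed
    if unexpected:
        findings.append("DNS: unexpected name server(s): " + ", ".join(sorted(unexpected)))
    if missing:
        findings.append("DNS: expected name server(s) missing: " + ", ".join(sorted(missing)))
    if registry_ns != expected_ns:
        findings.append("WHOIS: delegation at the registry differs from the baseline")
    absent = REQUIRED_LOCKS - statuses
    if absent:
        findings.append("WHOIS: registrar lock(s) not set: " + ", ".join(sorted(absent)))
    return findings


if __name__ == "__main__":
    for label, dig, who in (("hijacked", OBSERVED_DIG_NS, OBSERVED_WHOIS), ("clean", CLEAN_DIG_NS, CLEAN_WHOIS)):
        print(label, audit_domain(EXPECTED_NS, dig, who) or ["no findings"])
```

Run it on a schedule against live `dig` and `whois` output and alert on any non-empty result. The locks it checks for are the ones a registrar sets on request; a separate registry lock, multi-factor authentication on the registrar account, and a renewal reminder that does not depend on a single mailbox close the other doors the paragraph lists.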


Applying Critical Thinking to Security FUD – Highlights from InfoSec World 2016

By Katherine Teitler 

April 19, 2016

Have you ever slowed your car while driving to gawk at an accident on the side of the road, or been frustrated by the car in front of you that did? Have you caught yourself mesmerized by a ridiculous YouTube video? This is the current state of Internet of Things security—it’s captivating and as a result, there’s been a whole lot of vulnerability hunting in the space. The more “OMG! This is what can happen!!” that appears in the media, the more we are drawn to it. Catastrophic, hyperbolic, apocalyptic movie plot scenarios sell, but unfortunately in security, falling into the FUD trap leaves us chasing the current drama instead of focusing on real, tangible security shortfalls.


What Shouldn't Be Automated, Really?

In preparing for my Cloud Security World 2016 talk, "Automagic! Shifting Trust Paradigms Through Security Automation," I've been thinking a lot about what can be automated, how to automate, and how to demonstrate and measure value around all that jazz. It has, however, occurred to me recently that perhaps I've been looking at this question all wrong; it’s not necessarily a question of whether something should be automated, rather it's a question of what shouldn't be automated.


Maneuvering, Understanding, and Applying Federal Compliance Requirements

If you are a System Owner (SO) in a commercial organization or a federal agency, maneuvering through, understanding, and implementing federal security and privacy compliance requirements can be a difficult hurdle. The Federal Information Security Management Act (FISMA) and the Federal Risk and Authorization Management Program (FedRAMP) are two very similar and yet very complex and time-consuming federal compliance requirements. When it comes to cloud-based technologies, the process can be even trickier since the data that will be stored in the cloud is now handed off to a third party, who may be located in a different jurisdiction, one not subject to U.S. federal requirements. In addition, your data may be co-mingled with other companies' data, and those companies may have entirely different security and compliance requirements.


Highlights from Infosec World 2016 talk: May I have your Retention?

By Katherine Teitler 

April 13, 2016

The entire security industry knows we have a staffing problem. With demand for security talent far greater than supply, companies with the right resources are positioned to lure top talent from competitors while everyone else is scrambling to find anyone with adequate technical acumen to learn the craft. In today’s world, though, “adequate” doesn’t quite cut it, and there’s scant time in which to become an expert.

So here we are again, back to doom and gloom…


Insider Threat

The term "insider threat" refers to the potential for an insider at an organization, such as an employee or contractor, to cause harm to company-owned or company-confidential data or systems, whether deliberately or through negligence. In recent years, the term has expanded to cover third parties, such as suppliers and partners, that have legitimate knowledge of, and access to, the organization's networks, applications, and data.


By Katherine Teitler 

April 11, 2016

InfoSec World 2016 is now in the books. For the better part of a week, infosec pros took over The Contemporary Resort to discuss everything from building an incident response plan to leadership skills to active defense and trust. One-size-fits-all does not apply when it comes to security, since every organization faces distinct challenges based on its threat profile, industry, internal resources, architecture, external network, and more, but a few themes emerged throughout the event.


By Katherine Teitler 

April 7, 2016

You know the saying: Bigger isn’t necessarily better. When it comes to conferences, however, knowing your audience’s interests and preferences is key to putting on a great event. Audience inclinations can also indicate subtle shifts in the market that haven’t yet fully emerged, or they can highlight the fact that there are some legacy issues we still haven’t mastered.


Shellshock

The Shellshock Bash bug (CVE-2014-6271) was a remote code execution vulnerability in GNU Bash, publicly disclosed on September 24, 2014. Bash imported shell function definitions from any environment variable whose value began with "() {", and kept executing whatever followed the function body, so any program that placed attacker-controlled data into the environment of a Bash process (most notably CGI web scripts, which export HTTP request headers as environment variables) could be made to run arbitrary commands. A researcher named Stéphane Chazelas discovered the bug and reported it privately to Bash's maintainer, Chet Ramey, so that a patch could be developed before disclosure; the first fix proved incomplete and follow-up patches were needed.
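The widely used one-line test for the bug puts a function definition with a trailing command into the environment and runs bash: a vulnerable bash executes the trailing command while importing the function, a patched bash does not. The following Python wraps that test so it can be run from a host inventory script. It is an added example, not code from the original page; the marker string and the `bash_is_vulnerable` name are assumptions.

```python
"""Check whether the local bash still has the Shellshock flaw (CVE-2014-6271).

Added example, not from the original page. It runs the well-known test:
an environment variable whose value starts with "() {" followed by a
trailing command. A vulnerable bash runs the trailing command while
importing the function; a patched bash ignores it.
"""
import shutil
import subprocess

MARKER = "SHELLSHOCK-VULNERABLE"   # assumed marker string, chosen for this example


def bash_is_vulnerable(bash_path=None):
    """Return True if bash executed the trailing command, False if it did not,
    and None when no bash binary is available to test."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    # The variable's name is irrelevant; only the "() {" prefix matters to a
    # vulnerable bash. The environment is replaced wholesale so nothing else
    # on the host influences the result.
    env = {"PATH": "/usr/bin:/bin", "x": "() { :; }; echo " + MARKER}
    try:
        proc = subprocess.run([bash, "-c", "echo test"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return MARKER in proc.stdout


def classify(result):
    """Map the tri-state result to a label for a report."""
    return {True: "vulnerable", False: "patched", None: "no bash found"}[result]


if __name__ == "__main__":
    print("bash:", classify(bash_is_vulnerable()))
```

In a CGI deployment the same payload arrives as a request header (for example User-Agent, which the web server exports as HTTP_USER_AGENT), which is why a bug in a local shell became remotely exploitable against web servers. Only the `x` variable and `PATH` are passed to the child, so a positive result is attributable to bash itself and not to anything inherited from the caller.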


China announces a new association that will improve the country’s cybersecurity

By Katherine Teitler 

April 4, 2016

Geopolitical cyber war is a fairly well established practice: You break into my nation-state thing; I’ll hack you back. President Obama and Chinese President Xi Jinping even met in Washington, D.C. this past September to discuss (and announce) the desire of both parties to curb intellectual property theft. This move came after several U.S. companies and government agencies admitted falling victim to major data breaches, supposedly at the hands of Chinese adversaries (N.B., the Chinese government has neither rebutted nor substantiated the accusation). Shortly thereafter, President Obama proposed a $19 billion Cyber Security National Action Plan aimed at protecting U.S. citizens, enterprises, and governments.


A “win” for the FBI doesn’t mean a loss for user data privacy

By Katherine Teitler 

March 30, 2016

If Hollywood doesn’t make a movie out of the Apple vs. FBI debate, someone is missing the boat. As proven by the recent Oscar winners, “Spotlight” and “The Big Short,” audiences eat up controversial subjects, especially when the impact of the controversy affects them or loved ones. Apple vs. the FBI is not, by most equations, as monumental as the global economic crisis of 2008-2009 or the abuse scandal of the Catholic Church, but it has gotten a rise out of the public, law enforcement, and security and privacy advocates across the globe. It has brought into question the matter of how much control users have over their personal data, and how much technology providers can and should be doing to protect customers’ right to privacy; everyone involved is taking this matter very, very personally.


Intrusion Prevention System

The intrusion prevention system, or IPS, first appeared in the early 2000s and was in common use by the middle of that decade. It is a rules-based network security appliance that sits inline on the traffic path and inspects network traffic for anomalous or malicious activity. An IPS is used to identify potential threats, intrusions, or policy violations; log events; report them; and, unlike a passive intrusion detection system (IDS) that can only alert, drop or block the offending traffic as it passes through.
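To make the log/alert/block distinction concrete, here is an added example (not code from the original page) of a small inline rule engine in the style of an IPS. It applies signature rules to each event's payload, keeps one piece of state for a threshold rule (a port sweep from a single source), and returns a verdict that depends on whether the sensor is running as a passive IDS or as a blocking IPS. The rules, the events and the `Sensor` class are constructed for this example.

```python
"""Toy inline rule engine showing how an IPS logs, alerts and blocks.

Added example, not the page's own code. Rules, events and the Sensor class
are constructed; a real IPS sits inline on the wire and drops the packet
instead of returning a verdict string.
"""
import re

# Constructed signature rules: (name, pattern over the payload, action).
SIGNATURES = [
    ("SQLI-TAUTOLOGY", re.compile(r"(?i)(\bor\b|\band\b)\s+1\s*=\s*1|union\s+select"), "block"),
    ("DIR-TRAVERSAL",  re.compile(r"\.\./"), "block"),
    ("ADMIN-PROBE",    re.compile(r"(?i)/phpmyadmin"), "alert"),   # log only
]
SCAN_THRESHOLD = 5   # distinct destination ports from one source => port sweep

# Constructed events, as a sensor would extract them from packets.
EVENTS = [
    {"src": "203.0.113.5", "dst": "10.0.0.8", "dport": 80, "payload": "GET /index.html HTTP/1.1"},
    {"src": "203.0.113.5", "dst": "10.0.0.8", "dport": 80, "payload": "GET /items?id=1' OR 1=1-- HTTP/1.1"},
    {"src": "203.0.113.5", "dst": "10.0.0.8", "dport": 80, "payload": "GET /phpmyadmin/index.php HTTP/1.1"},
    {"src": "203.0.113.5", "dst": "10.0.0.8", "dport": 80, "payload": "GET /static/../../etc/passwd HTTP/1.1"},
] + [
    {"src": "198.51.100.7", "dst": "10.0.0.8", "dport": p, "payload": ""} for p in (21, 22, 23, 25, 443)
]


class Sensor:
    def __init__(self, mode="ips"):
        self.mode = mode            # "ids": log and alert only; "ips": may block
        self.ports_by_src = {}      # state for the threshold rule
        self.log = []

    def inspect(self, ev):
        """Return "allow", "alert" or "block" for one event and record hits."""
        hits = []
        seen = self.ports_by_src.setdefault(ev["src"], set())
        seen.add(ev["dport"])
        if len(seen) >= SCAN_THRESHOLD:
            hits.append(("PORT-SWEEP", "block"))
        for name, pattern, action in SIGNATURES:
            if pattern.search(ev.get("payload", "")):
                hits.append((name, action))

        verdict = "allow"
        for name, action in hits:
            if self.mode == "ids" and action == "block":
                action = "alert"    # a passive sensor can only report
            self.log.append(f"{name} {ev['src']}->{ev['dst']}:{ev['dport']} {action}")
            if action == "block":
                verdict = "block"
            elif verdict == "allow":
                verdict = "alert"
        return verdict


def run(events, mode="ips"):
    """Feed events through one sensor; return the verdicts and its log."""
    sensor = Sensor(mode)
    verdicts = [sensor.inspect(ev) for ev in events]
    return verdicts, sensor.log


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, log = run(EVENTS, mode)
        print(mode, verdicts)
        for line in log:
            print("   ", line)
```

The same rules produce only alerts in IDS mode and a block in IPS mode, which is the practical difference between the two: an IPS's false positives cost availability, so rules that are acceptable as alerts often need tightening before they are allowed to block.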


Message encrypting apps are helping users take privacy into their own hands

By Katherine Teitler 

March 28, 2016

A recent story in the New York Times shared information on a new crop of secure messaging apps for smartphones. The article, posted in the “Personal Tech” section, offered snippets of information about the functionality of five different consumer-focused tools. These apps, if only generically, likely are not new news to security professionals (most of whom have long considered themselves “professionally paranoid”), but it is noticeable when mainstream media is disseminating information about data encryption to the general public.


NanoCore Trojan

The NanoCore Trojan is a modular Remote Access Trojan (RAT) written for the .NET Framework that first appeared in 2013. Once executed on a Windows host, it installs itself to persist across reboots, runs in the background, connects out to its operator's command-and-control (C2) server, and loads plugins that let the operator control the compromised computer and steal information from it, including keystrokes, credentials, files, and screen captures.


Researchers are paving the way to user-controlled app data privacy

By Katherine Teitler 

March 22, 2016

Major technology providers are not the only ones thinking about how to best protect user data. Users, too, are becoming increasingly concerned, and when those users are PhDs and professors at some of the world’s top universities, innovation is spawned.

Last week, MIT News posted an announcement about Sieve, a secure, cryptographic system that allows users to control the type of data access the applications with which they interact receive. Frank Wang, a PhD candidate in electrical engineering and computer science at MIT, first had machinations of such a system while using his Fitbit over a year ago. 


So, How is that Risk Management Thing Workin' For Ya?

We are currently engaged in a war to achieve victory over risk. Okay, perhaps "war" is not the right way to describe the status quo. None of us can ever achieve total victory over risk. Any expert will say some risk always persists in any activity we undertake. So instead, let's say we are currently engaged in a battle to control risks. Of course, the real battle is not to control risk, but to prevent the risks from serving as openings through which threats can exploit vulnerabilities. There seems to be no end to that battle; there are occasional wins and even more frequent substantial, continuing losses. So, perhaps we are not controlling risks, just trying to manage the adversities we experience. Oh, that's right, the 21st century is all about risk management.

