Infosec Insider

It’s no mystery that the world of cybersecurity constantly faces a massive challenge. It has to pre-empt attacks, predict how hackers will use new attack vectors, and defend their environment against all existing attacks and attacks that may not even exist yet. In this feature, we go over one of the more obscure, but dangerous and difficult attacks to defense against—airborne attacks.

In this article, we’ll go over what devices infosec departments should have an eye on and how to tackle the challenge of BYOD head-on. For an expert’s perspective, we spoke to Georgia Weidman, founder of Shevirah, a mobile and IoT testing company.

Cybersecurity awareness training is a critical component to your security hygiene. The most effective training programs are offered frequently and use available frameworks, focus points, tools, and tactics to build a culture where cybersecurity is embraced, not avoided or shunned.

What's the state of artificial intelligence in the enterprise today? More importantly, how can the security and risk department benefit from its benefits to measurably reduce risk within the business? InfoSec Insider caught up with Neil Larkins, CTO at Egress Software, who breaks it down for us.

InfoSec Insider catches up with Armis co-founders Yevgeny Dibrov and Nadir Izrael who discuss the current climate as it relates to IoT security, and offer up some dos and don’ts when it comes to connected devices within the enterprise.

Tripwire's Tim Erlin chats with InfoSec Insider on the state of cyber hygiene in 2018, where we are, why we're there, and highlights different areas that security practitioners are failing to cover as it relates to securing the business.

For consumers looking for an easier-to-use login experience, there is a solution: push authentication. This approach is a vast improvement over sending a one-time passcode via SMS and is truly the most secure method of 2FA.

The rise of IoT has introduced new challenges to security in the enterprise. Like most security challenges, protecting against threats is the basic work of good IT hygiene. Organizations can adopt existing identity management best practices to meet this new challenge.

What is the bottom line from a security perspective when it comes to mobile payments? In the current state of the ecosystem, mobile security expert Aaron Turner offers up his take and advice on the topic.

Summer will be over before you know it and for many of you, it might be time to hit the road again for business travel. Before you pack up all of your devices, you might want to keep some of this advice in mind to ensure your data is secure.

IoT, home automation, government surveillance, and new privacy regulations all pose a challenge to your organization, but you don't have to let those challenges eat you alive.

You picked them! Here's a look at the most read articles published on InfoSec Insider in 2017. From CASB to threat intelligence, you'll find a unique mix of some engaging content that answers some of your pressing questions.

Aetna CSO Jim Routh discusses why he believes passwords are obsolete, how he’s done away with them at Aetna, and why and how security managers can take a similar approach.

Trustwave Threat Intelligence Manager Karl Sigler discusses the non-traditional devices that security professionals should have on their radar and how thermostats can figuratively turn up the heat for infosec pros, and literally for the enterprise.

A discussion on the impact that IoT attacks have had on enterprises, and tips on what security managers can do to face these challenges head on.

In a brief filed with the Supreme Court earlier this month, 15 major U.S.-based technology companies petitioned the court on the subject of digital data. 

The proposed "Internet of Things Cybersecurity Improvement Act of 2017" signals a shift in attitudes about cybersecurity's impact on public safety.

Connected devices are trickling into the enterprise. While these four devices should be monitored by security managers, they may not currently be on their radar.

Enterprise security professionals have been lax in our demands for visibility into how cellular networks put our organizations at risk. 

Identity in the digital world has always been a point of contention for information security practitioners. 

A run-through of the four best practices that every security manager should follow when implementing a bring-your-own-device policy.

When WikiLeaks released a repository of hacking tools and techniques used by the CIA, the initial reaction was shock and awe, followed quickly by piqued interest, then a bit of annoyance. 

Consumer-grade mobile devices have been inserted into corporate environments while security teams are forced to sit on the sidelines of decision making. 

The majority of people don’t even know every place their personal information has been provided or acquired, and it’s this quagmire that keeps privacy officers up at night.

When I started working in security I was taught, like most of us, to adopt a risk management control framework such as NIST, ISO, PCI, etc. and measure the alignment of security practices with control standards, procedures, and policies from the framework. 

While some security professionals have climbed the ranks based on their technical know-how, it’s the transition into the business leadership role that tends to present the challenges for chief security officers. 

Just when you thought the infamous “Nigerian Prince” was a ubiquitously understood joke, it seems the security industry still has a long way to go when it comes to phishing. 

The President of the United States is apparently using an Android phone, and likely an outdated version, at that. Despite reports that the newly inaugurated president was, in typical fashion, offered a “secure, encrypted device approved by the Secret Service,” it appears Mr. Trump prefers his own personal device. Don’t we all?

As networked computers disappear into our bodies, working their way into hearing aids, pacemakers, and prostheses, information security has never been more urgent -- or personal. A networked body needs its computers to work well, and fail even better.

As the results of the Anthem breach investigation make their rounds, the security industry is reminded once again that phishing is a highly effective attack method.

Many uncertainties await the world when the new United States administration takes office on January 20, 2017. The President-elect, while extremely vocal on the campaign trail, has been disconcertingly cagey in the weeks leading up to inauguration. 

The New Year is close upon us and many security firms and media outlets are busy publishing 2017 predictions or “the year in review.” Rather than following suit, we’d like to propose a New Year’s resolution to all security practitioners (and office workers, in general, really).

Today, many organizations’ executive teams and boards of directors conflate cybersecurity and risk. Risk management is a broader practice than security alone, but cybersecurity is an increasingly “big ticket item” on boards’ agendas—alongside other more traditional risk discussions—since it’s clear that a major breach can impact the organization in meaningful ways. 

Last week, as much of the U.S. was inconvenienced by the widespread DDoS attack on many popular websites, Joomla! casually released a notice warning of a critical patch to its software.

Rumblings about the security talent deficit are pervasive. Just like news of recent breaches, it’s hard to get through a week without reading an article, viewing a webcast, or attending a conference during which the subject is not addressed. 

Twenty minutes before the talk was scheduled to begin, attendees anxiously queued up outside the center ballroom to hear Chris Hadnagy present Mindreading for Fun and Profit Using DISC. Hadnagy, a renowned social engineer and DerbyCon staple, promised to share with the audience “how to use a quick and easy profiling tool to make targets feel as if you can read their minds.”

By many estimates, the demand for information security practitioners far exceeds availability. As security becomes an appreciable concern for large and small companies alike, it stands to reason that the industry is going to face a serious shortage in the coming years if new practitioners aren’t found or cultivated.

Unless you're oblivious to the news, you're well aware that the information security industry is getting a lot of attention. Be it the headline-grabbing breaches taking place on a seemingly frequent basis, or the fact that the number of digital internet-connected devices per capita is increasing constantly.

Like it or not, fall is right around the corner, and for many private enterprises, fall means Q4 which means facing the dreaded budgeting season. If budgeting itself weren’t cumbersome enough, cybersecurity budgets—even if they stand alone—are often part of a larger function. 

Political staffer Huma Abedin has been dominating media headlines as of late for a number of issues, including leaked emails uncovered by Citizens United and released publicly by Fox News. In the exposed emails, she refers to an intent to leave her mobile device, specifically a BlackBerry, behind during a 2009 trip to Russia.  

Information security teams face a serious problem when they are unable to detect the presence of a threat actor inside organizational systems. Knowing who has access to key applications is an imperative for trying to protect the company, yet according to a new report published by Okta that may not be a case.

Calls for presentations: Depending on whom you ask, CFPs are either a great opportunity for subject matter experts to display knowledge and vie for a coveted spot on a conference program, or an absolute nightmare, as the intended speaker carefully calculates the best topic to submit.

  The evolving threat landscape makes it incredibly difficult for security professionals to protect their organizations. You’d think that with the abundance of security solutions deployed they’d be able to manage cyber risk effectively, yet, the technology that’s intended to protect their organizations may be causing more problems.

All organizations know that flexibility, productivity, and personalization were drivers of the BYOD movement that started to take hold five, six years ago. Nowadays, the term is barely used, but BYOD'ing is commonplace at 99% of organizations, according to a new study conducted by IBM and sponsored by ISMG.

Yesterday, mobile security firm, Wandera, released findings from the company’s research into the state of mobile application security. The report, “Assessing the Security of 10 Top Mobile Apps,” is an attention-grabber.

A recent story in the New York Times shared information on a new crop of secure messaging apps for smartphones. The article, posted in the “Personal Tech” section, offered snippets of information about the functionality of five different consumer-focused tools.

Once upon a time, phones were only used to make calls. For most of us, our phone is a mobile office; central to a great deal of our daily activity, our phones are the hub through which our email, text messages, news, social media, calendars, driving directions, fitness goals, and so much more are all brought to us, organized, recorded, and shared.

The security field needs more practitioners. The insanity that is our “always-connected” world necessitates more resources to manage, monitor, and maintain personal and enterprise data – from email accounts to mobile phones to chock-full-of-tech refrigerators.