There are a slew of threats aimed at industrial control systems, and security warriors in that space need to constantly be on their toes. We caught up with Sergio Caltagirone, vice president of threat intelligence at Dragos, who shared how infosec pros in the ICS world can get started with threat profiling.
Cybersecurity remains a persistent challenge in information technology, and for IT security professionals, AI and other tools are valuable for organically managing cybersecurity without depending on vendors that might have more sophisticated tools and experience using them.
In this follow-up video, the DeMISTIfying Security experts discuss two recent containerization-related issues and how the modern-day security warrior can venture into the unknown to effectively tackle challenges such as this.
So many vendors, so little budget. Security departments are constantly tasked to know how to properly allocate funds to staffing, resources, tools, solutions, software, vendors, third-party contractors, and more. Even an unlimited budget wouldn’t help as security departments can find themselves bloated with software or vendors, leading to an inefficiently run department.
From steering clear of marketing buzz to the impact of misinformation, DeMISTIfying Security hosts Ed Moyle and Raef Meeuwisse point out the security assumptions that could be catastrophic to any security practitioner’s role.
In this article, we’ll go over what devices infosec departments should have an eye on and how to tackle the challenge of BYOD head-on. For an expert’s perspective, we spoke to Georgia Weidman, founder of Shevirah, a mobile and IoT testing company.
Last week the DeMISTIfying Security hosts explored the Zero Trust model. This follow-up segment takes things one step further as security veteran Ed Moyle explains how you can get a jump on kickstarting Zero Trust within your organization.
The only thing worse than having a huge problem is having a huge problem and not realizing it. Believe it or not, many organizations are in the latter boat right now. Specifically, many organizations are undergoing a proliferation of secrets at a scale and scope that eclipses the ability of mechanisms and controls they may have in place to keep them protected.
Emotet is a highly sophisticated malware with a modular architecture, installing its main component first before delivering additional payloads. In this contributed article, Darktrace's Max Heinemeyer, director of threat hunting, breaks down the threat.
Last week we shared the first part of this two-part series on cyber threats in 2019. This week we wrap up the remainder of the insights we shared thanks to our conversation with subject matter expert Adrian Sanabria, VP of strategy and product at NopSec.
In the latest edition of MISTI’s DeMISTIfying Security, Ed and Raef dissect the zero trust model. From the pros and cons, to the obstacles you may face rolling out this philosophical approach to security, this week’s segment will shed new light on this topic.
InfoSec Insider caught up with one SME that helped us put together a list of the looming threats your company should keep an eye on and how organizations can defend themselves accordingly. Here's a look at what you should have on your radar.
The term threat hunting has been tossed around a lot, but what does it actually mean and can your cybersecurity playbook benefit from it? Many organizations are tapping into its benefits, so we've decided to provide you with a breakdown in this feature article.
Social engineering is unique in the cybersecurity world as its scope of influence can vary widely on the software, hardware, and even psychological level. In this article, we’ll cover social engineering attacks and help you learn from recent developments in the space.
In last week's segment, Ed and Raef discussed some of the major developments in infosec in 2018. This week, they take out their crystal ball and look into 2019, sharing their thoughts on what many practitioners could expect.
Artificial intelligence is found in homes across the globe, and it's also being leveraged by troves of organizations across the country. But how mature is the technology and how open should you be to adopting it as part of your security strategy? In this exclusive interview, we catch up with one expert who breaks it down for us.
In the latest installment of InfoSec Insider’s DeMISTIfying Security series, security experts Ed Moyle and Raef Meeuwisse return to review the major breaches, developments, and takeaways that you can get from information security events in 2018.
Like it or not, the digital transformation era is here. But what does that actually mean--and more importantly--what does that mean to you? We caught up with Zscaler's Business Value Consulting Leader, Jason Georgi, who broke it down for InfoSec Insider.
InfoSec Insider catches up with the Cloud Security Alliance's Jim Reavis, who shares what security leaders should be focusing on when it comes to cloud security in 2019. You'll want to take note of these insights and predictions.
As 2018 wraps up, InfoSec Insider looks back at some of the most popular articles we've produced for our loyal audience. From communicating security metrics to the board and making sense of attack patterns, to key areas that you should focus your cybersecurity strategy on, here's a list of the top 10 articles.
Security practitioners that are looking to migrate their business to the cloud in a successful manner have to consider quite a lot. That's why InfoSec Insider caught up with security leader and industry veteran Mark Arnold during this video interview where he quickly breaks down what you should and shouldn't be doing when it comes to the topic.
The idea behind collaborative security is to change the security and threat landscape from the daunting “one vs. many” to “many vs. many,” embracing the power of knowledge and collaboration to protect valuable data.
In this walkthrough, InfoSec Insider experts Ed Moyle and Raef Meeuwisse demonstrate one useful exercise that can aid security practitioners in getting a lay of the land in their organization, serving as the perfect first step in ultimately measuring and reducing information security risks.
InfoSec Insider SMEs Ed Moyle and Raef Meeuwisse are back, but this time they're talking fundamentals. If you're an up-and-coming security warrior, you'll definitely want to heed this advice from the two infosec experts.
This will probably be a contentious point for some, but there are situations where a penetration test isn’t the best use of an organization’s resources. Here, we examine what is (and isn't) a pentest, and what its goals should be depending on your organization's needs.
InfoSec Insider catches up with Armis co-founders Yevgeny Dibrov and Nadir Izrael who discuss the current climate as it relates to IoT security, and offer up some dos and don’ts when it comes to connected devices within the enterprise.
Conducting penetration testing via simulated attacks on your organization's network is the best way to help your business evaluate the strength of your network security protocols and identify any backdoors, weaknesses, and gaps between different security tools, and prioritize risk. This contributed article explains why.
Data privacy and protection is an often underappreciated aspect of information security, but in many ways, it provides the foundational groundwork for a well-established security environment that offers internal and external reassurance. Here's why and how you should train up your team.
On Tuesday InfoSec Insider kicked off a how-to video series that focuses on topics surrounding the challenges that our readers face on a daily basis. In this companion video, security expert Ed Moyle provides a deep dive on how you can protect your organization from cryptocurrency mining malware and cryptojacking.
Security experts Ed Moyle and Raef Meeuwisse dissect the topic of cryptocurrency mining malware and cryptojacking; what it means to you as a security professional and how you can protect the enterprise from it.
What's the best way to detect network risks and other vulnerabilities from cyber threats? If you guessed a pen test, then you're right. In this feature article, we've created a no-nonsense that answers pertinent questions about penetration testing.
Arctic Wolf's Sam McLane sits with InfoSec Insider at the Black Hat Conference in Las Vegas to discuss the major dos and don'ts when it comes to incident response, in addition to some misconceptions that some security practitioners may have on the topic.
At the end of the day, PowerShell is an enormously flexible, valuable, and helpful tool in any enterprise administrator’s toolbox, so “turning it off” isn’t really a viable option for most shops. In this informative feature, subject matter expert Ed Moyle explains why.
Tripwire's Tim Erlin chats with InfoSec Insider on the state of cyber hygiene in 2018, where we are, why we're there, and highlights different areas that security practitioners are failing to cover as it relates to securing the business.
By Jackson Shaw, VP of Product Strategy, One Identity
August 28, 2018
The rise of IoT has introduced new challenges to security in the enterprise. Like most security challenges, protecting against threats is the basic work of good IT hygiene. Organizations can adopt existing identity management best practices to meet this new challenge.
Threat modeling is essential to becoming proactive and strategic in your operational and application security. In this feature article, you'll learn what threat modeling is, how it relates to threat intelligence, and how and why to start.
Cylance’s Colt Blackmore discusses why leveraging AI isn’t limited to purchasing an out-of-the-box solution and details the critical steps that security practitioners should take to successfully utilizing the technology to their organization’s advantage.
The dark web is one of those elusive subjects that can often get misinterpreted. We spoke to Reclamere's Connie Mastovich to get her expert take on what the dark web is, what risk it poses to companies, and how to protect yourself from it.
Farsight CTO Merike Kaeo discusses why DNS is still be underutilized as a security tool today, shares some examples of lessons-learned that could apply to you, and provides steps you can take to ensure you’re taking advantage of your DNS infrastructure.
When it comes to making security purchasing decisions, many practitioners tend to follow the crowd. But given the variables tied to making those decisions, that may not be the best route to go. Here's why.
Cisco's Edna Conway shares her insight on what infosec leaders can do to ensure that security becomes an active discussion about the way you operate within the business, rather than an added bolt-on feature.
Bugcrowd’s Keith Hoodlet outlines the importance of attack driven development and offers up the key steps security practitioners should take for this approach to have a positive impact on their overall security strategy.
Uber’s Melanie Ensign discusses the relationship between the communications function and infosec teams and offers up some uncommon communication tips for security leaders that may have a skewed view of the communications department within their organization.
Given the troves of education information, training, and technology available to security professionals, you’d think they’d be a step ahead of malicious actors. But this overabundance of information may actually be causing more harm than good. Here’s what one expert had to say about the “fog of more.”
Are you taking the right approach when it comes to threat intelligence? We caught up with one subject matter expert that provides some uncommon tips on developing a successful threat intelligence program.
Today's threat landscape is like a tentacled sea monster that security practitioners have to battle on a daily basis. In this feature story, we highlight the top five most likely cyber risks to organizations today.
Tackling GDPR means knowing where all your data reside, even if they're outside of your direct control. Here we take a look at how you can tackle this initiative even if you're a bit late given the time of year and when the regulation goes into effect.
Phishing attacks aren't going anywhere any time soon. In fact, these scams have only grown in popularity among attackers. This helpful article dispels the four common phishing myths to help employees and outside partners be even more adept at identifying these crimes.
Is your organization adequately equipped to identify anomalous patterns across the network? If you're doubtful, it may be time to try out alternative models that will help you detect previously unknown attacks.
Given today’s content-driven society, it benefits cybersecurity and threat intelligence practitioners to gain some understanding of the psychological strategies and exploitation techniques within the intelligence and counterintelligence tradecraft.
You picked them! Here's a look at the most read articles published on InfoSec Insider in 2017. From CASB to threat intelligence, you'll find a unique mix of some engaging content that answers some of your pressing questions.
By Katherine Henry & Brendan Hogan, Bradley Arant Boult Cummings LLC
December 18, 2017
Cybersecurity professionals can provide valuable input in their companies’ procurement of cyber insurance, and should be involved in all phases of cyber insurance procurement and management. Here are some important areas you should focus on.
Security professionals are over the hype surrounding threat intelligence. Now, they're aiming to find better ways to operationalize it. In this interview with Digital Shadows' Rick Holland, he explains why structured analytic techniques are an effective way to make sense and leverage your threat intelligence data.
Ixia Director of Application and Threat Intelligence, Steve McGregory, discusses how cyber attackers are evading network detection, and shares tips on how organizations can move towards better prevention and detection.
Trustwave Threat Intelligence Manager Karl Sigler discusses the non-traditional devices that security professionals should have on their radar and how thermostats can figuratively turn up the heat for infosec pros, and literally for the enterprise.
In a network perimeter-less world, enterprise security practitioners need ways to verify the authenticity of applications and the devices and users running those applications; firewalls just fall short.
In our last article, we discussed how disciplines like psychology and behavior-profiling can help us to better understand the adversary at the end of the keyboard. Now we are going to extend similar disciplines to ourselves as intel analysts.
Michael Daniel, the former cybersecurity advisor to President Obama and current president of the Cyber Threat Alliance, offers up his thoughts on why information sharing is a critical component of combatting cyber threats today.
We’ve all heard about the security staffing shortage; it attracts a lot of press and is hard to ignore. If you’re currently working for an organization that is not hiring, you, yourself, might be receiving regular calls from recruiters about one of the estimated 1 million open positions. Maybe you’re even covertly scoping out your next job opportunity.
Depending on your source, insider threat accounts for anywhere from 27% - 77% of all breaches. Despite the disparity in agreement about size of the problem, most security practitioners agree that the difficulty identifying insider threat is greater than identifying external threats.
The hurdles chief information security officers face today are more daunting than ever, given the evolving threat landscape, but most importantly, the current state of technology within the enterprise.
When I started working in security I was taught, like most of us, to adopt a risk management control framework such as NIST, ISO, PCI, etc. and measure the alignment of security practices with control standards, procedures, and policies from the framework.
While some security professionals have climbed the ranks based on their technical know-how, it’s the transition into the business leadership role that tends to present the challenges for chief security officers.
What is security’s purpose if not to help with risk management? Organizations run on varying degrees of risk—financial risk, operational risk, market risk, sociopolitical risk, etc.—and information security has become a big piece of the risk picture.
As a person who currently focuses on security awareness, hearing about or witnessing successful phishing attacks is frustrating. What is more frustrating is listening to security professionals blame users for falling for a phishing message instead of looking at themselves.
Leadership is a lot like playing in an orchestra. For those less familiar with an orchestra setting, let me explain. The basics: A traditional orchestra is made up of strings, woodwinds, brass, and percussion, plus keyboards.
It’s true that cyberspace is growing by the day, and as companies and individuals add more information to internet-accessible sources, the risk of compromise of that data grows in parallel. With this greater risk comes more responsibility.
A funny thing happened on the way to designing threat intelligence programs….we forgot about the risks! We as an industry tend to buy a lot of tools, sift through a lot of data, and send out a bunch of reports, but we forget to ask what we are really doing all of this for.
The most fundamental part of incident response planning is to understand that it’s a living, breathing cycle. An organization can’t slap a plan together and expect that plan to carry the team through the next three to five years.
To say that the security vendor marketplace is crowded would be an understatement. For any problem a security team faces that can be aided with technology, look no farther than a conference expo floor and you’re sure to find (at least) dozens of self-proclaimed solutions in any given category.
Big data and the Internet of Things are two buzzwords that rang through the halls and show floors of security conferences across the nation for quite some time. Although ambiguous, the terms took the industry by storm.
After planning to prepare to attend a security conference and deliberating your engagement strategy onsite, the next step in maximizing your security conference experience is thinking through how to get the most out of the information, ideas and advice provided during the event.
In part one of this series on “Maximizing Your Security Conference Experience in 2017” we explored how preparing to attend an industry conference can yield positive results in terms of extracting value onsite. It’s not enough, though, to create a plan then sit back and wait for it to unfold.
Jumping back into work at the start of a new year propels many to evaluate plans and commit to better habits, greater value, and generally getting the most out of work and/or life. It’s good to take a step back and think through what worked during the past year, what didn’t, and muse on how to maximize one’s efforts.
Earlier this year, Forbes published its view of the “10 Most Stressful Jobs in 2016.” Admittedly, the security profession isn’t as physically dangerous as fighting fires or piloting an airplane, but security comes with its own unique set of threats that make day-to-day work incredibly stressful.
As we continue to ramp up our efforts in providing you with a resourceful library of content you can rely on, we’ve decided to reflect on some of the top InfoSec insider articles of 2016, based on the engagement we’ve received from our readers.
Many uncertainties await the world when the new United States administration takes office on January 20, 2017. The President-elect, while extremely vocal on the campaign trail, has been disconcertingly cagey in the weeks leading up to inauguration.
“Security has a secret power: threat intelligence,” quipped Dave Ockwell-Jenner, Senior Manager, Security Threat & Operational Risk Management (STORM) at SITA, during MISTI’s recent Threat Intelligence Summit in New Orleans, Louisiana.
Indeed, effective, successful organizations are attempting to proactively identify threats and indicators of compromise before they present serious destruction to the victim organization. Even the most robust and mature threat intelligence programs, though, aren’t immune to a breach.
The days of focusing on the perimeter are over. Rather than waiting for the next cyberattack to strike, many security practitioners are focusing on the activity surrounding their critical assets, in addition to drafting incident response plans that activate once the inevitable breach occurs.
Over the past few years the security industry has seen a rise in the number of appointed CISOs. At companies where previously the security team was small, secluded, and likely managed by the CIO, it is refreshing that mention of a CISO is no longer followed by puzzled looks or blank stares.
The All Powerful Breach…or threat thereof. How often do you, as a security practitioner, get asked by a colleague outside of the security team about the viability of a breach at your organization? Is a breach the meter by which security is measured?
Ransomware is just a cyber twist on the age-old crime of taking someone/something hostage and demanding a payout for safe return. Cyber criminals have quickly learned that getting at organizations’ data then deploying malware to encrypt it carries a low technical barrier to entry (as opposed to kidnapping a human).
Today, many organizations’ executive teams and boards of directors conflate cybersecurity and risk. Risk management is a broader practice than security alone, but cybersecurity is an increasingly “big ticket item” on boards’ agendas—alongside other more traditional risk discussions—since it’s clear that a major breach can impact the organization in meaningful ways.
Cybersecurity is a lot like driving; towns and cities and their respective road crews can keep roads in ace condition and post all kinds of clearly marked signs for speed limits, road hazards, dangerous curves, blind driveways, and the like. Police can patrol the roads for dangerous or illegal driving.
With the recent Dyn distributed denial of service (DDoS) attack lighting up media headlines, enterprise security practitioners are being asked how to ensure that the organizations for which they work aren’t the next DDoS victims.
Cybersecurity has been gaining traction as a “board level topic” over the past several years. While boards of directors, along with executive management, all want the answer to, “How secure are we,” security professionals know that that answer doesn’t often come wrapped in a tidy little box.
By Rafal Los, Managing Director, Solutons Research and Development, Optiv
October 31, 2016
For nearly the last twenty years, enterprise security teams have been fighting threats to their business much like hapless teenagers fight demons in horror movies. Let me paint you a scene. Four people fleeing a horde of some type of evil take refuge in a run-down back woods cabin in the middle of nowhere.
By Antonio A. Rucci, Counterintelligence Special Agent (Retired), Information Technology & Technical Security Consultant
October 27, 2016
If you are engaged in in the information security (infosec) community for any length of time, regardless of whether you are Blue Team, Red Team, or Purple, one data point remains constant: You recognize the importance of partnering.
Until last Friday, Internet of Things (IoT) cyber attacks were largely more theoretical than practical, at least for those outside of the cybersecurity research realm. When Reddit, Twitter, Netflix, Spotify, and PayPal, among others, were taken offline or significantly slowed due to a massive distributed denial of service (DDoS) attack last week.
Employee mobility is no longer a privilege or nice-to-have, but a given in today’s workplace. At even very small organizations, it’s not uncommon to find executives or sales people who are on the road more often than they are settled in the office, and gone are the days when working remotely is considered the entitlement of a select few.
How to help your end users manage their passwords, with additional practical steps to improve your system security. This guidance focuses on the end user (rather than the system owner responsible for determining password policy).
Remember the “telephone game” played at parties when you were a kid? One person would make up a sentence or phrase which she or he then whispered into the ear of the person sitting next to him/her in a circle. That person would, in turn, whisper what he/she had heard into the ear of the next person in the circle.
Defining a “good” chief information security officer is difficult. On one side, many CISOs have risen through the security ranks due to their technical prowess and were thus handed a “business position,” asked to manage a team, and required to start briefing the executive suite on the state of the company’s security.
Risk management practices date as far back as the Renaissance period, but modern-day risk management, the version we all know and love/hate today, started taking shape only about 40 years ago when risk managers—mainly focused calculating insurance at the time—started looking for alternatives to insurance policies to manage risk.
By Mark Arnold, Senior Research Analyst, Office of the CISO, Optiv
October 12, 2016
For companies on the path of cloud adoption, the fear that dark “clouds gathering” could impact business health and one's financial bottom is a source of anxiety. Despite recent data that show cloud adoption rates consistent growth over the last 18 months, a group of holdouts endure.
Cloud technology has been moving at a tremendous pace. For businesses, it seems to have happened in the blink of an eye. It’s faster and more agile, with the ability to re-architect an entire infrastructure. But why has this happened so quickly, and what does it mean for security practitioners?
Information security is more integral to business growth than ever, and robust, verifiable security can be a point of differentiation. For smaller organizations, security-as-a-service can be a useful option, but many organizations don’t know how or when the time is right to make the move.
Ah, the highly controversial call for presentations review process! Many infosec industry events use a CFP to find qualified speakers and tease out fresh topics. From a conference programmer’s perspective, the CFP submission process helps uncover new speakers, and it’s a productive way to learn what’s on the minds of industry speakers.
As a first time DerbyCon goer, I didn’t quite know what to expect. In its sixth year, DerbyCon is well known throughout the security community, and I’ve worked with several of the speakers, a few of the organizers, and met many security vendor representatives at MISTI and past-job events.
Twenty minutes before the talk was scheduled to begin, attendees anxiously queued up outside the center ballroom to hear Chris Hadnagy present Mindreading for Fun and Profit Using DISC. Hadnagy, a renowned social engineer and DerbyCon staple, promised to share with the audience “how to use a quick and easy profiling tool to make targets feel as if you can read their minds.”
By Marcos Colón
September 26, 2016
The cybersecurity industry is full of terms that both vendors and end users love to glom on to. Ok, maybe vendors lead the way, but their customers may not be doing a good job of speaking up and asking them to clarify what it is they do – taking the various mixed marketing messages as they come and running with it.
“Red team” vs. “blue team” exercises have been adapted into cybersecurity from the military and intelligence realms. As a means to simulate real-life threats and attack scenarios, organizations have been putting this methodology into play, either with internal resources, or by hiring outside experts to help find system issues.
By many estimates, the demand for information security practitioners far exceeds availability. As security becomes an appreciable concern for large and small companies alike, it stands to reason that the industry is going to face a serious shortage in the coming years if new practitioners aren’t found or cultivated.
The term cyber threat intelligence gets thrown around a lot, especially on show floors teeming with security practitioners being approached by vendors with the solution to all their problems. But fundamentally, are organizations successfully leveraging the tactics surrounding it?
Unless you're oblivious to the news, you're well aware that the information security industry is getting a lot of attention. Be it the headline-grabbing breaches taking place on a seemingly frequent basis, or the fact that the number of digital internet-connected devices per capita is increasing constantly.
Identity is who we are. It’s what we do and how we do it. In the digital realm, our identities are part of what affords access to the systems, tools, accounts, and functionality that make it possible to perform job responsibilities and effectively contribute to the organizations for which we work.
Political staffer Huma Abedin has been dominating media headlines as of late for a number of issues, including leaked emails uncovered by Citizens United and released publicly by Fox News. In the exposed emails, she refers to an intent to leave her mobile device, specifically a BlackBerry, behind during a 2009 trip to Russia.
The European “right to be forgotten” is an important directive for both privacy and information security advocates. With roots as far back as 1995, a European Data Privacy Directive laid the foundation—and set regulations—for how EU citizens’ personal information must be protected and handled by “controllers of personal data."
Cloud computing has been changing the way organizations operate for over a decade now. Without a doubt, the technology has evolved, offering varying levels of benefits along the way; agility, resiliency, and cost savings are chief among cloud’s attributes, as far as business owners and CFOs are concerned.
Totalitarians need to control everything they can—it’s a deep-seated need that stems from the (occasionally true) fear that someone, somewhere, is plotting their overthrow. It seems that the totalitarian impulse to control extends to communications first, whether it’s mail, telegraph, telephone, or Twitter.
There’s progress being made in the healthcare industry as it relates to information security. Yes, recent studies indicate that 90 percent of all healthcare organizations have been the victim of a data breach in the last two years.
Penetration testing is a mandatory component of any thorough information security program, as security pros know. Company networks are vast and complex, and security teams have the (often thankless) job of protecting everything that falls under the general category of “IT” or “IS.”
Listening to the political conventions these past two weeks, I couldn’t help but think about security: the conversations security practitioners have with senior management and other business units, the conversations practitioners have amongst themselves, and yes, even talks given at conferences.
The evolving threat landscape makes it incredibly difficult for security professionals to protect their organizations. You’d think that with the abundance of security solutions deployed they’d be able to manage cyber risk effectively, yet, the technology that’s intended to protect their organizations may be causing more problems.
Betterment, an online investment robo-advisor, is the first of its kind to surpass $5 billion in assets under management. Robo-advisors, for those unfamiliar, are automated, algorithm-based finance portfolio management services.
Insider threat. Third-party risk. Phishing. Privilege escalation. Unencrypted sensitive data. This reads like a “Top 5” list of security concerns, but in fact it’s what allowed Su Bin, the owner of a Chinese aviation technology company, to help two Chinese nationals hack into Boeing’s network and steal more than 65GB of data from the defense contractor.
“A lot of security departments are swimming in the wrong direction,” says Raef Meeuwisse, Director of Cybersecurity at Cyber Simplicity Ltd. By this, Meeuwisse means that companies haven’t yet redirected the scope of their security programs—the tools, technologies, and processes—to reflect current threats.
After the contentious Brexit vote last week, the British Parliament’s House of Commons Committee is investigating potential commandeering of an online petition calling for a second referendum on the matter.
Colleges and universities are generally considered settings for learning, openness, and ideas. Students and professors alike are encouraged to explore new thinking and push boundaries. The best academic universities on the planet have entire departments focused on researching subjects unconsidered universally.
The 2016 Cost of a Data Breach Study conducted by Ponemon Institute and sponsored by IBM was released in mid-June. One thing the report fails to do is focus on how organizations are improving or declining year over year. Luckily, past reports are still available, enabling a side-by-side look at a few of the key findings.
Several years after the introduction of DevOps, the security community continues to laud the method while scant few developers are hopping on the bandwagon. One of the issues is that “security” isn’t part of DevOps.
The mention of cloud services no longer strikes fear in the hearts of security practitioners like it did a decade ago. While some security folks are still wary of providers’ claims, few can doubt that many of the larger, more prevalent cloud providers offer as good or better security than some enterprise security teams.
Even under the best of circumstances, integrating cloud services and devices into an organization’s technology workflow can be challenging. In all fairness, integrating any new device or appliance into the technology stack requires careful planning, new processes, and often a bit of trial and error.
OSINT, open source intelligence, is a great tool for companies looking to find threat information on the web. The wealth of information available can be overwhelming, clunky, and difficult to incorporate into a threat intelligence program, however.
The original Software Development Lifecycle (SDL) was built with waterfall-style development in mind. As we continue the transition into heavier reuse of components and less pure development, all with shorter release cycles, the SDL needs modernization in parallel to help ensure secure software.
Ransomware is the hot, new buzzword in security. It is also a serious, escalating problem. Hospitals in Kentucky, Maryland, Ottawa, and California (among others) have had data held hostage in recent months; the U.S. House of Representatives blocked access to third-party email apps after ransomware attempts (or maybe unconfirmed attacks?) were perpetrated.
“Not even spring breakers, coffee makers, movers and shakers, or working-from home fakers…” This is the voiceover from a Kraft Macaroni & Cheese commercial. Even a company that manufacturers processed foods with no discernable nutritional value pits “movers and shakers” against work-from-home employees, as if, inherently, anyone who regularly works outside of an office is lazy and has questionable ethics.
All organizations know that flexibility, productivity, and personalization were drivers of the BYOD movement that started to take hold five, six years ago. Nowadays, the term is barely used, but BYOD'ing is commonplace at 99% of organizations, according to a new study conducted by IBM and sponsored by ISMG.
The decline in TalkTalk's profits is undoubtedly due to the aftereffects of a cyberattack in which the names, phone numbers, and email addresses of a reported 157,000 customers were lost. In addition, during the same incident 21,000 bank account numbers were accessed.
Yesterday, mobile security firm, Wandera, released findings from the company’s research into the state of mobile application security. The report, “Assessing the Security of 10 Top Mobile Apps,” is an attention-grabber.
Advanced persistent threat. The term started sneaking into infosec nomenclature about ten years ago and reached its peak during 2010-2013, instigated by Stuxnet and trending steadily upward through the release of Mandiant’s APT1 report.
In today's dynamic business environment, organizations face pressure to reduce cost, improve process efficiency, and drive financial growth. The "faster, cheaper, better" approach also flows down to technology.
Spy movie aficionados know that the most secure rooms and hiding places are protected by biometric authentication, requiring thieves to go to great lengths to gain entry. When the tables are turned, however, and the government needs access to information about said criminals, all they need to do is ask!
If you are a System Owner (SO) in a commercial organization or a federal agency, maneuvering through, understanding, and implementing federal security and privacy compliance requirements can be a difficult hurdle.
InfoSec World 2016 is now in the books. For the better part of a week, infosec pros took over The Contemporary Resort to discuss everything from building an incident response plan to leadership skills to active defense and trust.
Geopolitical cyber war is a fairly well established practice: You break into my nation-state thing; I’ll hack you back. President Obama and Chinese President Xi Jinping even met in Washington, D.C. this past September to discuss (and announce) the desire of both parties to curb intellectual property theft.
If Hollywood doesn’t make movie out of the Apple vs. FBI debate, someone is missing the boat. As proven by the recent Oscar winners, “Spotlight” and “The Big Short,” audiences eat up controversial subjects, especially when the impact of the controversy affects them or loved ones.
A recent story in the New York Times shared information on a new crop of secure messaging apps for smartphones. The article, posted in the “Personal Tech” section, offered snippets of information about the functionality of five different consumer-focused tools.
If you are going to be in Orlando in the beginning of April and are an information security professional, why wait in humid 90-minute long Disney lines when you can enjoy Orlando indoors at the Infosec World 2016 conference? Another benefit of the conference is that vendors at the expo give you t-shirts. This is the only free thing you'll find at Disney.
We are currently engaged in a war to achieve victory over risk. Okay, perhaps "war" is not the right way to describe the status quo. None of us can ever achieve total victory over risk. Any expert will say some risk always persists in any activity we undertake.
How effective is your communication? How do you fare when asked to explain security risks? What about when defending the need for investment? Are you effective? How do you know? How do you measure your communication efforts?
Earlier this week American Express notified customers of a potential breach involving theft of account numbers, user names, and “some other” account information—most of the juicy ingredients necessary for fraud. The company was quick to mention that it is monitoring for fraud, but it was even quicker to deny responsibility for the incident.
U.S. Army Major General John H. Stanford was asked about how one becomes a leader. "When anyone asks me that question, I tell them I have the secret to success in life. The secret to success is to stay in love. Staying in love gives you the fire to really ignite other people."
Technology is an inescapable part of our lives. Unless you live completely off the grid—grow your own food, never drive a car, transact with only the cash kept under your mattress inside your built-by-your-own-hands house—your personal information is collected, tracked, and exchanged by and among businesses.
Once upon a time, phones were only used to make calls. For most of us, our phone is a mobile office; central to a great deal of our daily activity, our phones are the hub through which our email, text messages, news, social media, calendars, driving directions, fitness goals, and so much more are all brought to us, organized, recorded, and shared.
By George Gerchow, Director, Product Management for Security & Compliance, Sumo Logic
March 09, 2016
From Amber restaurant to Jillian’s at the Metreon, The Marriott Marquee to coffee shops, Chevy's, and of course the Tonga Room at the famous Fairmont Hotel, business meetings light up the conference with a constant exchange of information between colleagues, partners, customers, and attendees.
Over 40,000 attendees and nearly 550 vendors are getting back to their inbox this week after having attended the gargantuan vendor show otherwise known as RSA. It was RSA’s silver anniversary, and as with each passing year, it gets BIGGER with age!
There is no shortage of quotes to capture the importance of trust: hard to earn, easy to lose, and essential to our success as security leaders. Yet a troubling trend is emerging: the trust we need to be successful as security leaders is eroding.
Whatever side of the debate you’re on when it comes to Apple and the FBI, one thing is for certain: U.S. courts should not be using laws written in 1789 to make decisions about current technological capabilities.
By Dave McPhee, Information Security Manager, Caterpillar
February 23, 2016
Information security and the business need to be in a partnership, not a dictatorship with one party demanding the other follow certain rules and guidelines. Through a true partnership, information security risks can be mitigated and business disruptions limited, thereby creating an improved relationship and organizational efficacy.
Encryption is not a new invention. In fact, evidence of encrypted messages dates back to 1900 BC when the Egyptians wrote alternative symbols on pyramid walls to relay secret messages to one another. In modern times, though, encryption takes on a new meaning.
The hype around advanced persistent threats (APTs) is as high as ever. Post-breach, hacked organizations sing the praises of their adversaries' skills. Practitioners are bombarded by industry marketing touting the latest APT detecting and killing technologies.
As debates about privacy versus encryption rage on, with the US, UK, and France on one side and Germany and the Netherlands on the other, Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar decided to take a look at the encryption products market and replicate a study conducted in 1999.
Almost every morning I wake up and read about another company that has been breached, and consumers' or patients' information has been stolen as a result. It's getting to be so common that social security numbers and credit card numbers posted on dark Web sites sell for less than a dollar each.
Security professionals spend a lot of time thinking about protecting their back end systems and the information contained therein. They think about the scariest and sneakiest vulnerabilities and what an exploit means in real terms: will this disrupt business operations? Will our company lose sensitive data? Will I be fired?
When you think of security metrics, what's the first thing that pops into your mind? OK, after you yawn, what's the first thing? While security metrics themselves may not exude excitement, what if your metrics quickly revealed just the type of information you need that leads to a decision or action that helps solve a business problem?
By Wendy Nather, Research Director at the Retail Cyber Intelligence Sharing Center
January 12, 2016
How do you secure that which you don't control? This is the big question for every enterprise, since no organization exists in a vacuum. From third-party commercial software (including operating systems) to open source, custom-written applications, there are plenty of attack vectors that cause concern.
By Jack Jones, EVP of Research & Development and co-founder at RiskLens
December 21, 2015
Would you ride on a space shuttle mission if you knew that the scientists and engineers who planned the mission and built the spacecraft couldn't agree on the definitions for mass, weight, and velocity?