The IIA defines operational auditing as "Defining, measuring, evaluating, and improving the economy, efficiency, and performance effectiveness of the organization's operations and constituent activities irrespective of function, purpose, or level within the organizational structure." The chapter from Operational Assessment of IT explains what this means and how to apply it in the context of operational assessment of ICT.
Instantly Improve Your Team Communications by Overturning 9 Dangerous Myths
Whether running a project team or managing a group, most team leaders assume that their communications skills are pretty decent. So when they send emails, post documents, ping people on IM, or lead team meetings, they imagine that people are ready, willing and able to hear what they have to say. Magical thinking? You bet. This article shares some common instances of wishful thinking, or irrationally optimistic assumptions, which often lead to frustration and disappointment for leaders and their teams. As a counterpoint, it provides a tips to ground that wishful thinking more in reality, resulting in communications that actually may be nothing short of magical.
5 Dangerous Misconceptions When Sharing Your Personal Data
As the developing Pokemon Go security breach demonstrates, the world is now structured with a thin layer of reassurance while underneath the hood the cogs aren't necessarily whirring with our interests as consumers at heart. The same applies to many of our interactions with service providers. This article highlights and debunks five popular misconceptions around sharing personal data.
Software Quality Assurance: Defect Management
This chapter from Software Quality Assurance: Integrating Testing, Security, and Audit deals with the conceptual aspects of defect management. There are three parts in this chapter. Part 1 discusses the basic concepts of a defect and why a defect happens. Part 2 introduces the practical methodologies of how to manage the defects. In this section, some sample documents and templates are provided to manage the defect properly. Part 3 discusses and analyzes the root causes of defects and provides recommendations of how to prevent defects in the future.
3 Effective Bomb Protection Solutions and Why Your Business Needs Them
It is a sad fact that the harsh realities of life mean that today's businesses have to factor in bomb protection solutions as part of their security objectives. Blast protection is now required in an ever growing list of situations, particularly where the public or sensitive information are concerned. One of the most important aspects of business is always being prepared for the unexpected, and by having bomb protection in place companies have the opportunity to reduce the potential of personal injury and property damage should an unfortunate event occur. With that in mind, here's a list of three effective bomb protection solutions and why your business needs to have such contingencies in place.
Dissemination and Reporting of Electronically Stored Information
This chapter from the new, second edition of Electronically Stored Information discusses the reasons and the methods for sharing the data we have so carefully acquired, preserved, and managed. There are several reasons and each may engender different approaches or procedures appropriate to the specific needs of those situations. These approaches include the format in which the data are produced, the content, the timing of release, and the actual physical media and process for delivering the electronic information. It also discusses reporting protocols and suggest some ideas to ensure that the reports you create are clear and concise. Finally, it presents tips for participating in depositions or as an expert witness.
Building Cyber Awareness: What I Would Do First
Cyber security experts are often asked what strides an organization should take in order to measurably reduce their exposure to cyber threat actors, and their relentless cyber-attacks. Deploying the right security technologies obviously makes good sense. However, no matter how much security technology you deploy, it will never completely replace good common sense. Most cyber-attacks that result in data theft involve the human element, and the dreaded 'click.' That is, the act of an employee being fooled by a phishing E-mail and clicking a link or attachment that installs malicious software without detection. Reducing this single liability would serve to improve anyone's defensive posture. This article discusses how to solve this problem.
Spring Clean Your Network with Automated Access Management
Most of us partake in the annual ritual of cleaning our homes, cars, offices, and workshops. But, what about our organization's software? Organizations need to take some time to look at all of the software, applications, accounts and licenses they have available for the company and clean house of those that are no longer needed but possibly being paid for. These applications aren't just a waste of space on the company's network. They may be costing the company hundreds or even thousands of dollars every year for unused licenses. Even worse, they may actually be a security risk! This article explains why this is an issue; how to mitigate it; and outlines the types of solutions or guidelines to put in place.
All Seeing, All Knowing Border Control: Endpoint Detection and Response
The evolutionary arms race between hackers and cyber-defenders has led to the rapid disruption of the traditional managed security service provider (MSSP) market. As vendors scramble to stay relevant, this has led to a sea of sales messages and acronyms, including the advent of EDR and proactive threat hunting. Breaking this down, we have EDR (Endpoint Detection and Response), the word proactive (the mainstay of copyright teams globally), and threat hunting (why wouldn’t you want that), but marketing aside, what does this actually mean? Read this article and you'll know.
The Game Changer: Next Generation Cyber Security
With the threat landscape constantly changing, and most organizations accepting that it is now less a case of when they get attacked, but if we get attacked, it is time for a game changer. By actively pursuing attackers within your own infrastructure, and hunting them down, companies will be able to dramatically reduce the number of days an attacker is sitting on their network. This article highlights why actively pursuing attackers within your network will change the way you look at security; the best ways to be more proactive within your network environment; and how the cloud and migrating your systems to a cloud environment opens the opportunity to go on the offensive.
New Considerations for Securing the Mobile Enterprise
The FBI dropped its suit against Apple to build a skeleton key to unlock the iPhone after it developed its own means to access the iPhone linked to the San Bernardino terrorist shootings. This has unprecedented implications for personal privacy as well as business privacy. Now law enforcement has the means top access data on any iPhone seized as part of an investigation or in connection to any crime. It also seems likely that the same iPhone-breaking technology will make it's way into the hands of hackers and cyber criminals. This article considers what impact will this have on mobile strategies for business; what impact will this new iPhone skeleton key have on company BYOD strategies; what threat do mobile devices pose as a hacker interface to access enterprise technology; and what are the liability considerations for businesses who equip their staff with iPhones.
Combat Rude Behavior with Radical Civility
The ability to thrive is the best way to ward off the negative effects of bad behavior. Two related, but distinct, paths can help get you there. Thriving cognitively occurs when we focus on improving our performance, learning new things, and finding ways to propel ourselves forward. Thriving affectively means that we are healthy of body and mind, and feel energized both inside and outside of work. These tips, taken together, can help you create a kind of personal armor that can help repel the damaging effects of rude behavior.
We're Going on a Threat Hunt: Why Enterprise Cybersecurity Reminds Me of a Classic Children's Book
Not all enterprise threats are going to be big. In fact, lots of smaller issues, if unaddressed, can add up to the infosec equivalent to the Death of a Thousand Cuts. Being fixated on the big logoed vulnerabilities talked about in the media means you will always be on the defensive. To regain the upper hand, organizations need to focus on the little things, like practicing sound security fundamentals, while at the same time transforming their security model from one based on playing defence to a proactive one based on comprehensive security assurance.
Analyzing and Securing Social Networks
This chapter from Analyzing and Securing Social Networks sets the stage to discuss both social media analytics and security. It discusses various applications of social media analytics. Then it considers applying various data mining techniques for social network analysis (SNA), before discussing security and privacy aspects.
The Evolution of Ransomware
A recent study found that 80% of organizations experienced an IT security incident in 2015, with 53% of respondents having a concern for ransomware in 2016. But, how did we get here? And how can we avoid these growing attacks in the coming year and beyond? In general, all ransomware pretty much works the same, but each variation of it does something slightly different. This article discusses the history of ransomwarefrom the first known ransomware to GPCode, CryptoLocker, Cryptowall, and Locky with many others in between. It closes with a discussion of 2016 ransomware predictions, as well as how to mitigate future malware attacks.
Cloaking Is the New Perimeter
Cloaking is the ability to hide assets in plain site so that bad actors have no idea the asset exists. Using a castle analogy, this article delves into what it takes to use cloaking to protect the assets within the perimeter of the organization's walls as well as when the assets are in motion or distributed outside the perimeter.
Tackling Tough Issues Remotely, When Your Boss Is the Problem
We hear a lot about how virtual leaders can deal effectively with workplace conflicts and performance problems. But we don't hear nearly as much about how to confront tough issues from the remote worker's point of view. And that's precisely what Sue Shellenbarger, Work and Family columnist for the Wall Street Journal, wanted to know when she contacted Nancy Settle-Murphy recently for an interview. Since Sue's questions were so insightful, Nancy has paraphrased three of them here, along with a few replies.
Balancing the Risk and Opportunity of Deep Customer Data Analytics
For Big Data to power new insights, it is critical that firms move their core customer and transaction histories into these new environments in addition to any new data sources that may be brought in. This often means taking data once stored and processed on the highly-secure mainframe and move it off-platform. This, paired with many high-profile breaches of consumer data, has driven heightened security and compliance regulations around how personal data is stored, analyzed and used by large enterprises. There are many steps--both policy- and technology-driven--that you can take to initiate these projects while balancing compliance and security.
The Hotel Industry Has a PoS Malware Problem
Based on the spike in hotel data heists recently, the industry is falling seriously short when it comes to security. With BlackPoS and other RAM-scraper variants finding good hotels to vacation in, it's startling to think that very little seems to have been learnt from these types of attacks. This article highlights the increase in point of sale (PoS) malware, particularly within the hotel industry; a typical PoS malware attack scenario, from entry to exfiltration; the best ways to defend against these types of attacks, including employee education and data governance; and how User Behaviour Analytics (UBA) can help identify an attacker earlier in the kill chain and prevent the loss of important data such as credit card details.
What You Need to Know about the EU General Data Protection Regulation
The EU's General Data Protection Regulation (GDPR) has achieved final approval after a long two year process. Now that the GDPR has been finalized, and is due to take effect in the later part of 2017, this article outlines the key points that should resonate the most with organizations.
Biometrics: The Physical Attributes vs. Behavioral Patterns Privacy Debate
In a world where we can no longer rely on authentication based on 'static elements,' we are increasingly seeing biometric-based authentication technology used as a way to verify users. But the use of biometric factors is rapidly becoming an area of concern from a data privacy and security perspective. This article highlights why it is no longer viable for organizations to only rely on traditional, static forms of identification, such as passwords; the difference between physical and behavioral biometrics, and why behavioral biometrics is able to provide a higher level of security for online activities; and why behavioral biometrics are far more privacy-friendly than physical biometrics, and are far less invasive.
8 of the Largest Data Breaches of All Time
According to the ITRC (Identity Theft Resource Center), there were 5,754 data breaches between November 2005 and November 2015 that have exposed 856,548,312 records. According to their data, there were 783 breaches in 2014, the largest number of data breaches in a single year to date. Although this data includes a comprehensive list of data breaches, whether large-scale or small, there are a few that stand out from the rest as some of the worst data breaches in history in terms of resulting costs and the number of records compromised. This list of eight of the worst breaches in history highlights the cause of the breach and the effects on the public and business sectors.
Making Vulnerability Assessments a Priority in 2016
The vulnerability assessment of an organization's applications and data is critical given the increasing number of automated and targeted attacks. Businesses must proactively identify potential vulnerabilities to prevent breaches. This article discusses two highly-effective ways to identify vulnerabilities: vulnerability scanning and penetration testing.
What Is the EU General Data Protection Regulation?
It has been a long time coming, but the new EU data security and privacy law, also known as the General Data Protection Regulation (GDPR), is finally close to being finalised and will likely go into effect sometime in 2017. This article includes an outline of the GDPR and why it is important for organizations to not panic over changes to the existing data rules; the current Data Protection Directive (DPD) and why the EU felt the need to change to the GDPR; some of the more important vocabulary included with the new law; and outlines of the new articles contained with the GDPR and how they will affect organizations.
Is Your Business Winter Ready?
Have you formulated a plan to avoid grinding to a halt should your employees find themselves cut-off or the office inaccessible that includes keeping data safe? The answer could be to have adequate infrastructure in place that allows workers to securely work from home, while stranded anywhere sensible with an internet connection. This article examines what technologies are there to help, and what security implications that need to be considered.
5 Steps to Securing Data Workflows in Your Organization
With all organizations having data flowing constantly into and out of them, the risk of malware infecting the system is greatly increased. To protect against these threats, most organizations have anti-malware solutions implemented at the different entry points, including email, web and portable media, in an attempt to stop malware from entering the organization's network. But is this the most effective way to stop malware? This article highlights why implementing a secure data workflow is more beneficial to organizations than single solutions at different entry points; the five steps organizations need to take to implement a secure data workflow; and how the use of multiple anti-malware engines can assist an organizations secure data workflow even further.
6 Steps to Secure Retailing
The article highlights the stats and facts behind how retail has become the new favourite playground for hackers; why it is important for retailers to keep themselves safe from possible data breaches; the 6 best ways for retailers to secure their businesses from attacks, including securing web applications and reviewing logs regularly; and how focusing on reducing threats can reduce the window of opportunity for criminals.
Fire Up Your Communications Mojo in a Virtual World
Public speaking is a full-body sport. To keep people engaged and maintain a strong presence when face-to-face, you must use your full body: your posture, gestures, voice, eye contact, and movement. Demonstrating a compelling presence is no less important in the virtual world, but it's done a bit differently. Here are some tips.
Is Machine Learning Cybersecurity's Latest Pipe Dream?
A recurring claim at security conferences is that "security is a big data, machine learning (ML), and artificial intelligence (AI) problem." This is unfortunately wildly optimistic, and wrong in general. While certain security problems can be addressed by ML/AI algorithms, in general the problem of detecting a malicious actor amidst the vast trove of information collected by most organizations is not one of them.
User Behavior Based Biometrics: The New Frontier
Gone are the days when online security could be trusted to a simple username and password combination or simple identity checks. As fraudsters got better at bending and breaking the system, e-commerce and digital banking initiatives had to keep pace, creating tough rule-based systems to check for fraud and adding new technology like IP detection and Device ID. But even these measures are no longer enough. As this article explains, the next great leap in digital security isn't based on a device or a password, but on the user themselves--User Behavior Based Biometrics.
A Look Back at SCADA Security in 2015
It should come as no surprise that SCADA systems and ICS that control key functions in critical infrastructure are especially at risk of cyber attack. This article reviews the current state of SCADA security; present a 2015 timeline that that highlights the growing risk of SCADA attacks; and discusses technologies you can use to bolster the security in SCADA and ICS systems.
Protecting the Oil and Gas Industry from email Threats
According to a recent report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the energy sector is facing a significant rise in cyber attacks. The high volume of business communications conducted via email within this industry give hackers quite the window of opportunity to intercept sensitive information through the use of spear phishing. This article by OPSWAT's Doug Rangi describes spear phishing attacks that have occurred in various sectors of oil and gas, along with recommendations on how the industry can boost their cyber security and specifically adopt new preventative measures to protect against these and other email-borne threats.
Predicting the Cyber Security Future in 2016
In this article, Lancope CTO TK Keanini provides a brief retrospective on 2015, including the biggest patterns seen from within the cyber security industry; highlights the biggest trends to expect in 2016; from cracking as a service to DNA breaches; and discusses how these trends will impact businesses and individuals alike and have long reaching implications.
Top 5 Predictions for Online Fraud in 2016
As 2015 comes to a close, all of us fighting fraud may start preparing for the upcoming fraud battle in 2016. As mobile apps and web services continue to increase in number and functionality, they remain an attractive target for fraudsters. Meanwhile, cyber attackers have continued to adapt to evade traditional security defenses using the latest mobile hacker tools and cloud technology to impersonate legitimate users. If you are a consumer-facing web or mobile app, you are up against a much more numerous and advanced adversary than ever before. Here are some online threat trends you're likely to encounter in 2016.
Chimera Changes the Ransomware Game
Ransomware is an ever growing issue within the cyber security industry. With the announcement of the new Chimera variant, what was already a large nuisance has been turned into a real threat to organizations and individuals alike. This article highlights what ransomware is and the staggering damages it can cause financially; how the new Chimera variant has changed the ransomware game from a nuisance to a real threat; the damaging effect this strain of ransomware could have, looking at high-profile breahes from the past year; and why an inside out security approach is the best way to fight these types of threats.
Mobile Wallets: The New Fraud Frontier
With a company's bottom line, brand reputation and customer loyalty on the line, how can institutions secure payments via mobile wallets? The answer is in User Behavioral Analytics. This article highlights the different types of mobile payments that are currently being used, and how they work; why financial institutions have held back on developing their own mobile banking apps; and how utilizing user behavioral analytics can help detect good users more accurately within mobile payments and improve the overall customer experience.
6 CyberHacks That Will Affect Your Life in 2016
As we are quickly marching toward the end of another year, Stephen Newman, CTO of Damballa, discusses the new types of cyber attackes that will likely see in 2016. He points out that these new types of attacks will draw everyone's attention to the lack of privacy and security in our interconnected world.
The Threat Within: 3 Out of 4 Companies Affected by Internal Information Security Incidents
Costly cyberattacks are now almost routine for businesses, but while many organizations are focusing on external attackers, it's important to also look at threats from within. According to the IT Security Risks Survey conducted by Kaspersky Lab and B2B International, 73% of companies have been affected by internal information security incidents. The survey also found that the largest single cause of confidential data losses is by employees (42%).
5 Tips for Shrinking the Elephant in the Room: Careless Employees
While it is important for organizations to be aware of the possibility of all types of insider threats, and to continue to invest in training courses and awareness programs, mistakes will continue to be made, making it more important to focus on the one thing that you can control: your data. This article by Dietrich Benjes, VP EMEA at Varonis, outlines the different types of insider threats facing your organization; how the more mundane insider threats are as serious than the less frequent 'corporate espionage' types; why organizations should focus on what they can control—their data; and the top 5 tips you can take in order to take control of the insider threat issue.
How Timeshifting Truly Transformed a Top-Performing Virtual Team
Basically, "timeshifting" means that a team can work together when it can't be together, either physically or virtually. Um, okay. But what does that really mean, and how do you accomplish it? This edition of Nancy Settle-Murphy's Communiqué shares just a few creative and insightful tips on how to make this happen.. You’re not going to want to miss a single one.
Russia’s Undeclared Cyber Wars
Post-Soviet Russia continues to exercise a get-tough attitude toward its former possessions. With each successful foray, its treatment toward the newly independent states that were once part of the Russian Empire becomes more and more assertive if not more aggressive. The excerpt from Vladimir Putin and Russia's Imperial Revival discusses Russia's cyberwar tactics and analyzes its 2007 Cyber War with Estonia.
10 Facts You Need to Know About Data Breaches
2014 was dubbed as "the year of the data breach." With many new data breaches dominating the headlines in 2015, including Anthem, the White House, banking attacks, and the latest employee data theft at the US federal government, one can only imagine what the name for 2015 will be: the year of even more data breaches? According to the Ponemon Institute, 43% of companies experienced a data breach in 2014. Not only is the number of data breaches rising, the number of records stolen per breach is increasing as well as the cost per stolen record. It is apparent that current security measures are not sufficient to protect organisations from data breaches. This article highlights the top 10 most interesting, remarkable and troubling facts about data breaches.
Leading the Internal Audit Function
In this book, Lynn Fountain presents lessons learned from her extensive experience as a CAE to help internal auditors understand the challenges, issues, and potential alternative solutions when executing the role. The book explains how to clarify management expectations for the internal audit and balance those expectations with the IIA Standards. It examines the concept of risk-based auditing and explains how to determine whether management and the internal audit team have the same objectives. It also looks at the internal auditor's role in corporate governance and fraud processes.
If You See Marty McFly, Can You Tell Him ...
In honor of 'Back to the Future Day' (in case you're not a fan, October 21, 2015 is the day Marty McFly visits in the 1989 second film in the trilogy.) This article, written for fun by Martyn Ruks, Technical Director of MWR InfoSecurity, looks at the technology of the fictional 2015 and ponders just how secure it is.
Combating Account Takeover
Account takeovers are quickly becoming the new favorite fraud tactic for hackers. With personal data all at the top of the thieves' hit list, a small data breach can quickly expand into a wave of personal information that could cause problems for the fraud victim years down the track. This article discusses how small data breaches can mean big returns for criminals and hackers; why login details are key to fraudsters stealing your personal data; and how technology such as behavioral analytics can stop fraudsters before they acquire your details.
5 Things You Need to Know About the Proposed EU General Data Protection Regulation
European regulators are inches away from finalizing the General Data Protection Regulation (GDPR), which is a rewrite of the existing rules of the road for data protection and privacy spelled out in their legacy Data Protection Directive (DPD). The GDPR will likely be approved by the end of 2015 (or early 2016) and go into effect in 2017. Even before the recent European Justice Commission ruling against Facebook, organizations, including U.S. multinationals that handle EU personal information, will soon be required to comply with tougher rules to prove they're actively protect personal data. Based on the latest proposal from the EU Council, this article from Varonis outlines the five key things you need to know about the proposed GDPR.
Managing Performance from Afar Made Easier: 10 Tips for a Happier Outcome
It can be awkward to give someone tough feedback when they're miles away. And that's the least of it. Without visual cues, the delivery of even the most well-meaning and thoughtful performance feedback can have the opposite effect. It can damage relationships, erode trust, sap motivation, and in reality, it can actually weaken performance, instead of strengthening it. In this edition of Communiqué, Nancy Settle-Murphy embellishs on a few tips from her Tips for Leading Amazingly Productive Virtual Teams guide.
The Difference between SIEM and UBA
Insider threats continue to be a top security concern and, as employees go rogue, User Behavior Analytics (UBS) is proving to be an effective insider threat prevention technology that is instrumental for IT security. For those companies who already use a Security Identity Event Management (SIEM) tool to monitor use for threat management, the question may be "Do we need UBA?" Although at first glance they may appear to be very similar, they in fact do different things and, in some use cases, it may be better to have both rather than one or the other. This article provides an overview of both SIEM and UBA, how they work and their pros and cons; a comparison of the two tools, and how they differ; and recommendations to help you decide which one is best for your organization.
The Privacy Professor's October Tips: Who Ya' Gonna Call to Protect Your Privacy?
The latest tips from Rebecca Herold, The Privacy Professor. Her latest book is Data Privacy for the Smart Grid, co-written with Christine Hertzog.
3 Reasons Why the Nuclear Industry Is a Good Cyber-Security Example
With the security of government facilities being of upmost importance in today's cyber-society, it is a positive sign to see industries such as the nuclear industry excelling in how they handle the implementation of security systems that can protect them against threats. This article discussed why the nuclear industry is a prime example of good cyber-security practices; the top three examples of how the nuclear industry is leading the way in cyber-security; and how other industries can follow in the nuclear industry's footsteps.
The Seven Deadly Sins of Incident Response
In today's cyber-society, where we are witnessing an endless barrage of attacks on government and enterprise networks, it is clear that organizations need to be more proactive when it comes to security and protecting themselves. Despite this, more companies are still committing the "7 deadly sins" when it comes to incident response. Taking this into consideration, this article highlights why it is important for companies to have a built in incident response function; lists the top 7 mistakes companies are making when attempting to build an incident response function; and provides tips for how to deploy an effective incident response function and keep your organization safe from attackers.
Protecting Medical Record Data
After a slew of data breaches in 2014, the FBI warned the healthcare industry that cyber-criminals would be directing more attention their way in 2015. The healthcare industry, valued at $3 trillion, has become an increasingly valuable target for cyber criminals and, in some cases, a much easier target to attack, due to their often less than adequate investment in cyber security. What is it about the healthcare industry that has captured the cyber criminal’s interest in the last few years? This article from OPSWAT discusses reasons for the popularity of medical data theft and gives advice on how to prevent future breaches.
It's What People Aren't Saying That Leaders Most Need to Hear
In this article, Nancy Settle-Murphy uses a hypothetical example, representing a composite of some of our actual clients, to show how unmet expectations can undermine trust, demotivate teams, and chip away at relationship equity. It provides some practical steps for self-aware leaders who know they can do much more to create the kind of environment where every team member can flourish.
Top 3 Factors Driving the Rise in Data Breaches
It comes as no surprise that the number of companies falling victim to data breaches is on the rise. These stories are making headlines, and making CEOs and employees alike nervous that they will be the next victim. As computers are getting faster, so are hacking attempts. Hackers are now more capable than ever to implement their plans. This article outlines the top three factors that are contributing to the rise of data breaches.
McAfee Labs Threats Report: August 2015
In this report, a dozen thought leaders from Intel Security share their views on the changes they have witnessed in the cyberthreat landscape and the evolution of security technology over the past five years. The report also compares what really happened to what we thought would happen over the past five years--from new approaches to cyberattacks to the economics of cybercrime; details techniques cyberthieves use to exfiltrate valuable data, moving it from your network to theirs; and separates fact from fiction about potential malware attacks on graphics processing units (GPUs).
How to Solve the Five Biggest Email Security Problems
By now we all know that if email is not properly managed, it can cause major security headaches, including infected machines, system downtime and embarrassing data breaches. With nuisances such as spam being mostly blocked by anti-spam products, organizations need to focus their attention on other major security issues that are being less successfully defended against. But what are the biggest email security problems that companies face today and how can they be solved? This article discusses how to solve the five biggest email security problems, including the five biggest email security problems that are facing companies today. It also provides tips and advice on software that can help you better protect your company against email threats.
Cybercrime as a Business—Part 3: The Evolution of the Arms Race
Part 2 talked about the criminal lifestyle of the computer as it got infected (from MalSpam, to exploit, to Trojan, to ransom), and how you, an "involuntary contribution associate" would enrich various criminals. Initially, things were simpler. Electronic banking was so easy, it was just a username and password and nothing else. But then banks started to get worried because it was too simple. Today they're using two factor authentication and SMS messaging verification with mobile phones, but this hasn't stopped the criminals because they are able to infect your phone as well. Part 3 discusses the evolution of the arms race.
Cybercrime as a Business—Part 2
Part 1 talked about using the cloud for business the criminal way, the benefits of the cloud, and how everything that applies to a regular business in the cloud also applies to the criminal business in the cloud, using examples of MyShop.biz and MyCrime.biz. Part 2 talks about the scheme, or the step-by-step process, that your computer goes through when it gets infected by things like Trojans and ransomware and what you can do to avoid that.
Avoiding the High Cost of Ambiguous Decisions
Truly bad decisions are made every day, often because the decision-making process is murky, and needed conversations are rushed. What is a better approach to facilitating group decisions? Joining Nancy M. Settle-Murphy, the author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results, in writing this Communiqué is her friend and colleague Rick Lent, president of Meeting for Results. Although the concepts can be applied to any kind of meeting, we offer tips for those who lead virtual meetings, where you lose vital visual cues.
Cybercrime as a Business—Part 1
Criminals are business people too and just as the Internet and related technologies such as cloud computing have revolutionized traditional business models and created new opportunities, so they have for the criminal business. This three-part series discusses the ways that criminals use the Internet to more efficiently steal money from the rest of us. It also touches upon what happens when you become an involuntary contribution association, as well as provides examples of how the arms race between criminals and those defending them has evolved. People have gotten a little bit smarter about stopping these things, but so have the attackers.
Facial Recognition Technology: Commercial Uses, Privacy Issues, and Applicable Federal Law
Facial recognition technology, which can verify or identify an individual from a facial image, has rapidly improved in performance and now can surpass human performance in some cases. The Department of Commerce has convened stakeholders to review privacy issues related to commercial use of this technology, which GAO was also asked to
The Ripple Effect of Identity Theft
As a society, we hear about data breaches all the time, but we rarely hear about what happens to the stolen data afterwards. We may not think much of losing one username and password combo or having to cancel a credit card, but each piece of data doesn't just disappear. It gets collected and combined into the tool of choice for today's fraudsters; one that is so difficult to overcome that we've had to rebuild how we do internet security. This article discusses the ripple effect of identity theft: what happens to data once stolen, the rise of account takeover, and how to protect yourself from data thieves.
The Financial Industry's Biggest Threat
With all the data breaches and cyber attacks that the financial sector has suffered recently, it is no surprise that cyber security is now seen as the top concern. Nearly half of financial services respondents cited cyber risk as the single biggest threat to the financial industry, and 80% listed it as one of the top five risks, according to a recent study. Cyber risk was listed far ahead of other concerns such as geopolitical risk, the impact of new regulations, and the US economic slowdown. This article looks at what financial organizations should be doing to protect themselves against data breaches.
Security Countermeasure Selection and Budgeting Tools
This chapter from the second edition of Risk Analysis and Security Countermeasure Selection explains what makes a security countermeasure effective or ineffective, the functions of security countermeasures, infiltration and attack scenarios, attack objectives, criminal offender types, criminal offender countermeasures, how to develop countermeasure effectiveness metrics, and how to develop a Decision Matrix to help decision makers reach consensus on a specific countermeasure when there are many points of view to consider.
Protests or Profiteering: The Hack Remains in Same
Whether it's cyber terrorism, hacktivism, or just another set of hackers trying to get famous by jumping on the media's hot topic, the key to fighting back is threat intelligence. Staying ahead of future attacks requires a proper investment in intelligence groups who have the proper tools, people and processes to deliver up-to-date intelligence.
How Can Hospitals Protect Their Medical Equipment from Malware?
The challenges in protecting hospitals from cyber attacks are very similar to those faced in ICS and SCADA environments; the equipment used in hospitals is not user-serviceable and therefore often running out-of-date software or firmware. This creates a dangerous situation. The medical industry isn't alone in fighting this threat. They don't have to invent new techniques for preventing infection, they simply need to adapt the proven strategies employed by other industries.
Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies
The GAO has identified a number of challenges federal agencies face in addressing threats to their cybersecurity. In an effort to bolster cybersecurity across the federal government, several government-wide initiatives, spearheaded by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB), are under way. While these initiatives are intended to improve security, no single technology or tool is sufficient to protect against all cyber threats. Rather, agencies need to employ a multi-layered, "defense in depth" approach to security that includes well-trained personnel, effective and consistently applied processes, and appropriate technologies.
Maintaining Security despite Enterprise Mobility
This article provides some solutions your company can incorporate so that it doesn't have to forego the positive effects of enterprise mobility. Keep in mind that, to some degree, there's only so much you can do. Hackers are more sophisticated than ever before and that trend isn't going to reverse any time soon. Still, while there’s no way to guarantee you won't ever be a target, many hackers just want easy ones; it's nothing personal. If you make your business tougher to break into, they'll go elsewhere.
IT Performance Improvement: What's in the Latest Issue
In latest edition of IT Performance Improvement, "Assessment and Recovery of Projects in Trouble" by Soren Lyngso. "Payment Card Industry Data Security Standard (PCI-DSS)" by Abhay Bhargav. "Information Security for Systems" by Brook S. E. Schoenfield. Alfonso Bucero on "Developing Trust." "Turn Nine Common Virtual Meeting Misconceptions Inside Out" by Nancy Settle-Murphy and Steve Bather.
Five Ways to Improve SCADA Security
SCADA attacks are on the rise. Given these challenges, what can be done to improve the security of critical infrastructure? Here are five ways to improve SCADA security.
Multilevel Modeling of Secure Systems in QoP-ML
This book introduces the Bogdan Ksiezopolski's quality of protection modeling language (QoP-ML), which provides the multilevel modeling language for making abstraction of security systems that put emphasis on the details concerning quality of protection. The analysis of the secure systems can be performed automatically by means of an automated quality of protection analysis tool. Based on the multilevel analysis, the foundations of the new decision support system can be introduced. The book includes a number of examples and case studies that illustrate the QoP analysis process by the QoP-ML.
McAfee Labs Threats Report: May 2015
For the first time ever, the report explores attacks on firmware. It also highlights the emergence of new families of ransomware and Adobe Flash vulnerability exploits. Key topics include a huge surge in powerful and clever ransomware encrypts files and holds them hostage until the ransom is paid; new Adobe Flash exploits target the growing number of vulnerabilities that have not been patched by users; and persistent and virtually undetectable attacks by the Equation Group that reprogram hard disk drives and solid state drive firmware.
Just Because You're Silent, You May Not Be Really Listening
Most communications skills courses tend to focus on making people more articulate, effective and expressive through writing, speaking and presenting. Listening is rarely a focus. In this article from Communiqué, Nancy Settle-Murphy offers some practical tips for making you a better listener.
Call for Chapters: Information Security Management Handbook, Seventh Edition
The new edition of the handbook is following the National Cybersecurity Workforce Framework.
Insider Threats: DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems
The GAO reports that without an identified program office dedicated to oversight of insider-threat programs, DOD may not be able to ensure the collection of all needed information and could face challenges in establishing goals and in recommending resources and improvements to address insider threats.
Why Insider Threats Are Succeeding
As corporate networks expand in scope and geographic area, it has become easier for insider threats to access sensitive data and inflict catastrophic damage. While the malicious insider comes with a different set of challenges than other security concerns, organizations can protect themselves with the right tools and mindset. Early detection of these attackers can keep a security event from becoming a high-profile data breach.
This excerpt from Securing Systems: Applied Security Architecture and Threat Models discusses deployment models for endpoint anti-malware software.
Operational Models of Corporate Security Intelligence
This excerpt from Corporate Security Intelligence and Strategic Decision Making discusses why it is useful to have a model of intelligence to help guide structures, processes, and the deployment of resources. It then introduces a simple security intelligence model, applicable to any scale of deployment. Finally, it discuss aspects of a common dedicated countercrime model (the National Intelligence Model).
Why the Padlock Symbol and Green Bar Appear in Your Browser, and Why You Should Care
Consumers trust that when they enter their credit or debit card numbers and other sensitive information into the online checkout page, those companies are taking appropriate steps to secure that information. However, the same cannot be said of the consumers themselves. Those are some of the key findings of the CA Security Council (CASC) 2015 Consumer Trust Survey report. The good news: most shoppers can significantly improve their security postures by following some simple precautions, and by developing a better understanding of the technologies retailers can deploy to protect shoppers.
Turn 9 Common Virtual Meeting Misconceptions Inside Out
The basic premise: Successful virtual meetings require a thoughtful discipline that demonstrates a deep sense of respect for all participants, enabling them to be full and equal participants in the conversation. We also believe that any kind of meeting should be held only when discussions are needed. (If content review is required, let people do that somewhere else.) This article by Nancy M. Settle-Murphy refutes nine of the most popular misconceptions people hold about virtual meetings, and offer some practical tips that can help transform virtual meetings from mediocre to memorable. Nancy M. Settle-Murphy is author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results.
Fifteen Years After the ILoveYou Bug: Has the Face of Malware Changed?
Where were you when the ILOVEYOU bug started spreading on May 4, 2000, exactly 15 years ago? Was your computer one of the tens of millions of PCs the Love Letter attacked? How are malware changed in the last 15 years? Read on ...
Internet, Social Media, and Cyber Attacks on Critical Infrastructures
The increasing number of both people and devices becoming connected in cyberspace will greatly impact specific portions of our nation's critical infrastructure. Those infrastructures most immediately impacted will be the electrical grid system, transportation, and telecommunications. Other infrastructure sectors will also be impacted, such as food, water systems, emergency services, and banking and financial services, but the impact on their performance and continuity of service will not be as profound as the former. The salient point is that as societies become so interconnected to both their devices and the critical services they require, this increasing dependency may well increase our vulnerability to disruption of our critical infrastructures.
Privacy Threats Come from All Corners
The types of personal information crooks, marketers, surveilliers, and others are after varies greatly. You can see it in the kinds of organizations under attack from black-market entreprenuers, just-because-I-can hackers, and even Chinese computer manufacturers. Increasingly, consumers must practice diligent privacy practices with every entity they allow access to their personal information. Read on for tips on doing exactly that.
Flip Your (Virtual) Meetings - Learning from Our Best Teachers
To stave off boredom and stimulate learning that lasts longer than a class period, my kids' teachers are experimenting with "flipped classrooms." Rather than lecturing at kids with a bunch of PowerPoints during the precious classroom time, the teachers assign the content in advance. This way, sutdents come to class ready to debate ideas and apply what they've learned in ways that make the topics come alive. Let's take a page from teachers who have seen great results by flipping their classrooms. Here are a few steps to get you started.
Sorry, Symantec. Antivirus Is Not Dead.
This whitepaper highlights why there is still a need for end-point security protection; how the rise of 'crimeware' has highlighted the need for all users to protect their networks endpoints; despite 100% single antivirus protection no longer being a realistic expectation, organizations and individuals still have a need for antivirus security solutions; and how multi-scanning technology and anti-malware software can work alongside APT protection in helping prevent organizations from malicious attacks.
Protecting Critical Infrastructure from Threats
Portable media are a primary vector for cyber-attack. They are often the only way to transport files to and from secure areas. This article outlines a secure data workflow that organizations can implement in order to balance their security needs against their operational requirements, as well as how best to approach the crafting of security policies that address the inclusion of portable media while ensuring adherence to EO 13636.
Hacking the Human Operating System
McAfee Labs released a report, Hacking the Human Operating System, that examines how social engineering bypasses the "human firewall" and what you can do to better protect your people and your organization against these attacks.
Why Client-Side Encryption Is the Next Best Idea in Cloud-Based Data Security
In today's always-on digital climate, the complex and constantly evolving range of security threats is intimidating, leading many of us to consider whether or not our data can ever truly be safe from theft or loss. High-profile data security breaches haven't helped. Although it may be impossible to ever completely guarantee protection from potential data loss, client-side encryption is emerging as a viable alternative to end-to-end encryption and other less robust technologies--equipping today's personal and business users with the highest possible level of security for sensitive data and files.
Self-Service Reset Password Solutions: Issues Addressed and Problems Solved
You're thinking about implementing a self-service reset password solution, but you are not quite sure if it is worth it or if it will benefit your organization. The following checklist provides an easy overview of issues you might face, as well as solutions to how a password reset solution can easily solve these issues in addition to saving you time and money.
Concepts of Database Security
An excerpt from Multilevel Security for Relational Databases. It includes "Database Concepts," "Relational Database Security Concepts," and "Access Control in Relational Databases."
Onslaught of New Ransomware Strains
Ransomware is now a common term in our vocabulary, but it continues to evolve. The release below warns of an onslaught of new flavors and how they can be found and averted. The tactics range from using help files to infect along with phishing emails. Games are also now being targeted, bad news for those with teenagers in the house.
Basics of Security and Cryptography
An excerpt from Practical Cryptography: Algorithms and Implementations Using C++ edited by Saiful Azad and Al-Sakib Khan Pathan. It includes "The Perimeter of Cryptography in Practice" and "Things That Cryptographic Technologies Cannot Do."
In recent years with constantly updated browser versions, browser security features are becoming more powerful. This chapter from Web Security: A WhiteHat Perspective introduces some major browser security features.