Information Security Today is brought to you by Auerbach Publications


New Books

Securing Cyber-Physical Systems edited by Al-Sakib Khan Pathan; ISBN 978-1-4987-0098-6
Leading the Internal Audit Function by Lynn Fountain; ISBN 978-1-4987-3042-6
Global Information Warfare: The New Digital Battlefield, Second Edition by Andrew Jones and Gerald L. Kovacich; ISBN 978-1-4987-0325-3
Mathematical Foundations of Public Key Cryptography by Xiaoyun Wang, Guangwu Xu, Mingqiang Wang, and Xianmeng Meng; ISBN 978-1-4987-0223-2
The Complete Guide for CPP Examination Preparation, 2nd Edition by Anthony V. DiSalvatore; ISBN 978-1-4987-0522-6
Business Continuity Planning: A Project Management Approach by Ralph L. Kliem; ISBN 978-1-4822-5178-4


Chimera Changes the Ransomware Game
Ransomware is an ever-growing issue within the cyber security industry. With the announcement of the new Chimera variant, what was already a large nuisance has been turned into a real threat to organizations and individuals alike. This article highlights what ransomware is and the staggering damages it can cause financially; how the new Chimera variant has changed the ransomware game from a nuisance to a real threat; the damaging effect this strain of ransomware could have, looking at high-profile breaches from the past year; and why an inside-out security approach is the best way to fight these types of threats.

Mobile Wallets: The New Fraud Frontier
With a company's bottom line, brand reputation and customer loyalty on the line, how can institutions secure payments via mobile wallets? The answer is in User Behavioral Analytics. This article highlights the different types of mobile payments that are currently being used, and how they work; why financial institutions have held back on developing their own mobile banking apps; and how utilizing user behavioral analytics can help detect good users more accurately within mobile payments and improve the overall customer experience.

6 CyberHacks That Will Affect Your Life in 2016
As we are quickly marching toward the end of another year, Stephen Newman, CTO of Damballa, discusses the new types of cyber attacks that we will likely see in 2016. He points out that these new types of attacks will draw everyone's attention to the lack of privacy and security in our interconnected world.

The Threat Within: 3 Out of 4 Companies Affected by Internal Information Security Incidents
Costly cyberattacks are now almost routine for businesses, but while many organizations are focusing on external attackers, it's important to also look at threats from within. According to the IT Security Risks Survey conducted by Kaspersky Lab and B2B International, 73% of companies have been affected by internal information security incidents. The survey also found that the largest single cause of confidential data losses is by employees (42%).

5 Tips for Shrinking the Elephant in the Room: Careless Employees
While it is important for organizations to be aware of the possibility of all types of insider threats, and to continue to invest in training courses and awareness programs, mistakes will continue to be made, making it more important to focus on the one thing that you can control: your data. This article by Dietrich Benjes, VP EMEA at Varonis, outlines the different types of insider threats facing your organization; how the more mundane insider threats are as serious as the less frequent 'corporate espionage' types; why organizations should focus on what they can control—their data; and the top 5 tips you can take in order to take control of the insider threat issue.

EDPACS Greatest Hits
For a limited time, you can read the best articles published in EDPACS: The EDP Audit, Control, and Security newsletter. EDPACS is the world's longest running IT audit newsletter. Published monthly, the newsletter supports the audit and control community with highly-regarded guidance in the fields of audit, control, and security. In addition, EDPACS regularly explores current and emerging issues around IT governance.

How Timeshifting Truly Transformed a Top-Performing Virtual Team
Basically, "timeshifting" means that a team can work together when it can't be together, either physically or virtually. Um, okay. But what does that really mean, and how do you accomplish it? This edition of Nancy Settle-Murphy's Communiqué shares just a few creative and insightful tips on how to make this happen. You're not going to want to miss a single one.

Russia’s Undeclared Cyber Wars
Post-Soviet Russia continues to exercise a get-tough attitude toward its former possessions. With each successful foray, its treatment toward the newly independent states that were once part of the Russian Empire becomes more and more assertive if not more aggressive. The excerpt from Vladimir Putin and Russia's Imperial Revival discusses Russia's cyberwar tactics and analyzes its 2007 Cyber War with Estonia.

10 Facts You Need to Know About Data Breaches
2014 was dubbed as "the year of the data breach." With many new data breaches dominating the headlines in 2015, including Anthem, the White House, banking attacks, and the latest employee data theft at the US federal government, one can only imagine what the name for 2015 will be: the year of even more data breaches? According to the Ponemon Institute, 43% of companies experienced a data breach in 2014. Not only is the number of data breaches rising, the number of records stolen per breach is increasing as well as the cost per stolen record. It is apparent that current security measures are not sufficient to protect organisations from data breaches. This article highlights the top 10 most interesting, remarkable and troubling facts about data breaches.

Leading the Internal Audit Function
In this book, Lynn Fountain presents lessons learned from her extensive experience as a CAE to help internal auditors understand the challenges, issues, and potential alternative solutions when executing the role. The book explains how to clarify management expectations for the internal audit and balance those expectations with the IIA Standards. It examines the concept of risk-based auditing and explains how to determine whether management and the internal audit team have the same objectives. It also looks at the internal auditor's role in corporate governance and fraud processes.

If You See Marty McFly, Can You Tell Him ...
In honor of 'Back to the Future Day' (in case you're not a fan, October 21, 2015 is the day Marty McFly visits in the 1989 second film in the trilogy), this article, written for fun by Martyn Ruks, Technical Director of MWR InfoSecurity, looks at the technology of the fictional 2015 and ponders just how secure it is.

Combating Account Takeover
Account takeovers are quickly becoming the new favorite fraud tactic for hackers. With personal data all at the top of the thieves' hit list, a small data breach can quickly expand into a wave of personal information that could cause problems for the fraud victim years down the track. This article discusses how small data breaches can mean big returns for criminals and hackers; why login details are key to fraudsters stealing your personal data; and how technology such as behavioral analytics can stop fraudsters before they acquire your details.

5 Things You Need to Know About the Proposed EU General Data Protection Regulation
European regulators are inches away from finalizing the General Data Protection Regulation (GDPR), which is a rewrite of the existing rules of the road for data protection and privacy spelled out in their legacy Data Protection Directive (DPD). The GDPR will likely be approved by the end of 2015 (or early 2016) and go into effect in 2017. Even before the recent European Justice Commission ruling against Facebook, organizations, including U.S. multinationals that handle EU personal information, will soon be required to comply with tougher rules to prove they're actively protecting personal data. Based on the latest proposal from the EU Council, this article from Varonis outlines the five key things you need to know about the proposed GDPR.

Managing Performance from Afar Made Easier: 10 Tips for a Happier Outcome
It can be awkward to give someone tough feedback when they're miles away. And that's the least of it. Without visual cues, the delivery of even the most well-meaning and thoughtful performance feedback can have the opposite effect. It can damage relationships, erode trust, sap motivation, and in reality, it can actually weaken performance, instead of strengthening it. In this edition of Communiqué, Nancy Settle-Murphy elaborates on a few tips from her Tips for Leading Amazingly Productive Virtual Teams guide.

The Difference between SIEM and UBA
Insider threats continue to be a top security concern and, as employees go rogue, User Behavior Analytics (UBA) is proving to be an effective insider threat prevention technology that is instrumental for IT security. For those companies that already use a Security Information and Event Management (SIEM) tool to monitor use for threat management, the question may be "Do we need UBA?" Although at first glance they may appear to be very similar, they in fact do different things and, in some use cases, it may be better to have both rather than one or the other. This article provides an overview of both SIEM and UBA, how they work and their pros and cons; a comparison of the two tools, and how they differ; and recommendations to help you decide which one is best for your organization.

The Privacy Professor's October Tips: Who Ya' Gonna Call to Protect Your Privacy?
The latest tips from Rebecca Herold, The Privacy Professor. Her latest book is Data Privacy for the Smart Grid, co-written with Christine Hertzog.

3 Reasons Why the Nuclear Industry Is a Good Cyber-Security Example
With the security of government facilities being of utmost importance in today's cyber-society, it is a positive sign to see industries such as the nuclear industry excelling in how they handle the implementation of security systems that can protect them against threats. This article discusses why the nuclear industry is a prime example of good cyber-security practices; the top three examples of how the nuclear industry is leading the way in cyber-security; and how other industries can follow in the nuclear industry's footsteps.

The Seven Deadly Sins of Incident Response
In today's cyber-society, where we are witnessing an endless barrage of attacks on government and enterprise networks, it is clear that organizations need to be more proactive when it comes to security and protecting themselves. Despite this, many companies are still committing the "7 deadly sins" when it comes to incident response. Taking this into consideration, this article highlights why it is important for companies to have a built-in incident response function; lists the top 7 mistakes companies are making when attempting to build an incident response function; and provides tips for how to deploy an effective incident response function and keep your organization safe from attackers.

Protecting Medical Record Data
After a slew of data breaches in 2014, the FBI warned the healthcare industry that cyber-criminals would be directing more attention their way in 2015. The healthcare industry, valued at $3 trillion, has become an increasingly valuable target for cyber criminals and, in some cases, a much easier target to attack, due to their often less than adequate investment in cyber security. What is it about the healthcare industry that has captured the cyber criminal’s interest in the last few years? This article from OPSWAT discusses reasons for the popularity of medical data theft and gives advice on how to prevent future breaches.

It's What People Aren't Saying That Leaders Most Need to Hear
In this article, Nancy Settle-Murphy uses a hypothetical example, representing a composite of some of our actual clients, to show how unmet expectations can undermine trust, demotivate teams, and chip away at relationship equity. It provides some practical steps for self-aware leaders who know they can do much more to create the kind of environment where every team member can flourish.

Top 3 Factors Driving the Rise in Data Breaches
It comes as no surprise that the number of companies falling victim to data breaches is on the rise. These stories are making headlines, and making CEOs and employees alike nervous that they will be the next victim. As computers are getting faster, so are hacking attempts. Hackers are now more capable than ever of implementing their plans. This article outlines the top three factors that are contributing to the rise of data breaches.

McAfee Labs Threats Report: August 2015
In this report, a dozen thought leaders from Intel Security share their views on the changes they have witnessed in the cyberthreat landscape and the evolution of security technology over the past five years. The report also compares what really happened to what we thought would happen over the past five years--from new approaches to cyberattacks to the economics of cybercrime; details techniques cyberthieves use to exfiltrate valuable data, moving it from your network to theirs; and separates fact from fiction about potential malware attacks on graphics processing units (GPUs).

How to Solve the Five Biggest Email Security Problems
By now we all know that if email is not properly managed, it can cause major security headaches, including infected machines, system downtime and embarrassing data breaches. With nuisances such as spam being mostly blocked by anti-spam products, organizations need to focus their attention on other major security issues that are being less successfully defended against. But what are the biggest email security problems that companies face today and how can they be solved? This article identifies the five biggest email security problems facing companies today and discusses how to solve each of them. It also provides tips and advice on software that can help you better protect your company against email threats.

Cybercrime as a Business—Part 3: The Evolution of the Arms Race
Part 2 talked about the criminal lifestyle of the computer as it got infected (from MalSpam, to exploit, to Trojan, to ransom), and how you, an "involuntary contribution associate" would enrich various criminals. Initially, things were simpler. Electronic banking was so easy, it was just a username and password and nothing else. But then banks started to get worried because it was too simple. Today they're using two factor authentication and SMS messaging verification with mobile phones, but this hasn't stopped the criminals because they are able to infect your phone as well. Part 3 discusses the evolution of the arms race.

Cybercrime as a Business—Part 2
Part 1 talked about using the cloud for business the criminal way, the benefits of the cloud, and how everything that applies to a regular business in the cloud also applies to the criminal business in the cloud, using examples of and Part 2 talks about the scheme, or the step-by-step process, that your computer goes through when it gets infected by things like Trojans and ransomware and what you can do to avoid that.

Avoiding the High Cost of Ambiguous Decisions
Truly bad decisions are made every day, often because the decision-making process is murky, and needed conversations are rushed. What is a better approach to facilitating group decisions? Joining Nancy M. Settle-Murphy, the author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results, in writing this Communiqué is her friend and colleague Rick Lent, president of Meeting for Results. Although the concepts can be applied to any kind of meeting, we offer tips for those who lead virtual meetings, where you lose vital visual cues.

Cybercrime as a Business—Part 1
Criminals are business people too and just as the Internet and related technologies such as cloud computing have revolutionized traditional business models and created new opportunities, so they have for the criminal business. This three-part series discusses the ways that criminals use the Internet to more efficiently steal money from the rest of us. It also touches upon what happens when you become an involuntary contribution association, as well as provides examples of how the arms race between criminals and those defending against them has evolved. People have gotten a little bit smarter about stopping these things, but so have the attackers.

Facial Recognition Technology: Commercial Uses, Privacy Issues, and Applicable Federal Law
Facial recognition technology, which can verify or identify an individual from a facial image, has rapidly improved in performance and now can surpass human performance in some cases. The Department of Commerce has convened stakeholders to review privacy issues related to commercial use of this technology, which GAO was also asked to examine.

The Ripple Effect of Identity Theft
As a society, we hear about data breaches all the time, but we rarely hear about what happens to the stolen data afterwards. We may not think much of losing one username and password combo or having to cancel a credit card, but each piece of data doesn't just disappear. It gets collected and combined into the tool of choice for today's fraudsters; one that is so difficult to overcome that we've had to rebuild how we do internet security. This article discusses the ripple effect of identity theft: what happens to data once stolen, the rise of account takeover, and how to protect yourself from data thieves.

The Financial Industry's Biggest Threat
With all the data breaches and cyber attacks that the financial sector has suffered recently, it is no surprise that cyber security is now seen as the top concern. Nearly half of financial services respondents cited cyber risk as the single biggest threat to the financial industry, and 80% listed it as one of the top five risks, according to a recent study. Cyber risk was listed far ahead of other concerns such as geopolitical risk, the impact of new regulations, and the US economic slowdown. This article looks at what financial organizations should be doing to protect themselves against data breaches.

Security Countermeasure Selection and Budgeting Tools
This chapter from the second edition of Risk Analysis and Security Countermeasure Selection explains what makes a security countermeasure effective or ineffective, the functions of security countermeasures, infiltration and attack scenarios, attack objectives, criminal offender types, criminal offender countermeasures, how to develop countermeasure effectiveness metrics, and how to develop a Decision Matrix to help decision makers reach consensus on a specific countermeasure when there are many points of view to consider.

Protests or Profiteering: The Hack Remains the Same
Whether it's cyber terrorism, hacktivism, or just another set of hackers trying to get famous by jumping on the media's hot topic, the key to fighting back is threat intelligence. Staying ahead of future attacks requires a proper investment in intelligence groups who have the proper tools, people and processes to deliver up-to-date intelligence.

How Can Hospitals Protect Their Medical Equipment from Malware?
The challenges in protecting hospitals from cyber attacks are very similar to those faced in ICS and SCADA environments; the equipment used in hospitals is not user-serviceable and therefore often running out-of-date software or firmware. This creates a dangerous situation. The medical industry isn't alone in fighting this threat. They don't have to invent new techniques for preventing infection, they simply need to adapt the proven strategies employed by other industries.

Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies
The GAO has identified a number of challenges federal agencies face in addressing threats to their cybersecurity. In an effort to bolster cybersecurity across the federal government, several government-wide initiatives, spearheaded by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB), are under way. While these initiatives are intended to improve security, no single technology or tool is sufficient to protect against all cyber threats. Rather, agencies need to employ a multi-layered, "defense in depth" approach to security that includes well-trained personnel, effective and consistently applied processes, and appropriate technologies.

Maintaining Security despite Enterprise Mobility
This article provides some solutions your company can incorporate so that it doesn't have to forego the positive effects of enterprise mobility. Keep in mind that, to some degree, there's only so much you can do. Hackers are more sophisticated than ever before and that trend isn't going to reverse any time soon. Still, while there’s no way to guarantee you won't ever be a target, many hackers just want easy ones; it's nothing personal. If you make your business tougher to break into, they'll go elsewhere.

IT Performance Improvement: What's in the Latest Issue
In the latest edition of IT Performance Improvement: "Assessment and Recovery of Projects in Trouble" by Soren Lyngso. "Payment Card Industry Data Security Standard (PCI-DSS)" by Abhay Bhargav. "Information Security for Systems" by Brook S. E. Schoenfield. Alfonso Bucero on "Developing Trust." "Turn Nine Common Virtual Meeting Misconceptions Inside Out" by Nancy Settle-Murphy and Steve Bather.

Five Ways to Improve SCADA Security
SCADA attacks are on the rise. Given these challenges, what can be done to improve the security of critical infrastructure? Here are five ways to improve SCADA security.

Multilevel Modeling of Secure Systems in QoP-ML
This book introduces Bogdan Ksiezopolski's quality of protection modeling language (QoP-ML), a multilevel modeling language for abstracting security systems with emphasis on the details concerning quality of protection. The analysis of secure systems can be performed automatically by means of an automated quality of protection analysis tool. Based on the multilevel analysis, the foundations of a new decision support system can be introduced. The book includes a number of examples and case studies that illustrate the QoP analysis process using QoP-ML.

McAfee Labs Threats Report: May 2015
For the first time ever, the report explores attacks on firmware. It also highlights the emergence of new families of ransomware and Adobe Flash vulnerability exploits. Key topics include a huge surge in powerful and clever ransomware that encrypts files and holds them hostage until the ransom is paid; new Adobe Flash exploits that target the growing number of vulnerabilities that have not been patched by users; and persistent and virtually undetectable attacks by the Equation Group that reprogram hard disk drive and solid state drive firmware.

Just Because You're Silent, You May Not Be Really Listening
Most communications skills courses tend to focus on making people more articulate, effective and expressive through writing, speaking and presenting. Listening is rarely a focus. In this article from Communiqué, Nancy Settle-Murphy offers some practical tips for making you a better listener.

Call for Chapters: Information Security Management Handbook, Seventh Edition
The new edition of the handbook is following the National Cybersecurity Workforce Framework.

Insider Threats: DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems
The GAO reports that without an identified program office dedicated to oversight of insider-threat programs, DOD may not be able to ensure the collection of all needed information and could face challenges in establishing goals and in recommending resources and improvements to address insider threats.

Why Insider Threats Are Succeeding
As corporate networks expand in scope and geographic area, it has become easier for insider threats to access sensitive data and inflict catastrophic damage. While the malicious insider comes with a different set of challenges than other security concerns, organizations can protect themselves with the right tools and mindset. Early detection of these attackers can keep a security event from becoming a high-profile data breach.

Endpoint Anti-malware
This excerpt from Securing Systems: Applied Security Architecture and Threat Models discusses deployment models for endpoint anti-malware software.

Operational Models of Corporate Security Intelligence
This excerpt from Corporate Security Intelligence and Strategic Decision Making discusses why it is useful to have a model of intelligence to help guide structures, processes, and the deployment of resources. It then introduces a simple security intelligence model, applicable to any scale of deployment. Finally, it discusses aspects of a common dedicated countercrime model (the National Intelligence Model).

Why the Padlock Symbol and Green Bar Appear in Your Browser, and Why You Should Care
Consumers trust that when they enter their credit or debit card numbers and other sensitive information into the online checkout page, those companies are taking appropriate steps to secure that information. However, the same cannot be said of the consumers themselves. Those are some of the key findings of the CA Security Council (CASC) 2015 Consumer Trust Survey report. The good news: most shoppers can significantly improve their security postures by following some simple precautions, and by developing a better understanding of the technologies retailers can deploy to protect shoppers.

Turn 9 Common Virtual Meeting Misconceptions Inside Out
The basic premise: Successful virtual meetings require a thoughtful discipline that demonstrates a deep sense of respect for all participants, enabling them to be full and equal participants in the conversation. We also believe that any kind of meeting should be held only when discussions are needed. (If content review is required, let people do that somewhere else.) This article by Nancy M. Settle-Murphy refutes nine of the most popular misconceptions people hold about virtual meetings, and offers some practical tips that can help transform virtual meetings from mediocre to memorable. Nancy M. Settle-Murphy is author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results.

Fifteen Years After the ILoveYou Bug: Has the Face of Malware Changed?
Where were you when the ILOVEYOU bug started spreading on May 4, 2000, exactly 15 years ago? Was your computer one of the tens of millions of PCs the Love Letter attacked? How has malware changed in the last 15 years? Read on ...

Internet, Social Media, and Cyber Attacks on Critical Infrastructures
The increasing number of both people and devices becoming connected in cyberspace will greatly impact specific portions of our nation's critical infrastructure. Those infrastructures most immediately impacted will be the electrical grid system, transportation, and telecommunications. Other infrastructure sectors will also be impacted, such as food, water systems, emergency services, and banking and financial services, but the impact on their performance and continuity of service will not be as profound as the former. The salient point is that as societies become so interconnected to both their devices and the critical services they require, this increasing dependency may well increase our vulnerability to disruption of our critical infrastructures.

Privacy Threats Come from All Corners
The types of personal information crooks, marketers, surveillers, and others are after vary greatly. You can see it in the kinds of organizations under attack from black-market entrepreneurs, just-because-I-can hackers, and even Chinese computer manufacturers. Increasingly, consumers must practice diligent privacy practices with every entity they allow access to their personal information. Read on for tips on doing exactly that.

Flip Your (Virtual) Meetings - Learning from Our Best Teachers
To stave off boredom and stimulate learning that lasts longer than a class period, my kids' teachers are experimenting with "flipped classrooms." Rather than lecturing at kids with a bunch of PowerPoints during the precious classroom time, the teachers assign the content in advance. This way, students come to class ready to debate ideas and apply what they've learned in ways that make the topics come alive. Let's take a page from teachers who have seen great results by flipping their classrooms. Here are a few steps to get you started.

Sorry Symantec. Antivirus Is Not Dead.
This whitepaper highlights why there is still a need for end-point security protection; how the rise of 'crimeware' has highlighted the need for all users to protect their network endpoints; why, despite 100% protection from a single antivirus product no longer being a realistic expectation, organizations and individuals still have a need for antivirus security solutions; and how multi-scanning technology and anti-malware software can work alongside APT protection in helping protect organizations from malicious attacks.

Protecting Critical Infrastructure from Threats
Portable media are a primary vector for cyber-attack. They are often the only way to transport files to and from secure areas. This article outlines a secure data workflow that organizations can implement in order to balance their security needs against their operational requirements, as well as how best to approach the crafting of security policies that address the inclusion of portable media while ensuring adherence to EO 13636.

Hacking the Human Operating System
McAfee Labs released a report, Hacking the Human Operating System, that examines how social engineering bypasses the "human firewall" and what you can do to better protect your people and your organization against these attacks.

Why Client-Side Encryption Is the Next Best Idea in Cloud-Based Data Security
In today's always-on digital climate, the complex and constantly evolving range of security threats is intimidating, leading many of us to consider whether or not our data can ever truly be safe from theft or loss. High-profile data security breaches haven't helped. Although it may be impossible to ever completely guarantee protection from potential data loss, client-side encryption is emerging as a viable alternative to end-to-end encryption and other less robust technologies--equipping today's personal and business users with the highest possible level of security for sensitive data and files.

Self-Service Reset Password Solutions: Issues Addressed and Problems Solved
You're thinking about implementing a self-service reset password solution, but you are not quite sure if it is worth it or if it will benefit your organization. The following checklist provides an easy overview of issues you might face, as well as solutions to how a password reset solution can easily solve these issues in addition to saving you time and money.

IT Performance Improvement: What's New March 2015
"A Reality Check for Project Managers" by Lynda Bourne. "What Is Project Management Maturity?" by J. Kent Crawford. "The Scope of Project Scope Management" by Jamal Moustafaev. John Monroe's and regular columnist Nancy Settle-Murphy's "How to Create a 12-Month Plan in Just Two Hours."

Concepts of Database Security
An excerpt from Multilevel Security for Relational Databases. It includes "Database Concepts," "Relational Database Security Concepts," and "Access Control in Relational Databases."

Onslaught of New Ransomware Strains
Ransomware is now a common term in our vocabulary, but it continues to evolve. The release below warns of an onslaught of new flavors and how they can be found and averted. The tactics range from infection via help files to phishing emails. Games are also now being targeted, bad news for those with teenagers in the house.

Basics of Security and Cryptography
An excerpt from Practical Cryptography: Algorithms and Implementations Using C++ edited by Saiful Azad and Al-Sakib Khan Pathan. It includes "The Perimeter of Cryptography in Practice" and "Things That Cryptographic Technologies Cannot Do."

Browser Security
In recent years, with browser versions being constantly updated, browser security features have become more powerful. This chapter from Web Security: A WhiteHat Perspective introduces some major browser security features.

What Is the Role of a CISO?
Andrew Wild, Lancope's new CISO, has spent over 25 years developing effective, customer-driven information security, incident response, compliance and secure networking programs for IT and security organizations. Here he discusses the role of the CISO, how it has changed over the years, and what tools and skills a CISO needs.

Security and Provenance
This chapter from Secure Data Provenance and Inference Control with Semantic Web discusses scalability issues for a secure provenance framework, where building a scalable framework is the major goal. It then discusses aspects of an access control language for provenance. Finally, it discusses graph operations on provenance, using graph structures to represent provenance.

Ten Tips to Avoid Massive Data Breaches. Don’t Be the Next Sony!
With Sony recently setting aside $15M to investigate the reasons for and remediate the damage caused by last year's data breach, many organizations—from large enterprises to small business—are wondering what they need to do to make sure they aren’t the next big data breach headline. The good news is that most data breaches can be prevented by a common sense approach, coupled with some key IT security adjustments.

Cyber-security: Changing the Economics!
The impact of recent cyber attacks will be felt for years to come, perhaps having risen to a new level of hurt with the Target and Sony attacks. With a Fortune 500 CEO ousted and a Hollywood movie held hostage, cyber-security is on the minds of chief executives and board members as they gather in their first meetings of 2015. How can a massive organization with complex systems and networks prevent itself from becoming the next Target or Sony? Is there any hope? Yes, there is hope! However, we have to change the economics of cyber attacks.

Top 2014 Security Hacks and How Managed Services Could Have Helped
This list of the top security hacks from 2014 explains how managed services could have helped in each situation. The list includes a short Q&A that further details these hacks and potential managed service remedies, as well as information about proactive vs. reactive cloud security, best practices in avoiding security breaches, and more.

Critical Infrastructure Executives Complacent about Internet of Things Security
Tripwire, Inc. today announced the results of an extensive study conducted by Atomik Research on the security of the "Enterprise of Things" in critical infrastructure industries. The study examined the impact that emerging security threats connected with the Internet of Things (IoT) have on enterprise security. Study respondents included 404 IT professionals and 302 executives from retail, energy and financial services organizations in the U.S. and U.K.

The Smart Grid and Privacy
This chapter from Data Privacy for the Smart Grid discusses the emerging privacy risk and the need for privacy policies, reviews relevant privacy laws, regulations, and standards, and outlines privacy-enhancing technologies and new privacy challenges.

Cisco Annual Security Report Reveals Widening Gulf between Perception and Reality of Cybersecurity Readiness
The Cisco 2015 Annual Security Report reveals that organizations must adopt an 'all hands on deck' approach to defend against cyber attacks. Attackers have become more proficient at taking advantage of gaps in security to evade detection and conceal malicious activity. Defenders, namely, security teams, must be constantly improving their approach to protect their organization from these increasingly sophisticated cyber attack campaigns. These issues are further complicated by the geopolitical motivations of the attackers and conflicting requirements imposed by local laws with respect to data sovereignty, data localization and encryption.

How to Create a 12-Month Plan in Just Two Hours
There's something about the blank slate of a brand new year that makes it a perfect time to get your group together and lay down plans for the next 12 months. Sounds like a good idea in theory, but it can be near impossible to persuade people to hunker down in a meeting room for a couple of days when their 'day jobs' are so demanding. In this article Nancy Settle-Murphy describes how (and why) a process called the Magic Wall works in a face-to-face (FTF) setting, and explores how some of these concepts might be played out virtually.

The Lean Leader: A Personal Journey of Transformation
In The Lean Leader, Robert B. Camp uses a compelling novel format to tackle the nuts and bolts of leading a Lean transformation. You'll follow along as the characters face real crises and what seem to be unreasonable deadlines. After reading this book, you'll know how to shed the decision-making tasks that have cluttered your days and delegate those decisions to employees who are closer to the action. You'll also learn how to look over the horizon to define and communicate a new course of action and compel others to follow. Click here to read Chapter 1.

In this chapter from Techniques and Sample Outputs that Drive Business Excellence, H. James Harrington and Chuck Mignosa discuss brainstorming (creative brainstorming), a technique used by a group to quickly generate large lists of ideas, problems, or issues. The emphasis is on quantity of ideas, not quality.

Widespread Employee Access to Sensitive Files Puts Critical Data at Risk
It's been 18 months since Snowden demonstrated the inability of the Puzzle Palace to identify and mitigate internal threats. Now, a new survey suggests--not surprisingly--that most organizations are having difficulty balancing the need for improved security with employee productivity demands. Employees with needlessly excessive data access privileges represent a growing risk for organizations due to both accidental and conscious exposure of sensitive or critical data.

2014-2015 Security Surprises, Challenges and Predictions
As 2014 comes to a close, it is time to cast 2015 security predictions and look back at 2014 predictions to see what we got right, what we got wrong, and what surprised us. Here TK Keanini, Lancope CTO, takes a retrospective look at his 2014 predictions, and projects 2015.

7 Ways to Keep Stakeholders Close in a Virtual World
Even though our intentions may be similar when working face-to-face and virtually, how we go about initiating and cultivating stakeholder relationships can be very different. Here are a few tips from Nancy Settle-Murphy, author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results, for engaging stakeholders virtually for projects that really matter.

5 Ways You Can Stay Protected Online This Holiday Shopping Season
With two of the biggest shopping days of the year--Black Friday and Cyber Monday--taking place this month, many consumers will turn to online channels to avoid hectic crowds and long checkout lines. While shopping online is convenient, e-commerce comes with its fair share of disadvantages, one of which is cybersecurity risks. Whether you choose to shop on Black Friday, Cyber Monday, or at any other point during the holiday shopping season, you must keep security top-of-mind to avoid falling victim to scams and potentially fraudulent transactions. Here are key tips to keep in mind.

Four Questions to Consider When Building a Security Platform
While most security professionals have come to grips with the fact that at some point they will fall victim to a compromise, the approach to security by and large still revolves around responding after something bad has occurred. Now this is by no means the fault of the security professional alone. The tools they have at their disposal, most of which offer a siloed view into their security posture, many times restrict their capabilities. To truly make the shift towards Continuous Advanced Threat Protection, security professionals need to evaluate tools and processes with a fresh set of eyes. This article outlines the four things to consider when making this necessary shift in security approach.

Cyber Economics
The economics of cyber threats are simple: cyber attacks are easy to organize and cheap to enact. Any computer anywhere can become the front line of an attack, which is not only difficult to defend against but leads to the need for constant vigilance and flexible defensive moves, both of which are rather more costly. CIOs and CISOs need to reverse these economics and change the game in their favor by driving down the cost to defend and increasing the cost to attack.

Breaking the Wall of Silence in a Virtual World
If you have ever led a virtual meeting, this scenario is familiar: You pose a brilliant provocative question, hoping to trigger a flurry of insightful responses. And instead, you hear ... Nothing. Nada. Zippo. Zilch. So what’s your next step? There are many techniques for generating more active participation in the virtual world. But first, you have to try to figure out the reasons for the silence. If you guess wrong, you might drive people further away from the virtual table. In this article from Communique, Nancy Settle-Murphy, author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results, explores some of the typical causes for a lack of participation and offers some remedies to help break through that painful wall of silence.

Basic Concepts of Multilevel Database Security
Mandatory access control (MAC) is a method of restricting unauthorized users from accessing objects that contain some sensitive information. An implementation of MAC is multilevel security (MLS), which has been developed mainly for computer and database systems at highly sensitive government organizations such as the intelligence community or the U.S. Department of Defense. This chapter from Multilevel Security for Relational Databases introduces the basic concepts of multilevel database security.


From Our Authors

Nancy Settle-Murphy: Communique - Managing Performance from Afar Made Easier: 10 Tips for a Happier Outcome

Rebecca Herold: Privacy Professor Tips of the Month—Who Ya' Gonna Call to Protect Your Privacy?


November 30, 2015 - Kuala Lumpur to Host Conference on Paradigm Shift in Cyber Intrusions and Challenges of Securing Large Systems and Infrastructures

November 19, 2015 - Trend Micro 2016 Threat Predictions Forecast an Uptick in Online Extortion and Hacktivism


5th Annual Oil & Gas Cyber Security Conference on November 30-December 1, 2015 in London, United Kingdom

The Android Developer Conference on December 1-3, 2015 in Santa Clara, California

Next Generation DevOps on December 2, 2015 in London, England

Cyber Security Exchange on December 6-8, 2015 in Florida

Cyber Security for Healthcare Exchange on December 6-8, 2015 at the Omni Orlando Resort at Champions Gate, Florida

SharePoint Fest on December 8-10, 2015 in Chicago

Nice Global Forum on Homeland Security and Crisis Management on February 2-5, 2016 in Nice, France

E&P Information and Data Management on February 3-4, 2016, in London, United Kingdom

SPTechCon: The SharePoint Technology Conference on February 21-24, 2016 in Austin, Texas

SharePoint Fest on March 1-3, 2016 in Denver

connect:ID 2016 on March 14-16, 2016 in Washington, DC

InfoSec World 2016 on April 4-6, 2016 at Disney's Contemporary Resort in Lake Buena Vista, Florida

SharePoint Fest on April 27-29, 2016 in Washington, DC


Here are links to all Rebecca Herold's monthly Privacy Professor Tips to date.


© Copyright 2015 Auerbach Publications