Fifteen Years After the ILoveYou Bug: Has the Face of Malware Changed?
Where were you when the ILOVEYOU bug started spreading on May 4, 2000, exactly 15 years ago? Was your computer one of the tens of millions of PCs the Love Letter attacked? How has malware changed in the last 15 years? Read on ...
Internet, Social Media, and Cyber Attacks on Critical Infrastructures
The increasing number of both people and devices becoming connected in cyberspace will greatly impact specific portions of our nation's critical infrastructure. Those infrastructures most immediately impacted will be the electrical grid system, transportation, and telecommunications. Other infrastructure sectors will also be impacted, such as food, water systems, emergency services, and banking and financial services, but the impact on their performance and continuity of service will not be as profound as the former. The salient point is that as societies become so interconnected to both their devices and the critical services they require, this increasing dependency may well increase our vulnerability to disruption of our critical infrastructures.
Privacy Threats Come from All Corners
The types of personal information crooks, marketers, surveillers, and others are after vary greatly. You can see it in the kinds of organizations under attack from black-market entrepreneurs, just-because-I-can hackers, and even Chinese computer manufacturers. Increasingly, consumers must adopt diligent privacy practices with every entity they allow access to their personal information. Read on for tips on doing exactly that.
Flip Your (Virtual) Meetings - Learning from Our Best Teachers
To stave off boredom and stimulate learning that lasts longer than a class period, my kids' teachers are experimenting with "flipped classrooms." Rather than lecturing at kids with a bunch of PowerPoints during the precious classroom time, the teachers assign the content in advance. This way, students come to class ready to debate ideas and apply what they've learned in ways that make the topics come alive. Let's take a page from teachers who have seen great results by flipping their classrooms. Here are a few steps to get you started.
Sorry Symantec. Antivirus Is Not Dead.
This whitepaper highlights why there is still a need for end-point security protection; how the rise of 'crimeware' has highlighted the need for all users to protect their network endpoints; why, even though 100% protection from a single antivirus is no longer a realistic expectation, organizations and individuals still need antivirus security solutions; and how multi-scanning technology and anti-malware software can work alongside APT protection to help protect organizations from malicious attacks.
Rebecca Herold's Privacy Professor Tips for May
Data breaches, phishing scams and high-profile email "scandals" in the political world have shone a much-needed spotlight on privacy and data security issues. Consumers are beginning to pay closer attention to the threats and vulnerabilities posed by new technologies and expanded connectivity. Take advantage of the increased curiosity to further educate your peers, colleagues, friends and family. Read on for a few pointers that may get you started.
Protecting Critical Infrastructure from Threats
Portable media are a primary vector for cyber-attack. They are often the only way to transport files to and from secure areas. This article outlines a secure data workflow that organizations can implement in order to balance their security needs against their operational requirements, as well as how best to approach the crafting of security policies that address the inclusion of portable media while ensuring adherence to EO 13636.
Hacking the Human Operating System
McAfee Labs released a report, Hacking the Human Operating System, that examines how social engineering bypasses the "human firewall" and what you can do to better protect your people and your organization against these attacks.
Why Client-Side Encryption Is the Next Best Idea in Cloud-Based Data Security
In today's always-on digital climate, the complex and constantly evolving range of security threats is intimidating, leading many of us to consider whether or not our data can ever truly be safe from theft or loss. High-profile data security breaches haven't helped. Although it may be impossible to ever completely guarantee protection from potential data loss, client-side encryption is emerging as a viable alternative to end-to-end encryption and other less robust technologies--equipping today's personal and business users with the highest possible level of security for sensitive data and files.
Self-Service Reset Password Solutions: Issues Addressed and Problems Solved
You're thinking about implementing a self-service password reset solution, but you are not quite sure if it is worth it or if it will benefit your organization. The following checklist provides an easy overview of issues you might face, as well as how a password reset solution can solve these issues while saving you time and money.
IT Performance Improvement: What's New March 2015
"A Reality Check for Project Managers" by Lynda Bourne. "What Is Project Management Maturity?" by J. Kent Crawford. "The Scope of Project Scope Management" by Jamal Moustafaev. John Monroe's and regular columnist Nancy Settle-Murphy's "How to Create a 12-Month Plan in Just Two Hours."
Concepts of Database Security
An excerpt from Multilevel Security for Relational Databases. It includes "Database Concepts," "Relational Database Security Concepts," and "Access Control in Relational Databases."
Onslaught of New Ransomware Strains
Ransomware is now a common term in our vocabulary, but it continues to evolve. The release below warns of an onslaught of new flavors and explains how they can be found and averted. The infection tactics range from malicious help files to phishing emails. Games are also now being targeted, bad news for those with teenagers in the house.
Basics of Security and Cryptography
An excerpt from Practical Cryptography: Algorithms and Implementations Using C++ edited by Saiful Azad and Al-Sakib Khan Pathan. It includes "The Perimeter of Cryptography in Practice" and "Things That Cryptographic Technologies Cannot Do."
In recent years, with browsers being updated constantly, browser security features have become more powerful. This chapter from Web Security: A WhiteHat Perspective introduces some major browser security features.
What Is the Role of a CISO?
Andrew Wild, Lancope's new CISO, has spent over 25 years developing effective, customer-driven information security, incident response, compliance and secure networking programs for IT and security organizations. Here he discusses the role of the CISO, how it has changed over the years, and what tools and skills a CISO needs.
Security and Provenance
This chapter from Secure Data Provenance and Inference Control with Semantic Web discusses scalability issues for a secure provenance framework, where building a scalable framework is the major goal. It then discusses aspects of an access control language for provenance. Finally, it discusses graph operations on provenance, using graph structures to represent provenance.
Ten Tips to Avoid Massive Data Breaches. Don’t Be the Next Sony!
With Sony recently setting aside $15M to investigate the reasons for and remediate the damage caused by last year's data breach, many organizations—from large enterprises to small businesses—are wondering what they need to do to make sure they aren’t the next big data breach headline. The good news is that most data breaches can be prevented by a common sense approach, coupled with some key IT security adjustments.
Cyber-security: Changing the Economics!
The impact of recent cyber attacks will be felt for years to come, perhaps having risen to a new level of hurt with the Target and Sony attacks. With a Fortune 500 CEO ousted and a Hollywood movie held hostage, cyber-security is on the minds of chief executives and board members as they gather in their first meetings of 2015. How can a massive organization with complex systems and networks prevent itself from becoming the next Target or Sony? Is there any hope? Yes, there is hope! However, we have to change the economics of cyber attacks.
Top 2014 Security Hacks and How Managed Services Could Have Helped
This list of the top security hacks from 2014 explains how managed services could have helped in each situation. The list includes a short Q&A that further details these hacks and potential managed service remedies, as well as information about proactive vs. reactive cloud security, best practices in avoiding security breaches, and more.
Critical Infrastructure Executives Complacent about Internet of Things Security
Tripwire, Inc. today announced the results of an extensive study conducted by Atomik Research on the security of the "Enterprise of Things" in critical infrastructure industries. The study examined the impact that emerging security threats connected with the Internet of Things (IoT) have on enterprise security. Study respondents included 404 IT professionals and 302 executives from retail, energy and financial services organizations in the U.S. and U.K.
The Smart Grid and Privacy
This chapter from Data Privacy for the Smart Grid discusses the emerging privacy risk and the need for privacy policies, reviews relevant privacy laws, regulations, and standards, and outlines privacy-enhancing technologies and new privacy challenges.
Cisco Annual Security Report Reveals Widening Gulf between Perception and Reality of Cybersecurity Readiness
The Cisco 2015 Annual Security Report reveals that organizations must adopt an 'all hands on deck' approach to defend against cyber attacks. Attackers have become more proficient at taking advantage of gaps in security to evade detection and conceal malicious activity. Defenders, namely, security teams, must be constantly improving their approach to protect their organization from these increasingly sophisticated cyber attack campaigns. These issues are further complicated by the geopolitical motivations of the attackers and conflicting requirements imposed by local laws with respect to data sovereignty, data localization and encryption.
How to Create a 12-Month Plan in Just Two Hours
There's something about the blank slate of a brand new year that makes it a perfect time to get your group together and lay down plans for the next 12 months. Sounds like a good idea in theory, but it can be near impossible to persuade people to hunker down in a meeting room for a couple of days when their 'day jobs' are so demanding. In this article Nancy Settle-Murphy describes how (and why) a process called the Magic Wall works in a face-to-face (FTF) setting, and explores how some of these concepts might be played out virtually.
The Lean Leader: A Personal Journey of Transformation
In The Lean Leader, Robert B. Camp uses a compelling novel format to tackle the nuts and bolts of leading a Lean transformation. You'll follow along as the characters face real crises and what seem to be unreasonable deadlines. After reading this book, you'll know how to shed the decision-making tasks that have cluttered your days and delegate those decisions to employees who are closer to the action. You'll also learn how to look over the horizon to define and communicate a new course of action and compel others to follow. Chapter 1 is available to read.
In this chapter from Techniques and Sample Outputs that Drive Business Excellence, H. James Harrington and Chuck Mignosa discuss brainstorming (creative brainstorming), a technique used by a group to quickly generate large lists of ideas, problems, or issues. The emphasis is on quantity of ideas, not quality.
Widespread Employee Access to Sensitive Files Puts Critical Data at Risk
It's been 18 months since Snowden demonstrated the inability of the Puzzle Palace to identify and mitigate internal threats. Now, a new survey suggests--not surprisingly--that most organizations are having difficulty balancing the need for improved security with employee productivity demands. Employees with needlessly excessive data access privileges represent a growing risk for organizations due to both accidental and conscious exposure of sensitive or critical data.
2014-2015 Security Surprises, Challenges and Predictions
As 2014 comes to a close, it is time to cast 2015 security predictions and look back at 2014 predictions to see what we got right, what we got wrong, and what surprised us. Here TK Keanini, Lancope CTO, takes a retrospective look at his 2014 predictions, and projects 2015.
7 Ways to Keep Stakeholders Close in a Virtual World
Even though our intentions may be similar when working face-to-face and virtually, how we go about initiating and cultivating stakeholder relationships can be very different. Here are a few tips from Nancy Settle-Murphy, author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results, for engaging stakeholders virtually for projects that really matter.
5 Ways You Can Stay Protected Online This Holiday Shopping Season
With two of the biggest shopping days of the year--Black Friday and Cyber Monday--taking place this month, many consumers will turn to online channels to avoid hectic crowds and long checkout lines. While shopping online is convenient, e-commerce comes with its fair share of disadvantages, one of which is cybersecurity risk. Whether you choose to shop on Black Friday, Cyber Monday, or at any other point during the holiday shopping season, you must keep security top-of-mind to avoid falling victim to scams and potentially fraudulent transactions. Here are key tips to keep in mind.
Four Questions to Consider When Building a Security Platform
While most security professionals have come to grips with the fact that at some point they will fall victim to a compromise, the approach to security by and large still revolves around responding after something bad has occurred. Now this is by no means the fault of the security professional alone. The tools they have at their disposal, most of which offer a siloed view into their security posture, many times restrict their capabilities. To truly make the shift towards Continuous Advanced Threat Protection, security professionals need to evaluate tools and processes with a fresh set of eyes. This article outlines the four things to consider when making this necessary shift in security approach.
The economics of cyber threats are simple: cyber attacks are easy to organize and cheap to enact. Any computer anywhere can become the front line of an attack, which is not only difficult to defend against but leads to the need for constant vigilance and flexible defensive moves, both of which are rather more costly. CIOs and CISOs need to reverse these economics and change the game in their favor by driving down the cost to defend and increasing the cost to attack.
Breaking the Wall of Silence in a Virtual World
If you have ever led a virtual meeting, this scenario is familiar: You pose a brilliant provocative question, hoping to trigger a flurry of insightful responses. And instead, you hear ... Nothing. Nada. Zippo. Zilch. So what’s your next step? There are many techniques for generating more active participation in the virtual world. But first, you have to try to figure out the reasons for the silence. If you guess wrong, you might drive people further away from the virtual table. In this article from Communique, Nancy Settle-Murphy, author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results, explores some of the typical causes for a lack of participation and offers some remedies to help break through that painful wall of silence.
Basic Concepts of Multilevel Database Security
Mandatory access control (MAC) is a method of restricting unauthorized users from accessing objects that contain some sensitive information. An implementation of MAC is multilevel security (MLS), which has been developed mainly for computer and database systems at highly sensitive government organizations such as the intelligence community or the U.S. Department of Defense. This chapter from Multilevel Security for Relational Databases introduces the basic concepts of multilevel database security.
McAfee Report Reveals Organizations Choose Network Performance Over Advanced Security Features
McAfee today published a new report titled Network Performance and Security, exploring the challenges organizations face in deploying security protections while still maintaining an optimally performing network infrastructure. The report uncovered that an alarming number of organizations are now disabling advanced firewall features in order to avoid significant network performance degradation.
Android Malware Evolution
The evolution of Android malware, while mapping closely to the desktop trends, is often observed to proceed at an accelerated pace. Desktop malware and botnets have had time to grow and trial different methods of infection and potential uses, and the authors of the mobile counterparts are definitely applying these learned lessons. As explained in this chapter from Android Malware and Analysis, there are clear indicators that these are often the same groups working toward extending their list of infected machines to the Android world.
2014 Internet Security Threat Report
The Internet Security Threat Report provides an overview and analysis of the year in global threat activity. The report is based on data from the Symantec Global Intelligence Network, which Symantec's analysts use to identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.
8 Ways to Stop Interruptions from Derailing Your Next Virtual Meeting
In this edition of Communique, Nancy Settle-Murphy explores practical steps that virtual meeting leaders can take to anticipate and effectively handle interruptions and other types of disruptions that may throw virtual meetings off-course.
New F-Secure Threat Report: Ransomware Rising, Even on Android
The first half of 2014 saw an increase in online attacks that lock up user data and hold it for ransom -- even on mobile devices. According to F-Secure Labs' brand new 1H 2014 Threat Report, rising numbers of attacks from malicious software known as ransomware underscore the importance of data security for home, enterprise and government users. To find out the top countries for Android malware, the safest online market for mobile apps, and more details about all the threats to PC, Mac and mobile, check out the full 1H 2014 Threat Report.
The Top 10 Ways to Combat Insider Threats
An adversary who attacks an organization from within can prove fatal to the organization and is generally impervious to conventional defenses. But there are things you can do to mitigate the risk. Below is Lancope's Top 10 Ways to Combat Insider Threats.
Survey of Secure Computing
Secure computing spans a wide spectrum of areas, including protocol-based security issues, denial of service, web and cloud, mobile, database, and social- and multimedia-related security issues, just to name a few. Even as threats present themselves, active mechanisms and good preparation can help to minimize incidents and losses arising from them, but it is also to be noted that security in computing is still a long way from complete. This chapter from Case Studies in Secure Computing: Achievements and Trends presents a survey of common issues in security attacks and defenses in computing through the application of cryptography and the aid of security models for securing systems.
Don't Leave Remote Participants Hanging: 8 Tips for a Meeting of Equals
Let's face it: It's almost impossible to make remote callers feel like they're on equal footing with people who are gathered in the conference room for the big meeting. But with some thoughtful planning, you can come pretty close. Taking the perspective of a frustrated remote participant, Nancy Settle-Murphy, author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results, offers eight tips for people who plan and run "hybrid" meetings, consisting of people who are gathered face-to-face and those who join from afar. Here she assumes that the meeting planners are using WebEx and phone conferencing, but these tips can apply with almost any kind of virtual meeting set-up.
"Digital Forensics Explained" Cited as Expert Testimony in US Supreme Court Case
Greg Gogolin's book, Digital Forensics Explained, was cited eight times in a recent US Supreme Court case. The case concerned whether evidence admitted at petitioner’s trial was obtained in a search of petitioner’s cell phone that violated petitioner’s Fourth Amendment rights. Greg's book was cited as expert testimony.
Beyond PCI Compliance
An organization begins a journey when it achieves PCI compliance. It is usually a starting point for a continuing path to information security and assurance. It is very important for the organization to understand the potential challenges and effectively address them after it achieves PCI compliance. This excerpt from PCI Compliance: The Definitive Guide briefly discusses the challenges and success factors that the organization must be aware of to maintain compliance and achieve optimum information security for the enterprise.
Before You Take Your Next Trip
I don't know if you've ever read Stratfor's guidance on personal security, such as "Taming Chaos with a Personal Plan," but this new book, Personal Security: A Guide for International Travelers, provides a comprehensive approach to personal security and safety when travelling, or even while at home. To support your pre-trip preparations, this chapter, "Before You Go," maps out expert advice and lessons from real life cases to give you insights into basic planning questions.
Ethical Hacking: The Postexploitation Phase
After you have successfully exploited a target and managed to gain access to it, you enter the postexploitation phase, which is the last phase of the penetration testing process. Read on to learn how this phase proceeds, from escalating privileges to moving further into the internal network.
Building a Penetration Testing Lab
What do you need to build an effective pentesting lab? This checklist from Bruce Middleton's new book, Conducting Network Penetration and Espionage in a Global Environment, details exactly what you need.
Physical and Cybersecurity Have Converged
People have been talking about this for years. Now, convergence--the IP-enablement of everyday business functions creating an overlap of physical and cyber security issues--is no longer a "concept." It is now a reality, or should be. Ask Target, where hackers accessed the company's network via an attack on the third party provider for the heating/ventilation/air conditioning (HVAC) system to steal the financial information of more than 110 million customers.
Heartbleed Disclosure Timeline InfoGraphic
This infographic looks at the vulnerability from March 21 to April 7 from the perspective of NCSC-FI, Codenomicon, Google, OpenSSL and other providers. In addition to the factual timeline, there is some analysis and commentary as well.
This report is based on Arthur D. Little’s survey of 50 market experts in Europe, as well as comprehensive secondary market research. This report provides an overview of the digital signature technology, its current and potential market, as well as the benefits and challenges it brings. It also presents examples of practical applications of digital signature solutions.
Data classification is the practice of assigning information to predefined groups where each group has a common risk and corresponding security controls. This excerpt from JJ Stapleton's Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity discusses how information can be organized into categories based on the impact of its unauthorized disclosure due to insider or outsider threats. It also discusses the concept of tagging data with other attributes that affect data management.
What You Need to Know First about Penetration Testing
This is an excerpt from Conducting Network Penetration and Espionage in a Global Environment by Bruce Middleton.
Introduction to Wireless Intrusion Detection Systems
This is an excerpt from The State of the Art in Intrusion Prevention and Detection edited by Al-Sakib Khan Pathan.
If you are struggling to make sense of security metrics, then check out Security MetaMetrics. Run by Krag Brotby and Gary Hinson, the website supports the global community adopting innovative measurement techniques. If you believe that you can’t manage what you don't measure, then visit Security MetaMetrics today and take the first step to measure and manage information security properly.
Anonymity in Network Communication
In today’s interactive network environment, where various types of organizations and individuals are eager to monitor and track Internet use, anonymity is one of the most powerful resources available to counterbalance the threat of unknown spectators and to ensure Internet privacy. Find out more in this excerpt from Anonymous Communication Networks: Protecting Privacy on the Web by Kun Peng.
This month's issue of IT Performance Improvement focuses on Big Data. David Garmus provides "A Guide to Sizing and Estimating Projects." Michael West discusses how to measure the effects of process improvement. Carl Lehmann provides an overview of Kaplan and Norton's Balanced Scorecard. Also in this issue, Marco Sampietro and Tiziano Villa on "Reducing Change on Projects" and Nancy Settle-Murphy and Beatrice Briggs on building consensus.
This is an excerpt from Security for Service Oriented Architectures by Walter Williams.
Future Trends in WAN Security
This is an excerpt from Intrusion Detection in Wireless Ad-Hoc Networks edited by Nabendu Chaki and Rituparna Chaki.
Security Issues in Machine-to-Machine Communication
This is an excerpt from Security for Multihop Wireless Networks edited by Shafiullah Khan and Jaime Lloret Mauri.
Overcoming Top 10 Facilitation Fears
If you'd rather walk through fire than facilitate a virtual meeting, you're not alone! In this month's Communique, Nancy Settle-Murphy, author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results, and her colleague Dr. Keri Pearlson answer a few common questions from people who are thrust into the role of meeting facilitator, and would prefer to do practically anything but facilitate!