Information Security Today is brought to you by Auerbach Publications


IT Management


Risk Management

Business Continuity and Disaster Recovery Planning


Operations and Data Center

Networking and Telecommunications

Project Management

IT Performance Improvement


Auerbach Information Management Service

Editorial Calendar


Contributor Guidelines

Contact Editor


New Books

Android Malware and Analysis by Ken Dunham, Shane Hartman, Manu Quintans, Jose Andre Morales, and Tim Strazzere; ISBN 978-1-4822-5219-4
Biometric Technology: Authentication, Biocryptography, and Cloud-Based Architecture by Ravi Das; ISBN 978-1-4665-9245-2
Practical Cryptography: Algorithms and Implementations Using C++ edited by Saiful Azad and Al-Sakib Khan Pathan: ISBN 978-1-4822-2889-2
Multilevel Security for Relational Databases by Osama S. Faragallah, El-Sayed M. El-Rabaie, Fathi E. Abd El-Samie, Ahmed I. Sallam, and Hala S. El-SayedI ISBN 978-1-4822-0539-8
Ethical Hacking and Penetration Testing Guide by Rafay Baloch; ISBN 9781482231618
The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture by Kerry Ann Anderson; ISBN 9781482220070

Click on a book cover for more information or to order.
SAVE 20% AND GET FREE SHIPPING when you order these or any book online! Simply enter this code--813DA--at checkout.

What Is the Role of a CISO?
Andrew Wild, Lancope's new CISO, has spent over 25 years developing effective, customer-driven information security, incident response, compliance and secure networking programs for IT and security organizations. Here he discusses the role of the CISO, how it has changed over the years, and what tools and skills a CISO needs.

Security and Provenance
This chapter from Secure Data Provenance and Inference Control with Semantic Web discusses scalability issues for a secure provenance framework with building a scalable framework is the major goal. Then is discusses aspects of an access control language for provenance. Finally, it discusses graph operations on provenance, using graph structures to represent provenance.

Ten Tips to Avoid Massive Data Breaches. Don’t Be the Next Sony!
With Sony recently setting aside $15M to investigate the reasons for and remediate the damage caused by last year's data breach, many organizations—from large enterprises to small business—are wondering what they need to do make sure they aren’t the next big data breach headline. The good news is that most data breaches can be prevented by a common sense approach, coupled with some key IT security adjustments.

Cyber-security: Changing the Economics!
The impact of recent cyber attacks will be felt for years to come, perhaps having risen to a new level of hurt with the Target and Sony attacks. With a Fortune 500 CEO ousted and a Hollywood movie held hostage, cyber-security is on the minds of chief executives and board members as they gather in their first meetings of 2015. How can a massive organization with complex systems and networks prevent itself from becoming the next Target or Sony? Is there any hope? Yes, there is hope! However, we have to change the economics of cyber attacks. -->

Top 2014 Security Hacks and How Managed Services Could Have Helped
This list of the top security hacks from 2014 explains how managed services could have helped in each situation. The list includes a short Q&A that further details these hacks and potential managed service remedies, as well as information about proactive vs. reactive cloud security, best practices in avoiding security breaches, and more.

Critical Infrastructure Executives Complacent about Internet of Things Security
Tripwire, Inc. today announced the results of an extensive study conducted by Atomik Research on the security of the "Enterprise of Things" in critical infrastructure industries. The study examined the impact that emerging security threats connected with the Internet of Things (IoT) have on enterprise security. Study respondents included 404 IT professionals and 302 executives from retail, energy and financial services organizations in the U.S. and U.K.

The Smart Grid and Privacy
This chapter from Data Privacy for the Smart Grid discusses the emerging privacy risk and the need for privacy policies, reviews relevant privacy laws, regulations, and standards, and outlines privacy-enhancing technologies and new privacy challenges.

Cisco Annual Security Report Reveals Widening Gulf between Perception and Reality of Cybersecurity Readiness
The Cisco 2015 Annual Security Report reveals that organizations must adopt an 'all hands on deck' approach to defend against cyber attacks. Attackers have become more proficient at taking advantage of gaps in security to evade detection and conceal malicious activity. Defenders, namely, security teams, must be constantly improving their approach to protect their organization from these increasingly sophisticated cyber attack campaigns. These issues are further complicated by the geopolitical motivations of the attackers and conflicting requirements imposed by local laws with respect to data sovereignty, data localization and encryption.

How to Create a 12-Month Plan in Just Two Hours
There's something about the blank slate of a brand new year that makes it a perfect time to get your group together and lay down plans for the next 12 months. Sounds like a good idea in theory, but it can be near impossible to persuade people to hunker down in a meeting room for a couple of days when their 'day jobs' are so demanding. In this article Nancy Settle-Murphy describes how (and why) a processed called the Magic Wall works in a face-to-face (FTF) setting, and explores how some of these concepts might be played out virtually.

The Lean Leader: A Personal Journey of Transformation
In The Lean Leader, Robert B. Camp uses a compelling novel format to tackle the nuts and bolts of leading a Lean transformation. You'll follow along as the characters face real crises and what seem to be unreasonable deadlines. After reading this book, you'll know how to shed the decision-making tasks that have cluttered their days and delegate those decisions to employees who are closer to the action. You'll also learn how to look over the horizon to define and communicate a new course of action and compel others to follow. Click here to read Chapter 1.

In this chapter from Techniques and Sample Outputs that Drive Business Excellence, H. James Harrington and Chuck Mignosa discuss brainstorming (creative brainstorming), a technique used by a group to quickly generate large lists of ideas, problems, or issues. The emphasis is on quantity of ideas, not quality.

Privacy Predictions 2025!
After posting their IT predictions for next year, Varonis decided to assign themselves an even more challenging task. Using recent headlines from the tech press as a baseline, they tried to extrapolate ahead to the year 2025. Where might today's stories about technology and privacy lead to in ten years if we don't change how we manage IT security today?

2015 Security Forecasts

2015 Security Predictions: Retail Repeats, Ransomware, and More by Tom Cross, Director of Security Research, Lancope, Inc.

Six Enterprise IT Predictions for 2015 by David Gibson, VP, Varonis Systems

Security Threat Trends and Predictions 2015 Report by James Lyne, Global Head of Security Research, Sophos

What Was, What Is, and What Should Never Be: A Look at Security in 2014, 2015 and Beyond by Stephen Coty, Chief Security Evangelist, Alert Logic

McAfee Labs Threats Report: November 2014
Key topics in the November 2014 issue of the McAfee® Labs Threats Report and the significant impact of the recently-discovered BERserk vulnerability in RSA signature verification software and how cybercriminals exploit the trust we place in devices and websites. It also discusses some of the threat trends they expect to see in 2015.

Widespread Employee Access to Sensitive Files Puts Critical Data at Risk
It's been 18 months since Snowden demonstrated the inability of the Puzzle Palace to identify and mitigate internal threats. Now, a new survey suggests--not surprisingly--that most organizations are having difficulty balancing the need for improved security with employee productivity demands. Employees with needlessly excessive data access privileges represent a growing risk for organizations due to both accidental and conscious exposure of sensitive or critical data.

2014-2015 Security Surprises, Challenges and Predictions
As 2014 comes to a close, it is time to cast 2015 security predictions and look back at 2014 predictions to see what we got right, what we got wrong, and what surprised us. Here TK Keanini, Lancope CTO, takes retrospective look at his 2014 predictions, and projects 2015.

7 Ways to Keep Stakeholders Close in a Virtual World
Even though our intentions may be similar when working face-to-face and virtually, how we go about initiating and cultivating stakeholder relationships can be very different. Here are a few tips from Nancy Settle-Murphy, author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results, for engaging stakeholders virtually for projects that really matter.

5 Ways You Can Stay Protected Online This Holiday Shopping Season
With two of the biggest shopping days of the year--Black Friday and Cyber Monday--taking place this month, many consumers will turn to online channels to avoid hectic crowds and long checkout lines. While shopping online is convenient, e-commerce comes with its fair share of disadvantages, one of which is cybersecurity risks. Whether you choose to shop on Black Friday, Cyber Monday, or at any other point during the holiday shopping season, they must keep security top-of-mind to avoid falling victim to scams and potentially fraudulent transactions. Here are key tips to keep in mind.

Four Questions to Consider When Building a Security Platform
While most security professionals have come to grips with the fact that at some point they will fall victim to a compromise, the approach to security by and large still revolves around responding after something bad has occurred. Now this is by no means the fault of the security professional alone. The tools they have at their disposal, most of which offer a siloed view into their security posture, many times restrict their capabilities. To truly make the shift towards Continuous Advanced Threat Protection, security professionals need to evaluate tools and processes with a fresh set of eyes. This article outlines the four things to consider when making this necessary shift in security approach.

Cyber Economics
The economics of cyber threats are simple: cyber attacks are easy to organize and cheap to enact. Any computer anywhere can become the front line of an attack, which is not only difficult to defend against but leads to the need for constant vigilance and flexible defensive moves, both of which are rather more costly. CIOs and CISOs need to reverse these economics and change the game in their favor by driving down the cost to defend and increasing the cost to attack.

Breaking the Wall of Silence in a Virtual World
If you have ever led a virtual meeting, this scenario is familiar: You pose a brilliant provocative question, hoping to trigger a flurry of insightful responses. And instead, you hear ... Nothing. Nada. Zippo. Zilch. So what’s your next step? There are many techniques for generating more active participation in the virtual world. But first, you have to try to figure out the reasons for the silence. If you guess wrong, you might drive people further away from the virtual table. In this article from Communique, Nancy Settle-Murphy, author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results, explores some of the typical causes for a lack of participation, and will offer some remedies to help break through that painful wall of silence.

Basic Concepts of Multilevel Database Security
Mandatory access control (MAC) is a method of restricting unauthorized users from accessing objects that contain some sensitive information. An implementation of MAC is multilevel security (MLS), which has been developed mainly for computer and database systems at highly sensitive government organizations such as the intelligence community or the U.S. Department of Defense. This chapter from Multilevel Security for Relational Databases introduces the basic concepts of multilevel database security.

McAfee Report Reveals Organizations Choose Network Performance Over Advanced Security Features
McAfee today published a new report titled Network Performance and Security, exploring the challenges organizations face in deploying security protections while still maintaining an optimally performing network infrastructure. The report uncovered that an alarming number of organizations are now disabling advanced firewall features in order to avoid significant network performance degradation.

Android Malware Evolution
The evolution of Android malware, while mapping closely to the desktop trends, is often viewed at an accelerated pace. Malware and botnets have had time to grow and trial different methods of infections and potential uses, and the authors of the mobile counterparts are definitely applying these learned lessons. As explained in the chapter from Android Malware and Analysis, there are clear indicators that these are often the same groups working toward extending their list of infected machines to the Android world.

2014 Internet Security Threat Report
The Internet Security Threat Report provides an overview and analysis of the year in global threat activity. The report is based on data from the Symantec Global Intelligence Network, which Symantec's analysts use to identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.

8 Ways to Stop Interruptions from Derailing Your Next Virtual Meeting
In this edition of Communique, Nancy Settle-Murphy explores practical steps that virtual meeting leaders can take to anticipate and effectively handle interruptions and other types of disruptions that may throw virtual meetings off-course.

New F-Secure Threat Report: Ransomware Rising, Even on Android
The first half 2014 saw an increase in online attacks that lock up user data and hold it for ransom -- even on mobile devices. According to F-Secure Labs' brand new 1H 2014 Threat Report, rising numbers of attacks from malicious software known as ransomware underscore the importance of data security for home, enterprise and government users. To find out the top countries for Android malware, the safest online market for mobile apps, and for more details about all the threats to PC, Mac and mobile, check out the full 1H 2014 Threat Report.

The Top 10 Ways to Combat Insider Threats
An adversary who attacks an organization from within can prove fatal to the organization and is generally impervious to conventional defenses. But there are things you can do to mitigate the risk. Below is Lancope's Top 10 Ways to Combat Insider Threats.

Survey of Secure Computing
Secure computing spans a wide spectrum of areas, including protocol-based security issues, denial of service, web and cloud, mobile, database, and social- and multimedia-related security issues, just to name a few. Even as threats present themselves, active mechanisms and good preparation can help to minimize incidents and losses arising from them, but it is also to be noted that security in computing is still a long way from complete. This chapter from Case Studies in Secure Computing: Achievements and Trends presents a survey of common issues in security attacks and defenses in computing through the application of cryptography and the aid of security models for securing systems.

Don't Leave Remote Participants Hanging: 8 Tips for a Meeting of Equals
Let's face it: It's almost impossible to make remote callers feel like they're on equal footing with people who are gathered in the conference room for the big meeting. But with some thoughtful planning, you can come pretty close. Taking the perspective of a frustrated remote participant, Nancy Settle-Murphy, author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results, offers eight tips for people who plan and run "hybrid" meetings, consisting of people who are gathered face-to-face and those who join from afar. Here she assumes that the meeting planners are using WebEx and phone conferencing, but these tips can apply with almost any kind of virtual meeting set-up.

"Digital Forensics Explained" Cited as Expert Testimony in US Supreme Court Case
Greg Gogolin's book, Digital Forensics Explained, was cited eight times in a recent US Supreme Court case. The case concerned whether evidence admitted at petitioner’s trial was obtained in a search of petitioner’s cell phone that violated petitioner’s Fourth Amendment rights. Greg's book was cited as expert testimony.

Beyond PCI Compliance
An organization begins a journey when it achieves PCI compliance. It is usually a starting point for a continuing path to information security and assurance. It is very important for the organization to understand the potential challenges and effectively address them after they achieve successful PCI compliance. This excerpt from PCI Compliance: The Definitive Guide briefly discuss the challenges and success factors that the organization must be aware of to maintain compliance and achieve optimum information security for the enterprise.

Before You Take Your Next Trip
I don't know if you've ever read Stratfor's guidance on personal security, such as "Taming Chaos with a Personal Plan," but this new book, Personal Security: A Guide for International Travelers, provides a comprehensive approach to personal security and safety when travelling, or even while at home. To support your pre-trip preparations, this chapter, "Before You Go," maps out expert advice and lessons from real life cases to give you insights into basic planning questions.

Ethical Hacking: The Postexploitation Phase
After you have successfully exploited a target and managed to gain access to it, you enter the postexploitation phase, which is the last phase of the penetration testing process. Read on to learn how to exploit our targets further, escalating privileges and penetrating the internal network even more.

Building a Penetration Testing Lab
What do you need to build an effective pentesting lab? This checklist from Bruce Middleton's new book, Conducting Network Penetration and Espionage in a Global Environment, details exactly what you need.

Physical and Cybersecurity Have Converged
People have been talking about this for years. Now, convergence--the IP-enablement of everyday business functions creating an overlap of physical and cyber security issues--is no longer a "concept." It is now a reality, or should be. Ask Target, where hackers accessed the company's network via an attack on the third party provider for the heating/ventilation/air conditioning (HVAC) system to steal the financial information of more than 110 million customers.

Heartbleed Disclosure Timeline InfoGraphic
This infographic looks at the vulnerability from March 21-April 7 from the perspective of NCSC-FI, Codenomicon, Google, Open SSL and other providers. In addition to the factual timeline, there is some analysis/commentary as well.

Digital Signatures
This report is based on Arthur D. Little’s survey of 50 market experts in Europe, as well as comprehensive secondary market research. This report provides an overview of the digital signature technology, its current and potential market, as well as the benefits and challenges it brings. It also presents examples of practical applications of digital signature solutions.

Data Classification
Data classification is the practice of assigning information into predefined groups where each group has a common risk and corresponding security controls. This excerpt from JJ Stapleton's Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity discusses how information can be organized into categories based on its impact of unauthorized disclosure due to insider or outsider threats. It also discusses the concept of data tagging of other attributes that affect data management.

What You Need to Know First about Penetration Testing
This is an excerpt from Conducting Network Penetration and Espionage in a Global Environment by Bruce Middleton.

Introduction to Wireless Intrusion Detection Systems
This is an excerpt from The State of the Art in Intrusion Prevention and Detection edited by Al-Sakib Khan Pathan.

Security MetaMetrics
If you are struggling to make sense of security metrics, then check out Security MetaMetrics. Run by Krag Brotby and Gary Hinson, the website supports the global community adopting innovative measurement techniques. If you believe that you can’t manage what you don't measure, then visit Security MetaMetrics today and take the first step to measure and manage information security properly.

Anonymity in Network Communication
In today’s interactive network environment, where various types of organizations and individuals are eager to monitor and track Internet use, anonymity is one of the most powerful resources available to counterbalance the threat of unknown spectators and to ensure Internet privacy. Find out more in this excerpt from Anonymous Communication Networks: Protecting Privacy on the Web by Kun Peng.

Big Data
This month's issue of IT Performance Improvement focuses on Big Data. David Garmus provides "A Guide to Sizing and Estimating Projects." Michael West discusses how to measure the effects of process improvement. Carl Lehmann provides an overview of Kaplan and Norton's Balanced Scorecard. Also in this issue, Marco Sampietro and Tiziano Villa on "Reducing Change on Projects" and Nancy Settle-Murphy and Beatrice Briggs on building consensus.

Service-Oriented Architecture
This is an excerpt from Security for Service Oriented Architectures by Walter Williams.

Future Trends in WAN Security
This is an excerpt from Intrusion Detection in Wireless Ad-Hoc Networks edited by Nabendu Chaki and Rituparna Chaki.

Security Issues in Machine-to-Machine Communication
This is an excerpt from Security for Multihop Wireless Networks edited by Shafiullah Khan and Jaime Lloret Mauri.

Overcoming Top 10 Facilitation Fears
If you'd rather walk through fire than facilitate a virtual meeting, you're not alone! In this month's Communique, Nancy Settle-Murphy, author of Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results, and her colleague Dr. Keri Pearlson answer a few common questions from people who are thrust into the role of meeting facilitator, and would prefer to do practically anything but facilitate!

The Hybrid (Frugal) CISO
This excerpt from Kerry Ann Anderson's The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture presents theFrugal CISO as a hybrid professional. Frugal CISOs possess a diverse set of qualities and is adaptable in choosing to utilize them depending upon the specific circumstances in which they are operating. Being able to adapt to a variety of environments and circumstances is fundamental to information security that is dynamic and constantly under pressure to securely manage new technical innovations.

Killer Music: Hackers Exploit Vulnerabilities in Media Players to Infect User Machines with Advanced Malware
Listening to music can have a positive impact on our brain. And of course, music improves our mood because it triggers the release of the "pleasure chemical" Dopamine. But what most organizations don’t realise is that, while music can have a positive impact on its employees, the media players employees use to listen to their music of choice, or watch videos, can expose them, their machines, and their organization to risk of exploits and advanced malware infections.

Introduction to Wireless Intrusion Detection Systems
This excerpt from The State of the Art in Intrusion Prevention and Detection categorizes the typical operation of a common WIDS into six sections. These six categories are relevant for any IDS although the focus in the descriptions has concentrated on wireless IDSs. Discussion of the major attributes of each of these categories demonstrates that the choice of IDS characteristics can influence the performance of subsequent stages. Poor choices in the design of lower stages in the WIDS process can impact on the outcome of the entire system, leading to cascading suboptimal performance.

Internet Exploitation: The Web, Your Computer, Your IT System
In this excerpt from Trade Secret Theft, Industrial Espionage, and the China Threat, Carl Roper details vulnerabilities and attacks from hardware, software, and firmware (supply chain security issues) as well as network attacks.

McAfee Labs 2014 Threats Predictions Report: Cybercriminals Will Exploit Mobile Devices, the Cloud, and PCs
New technologies that enable business—like the cloud and mobile devices—are also attracting the attention of cybercriminals. In 2014, hackers are expected to exploit new attack surfaces and expand and refine their stealthy attack maneuvers. A view of what's expected in 2014: The BYOD trend is fueling attacks on mobile devices that will target enterprise infrastructures; Cybercrime exploits will become more difficult to detect than ever before; Nearly all major social media platforms will be subject to theft of user authentication credentials for the purpose of extracting user identity data.

Mobile Medical Devices
This is an excerpt from Chapter 6 of Wi-Fi Enabled Healthcare by Ali Youssef, Douglas McDonald II, Jon Linton, Bob Zemke, and Aaron Earle.

Before You Decide to Outsource
This is an excerpt from Chapter 3 of Managing Risk and Security in Outsourcing IT Services: Onshore, Offshore and the Cloud by Frank Siepmann.

Subscribe to Information Security Today

Google Reader or Homepage
Add to My Yahoo!

Bookmark and Share

Search the Site

The Blog


From Our Authors

Nancy Settle-Murphy: CommuniqueMaking Virtual Meetings Come Alive: It's Everyone's Job

Rebecca Herold: Privacy Professor Tips of the Month—Show Some Love for Privacy This Month


Agile Programme and Project Management Conference on February 26, 2015 in London, England

European Smart Grid Cyber Security on March 9-10, 2015 in London, UK

Wearables TechCon on March 9-11, 2014 in Santa Clara, California

Infosec World 2015 on March 23-23, 2015 at Disney's Contemporary Resort, Orlando, Florida

8th Oil & Gas Telecommunications conference on March 25-26, 2015 in London

Mobile Dev + Test Conference on April 12-17, 2015 in San Diego, California

Big Data TechCon on April 26-28, 2015 in Boston

Software Testing Conference on May 3–8, 2015 in Orlando

The Women In Technology International (WITI) Summit on May 31-June 2, 2015 in San Jose, California

Cyber Security for Financial Services Exchange on June 14-16, 2015 in Charlotte, North Carolina


Here are links to all Rebecca Herold's monthly Privacy Professor Tips to date.

Guided Insights

© Copyright 2015 Auerbach Publications