Information Security Today is brought to you by Auerbach Publications


New Books

Handbook of Surveillance Technologies, Third Edition by J.K. Petersen, ISBN 978-1-4398-7315-1, $139.95
Security De-Engineering: Solving the Problems in Information Risk Management by Ian Tibble, ISBN 978-1-4398-6834-8, $69.95
Asset Protection through Security Awareness by Tyler Justin Speed, ISBN 978-1-4398-0982-2, $69.95
Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS by Tyson Macaulay and Bryan Singer, ISBN 978-1-4398-0196-3, $79.95
Information Security Governance Simplified: From the Boardroom to the Keyboard by Todd Fitzgerald, ISBN 978-1-4398-1163-4, $79.95
Cybersecurity: Public Sector Threats and Responses by Kim J. Andreasson, ISBN 978-1-4398-4663-6, $59.95



Key IT Security Trends for 2012
Kroll Ontrack announced the most important technology trends for the coming year. However, businesses that want to benefit from these trends need to look at adopting iron clad information management and security strategies to ensure data security and data loss avoidance.

Online Merchants Made Most Progress against Fraud in 13 Years
CyberSource today announced results of its 13th annual survey of eCommerce fraud. The overall picture: merchants are making gains against fraud, but the battle continues. The fraud rate by order (the percentage of orders that turned out to be fraudulent) dropped from 0.9 percent in 2010 to 0.6 percent in 2011, the lowest in the 13-year history of the survey. But the cost of combating fraud continues to grow. Dollar losses were up, manual review continued to climb, and merchants reiterated their concern that fraud is becoming more difficult to detect. 27 percent of respondents said they are engaged in mobile commerce, and initial indicators regarding fraud in that channel are promising.

Untangle Your Virtual Team with 10 Most-Needed Norms
In this article, Nancy Settle-Murphy of Guided Insights provides 10 "best practices" norms that can do the most to save time, reduce frustration and boost productivity of virtual teams. Extracted from one of her Bridging the Distance Virtual Leadership workshop series, these examples include specific actions that can support each one. For this piece, she touches on virtual meetings, decision-making, the use of email, shared documents and scheduling, areas for which a lack of explicit norms can cause especially thorny problems for virtual teams.

Ben Rothke: Security Reading Room
Review of Defense Against the Black Arts: How Hackers Do What They Do and How to Protect Against It.

Lean Management
One of the concepts that is gaining popularity is called Lean management or Lean performance. It’s based on the principles from Toyota’s production system (TPS). These concepts helped take Toyota from a small car company to one of the market leaders in the automotive industry in terms of quality and efficiency. The primary goal is to get rid of waste that occurs in the product process. For most Lean efforts everything is based around the muda (waste). Muda translates into any activity that is wasteful, meaning it does not add any value or is unproductive. Seven activities fall into this category.

Passwords Are Not Enough: Why Enterprises Need Strong Authentication, Too
In this article, Tim Matthews, Symantec's director of User Authentication, discusses the uselessness of passwords and what organizations should be doing to keep data how it should be: safe and under the right control at all times. He then explains how strong, or two-factor, authentication is a simple and flexible alternative to the antiquated password.

Monitoring the User Experience
One of the great challenges for network administrators is monitoring the user experience. It's become something of a buzzword, with management telling the network team to do it without any actual indication of what they want. Without clear direction, it's nearly impossible to know what metrics will be meaningful, and then how to configure monitoring solutions to produce useful data. And yet the overall goal of everything IT does is to make sure the user is able to access the resources needed to be productive. Users won't care if they have state-of-the-art endpoints if the network itself is slow. That, as Brad Reinboldt of Network Instruments explains, means that monitoring the back end of the user experience is vital for IT.

Cybersecurity: Public Sector Threats and Responses
This accessible primer focuses on the convergence of globalization, connectivity, and the migration of public sector functions online. It examines emerging trends and strategies from around the world and identifies the challenges you need to be aware of. Offering practical guidance for addressing contemporary risks, the book considers global trends, national and local policy approaches, and practical considerations. Suitable for classroom use, Kim J. Andreasson's book will help you understand the threats facing today’s governments at all levels and the issues that must be considered when thinking about cybersecurity from a policy perspective.

Security Is Broken
When discussing the information security sector, the word "broken" crops up quite often in magazines, journals, conferences, blogs, and other sources. In his book The Myths of Security, John Viega says about security, "A lot of little things are just fundamentally wrong, and the industry as a whole is broken." So, if it's broken, can it be fixed? This is the Herculean task Ian Tibble has assumed.

Organizational Change: Ignore Roadblocks at Your Peril by Nancy Settle-Murphy
We all have different ways of dealing with roadblocks, based on our personalities, perceived sense of urgency, navigational abilities, experience dealing with similar roadblocks, and other factors. And so it is when we encounter resistance to organizational change, a very particular type of roadblock, that tends to stop even the most experienced leaders in their tracks. Just as drivers must determine how best to handle different types of roadblocks that block their paths, so, too, must company leaders learn how to anticipate and address resistance to organizational change. In this article, Nancy Settle-Murphy of Guided Insights offers tips for determining just how formidable that roadblock is, and deciding which interventions make the most sense to remove the roadblock, or at least to minimize the inconvenience.

Data Mining Applications for Security
While data mining technologies have exploded over the past two decades, the developments in information technologies have resulted in an increasing need for security. As a result, there is now an urgent need to develop secure systems. However, as systems are being secured, malware technologies have also exploded. Therefore, it is critical that we develop tools for detecting and preventing malware. This excerpt discusses the various applications of data mining to support information security.

The Penetration Testing Framework
What is a framework? Moreover, how does it apply to attacking a system? Finally, is a framework a methodology? A framework is a collection of measurable tasks, whereas a methodology is a specific set of inputs, processes, and their outputs. A framework provides a hierarchy of steps, taking into consideration the relationships that can be formed when executing a task given a specific method. How does this apply to penetration testing?

The ABCs of a Persuasive Security Awareness Program
This chapter explores and exploits the scientific body of knowledge around the psychology of how humans behave and make decisions. Using psychological principles that social scientists and psychologists have discovered over the past 50 years, we can produce security awareness programs that are more personal, relevant, and persuasive. Ultimately, knowing, understanding, and applying what we know about the engines of personal behavior will allow us to write more effective awareness programs.

6 Steps to Security Policy Excellence
Striking the right balance between risk mitigation and the commercial demands of the business is an essential skill, which must be adapted according to the nature of your industry and the size, culture and risk appetite of your organization. This role needs to have clear ownership at senior management level. Organizations need to take a systematic and proactive approach to risk mitigation if they are to be better prepared to satisfy evolving legal and regulatory requirements, manage the costs of compliance and realize competitive advantage. Achieving and maintaining policy compliance becomes more difficult to sustain as organizations grow, become more geographically dispersed and more highly regulated. But, it doesn't have to be this way.

What Is Insider Computer Fraud?
An organization's employees are often more intimate with its computer system than anyone else. Many also have access to sensitive information regarding the company and its customers. This makes employees prime candidates for sabotaging a system if they become disgruntled or for selling privileged information if they become greedy. This excerpt introduces the fundamental elements of computer fraud, then discusses insider threat concepts, concerns, and defenses.

Protecting Mobile Data: When Is Enough, Enough?
This article discusses how the dramatic increase in smart mobile device use makes it impossible for organizations to know everywhere their potentially sensitive data will travel. It provides an in-depth analysis on how encryption technology can be used to round out a defense in-depth approach to mobile security to ensure sensitive corporate data is protected no matter where it might end up. It also provides practical best practices organizations should follow when implementing mobile-specific encryption policies.

Whitelisting
Documenting all network resources and being able to use whitelisting will give the enterprise more control over those resources and lessen the risk to the enterprise. The upfront work for implementing whitelisting will require a larger effort. Once completed, the whitelisting will enable the enterprise to specifically know what resources are available and who has access to what resources. Overall, implementing whitelisting will reduce the risk of findings during a compliance audit.

Terrorism: An Overview
What do you know about terrorism? Yes, it's a violent, destructive, political act. What else? If you can't easily explain terrorism, then this excerpt from The Counterterrorism Handbook: Tactics, Procedures, and Techniques, Fourth Edition will help bring you up to speed.

Security Risk Assessment Approaches
There are nearly as many security risk assessment approaches as there are organizations that perform them. There are strengths and weaknesses within each approach, but the applicability of the approach to your specific environment, objective, and available resources will be the biggest driving factor in selection of the appropriate approach. The following briefly describes some of the differences between currently available approaches to assist in your understanding and to aid in the selection process.

Smart Card Security: The SIM/USIM Case
Open smart card-based platforms used by mobile systems are new-generation trusted personal devices with enhanced flexibility in terms of connectivity and interoperability. Smart cards can host several applications and allow new applications to be added after their issuance. This excerpt from Security of Mobile Communications discusses some of the known and well-documented attacks against smart card-based systems. Particular attention is given to attacks against the smart card itself, its interaction with the system, and the API and OS it uses.

Rootkits: The Ultimate Malware Threat
Fifteen years ago, damage and disruption due to virus and worm infections also comprised one of the most serious types of security risks. Things have changed considerably since then; certain types of malicious code ("malware") other than viruses and worms have moved to the forefront of risks that organizations currently face. Rootkits in particular now represent what might safely be called the ultimate malware threat. This chapter covers the ins and outs of rootkits, the relationship between rootkits and security-related risk, how to prevent rootkits from being installed in the first place, and how to detect and recover when rootkits have been installed in victim systems.

Hacking Windows
Many people have the opinion that security does not count when an attacker has physical access to your computer. Jesse Varsalone, co-author of Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It, strongly disagrees with that opinion. Security always counts, especially when an attacker is able to get physical access to your box. It does not have to be "game over" just because an attacker gets physical access to your machines. There are measures you can take to secure your computers from physical attack. This chapter will discuss what measures can be taken to secure a Microsoft Windows operating system and how vulnerable these systems can be when proper precautions are not taken.

Security Countermeasure Goals and Strategies
The term security countermeasures implies correctly that they are measures taken to counter a threat action. In an ideal world, security countermeasures would be so effective as to completely eliminate the will of potential threat actors to take action. This excerpt from Risk Analysis and Security Countermeasure Selection by Thomas Norman explains why security countermeasures are required, and the elements of countermeasure objectives, goals, and strategies.

Targeted Network Attacks
In recent years, your company has made substantial investments into its information security infrastructure, which have had a major impact on the detection and eradication of typical malware threats. These investments notwithstanding, companies are still often not aware of a more significant threat to their network: network attacks that are targeted specifically for their organization. This whitepaper gives a broad overview of some common methods used by hackers during targeted network attacks and some steps your organization can take to combat them.

Establishing a Patch Management Policy
The main reason for the implementation of a patch management policy is to define the process which IT security teams must follow to ensure that their systems and applications are up-to-date, known vulnerabilities are addressed and that the organization is compliant with several regulations and standards. So, what should your patch management policy cover?

Virtual Meetings: Design for Worst-Case Scenarios for Best Outcomes
This article offers some practical tips for anticipating and addressing problems that arise frequently during virtual meetings. Of course, in an ideal world, we think through every possible risk and mitigate each one before a problem occurs. But in the real world, which admittedly is not quite perfect, we can only take our best guess about what might go wrong and plan accordingly.

Integration: The Missing Link in the Cloud
Cloud computing or cloud-based solutions have been portrayed as a panacea for companies looking for the flexibility and scalability they need to grow their businesses, while keeping costs down. Unfortunately for many businesses, data, application or business-to-business (B2B) integration is an afterthought when evaluating the cloud, and it becomes the stumbling block that prevents companies from realizing the cloud’s true benefits. Companies should absolutely look at how the cloud could improve their agility and business impact. There are three key rules when evaluating a cloud migration or implementation.

Productivity vs. Security
Enterprises are increasingly concerned about the risk from cyber threats, and the rising number of incidents revealed publicly justifies their worries. Yes, budgets are being reduced and technology departments are being asked to cut resources. Attackers use the downturn in security enforcement to step up the pace of exploitation at a time when an enterprise can ill afford downtime, decreased productivity, stolen data, lost sales and a damaged enterprise reputation. This is the "security paradox" or "productivity versus security." This balance is becoming harder to strike as single-point external attacks have moved toward multi-source external attacks and the model of the "trusted employee" is being eroded.

Does Your Business Continuity Plan Cover Cyberattacks?
In this day and age, most companies, regardless of whether a single office or a large international conglomerate, are reliant on computer systems to function. If you were attacked tomorrow, the reality is that it would shut you down. How long it takes to get back up and running, if at all, is down to you. Sit up, take note, and plan for the inevitable.

Strong Virtual Leadership + a Few Essential Tools = Great Collaboration
As a successful leader of virtual teams, you know you have what it takes to keep the team motivated and focused: choosing the best combination of tools to enable this team to collaborate and communicate in lockstep. Fortunately, your company has invested heavily in collaboration tools over the last few years. Your team needs to determine which tools will work best, under what conditions, to achieve these ambitious goals, from afar. Here's a "short list" of "must have" tools for geographically dispersed teams, or for any type of team that relies on virtual collaboration tools to get work done.

Realizing the Benefits of Vulnerability Management in the Cloud
In this white paper, Gordon MacKay, CTO of Digital Defense, Inc., discusses two types of vulnerability management deliveries: cloud-based and premise-based. He highlights several challenges with vulnerability management and argues that a cloud-based vulnerability management delivery keeps organizations more secure as compared to a premise-based solution.

Tips on Living with and Managing Microsoft Outlook PST Files
IT administrators know that mailbox quotas imposed on network users encourage the use of Microsoft Outlook's AutoArchive feature, which creates personal storage (PST) files. Messages and attachments often contain sensitive company data that should be part of a central store. Difficult to locate and manage, PSTs clog up local drives and server space and are rarely included in normal security and backup processes. The need to use PST files can have a negative impact on business productivity. On the other hand, managing and living with PSTs scattered around the network may not be a problem for some organizations. The following PST management tips from C2C are intended to help you determine whether action should be taken and how to live with PST files.

Protection of Sensitive Data
The amount of data that a staff member comes across daily can be enormous. It is not possible to protect all the data that a staff member can come across. The enterprise needs to document what constitutes sensitive data (data classification policy) and identify the level of protection required. This article discusses the physical (not logical through access control) protection of sensitive data and what to consider in the environment.

Security Patch Management: Getting Started
This excerpt provides initial insight into the patch management process, and concludes with additional background on the patch management process and how to get started.

How to Tilt the Work-Life Balance in your Favor in a 24x7 World
Is achieving "work-life balance" really possible in an always-on, constantly connected world? In this article, Nancy Settle-Murphy offers some observations and practical tips for those who want to reclaim more of the "life" in that elusive work-life balance equation.

IPv6: An Introduction and Overview
IPv6 is the next-generation Internet Protocol. The current version of the Internet Protocol, IPv4, has been in use for almost 30 years and exhibits some challenges in supporting emerging demands for address space cardinality, high-density mobility, multimedia, and strong security. This is particularly true in developing domestic and defense department applications utilizing peer-to-peer networking. IPv6 is an improved version of the Internet Protocol that is designed to coexist with IPv4 and eventually provide better internetworking capabilities than IPv4.

Why Risk Management?
A CIO must deliver IT services to enable the business to run effectively. The CIO must also protect information to prevent it from being lost or stolen. The CIO walks on the edge of a sword, balancing service delivery on one side and liabilities on the other. Straying too far on either side will result in failure, and that failure may be catastrophic.

Balancing Network Security and Business Impact
When a business transaction over the Internet is worth a few thousand or more, one thinks twice before suspending any kind of traffic to the website, even if, in some cases, these transactions are highly susceptible to a cyber attack. How much money a business may lose as a result of the wrongful implementation of a security measure is "precious" information that every network manager would appreciate. Simulating the required security action before implementation, in real network environments that carry real business transactions, would allow for the collection, analysis and correlation of business-related information and thus would provide a way to predict the business impact. This article introduces the concept of business impact analysis (BIA) and discusses applicable technologies that can support it.

Factors Impacting Information Security in Selection of a Compliance Methodology, Taxonomy, or Framework
Compliance in information security and assurance requires detailed investigation and selection of a credible, practiced Methodology, Taxonomy, or Framework (MTF), used singly or in combination, that produces measurable results while providing high accuracy in front-end and back-end evaluation. The selection of a validated MTF that is appropriate for the applications and systems deployed contributes to an increased accuracy rate in the identification of emerging risks, threats and vulnerabilities. This article emphasizes the importance of selecting an approved single or combined MTF when performing an information security compliance assessment.

The Cyber Warfare Threat
A nation-state leveraging offensive cyber warfare with hostile intent combines the worst aspects of the vintage hacker, the indiscriminate scope of the script kiddie, and the cybercriminal's targeted hostile intent to maximize damage. Cyber warfare units of military and intelligence organizations are furnished with unprecedented resources. A nation-state's offensive cyber warfare assets have plentiful resources and training, and no fear of criminal prosecution. The morality of their acts is typically limited to that of the government they serve; as two of the more sophisticated cyber warfare actors are North Korea and China, this is a chilling thought. So, the question becomes this: what can be done about managing the risk imposed by these developments?

FISMA Requirements Case Study
In analyzing FISMA and breaking down its requirements from an agency perspective, a useful approach for the CISO to take is to clarify its requirements in four categories: general requirements, requirements for senior agency officials, requirements for CIOs, and requirements for agency information security programs. These categories are addressed in the following four sections, in which agency perspectives are reflected according to what Pat Howard has observed in his experiences with implementing FISMA-based information security programs at the federal agency level.

The Strategic PMO: Aligning Projects and Strategy
The Strategic Project Management Office (SPMO) not only provides all the services of individual projects and department-level project offices, it serves as the critical link between executive vision and the work of the enterprise. By providing a standard organizational methodology for planning, executing, staffing, prioritizing, and learning from all the projects that comprise today's organization, the SPMO gives organizational life a coherence that has long been lacking. Let's explore just what an SPMO can do for your organization.

Cyber Attack Toolkits Dominate the Internet Threat Landscape
Attack toolkits are increasingly available to an unskilled black market that is eager to participate in the speedy spread of malware. Not only are toolkits more widely available, but they are also advanced enough to evade detection while automating processes. Developers of toolkits are selling a product that is fueling the growth of a self-sustaining, profitable, and increasingly organized global underground economy.

Key Cloud Strategies: First Steps
When any organization is looking at adopting a new technology, success comes from proper planning, and clouds aren’t an exception to this oft-ignored rule. The temptation is to do a physical-to-virtual migration just by "jumping into the deep end of the pool." Here the fallacy is that the virtualized server can’t be that much different from a physical server. Well, yes and no: It can feel the same, but there are some differences that could potentially bite you. This article discusses a few that we’ve stumbled across.

Time to Re-write the Security Rulebook as Social Networking Goes to Work
Social networking and Web 2.0 applications are second nature to young people entering the workplace. For them email is slow and old-fashioned. They bring their Facebook, Twitter, YouTube and other identities to the office with them. At the same time, they use professional social networking such as LinkedIn and other business-oriented online communities for more work-related duties. As social technology in the office reaches critical mass, organizations need to pursue a secure social media strategy alongside their traditional email-based security measures. For those that do not adapt, catching up has the potential to be a major problem.

Can a Government Prevent a DDoS Attack on One of Its Systems?
On December 8, 2010, a group of hackers launched DDoS (distributed denial of service) attacks against the Visa and PayPal web servers and also on a Swedish Government website. The attacks were successful, and the services offered by all these sites were severely disrupted. If major corporations, which operate in a multi-national environment, couldn't prevent these attacks, can the UK Government stop such an attack on one of its web services? Well, the simple answer is no, or maybe "probably not." To understand why this could be so, we need to consider what a DDoS attack is and how it differs from a DoS (denial of service) attack. Then we can consider what could be done to mitigate it.

Mobile Device Security: What Are You Trying to Protect?
The risk many organizations face through mobile data moving around their networks or the mishandling of data on mobile devices is enormous, and without a concentrated effort to place effective controls on this type of data, the risk will continue to rise. However, many of these efforts are based on little more than the idea that there is some type of data out there called "mobile data," that it can reside on things called "mobile devices," and that somehow this "data" on these "devices" must be protected. Unfortunately, neither of these terms has a clear definition, and without those clear definitions, there cannot be a satisfactory answer to the question, "What are you trying to protect?"


News

January 24, 2012 - Canadian spy case erupts as navy casts wider security net

January 24, 2012 - New York State Electric & Gas and Rochester Gas & Electric Corp customers' personal information breached

January 24, 2012 - CT AG asks Zappos executive for information following security breach

January 24, 2012 - Hackers jailbreak iPad 2, iPhone 4S

January 23, 2012 - SharePoint users develop insecure habits

January 23, 2012 - Security roundup: Anonymous attacks DOJ, RIAA sites; Israeli-Palestinian cyberconflict escalates


Events

Security Threats 2012: Secure & Empower Today's Enterprise, from January 23 through 25, 2012 in Washington, DC, focuses on protection in a cloud, collaboration, and consumerization environment.

nullcon in Goa, India from February 15 to 18, 2012. nullcon is Asia's first ever event organized and managed by an official security community, null, and its members. nullcon, a four-day event, brings together business decision makers and security professionals from national and international areas to address important security issues and innovative mitigation solutions.

ISWec 2012 Infosecurity World Exhibition & Conference 2012 in Kuala Lumpur, Malaysia from March 21 to 22, 2012

InfoSec World Conference & Expo 2012 at Disney's Contemporary Resort, Orlando, FL from April 2 to 4, 2012. The event features over 70 sessions, dozens of case studies, 9 tracks (including a Hands-On Track), 12 in-depth workshops, 3 co-located summits and an exhibit hall showcasing the industry's leading vendors. With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen your security without restricting your business!

SuperStrategies Conference & Expo 2012 in Las Vegas from April 24 to 26, 2012. SuperStrategies delivers a content-driven, jam-packed agenda featuring speakers who are top audit practitioners from leading organizations. Each session provides lessons learned and real-world case studies on audit, fraud and ethics from prominent companies and organizations. No matter what your informational needs are, SuperStrategies will provide the subject matter you need to stay ahead and arm you with the latest audit tools to be most successful back at the office.


© Copyright 2011 Auerbach Publications