January 2, 2012
A list of threats that we read about and discussed in 2011, and agreed that some of them may become major threats in the near future. Mobile and cloud security are going to be the most talked-about security issues in 2012 (though cloud is missing from this list).
Emerging threats from 2011 are on track to become the major players for cyberactivity in 2012, including mobile banking, “legal” spam and virtual currency. McAfee Labs also predicts that attacks involving political motivation or notoriety will also make headlines, including high-profile industrial attacks, cyberwarfare demonstrations and hacktivist attacks targeting public figures.
Posted in Risk Management, Security Strategy, Threat Management
January 2, 2012
Elinor Mills / cnet
The researchers, who can make thousands of dollars for reporting just one security hole on the social-networking site, can use the card to make purchases, just like a credit card, or create a PIN and take money out of an ATM. As the researchers find more bugs, Facebook can add more money to the account.
Posted in DDoS, Security Strategy, Threat Management
December 31, 2011
Potential Information Security Threats (Funny video)
Posted in Uncategorized
December 17, 2011
Electronic Authentication Guideline (NIST Special Publication 800-63-1), from NIST, expands the options for government agencies that need to verify the identity of users of their Web-based services.
This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrict the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes NIST SP 800-63.
Posted in Authentication, Laws and Regulations, Policy and Governance, Risk Management
December 10, 2011
This report outlines the Obama Administration’s road map of priorities for government agencies that sponsor research and development on cyber-security.
As recommended in the Cyberspace Policy Review’s near-term action plan, Trustworthy Cyberspace replaces the piecemeal approaches of the past with a set of coordinated research priorities whose promise is to “change the game,” resulting in a trustworthy cyberspace. As called for in the policy review’s mid-term action plan, this plan identifies opportunities to engage the private sector in activities for transitioning promising R&D into practice. In addition, and consistent with the PCAST recommendations, it prioritizes the development of a “science of security” to derive first principles and the fundamental building blocks of security and trustworthiness.
Posted in Laws and Regulations, Policy and Governance, Security Strategy
December 10, 2011
Jaikumar Vijayan / ComputerWorld
Federal CIO Steven VanRoekel Thursday unveiled the Federal Risk and Authorization Management Program (FedRAMP), which establishes a set of baseline security and privacy standards that all cloud service providers will need to meet in order to sell their products to government agencies.
The program requires that all federal agencies use only FedRAMP-certified cloud services and technologies for public clouds, private clouds, hybrid clouds and community clouds. The program also covers all cloud service models, including Software as a Service (SaaS) and Platform as a Service (PaaS).
Posted in Cloud Computing, Laws and Regulations, Senate or House Bill, Standard / Framework
December 1, 2011
Tom Spears / Ottawa Citizen
To people who want to encrypt data, this is a potential source of randomly-chosen numbers that are used as a “key” to lock and unlock sensitive data — military transmissions, banking transactions, or your email.
The idea is that if no one knows how the key was created in the first place, hackers and code-breakers won’t be able to figure out the secret and decode the messages.
Posted in Communication, Cryptography, Threat Management
November 26, 2011
Robert Lemos / Dark Reading
Separating persistent threats from more opportunistic cybercrime-focused attacks is not easy, but can help inform defense, according to security experts. Block an opportunistic attack and the crisis is averted; block a persistent attacker and they will come back tomorrow…
…..
In many cases, the patterns are not clear. Even “advanced” attackers will only use, for example, the minimum force necessary to compromise a network. In some cases, attackers have rented botnets; in others, they’ve used standard cybercrime tools.
Posted in Application Security, Information Security, Social Engineering / Phishing, Training / Awareness
November 26, 2011
Richard Dreger / InformationWeek
To provide segmentation, you need the physical hardware team, and maybe the systems team, to configure the SAN disk arrays to balance performance, storage, and access requirements. Sure, you could physically carve up the disks and give different slices to each customer to provide a physical boundary, but this concept is anathema to performance-minded shops and the private cloud model.
Posted in Cloud Computing, Infrastructure Security, Security Strategy
November 24, 2011
William Jackson / GCN
The system, which is being tested in a lab environment, uses a host-based agent to “learn” a user’s behavior and to look for anomalous behavior or other signatures, said computer scientist and project leader Justin Beaver.
……….
Among the characteristic information leveraged by the system are system call sequences. Each function on a computer initiates a series of calls for services. This occurs at a low level in the operating system, out of the user’s view, and creates a characteristic pattern for each user over time. Researchers found that normal patterns remain surprisingly consistent for individuals as they switch between computers and jobs.
Posted in Risk Management, Secure Coding, Social Engineering / Phishing, Training / Awareness
November 24, 2011
Ellen Nakashima / Washington Post
It’s easy to feel overwhelmed by the increasingly bad news in cyberspace, but there are a few bright spots. Government and commercial techies are finding some success in trying to protect computer users — often from their own careless behavior.
Posted in Consumer Information Protection, Cybersecurity, Information Security, Infrastructure Security
November 24, 2011
Websense
With an influx of bring-your-own devices (BYOD) and mobility, social media exploding, cloud computing knocking, and other operational challenges thrown in for good measure, if 2011 was the shocker, then 2012 is likely to be the kitchen sink of security concern.
Posted in Report / Paper, Security Strategy, Survey
November 21, 2011
Dan Parsons / National Defense Magazine
The goal is to demonstrate better accuracy in predicting near-term and middle-term events than an opinion poll by the end of the four-year experiment. In the first year, Warnaar is seeking to achieve a 20 percent improvement over traditional polling methods. If its predictions turn out more accurate, the program will be made available to government decision makers.
Questions from informed policy makers could then be fed into ACES and predictions would be based on weighted answers from program participants.
Posted in Communication, Metrics, Security Strategy, Survey
November 21, 2011
ENISA’s Report
The top risk for individuals utilising life-logging devices and scenarios is the threat to privacy that accompanies using them. Loss of control over this data might result in individuals being subjected to financial fraud, or unauthorised access might result in reputational harm or discrimination and exclusion. This risk is compounded by the nature of life-logging in that, apart from the privacy threat to individuals coming from commercial entities and governmental agencies, there is also a threat of deliberate or accidental data collection about one person by other individuals.
Dependency on the availability of certain devices or services is also increasing the risks for individuals, as the mobile devices, sensors or services become more attractive targets for attackers. In this direction, the link between tangible and intangible assets is particularly important, as we can also see in Future Internet scenarios; a related risk is the loss of autonomy.
Finally, we should consider risks such as psychological damage, related to discrimination, exclusion, harassment, cyberstalking, child grooming, the feeling of being continuously under surveillance (paranoid behaviour), pressures related to work performance, peering into other people's lives, etc.
Posted in Consumer Information Protection, Risk Management, Social Engineering / Phishing, Tech and Laws
November 11, 2011
J. Nicholas Hoover / InformationWeek
“We are losing ground because we are inherently divergent from the threat,” she said, noting that while the size of viruses has remained small over the years, the defensive security apparatus continues to grow. “Such divergences are the seeds of surprise, and this [size disparity] is a striking example of why it’s currently easier to play offense rather than defense in cyber. This is not to suggest that we stop doing what we are doing in cybersecurity. But if we continue only down the current path, we will not converge with the threat.”
Posted in Laws and Regulations, Risk Management, Security Strategy
November 5, 2011
Ron Condon / SearchSecurity
Berners-Lee also outlined the notion of a security-friendly Web interface in which users would be able to divide their lives into their different activities – for instance, family, work, public – each of which could be colour-coded and assigned a different level of privacy, set by the user. This way, even when filling out a form, the different fields could be given different colours according to their privacy rating. This kind of approach, he said, could create “an explosion of interesting new applications.”
Posted in Cryptography, Information Security, Privacy
November 5, 2011
Eric Chabrow / BankInfoSecurity
The National Institute of Standards and Technology said the draft publication defines high-priority requirements for standards, official guidance and technology developments that need to be met in order for agencies to accelerate their migration of existing IT systems to the cloud computing model. “A key contribution of the roadmap effort is to focus the discussion to achieve a clear understanding between the government and private sector, particularly on the specific technical steps – standards, guidance and technology solutions – needed to move federal IT from its current early-cloud state to a cloud-based foundation, as envisioned in the Federal Cloud Computing Strategy.”
Posted in Cloud Computing, Infrastructure Security, Laws and Regulations, Policy and Governance
October 29, 2011
Nancy Gohring / ComputerWorld
The Small Biz Cyber Planner will ask a series of questions such as “Does your business use credit cards?” and “Does your business have a public website?” Based on the responses, it will generate a planning guide to help companies put in place basic policies to protect against cyberthreats.
Posted in Policy and Governance, Security Strategy, Tech and Laws
October 29, 2011
Katelyn Noland / ExecutiveGov
The alternate Internet would be built with the intention of securing critical systems: there would be strict access rules, and those who are allowed entry must report any suspicious behavior.
Posted in Infrastructure Security, Policy and Governance, Risk Management