Archive for the ‘Information Security’ Category
November 26, 2011
Robert Lemos / Dark Reading
Separating persistent threats from more opportunistic cybercrime-focused attacks is not easy, but can help inform defense, according to security experts. Block an opportunistic attack and the crisis is averted; block a persistent attacker and they will come back tomorrow…
…
In many cases, the patterns are not clear. Even “advanced” attackers will only use, for example, the minimum force necessary to compromise a network. In some cases, attackers have rented botnets; in others, they’ve used standard cybercrime tools.
Posted in Application Security, Information Security, Social Engineering / Phishing, Training / Awareness
November 5, 2011
Ron Condon / SearchSecurity
Berners-Lee also outlined the notion of a security-friendly Web interface in which users would be able to divide their lives into their different activities – for instance, family, work, public – each of which could be colour-coded and assigned a different level of privacy, set by the user. This way, even when filling out a form, the different fields could be given different colours according to their privacy rating. This kind of approach, he said, could create “an explosion of interesting new applications.”
Posted in Cryptography, Information Security, Privacy
October 1, 2011
Ericka Chickowski / Dark Reading
While database security activities in and of themselves might not necessarily be enormous tasks to tackle individually, it is scale that trips up organizations. It can take a long time to implement a carefully planned security program blanketed across hundreds or even thousands of databases. In the meantime, organizations can’t afford to leave critical data flapping in the wind. By segmenting the network and compartmentalizing data by criticality, you can effectively perform a database security triage to put other compensating controls around the most important data.
Posted in Information Security, Infrastructure Security, Risk Management
August 20, 2011
Cebula and Young / Carnegie Mellon
This report presents a taxonomy of operational cyber security risks that attempts to identify and organize the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. Each class is broken down into subclasses, which are described by their elements. This report discusses the harmonization of the taxonomy with other risk and security activities, particularly those described by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) method.
Posted in Information Security, Policy and Governance, Report / Paper, Risk Management
July 10, 2011
Rich Mogull / Dark Reading
We security pundits, researchers, and vendors tend to forget how hard real-world operational IT is. If you’re small, you can control more, but you have fewer resources at your disposal. If you’re large, you still struggle for resources, but now at an enormous scale. It’s a no-win situation because no one can be perfect all the time. Or even some of the time.
…
Security is hard. It’s even harder at scale. And we need to stop pretending that even the most basic of practices are always simple, and start focusing on how to make them more effective and easier to manage in a messy, ugly, real world.
Posted in Cybersecurity, Information Security, Security Strategy, Threat Management
June 19, 2011
Daniel Solove / Salon
But it is the job of the courts to balance privacy against security, and they can’t do this job if they refuse to evaluate whether the security measure is really worth the tradeoff. Deference is an abdication of the court’s role in ensuring that the government respects constitutional rights. The deference argument is one that impedes any effective balancing of interests.
Posted in Information Security, Privacy, Tech and Laws
January 24, 2011
This is one of the best examples of the relation between data, security, and risk. Russell Thomas discusses how Data reports on the past, Security is a judgement about the present and Risk is the cost of the future that we need to reduce by balancing “how secure we want to be” and “how much risk can we take”.
…to measure security we need to add inference and judgement processes that extend our data into the present, given the threat landscape we believe we are facing. But to make a judgement about security and make decisions about alternative security postures, we need a useful estimate of risk to decide how much security is enough.
To tie these all together over time requires effective social learning processes, including model validation through experiments and data analysis. Likewise, risk estimation and security judgement processes tell us what data we need to collect and how to analyze it.
Posted in Information Security, Metrics, Risk Management, Security Strategy
November 13, 2010
Georgia Tech Information Security Center (GTISC) is forecasting three key cyber security areas where threats are expected to increase and evolve:
* Cyber Threats Targeting Physical Systems: As infrastructure services such as the electric grid and utilities become networked and connect to the Internet, they will face greater risk of disruption and misuse. In addition, cyber attack is also a growing risk for healthcare systems as more medical offices and hospitals become connected.
* Botnets: Specifically large-scale attacks that utilize more targeted malware to evade detection; in addition cyber criminals are now making more efficient use of malicious software and have been re-launching previously thwarted attacks.
* Mobile Devices and Social Networking: As more open mobile device platforms grow in popularity and more applications become available, these devices will become more attractive targets of attacks. In addition, cyber criminals are using Twitter and Facebook accounts to lure users into handing over personal and sensitive information.
Posted in Cybersecurity, Information Security, Report / Paper, Security Strategy
October 30, 2010
PwC published a research study “Information Security 2020” focused on the commercial aspects of Information Security, primarily illustrating trends in the UK Information Security market.
Information Security is often considered to have three components; technology, processes and people. Technology has been a key aspect of Information Security in recent years, but increasingly, organisations are realising that processes and people are overlooked components when developing holistic approaches to Information Security. By 2020, there may be a reversion to technology being the key strand to Information Security, driven by significant increases in the volume of data, speed of processing and communication technology, and the emergence of more complex and automated threats.
Posted in Information Security, Report / Paper, Security Strategy, Survey
October 6, 2010
Verizon released its 2010 Payment Card Industry Compliance Report, which is based on an analysis of data collected from approximately 200 organizations. Key findings, as listed on page 3 of the report, include:
- 22% of organizations were validated compliant at the time of their Initial Report on Compliance (IROC). These tended to be year after year repeat clients.
- On average, organizations met 81% of all test procedures defined within PCI DSS at the IROC stage. Naturally, there was some variation around this number but not many (11% of clients) passed less than 50% of tests.
- Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data).
- Requirements 9 (restrict physical access), 7 (restrict access to need-to-know), and 5 (use and update anti-virus) showed the highest implementation levels.
- Sub-requirement 3.4 (render the Primary Account Number (PAN) unreadable) was met through compensating controls far more often than any other in the standard.
- Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council.
- Overall, organizations that suffered a data breach were 50% less likely to be compliant than a normal population of PCI clients.
- All of the top 10 threat actions leading to the compromise of payment card data are well within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard that mitigate risk posed by these threat actions.
Posted in Consumer Information Protection, Information Security, PCI, Report / Paper
September 28, 2010
A quite old (Sep 2009), long (300+ pages), detailed IS manual.
The Australian Government Information Security Manual provides a framework that enables you to address both new and existing security risks to your systems while allowing you to conduct your business effectively. While this manual sets down minimum requirements for information security, it provides the flexibility to adapt the requirements to suit your own business needs by using a rigorous risk management process.
Posted in Application Security, Consumer Information Protection, Cybersecurity, Information Security, Report / Paper
September 26, 2010
Many articles, peer-reviewed papers, and frameworks have been published to evaluate the investment decisions made on the acquisition of security technologies by an organisation and demonstrate progress on intangible Information Security goals. In their recently published article, Jamil and Ahmad have used an interesting approach to answer questions like – how can an excellent IS program create value? or how is success defined in an IS organization? or how can we develop an IS program focused on value creation?
The quality of your information security operations can directly affect the success of your organization, for better or worse. Viewing information security as a cumbersome compliance exercise diminishes its usefulness to the business, and the false sense of security that comes with shallow compliance may be destructive.
Implementing a holistic information security program that focuses on the customer while emphasizing competitive advantage and operational efficiency can actually create value and drive success. Los Alamos’s approach, which combines the balanced scorecard with the novel information security value sphere, is one path to achieving information security excellence.
Posted in Information Security, Metrics, Security Strategy
September 19, 2010
I concur with Adrian; we can build compilers that can catch security flaws in the code or run the code through the best SCA (Source Code Analysis) tools, but until we create a culture of project managers and developers understanding the value of early identification and mitigation of security vulnerabilities, we’ll not be able to bake security into the SDLC process.
I am all for automating as much security as we can into the development process, especially as a check on developer activities. Nothing wrong with that — we do it today. But to think that we can automate security and remove it from the hands of developers is naive to the point of being surreal. Timing attacks, logic attacks, and architectural flaws do not show up to a compiler or any form of pre/post automated checks.
Posted in Application Security, Information Security, Secure Coding
September 18, 2010
In the aftermath of the worst global economic jolt in 30 years, information security confronts a new economic order. Findings from the 2011 Global State of Information Security Survey
Because security sits at the heart of the business, its spending drivers—the factors emphasized most prominently and most often by executives seeking funding for security-related initiatives—tend to be very closely aligned with the “hot priorities” of the business, whatever they might be at the time. In short, security’s spending drivers are susceptible to what we might call the “flavor of the year.”
Posted in Cybersecurity, Information Security, Report / Paper, Survey
September 18, 2010
DARPA/FBO’s New RFP on Declassification
“Promotion of new technologies to support declassification. Striking the critical balance between openness and secrecy is difficult but a necessary part of our democratic form of government. Striking this balance becomes more difficult as the volume and complexity of the information increases. Improving the capability of departments and agencies to identify still-sensitive information and to make declassified information available to the public are integral parts of the classification system.”
Posted in Cryptography, Information Security
May 18, 2010
Should we be worried?
When it comes to secure messaging, nothing beats quantum cryptography, a method that offers perfect security. Messages sent in this way can never be cracked by an eavesdropper, no matter how powerful.
At least, that’s the theory. Today, Feihu Xu, Bing Qi and Hoi-Kwong Lo at the University of Toronto in Canada say they have broken a commercial quantum cryptography system made by the Geneva-based quantum technology startup ID Quantique, the first successful attack of its kind on a commercially-available system.
Posted in Application Security, Communication, Cryptography, Information Security, Infrastructure Security