Archive for the ‘Security Strategy’ Category
January 2, 2012
A list of threats that we read about and discussed in 2011, and agreed that some of them may become major threats in the near future. Mobile and cloud security are going to be the most talked-about security issues in 2012 (though cloud is missing from this list).
Emerging threats from 2011 are on track to become the major players for cyberactivity in 2012, including mobile banking, “legal” spam and virtual currency. McAfee Labs also predicts that attacks involving political motivation or notoriety will make headlines, including high-profile industrial attacks, cyberwarfare demonstrations and hacktivist attacks targeting public figures.
Posted in Risk Management, Security Strategy, Threat Management | 1 Comment »
January 2, 2012
Elinor Mills / cnet
The researchers, who can make thousands of dollars for reporting just one security hole on the social-networking site, can use the card to make purchases, just like a credit card, or create a PIN and take money out of an ATM. As the researchers find more bugs, Facebook can add more money to the account.
Posted in DDoS, Security Strategy, Threat Management | Leave a Comment »
December 10, 2011
This report outlines the Obama Administration’s road map of priorities for government agencies that sponsor research and development on cyber-security.
As recommended in the Cyberspace Policy Review’s near-term action plan, Trustworthy Cyberspace replaces the piecemeal approaches of the past with a set of coordinated research priorities whose promise is to “change the game,” resulting in a trustworthy cyberspace. As called for in the policy review’s mid-term action plan, this plan identifies opportunities to engage the private sector in activities for transitioning promising R&D into practice. In addition, and consistent with the PCAST recommendations, it prioritizes the development of a “science of security” to derive first principles and the fundamental building blocks of security and trustworthiness.
Posted in Laws and Regulations, Policy and Governance, Security Strategy | Leave a Comment »
November 26, 2011
Richard Dreger / InformationWeek
To provide segmentation, you need the physical hardware team, and maybe the systems team, to configure the SAN disk arrays to balance performance, storage, and access requirements. Sure, you could physically carve up the disks and give different slices to each customer to provide a physical boundary, but this concept is anathema to performance-minded shops and the private cloud model.
Posted in Cloud Computing, Infrastructure Security, Security Strategy | Leave a Comment »
November 24, 2011
Websense
With an influx of bring your own devices (BYOD) and mobility, social media exploding, cloud computing knocking, and other operational challenges thrown in for good measure, if 2011 was the shocker, then 2012 is likely to be the kitchen sink of security concerns.
Posted in Report / Paper, Security Strategy, Survey | Leave a Comment »
November 21, 2011
Dan Parsons / National Defense Magazine
The goal is to demonstrate better accuracy in predicting near-term and middle-term events than an opinion poll by the end of the four-year experiment. In the first year, Warnaar is seeking to achieve a 20 percent improvement over traditional polling methods. If its predictions turn out more accurate, the program will be made available to government decision makers.
Questions from informed policy makers could then be fed into ACES and predictions would be based on weighted answers from program participants.
Posted in Communication, Metrics, Security Strategy, Survey | Leave a Comment »
November 11, 2011
J. Nicholas Hoover / InformationWeek
“We are losing ground because we are inherently divergent from the threat,” she said, noting that while the size of viruses has remained small over the years, the defensive security apparatus continues to grow. “Such divergences are the seeds of surprise, and this [size disparity] is a striking example of why it’s currently easier to play offense rather than defense in cyber. This is not to suggest that we stop doing what we are doing in cybersecurity. But if we continue only down the current path, we will not converge with the threat.”
Posted in Laws and Regulations, Risk Management, Security Strategy | Leave a Comment »
October 29, 2011
ComputerWorld / Nancy Gohring
The Small Biz Cyber Planner will ask a series of questions such as “Does your business use credit cards?” and “Does your business have a public website?” Based on the responses, it will generate a planning guide to help companies put in place basic policies to protect against cyberthreats.
Posted in Policy and Governance, Security Strategy, Tech and Laws | Leave a Comment »
September 11, 2011
Securosis
How do you answer the inevitable question “Are we good at security?” If you are like most organizations, you stutter quite a bit and then fall back to either irrelevant numbers (like AV or patch coverage) or a qualitative assessment – “We had 2 incidents last month, down from 5 the prior month”. Either way, the answer isn’t what management needs, or deserves.
Posted in Metrics, Security Strategy | Leave a Comment »
July 16, 2011
Stefanie Hoffman / CRN
The 19-page document, called the “Department of Defense Strategy for Operating in Cyberspace,” establishes cyberspace as a domain protected by the U.S. military in the same way it defends land, sea and air.
In general, the strategy calls for new ways to bolster defenses of critical cyber infrastructure, such as the computer networks of the U.S. military and defense contractors, while developing new weapons and methods to retaliate against U.S. adversaries launching cyber attacks.
Posted in Report / Paper, Risk Management, Security Strategy, Tech and Laws, Uncategorized | Leave a Comment »
July 10, 2011
The Framework and Process Reference guide exposure drafts are available for download from the ISACA site.
This foundational COBIT volume introduces the following, which combine to provide a comprehensive, effective framework to support the governance and management of enterprise information and related technology:
- Principles
- Drivers
- Benefits
- Enablers
- Other aspects
The COBIT 5 Process Reference Guide incorporates and is the successor to COBIT 4.1, Val IT and Risk IT processes. It describes the:
- Goals cascade
- Process model
- Process reference model
- Detailed processes
The online questionnaire will remain open until 31 July 2011.
Posted in Policy and Governance, Risk Management, Security Strategy, Standard / Framework | Leave a Comment »
July 10, 2011
Rich Mogull / Dark Reading
We security pundits, researchers, and vendors tend to forget how hard real-world operational IT is. If you’re small, you can control more, but you have fewer resources at your disposal. If you’re large, you still struggle for resources, but now at an enormous scale. It’s a no-win situation because no one can be perfect all the time. Or even some of the time.
……
Security is hard. It’s even harder at scale. And we need to stop pretending that even the most basic of practices are always simple, and start focusing on how to make them more effective and easier to manage in a messy, ugly, real world.
Posted in Cybersecurity, Information Security, Security Strategy, Threat Management | Leave a Comment »
July 2, 2011
Sounds like the right move…
This new security challenge was on the agenda at the June 8th-9th meeting of NATO defence ministers in Brussels. Ministers agreed on an action plan and on a revised cyber defence policy which will not only ensure quicker and more effective protection of NATO’s own network, but also provide the Allies and Partners with more assistance in preventing cyber attacks, coping with them and limiting their impact.
The new strategy requires that all NATO structures be brought under a centralised protection system, and that all of its networks be monitored round the clock as of 2012.
Posted in Laws and Regulations, Policy and Governance, Security Strategy, Tech and Laws | Leave a Comment »
May 30, 2011
The White House unveiled a proposal for cybersecurity legislation -
Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – has suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade. The President has thus made cybersecurity an Administration priority.
……..
This legislative proposal is the latest achievement in the steady stream of progress we are making in securing cyberspace and completes another near-term action item identified in the Cyberspace Policy Review.
Posted in Cybersecurity, Security Strategy, Senate or House Bill | Leave a Comment »
April 30, 2011
Interesting proposal submitted by the LEWP (the EU Council’s Law Enforcement Working Party)
“The Presidency of the LEWP presented its intention to propose concrete measures towards creating a single secure European cyberspace,” according to brief minutes of the meeting.
The secure European cyberspace would have a “virtual Schengen border”, it adds, referring to the treaty that allows freedom of movement within the EU but imposes controls on entry to the bloc.
There would also be “virtual access points” whereby “the Internet Service Providers would block illicit contents on the basis of the EU ‘black-list’”, the proposal says.
Posted in Cybersecurity, Laws and Regulations, Security Strategy | Leave a Comment »
February 3, 2011
This is a follow-up to the 2008 report “Securing Cyberspace for the 44th Presidency”, published by the Center for Strategic and International Studies (CSIS), which included 25 recommendations for change. Now, two years later, CSIS has published this report to review where progress has been made on those recommendations and where action is still necessary. The report identifies 10 key areas where the nation must take action. It starts with
2010 should have been the year of cybersecurity. It began with a major exfiltration of data from Google and other Fortune 500 companies, saw the Department of Defense describe how its classified networks had been compromised, watched the Stuxnet worm cut through industrial control systems, and ended with annoying denial of service attacks over Wikileaks.
and suggests cloud as one of the solutions -
Cloud computing has weaknesses, but it also offers the opportunity to aggregate and automate cyber defense. Much of the burden of security will shift from consumers and businesses to service providers that may be better equipped to meet advanced challenges.
which is correct, but it will not come free – data security during transmission from the end user to the cloud, and authentication, will be two big-ticket items that we need to pay for. The report ends with what will not work -
Many of the solutions still advocated for cybersecurity are well past their sell-by date. Public-private partnerships, information sharing, and self-regulation, are remedies we have tried for more than a decade without success. We need new concepts and new strategies if we are to reduce the risks in cyberspace to the United States.
Posted in Cybersecurity, Policy and Governance, Privacy, Report / Paper, Risk Management, Security Strategy, Tech and Laws, Threat Management | Leave a Comment »
February 2, 2011
In his recent “Building Security In” article, Gunnar Peterson talks about the driving forces and challenges of moving critical systems to the cloud.
The main trends that will drive security architecture are visibility and verification, which we can pithily sum up as “Don’t trust. And verify.”
Enterprises are often told, even by security luminaries, that they must trust the cloud, but that’s bunk. Sure, they must rely on some access control and other security services that are beyond their control. However, this can be partly mitigated by visibility services offered by gateways (chokepoints) and monitoring (audit event logging). In other words, a nickel’s worth of visibility trumps a dollar of access control.
…………
Many enterprise systems have two security modes: untrusted and fully trusted. Cloud security requires a partial-trust model.
Posted in Application Security, Infrastructure Security, Security Strategy, Threat Management | Leave a Comment »
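The “Don’t trust. And verify.” idea above is easier to see in code than in prose. The following is an added example, not part of the original post and not code from Gunnar Peterson’s article: a minimal gateway (chokepoint) in front of a hypothetical cloud storage API that applies a partial-trust model (scoped, expiring capabilities instead of all-or-nothing trust) and writes an audit event for every request, allowed or denied. The tenant names, tokens, principals and resource paths are constructed sample data; the detection at the end shows why the audit trail matters: a valid, in-scope token sweeping a tenant’s data passes access control on every single request, and only the log reveals the pattern.

```python
"""Partial-trust gateway with mandatory audit logging (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Capability:
    """What a token is allowed to do: a narrow scope with an expiry, not 'trusted'."""
    tenant: str            # resources must live under "<tenant>/"
    actions: frozenset     # e.g. {"read"}; deliberately narrower than "admin"
    expires_at: int        # unix seconds; a capability that never expires is full trust


@dataclass(frozen=True)
class AuditEvent:
    ts: int
    principal: str
    action: str
    resource: str
    decision: str          # "allow" or "deny"
    reason: str


class Gateway:
    """Every request, including denied ones, is recorded before the answer is returned."""

    def __init__(self, token_store: Dict[str, Capability]) -> None:
        self.token_store = token_store   # hypothetical token -> capability mapping
        self.audit: List[AuditEvent] = []

    def request(self, ts: int, token: str, principal: str, action: str, resource: str) -> bool:
        cap = self.token_store.get(token)
        if cap is None:
            return self._decide(ts, principal, action, resource, "deny", "unknown token")
        if ts >= cap.expires_at:
            return self._decide(ts, principal, action, resource, "deny", "capability expired")
        if action not in cap.actions:
            return self._decide(ts, principal, action, resource, "deny", "action outside scope")
        if not resource.startswith(cap.tenant + "/"):
            return self._decide(ts, principal, action, resource, "deny", "resource outside tenant")
        return self._decide(ts, principal, action, resource, "allow", "capability matched")

    def _decide(self, ts, principal, action, resource, decision, reason) -> bool:
        self.audit.append(AuditEvent(ts, principal, action, resource, decision, reason))
        return decision == "allow"


def bulk_read_principals(audit: List[AuditEvent], window: int, threshold: int) -> List[str]:
    """Visibility check over the log: principals whose *allowed* reads touched more than
    `threshold` distinct resources inside any `window`-second span. Access control said
    yes to each of these requests; the pattern exists only in the audit trail."""
    by_principal = defaultdict(list)
    for e in audit:
        if e.decision == "allow" and e.action == "read":
            by_principal[e.principal].append(e)
    flagged = []
    for principal, events in by_principal.items():
        events.sort(key=lambda e: e.ts)
        for i, start in enumerate(events):
            distinct = {e.resource for e in events[i:] if e.ts - start.ts <= window}
            if len(distinct) > threshold:
                flagged.append(principal)
                break
    return flagged


def demo() -> dict:
    """Constructed scenario: one read-only capability for tenant 'acme' expiring at t=2000."""
    tokens = {"tok-acme-ro": Capability("acme", frozenset({"read"}), expires_at=2000)}
    gw = Gateway(tokens)
    gw.request(100, "tok-acme-ro", "alice", "read", "acme/report.pdf")     # allow
    gw.request(101, "tok-acme-ro", "alice", "write", "acme/report.pdf")    # deny: scope
    gw.request(102, "tok-acme-ro", "alice", "read", "beta/report.pdf")     # deny: tenant boundary
    gw.request(2500, "tok-acme-ro", "alice", "read", "acme/report.pdf")    # deny: expired
    gw.request(103, "tok-forged", "mallory", "read", "acme/report.pdf")    # deny: unknown token
    # A legitimate, in-scope token used to sweep the tenant's data: each call is allowed.
    for i in range(30):
        gw.request(200 + i, "tok-acme-ro", "svc-backup", "read", f"acme/customer-{i}.csv")
    return {
        "allowed": sum(1 for e in gw.audit if e.decision == "allow"),
        "denied": sum(1 for e in gw.audit if e.decision == "deny"),
        "flagged": bulk_read_principals(gw.audit, window=60, threshold=20),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points follow the quoted text: the capability is the partial-trust model (a tenant boundary, an action list and an expiry, checked in that order), and the audit append happens inside the single chokepoint that returns every decision, so there is no code path that answers a request without leaving a record.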
January 24, 2011
This is one of the best examples of the relation between data, security, and risk. Russell Thomas discusses how data reports on the past, security is a judgement about the present, and risk is the cost of the future, which we need to reduce by balancing “how secure we want to be” against “how much risk we can take”.
…to measure security we need to add inference and judgement processes that extend our data into the present, given the threat landscape we believe we are facing. But to make a judgement about security and make decisions about alternative security postures, we need a useful estimate of risk to decide how much security is enough.
To tie these all together over time requires effective social learning processes, including model validation through experiments and data analysis. Likewise, risk estimation and security judgement processes tell us what data we need to collect and how to analyze it.
Posted in Information Security, Metrics, Risk Management, Security Strategy | Leave a Comment »
January 23, 2011
We all know our priorities for 2011 – protect cloud, social networks, mobile devices, critical infrastructure. But this is not uncommon: any device or environment that gains more power, or that we become dependent upon, moves up the hackers’ list and the fight starts. Before we start on the 2011 list, we still have some carryover items from 2010 (WikiLeaks, Stuxnet, etc.) that we need to close ASAP. To make it easy for security professionals, Mathew has put together an enumerated list of the top 10 security predictions for 2011 -
- Smaller Botnets Muscle Up
- DDoS Attacks Deny More With Less
- Smartphones Trigger Data Breaches
- Hacking Gets Industrialized — More Effective, Less Expensive
- Social Networks Feel More Pain
- Crimeware As A Service
- Specialized Malware Moves Past PCs And Servers
- Insider Attacks Still Unstoppable
- Government Security Gets A “Fraud Department”
- Cyber War Vs. Online Protests, Censorship, Political Attacks
Posted in Cybersecurity, Infrastructure Security, Metrics, Security Strategy, Threat Management | Leave a Comment »