Archive for the ‘Training / Awareness’ Category

APT Or Not APT? Depends upon how clear the patterns are!

November 26, 2011

Robert Lemos / Dark Reading

Separating persistent threats from more opportunistic cybercrime-focused attacks is not easy, but can help inform defense, according to security experts. Block an opportunistic attack and the crisis is averted; block a persistent attacker and they will come back tomorrow…

…..

In many cases, the patterns are not clear. Even “advanced” attackers will only use, for example, the minimum force necessary to compromise a network. In some cases, attackers have rented botnets; in others, they’ve used standard cybercrime tools.

A tool to identify malicious insiders

November 24, 2011

William Jackson / GCN

The system, which is being tested in a lab environment, uses a host-based agent to “learn” a user’s behavior and to look for anomalous behavior or other signatures, said computer scientist and project leader Justin Beaver.

……….

Among the characteristic information leveraged by the system are system call sequences. Each function on a computer initiates a series of calls for services. This occurs at a low level in the operating system, out of the user’s view, and creates a characteristic pattern for each user over time. Researchers found that normal patterns remain surprisingly consistent for individuals as they switch between computers and jobs.

Cybersecurity Education Strategic Plan

September 14, 2011

Ispitzner / SecuringTheHuman Blog

NIST (the US National Institute of Standards and Technology) recently published a draft version of its strategy for promoting cyber security awareness and education. From page 2 of the document, the three stated goals are:

  1. Raise awareness among the American public about the risks of online activities.
  2. Broaden the pool of skilled workers capable of supporting a cyber-secure nation.
  3. Develop and maintain an unrivaled, globally competitive cybersecurity workforce.

Quantifying current state of cybercrime

February 17, 2011

Just two weeks ago, we all saw the end of an era when DHS announced that the color-coded threat system will be phased out and replaced with a new system known as the National Terrorism Advisory System.

Today, Norton released the Cybercrime Index, which quantifies the state of cybercrime and converts the danger level into a simple number. Is it the beginning of a new era?

At the top level, the CyberCrime Index takes this data and creates a number evaluating the relative risk of the threats of the day. However, it also provides a more in-depth look at active threats, threat trends, and provides advice on what kinds of behaviors are being most heavily targeted that day.

Computer Takeover Alert!

January 20, 2011

Will this stop the multiplication of bots?

Online customers, he said, may not want their service provider to cut off their Internet access if their computer is infected. And they may balk at being forced to keep their computers free of botnets or infections.

But they may be amenable to having their Internet provider warn them of cyberattacks and help them clear the malicious software off their computers by providing instructions, patches or anti-virus programs.

They may even be willing to pay a small price each month for the service – in much the same way that telephone customers used to pay a minimal monthly charge to cover repairs.

Global Risk 2011

January 17, 2011

Last week, the World Economic Forum (WEF) published the sixth edition of Global Risks 2011. For those who are wondering what WEF has to do with IT Risk Management… the report is not about technology risk; it's about the global risk landscape.

New Report Warns Current Global Governance Systems Lack Capacity to Deal with Global Risks. It aims to enhance the understanding of how a comprehensive set of 37 selected global risks are evolving, how their interaction impacts a variety of stakeholders, and what trade-offs are involved in managing them.

Top Five Myths of Security Awareness

December 30, 2010

Not the best, but it's a good summary of things that can be done for User Awareness.

If an attacker tries enough times, he will even trick the most highly trained individuals.  But risk is all about mitigation, not elimination.  Anti-virus does not catch all malware, SDLC does not catch all bugs, IDS sensors and logging do not detect all incidents and patching does not solve all vulnerabilities.  It is all about layers of mitigation.  Awareness is nothing but another control, the same approach applies.

