Balancing the Sharing of Information

CyberSecurity Journal



Top Stories

Every time there’s a notable cybersecurity breach, someone (even me) writes a comprehensive primer on the proper way to create “secure” passwords. Lather, rinse, repeat. Until a few years ago, everyone (including me) based their password advice on a 2003 paper from the National Institute of Standards and Technology (NIST), with the catchy title “NIST Special Publication 800-63.” The paper recommended that passwords be cryptic, contain special characters, and be as close to nonsense as possible. I was in a camp I called “How to Make a Cryptic Password You Can Easily Remember.” The short version was this: take a phrase you know, such as a favorite quote from a movie, and use the first letter of each word. For example, Sheriff Brody’s famous line from Jaws, “I think we’re gonna need a bigger boat,” becomes 1twgn@bb. The trick was using Leet (a technique where letters ... (more)

Effective SOC and an Automated Process | @ThingsExpo #IoT #M2M #Cybersecurity

Why 2017 Is the Time to Invest in an Effective SOC and an Automated Process

Every Security Operations Center (SOC) manager and security analyst is struggling to some degree to stay one step ahead of the dramatic growth in cybercrime and the ransomware epidemic. In fact, according to the Cybersecurity Market Report published by Cybersecurity Ventures, a cybersecurity research and publishing firm, spending on cybersecurity is predicted to top $1 trillion between 2017 and 2021. There are plenty of very real and costly examples that show why organizations are increasing their spending on cybersecurity. While the high-profile Mirai botnet attack on Dyn, which affected more than 100,000 endpoints, is just the latest, the reality is that this is just the tip of the emerging iceberg. With a developing reality of billions of under-protected Internet of Things (... (more)

Thwarting Ransomware Attacks | @CloudExpo #BigData #ML #Cybersecurity

Having an Actionable Disaster Recovery Plan Is Crucial in Thwarting Ransomware Attacks

As we have seen over and over again, a new wave of ransomware attacks has been plaguing large parts of Europe over the last couple of weeks. While the affected individuals and organizations are struggling with the very tangible business impact of the loss of revenue and operations, it's critical to step back and review what else one could do to mitigate and minimize the damage from such attacks in the future. Not everyone agrees on the exact name of the attack; however, this particular strain is apparently from a family of attacks that uses EternalBlue, an exploit developed by the NSA, along with an MS Office / WordPad vulnerability discovered earlier this year. While the previous ransomware attack was known as WannaCry, this latest attack goes by several names - Petya... (more)

Network Security Today | @CloudExpo #Cloud #AI #SDN #Security #Analytics

In its 2017 State of Malware Report, Malwarebytes Labs recorded a 267 percent increase in ransomware between January 2016 and November 2016, with over 400 different variants in total. The report noted that while malware authors mostly relied on ransomware to make the bulk of their revenues, there was an increase in ad fraud as well. Botnets and mobile malware also continue to expand and evolve. The report predicts that until IoT devices become secure out of the box, botnets will get even bigger and pose an even greater threat to the internet - and any company connected to it. Financial services organizations are facing a relentless and determined cyber assault. Many recent factors have converged to create greater complexity and threat opportunity in the network, undermining the effectiveness of security prevention solutions. Bring Your Own Device (BYOD) can act as a... (more)

Enterprise Architecture: The Key to Cybersecurity

When I first discuss security in our Licensed ZapThink Architect (LZA) SOA course, I ask the class the following question: if a building had 20 exterior doors, and you locked 19 of them, would you be 95% secure? The answer to this 20-doors problem, of course, is absolutely not – you’d be 0% secure, since the bad guys are generally smart enough to find the unlocked door. While the 20-doors problem serves to illustrate how important it is to secure your Services as part of a comprehensive enterprise IT strategy, the same lesson applies to enterprise Cybersecurity in general: applying inconsistent security policies across an organization leads to weaknesses hackers are only too happy to exploit. However, when we’re talking about the entire enterprise, the Cybersecurity challenge is vastly more complex than simply securing all your software interfaces. Adequate security ... (more)

BIOS: Overview and Security

Computer security has become much harder to manage in recent years, because attackers continuously come up with new and more effective ways to attack our systems. As attackers become increasingly sophisticated, we as security professionals must ensure that they do not have free rein over the systems that we are hired to protect. An attack vector that many people forget to consider is the boot process, which is almost completely controlled by the BIOS. The BIOS is a privileged piece of software that is generally ignored by day-to-day users, so its importance to our computers is rarely appreciated. The Basic Input/Output System was first invented by Gary Kildall for use in his operating system CP/M, and this became what we now know as the conventional BIOS system. The BIOS appeared in IBM-compatible PCs around 1975 an... (more)

Windows Least Privilege Management and Beyond

For Windows environments, it is critical that organizations can delegate administration and establish granular privileges quickly and efficiently, restricting administrators so they access only the servers and resources required to perform their job, and only during the approved times, to perform specific tasks. This white paper examines the security, compliance and efficiency issues surrounding least privilege management for Windows servers, and explains where native Windows tools fall short. It then describes how Centrify's DirectAuthorize component for Windows eliminates the problem of too many users having broad and unmanaged administrative powers by delivering secure delegation of privileged access and granularly enforcing who can perform which administrative functions.

Due Diligence in the Cloud | @CloudExpo #IoT #M2M #BigData #DevOps

How to Establish Security and Privacy "Due Diligence" in the Cloud

The traditional, on-premises computing model has established processes, accreditations, certifications, governance and compliance rules - FISMA, NERC CIP, HIPAA, PCI-DSS, IRS 1075. While the security industry is aggressively addressing the technical security gaps in cloud-driven services, many organizations using cloud services are struggling to implement and adapt strategic processes, procedures, and controls for cloud governance and due diligence. In her session at 17th Cloud Expo, Maria C. Horton, Founder and Chief Executive Officer of EmeSec Incorporated, discussed:

Security and privacy due diligence requirements driving data governance for the cloud

The implications of continuous monitoring and compliance in the cloud

Adaptation of data loss prevention and incident response activities

[session] Be Smarter Than the Hacker | @CloudExpo #SSL #IoT #Cybersecurity

As Our Partner You Don't Have to Be Smarter Than the Hacker: How Not to Get Robbed on the Internet

In the 21st century, security on the Internet has become one of the most important issues. We hear more and more about cyber-attacks on the websites of large corporations, banks and even small businesses. When online we're concerned not only for our own safety but also our privacy. We have to know that hackers usually start their preparation by investigating the private information of admins - their habits, interests, visited websites and so on. On the other hand, our own security is in danger because privacy online must go hand-in-hand with safety. With so many different SSL certificates and vendors available, we are concerned about the level of security and reliability. In his session at 19th Cloud Expo, Ark Szczurowski, founder and CEO of SSLGURU.com, will discuss how... (more)

Cloud Computing in 2013

Marc Andreessen said recently that 2012 will be remembered as the year of SaaS. What he meant is that SaaS has been around for a while, but it came of age this year, with examples of successes such as the Workday IPO. No one questions the significance of SaaS any more. But the year 2013 will see a shift to PaaS (Platform as a Service) with “most” new activities. There is already a blurring of the lines between IaaS and PaaS, as seen from Amazon’s AWS stack. But the programmatic interface of PaaS will dominate as we move forward, catering to the developer community. The incumbents such as IBM, Oracle, SAP, Microsoft, and Adobe (representing “on-premises” software) will have to compete with pure-play cloud players. I saw a list of cloud pioneers and new cloud tools that is worth sharing. Among the names (arguably) of cloud pioneers here are the often quoted – Warren Vo... (more)

The Importance of Private Clouds

A few days ago I noticed a question in a LinkedIn group that made me think about how important the notion of private clouds is. First, let's briefly look at the difference between public, private and community clouds, as well as hybrid clouds. Once again, those are very well defined in the NIST Definition of Cloud Computing, but stated in simple words they are:

Private Cloud is cloud infrastructure that belongs to a single organization (enterprise, university, government organization etc.), is hosted either on or off premises, and is managed by the organization or by a third party contracted by the organization. The key point for a private cloud is that the infrastructure is dedicated to this particular organization. Very often, though, you will notice that the term is used for cloud infrastructure that is hosted in the organization's datacenter.

Community Cloud is very similar ... (more)