I’m not arguing for an eggshell model of security - crunchy on the outside, squishy on the inside - but it makes things much easier to be able to address an application server’s security requirements without the need to assume that whatever security you implement on an application level is all you will have.
In Estonia the State Department has arranged for a series of meetings/lectures and discussions for Mr. Clinton. In addition to visiting the NATO Center, Mr. Clinton will meet with representatives of the Estonian government, private sector entities, law enforcement, university and primary education professionals.
If you own the business, you own the strategy and execution and you cannot outsource accountability. Be careful about falling for the siren song of technology – it is there to support your business, not define it.
ANSI Identity Theft Standards Panel webinar “Lessons from the Data Breach at Heartland” by Bob Carr, CEO of Heartland Payment Systems; Carnegie Mellon University Software Engineering Institute Insider Threat Workshop; U.S. Department of Homeland Security Critical Infrastructure and Key Resources; ISAlliance/NIST/DHS VoIP & Unified Communications Automated Security and Assurance Project; IT Sector Coordinating Council Protective Programs and Research and Development (PPRD)…
Nielsen Online reported that by the end of 2008 social networking had overtaken email in terms of worldwide reach. Sites such as Facebook, Twitter, MySpace and LinkedIn provide users with a way to build and interact with a community in real time on a familiar platform at a very low cost.
The RFI is classified, but in general terms, it seeks information on prospective technical, end-to-end solutions that will help to protect the federal (.gov) cyber domain, and to facilitate cybersecurity improvements affecting the private sector. Registration will remain open until July 22, 2009.
RSA and IDG released two new research studies that examine the far-reaching security implications of promising technologies such as cloud computing, virtualization, social networking and mobile communications, and explore the pivotal business risks and rewards they represent to organizations worldwide.
From The Internet Security Alliance: Virtual-machine exploit lets attackers take over host; T-Mobile confirms stolen data is genuine; Webhost hack wipes out data for 100,000 sites; Texas DPS trying to catch up after virus, new design.
Trade secrets and confidential information truly are the crown jewels of many businesses. This is the information that allows businesses to compete effectively, and that provides a competitive edge. Despite the critical nature of this information, my experience is that many business people do not understand what they should be doing to protect the crown jewels. I repeatedly see posts on LinkedIn and elsewhere asking for a “form” or a link to a “free site” to get an NDA. Given the potential value of the information, this cavalier approach is surprising.
From The Internet Security Alliance: The ISAlliance is leading a project to develop an industry-led, cost-effective SCAP solution for VoIP and Unified Communications with the goal of providing a secure playing field for corporations as they deploy VoIP and related technologies.
T-Mobile customers are awakening this morning to reports that hacker/extortionists have victimized the cellular carrier through a massive network breach resulting in the theft of untold amounts of corporate and customer data, which they’re threatening to sell to the highest bidder. T-Mobile says it is investigating.
A large internet service provider said data for as many as 100,000 websites was destroyed by attackers who targeted a zero-day vulnerability in a widely-used virtualization application.
There is something wrong here and PCI DSS is exposing it, not causing it. “When people say PCI is too hard, many really mean to say compliance is not cheap. The business risks and ultimate costs of non-compliance, however, can vastly exceed implementing PCI DSS – such as fines, legal fees, decreases in stock equity, and especially lost business. Implementing PCI DSS should be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget.”
It’s no surprise that since the true realization of the money crash last September, sources of funding have dramatically tightened up. Most of us understand that desperate times require desperate measures, but be careful – if you’re seeking funding or working with someone who is, there be dragons out there… I’ve managed investor-related due diligence issues over the years primarily by bringing transparency to decision makers before any deal is made – unfortunately, some call too late and we have to roll in to “how to fix it” mode.
By Steven Fox, Founder of SecureLexicon: A cross-industry survey of 150 IT managers and technical staff showed that 20% of that population either admitted to cheating on an IT audit or knew someone who did. Ruvi Kitov, CEO of Tufin Technologies, noted that the rate of auditor deception is likely higher than the survey suggests. Andy Bokor, COO of Trustwave, added that some IT professionals respond to compliance pressures by describing their environments in a positive, yet false light.
By Richard Stiennon, Chief Research Analyst, IT-Harvest: eSoft has determined that there has been a major spike in fraudulent pharmacy sites just this past week. Much like the fake SpySweeper site, these pharma-fraud sites present a convincing storefront that appears to sell Viagra and Cialis. They have a sophisticated shopping cart system and take your money but do not bother with actually fulfilling orders. eSoft provided me with data on seven different templates they have discovered. The quantity is amazing.
From The Internet Security Alliance: The current technologies are woefully inadequate. They can deter the average script kiddies but provide little defense against foreign state-sponsored attacks and espionage, which represent 5% of the threat responsible for some of the most serious damage. Signature-based intrusion detection, firewalls, and anti-virus technologies are all deployed, but they do little to identify or prevent more sophisticated adversaries.
Google identifies the ten domains responsible for compromising the largest number of sites on the internet. In response to a recent surge in websites being infected with malware, Google has revealed the top ten most popular malware sites of the last couple of months.
The malware logs the magnetic-stripe data and personal identification number of cards used at an infected machine and provides an intuitive interface for retrieving the information using the ATM’s receipt printer, according to analysts from Spider Labs, the research arm of security firm Trustwave. Since late 2007 or so, there have been at least 16 updates to the software, an indication that the authors are working hard to perfect their tool.
The document, a draft declaration of U.S. nuclear facilities to the U.N. nuclear watchdog agency, contained descriptions of sensitive civilian sites, including the locations of facilities that store enriched uranium and other materials used in nuclear weapons. It was available for about a day on a Government Printing Office Web site before inquiries by news organizations prompted its hasty removal.