What could be worse: a vague and hastily thrown together mashup of security protections masquerading as a security framework or standard, or having the government get into the act? Now you don't have to choose: you can have the worst of both worlds! Follow the US Congress hearings on PCI! Or, follow the commentary into the hearings on Twitter (which is fairly random and noisy, but probably makes just as much sense). Read more →
« February 2009 | Main | April 2009 »
Posts from March 2009
31 March 2009
US Congress PCI hearings
Posted by Rob Slade on 31 March 2009 at 09:12 PM in Cybersecurity Certifications, Cybersecurity Training, Government , IT Security, Operations Security, Risk | Permalink
|
Comments (0)
The Insecure Air Freshener
At a recent trip to an office building, in the restroom there was, up in the corner, a battery-powered air freshener that automatically sprays potpourri scent every half hour. It is a white box about the size of 2 stacked VHS tapes (remember those?) mounted up in the corner against crimson tile. And it had, to my amazement, a brass lock to keep the lid securely closed. The lock was a simple, inexpensive brass lock anyone can buy at Home Depot for a few bucks, screwed into the plastic side with standard gold-colored screws. So, I was wondering...why was it... Read more →
Posted by Don Franke on 31 March 2009 at 08:02 AM | Permalink
|
Comments (9)
|
TrackBack (0)
29 March 2009
GhostNet
The tracking (and scope) of GhostNet, a significant example of the use of malware and botnets for espionage. Some items of this were given in a story in the New York Times. There is also related work in a report out of Cambridge (full report in PDF)(which, like everything else Ross Anderson has written, is worth reading regardless of your level of interest). Read more →
Posted by Rob Slade on 29 March 2009 at 06:46 PM in Cybersecurity Training, Digital Forensics, IT Security, Legal, Malware, Network Security, Operations Security, Privacy, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
25 March 2009
Security- Beyond Compliance
Compliance will not always guarantee that your information security assets are well protected. Security is beyond compliance. An example In the last week of Januray 2009, Heartland Payment Systems announced that their network were compromised and hackers accessed their customer information.Hackers had access to Heartland's network for more than a week. Heartland is one of the largest payment processor in the world which process more than 11 million transactions a day and more than $80 billion in transactions a year. Heartland were PCI DSS compliant but they did not notice the hacker activities until they were alerted by Visa and... Read more →
Posted by Praveen Karunakaran on 25 March 2009 at 05:19 PM in IT Security | Permalink
|
Comments (0)
|
TrackBack (0)
24 March 2009
Computer Re-use Optimisation Project
In the course of operations, recycling of old computers is an issue. The confidentiality dangers of object reuse are reasonably well known. However, when the time comes to get rid of a bunch of old (and rather toxic, if just dumped) computer equipment, where can you send them to best effect? The Computer Re-use Optimisation Project (CROP) lists a number of organizations and institutions, in a number of different areas of the world, that take, refurbish, and give computers to worthy causes. Read more →
Posted by Rob Slade on 24 March 2009 at 11:12 PM in Cybersecurity Training, Digital Forensics, IT Security, Operations Security, Privacy | Permalink
|
Comments (0)
|
TrackBack (0)
Understanding the Web browser threat
An interesting piece of research and discussion, examining browser vulnerabilities, and the risk to the computing envrionment as a whole, in light of a large number of factors. Read more →
Posted by Rob Slade on 24 March 2009 at 12:28 AM in Cybersecurity Training, IT Security, Malware, Network Security, Operations Security, Risk, Software Development | Permalink
|
Comments (0)
|
TrackBack (0)
23 March 2009
NIST SP800-16 - revised draft security training standard
I've been reading and thinking today about a revised NIST Special Publication SP800-16, currently released for public comment. If you are genuinely interested in making security awareness more effective, I recommend setting aside an hour or three to read and consider the draft document. To whet your appetite, here are just a few short paragraphs from one section of the draft, with my own thoughts and comments cited below. Under section 2.2.1 of SP800-16, NIST says: "Awareness is not training (1). Security awareness is a blended solution of activities (2) that promote security, establish accountability, and inform the workforce of... Read more →
Posted by Gary Hinson on 23 March 2009 at 09:24 PM in Cybersecurity Training | Permalink
|
Comments (0)
|
TrackBack (0)
21 March 2009
Data Normalization
One of the challenges of IT security monitoring is figuring out what to do with the mountains of data that can easily be gathered. Once you've overcome any technical and procedural challenges to collecting that data at a central point, you now have to normalize that data. I have found the best way to do this is to organize your data by source (such as Antivirus software logs), and then build database tables for each source. Use common column names such as source_host, dest_host, and date where possible. It will take some creative use of Perl, Python, etc. to slice... Read more →
Posted by Adam Kuncewitch on 21 March 2009 at 04:27 AM in Network Security, Operations Security | Permalink
|
Comments (2)
|
TrackBack (0)
19 March 2009
Spellcheckers creating disaster
We have all kinds of systems to help us out. Sometimes they help us *way* out. Sometimes they create the most amazing problems. This article addresses that kind of situation. (I recall a, well, "politically correct checker," I suppose, which, some years ago, amended a newspaper article in order to inform people that a certain local municipal government was, fiscally speaking, "back in the African-American" ...) Read more →
Posted by Rob Slade on 19 March 2009 at 09:49 PM in Cybersecurity Training, IT Security, Operations Security, Risk, Software Development | Permalink
|
Comments (0)
|
TrackBack (0)
Secure data erasure
For all the trouble we have to take to protect, backup, and maintain our data, when we want to get rid of it, it turns out to be remarkably difficult. Do we delete Overwriting delete? Overwrite 40 times? Overwrite 40 times including all the slack space? Degauss? Get out the thermite? This site presents a faster and easier option. There is software, and also a paper (possibly self-serving ...) explaining the option, and why it is very often good enough. Read more →
Posted by Rob Slade on 19 March 2009 at 09:16 PM in Cybersecurity Training, Digital Forensics, IT Security, Legal, Operations Security, Privacy, Risk | Permalink
|
Comments (2)
|
TrackBack (0)
16 March 2009
Presenting risk
We talk about risk, risk assessment, risk analysis, and risk management. A lot. But people are remarkably bad at really understanding risks. This web page and animation on understanding uncertainty was created to address medical risks. However, it points out a number of ways that we can either misrepresent, or misunderstand, risk in general. Read more →
Posted by Rob Slade on 16 March 2009 at 03:13 PM in Cybersecurity Training, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
DHS Cybersecurity help/resource
Recently there has been a bit of a debate, around the US, anyway, about whether the NSA or the DHS should have responsibility for cybersecurity. One of the points raised is that the NSA shouldn't take on that job, since cybersecurity involves helping "ordinary" people and companies secure their own systems. (In the modern environment, silo/bastion thinking doesn't work in security: now, that fact that I have a virus means you have a problem.) And the NSA has proven itself singularly loath to tell anything to anyone. DHS has, on the other hand, set up a cybersecurity resource. Check it... Read more →
Posted by Rob Slade on 16 March 2009 at 02:58 PM in Cybersecurity Training, IT Security, Network Security, Operations Security, Risk | Permalink
|
Comments (1)
|
TrackBack (0)
14 March 2009
The BBC's Botnet
Having devoted much of the past few days to blogging on the topic of the BBC's venture into criminal botherding, and a small portion of my weekend to watching its controversial Click programme, as well as to reading the BBC's own responses to some of the comments from the security industry and others, I'd like to make one or two points here. It's clear from viewing the whole programme (which some of you at least can do online, if you haven't yet had the opportunity) that the BBC paid several thousand dollars for the control of a botnet comprised of... Read more →
Posted by David Harley on 14 March 2009 at 11:24 AM in Ethics | Permalink
|
Comments (3)
|
TrackBack (0)
08 March 2009
Moving from Compliance to Measurable Security
Let’s face it compliance is a good thing. For what ever reason, people left to their own devices will make risky decisions, to lower cost, reduce effort, return a higher profit, or simply make a quick buck. It seems that people will often take the path of least resistance unless they fear it will cause themselves personal pain in the process. Rules are needed to compel people to do what is right or reasonable. A lack of regulation incubates an environment for abuse. If the state of the current economy does not fully illustrate this point then nothing will. In... Read more →
Posted by Sean M. Price on 08 March 2009 at 12:43 AM | Permalink
|
Comments (0)
|
TrackBack (0)
07 March 2009
The New Federal CIO Announced
President Obama announced his appointment of Vivek Kundra as the newly created Federal CIO position during a news conference March 5. According to FCW: "President Barack Obama today named Kundra, the former chief technology officer for the local government of the District of Columbia, to two posts; the federal CIO in the White House, and he will also be the Office of Management and Budget’s administrator for e-government and information technology, Kundra said in a teleconference with reporters after Obama's announcement. Kundra said he plans to build on innovations from the previous administration but wants to move beyond e-government. As... Read more →
Posted by Lester Nichols on 07 March 2009 at 01:06 AM in IT Security | Permalink
|
Comments (0)
|
TrackBack (0)
04 March 2009
Sumitomo scammers guilty
"Two men who plotted to steal £229m from a bank using software have been found guilty for their roles in the scam. "Lord" Hugh Rodley, of Gloucestershire, who bought his title, was convicted of conspiracy charges dating back to 2004. Gang members had installed spyware on computers at the London offices of Sumitomo Mitsui bank in order to steal money from big business accounts. Soho sex shop owner David Nash, 47, from Durrington, West Sussex, was also convicted at Snaresbrook Crown Court. He had been used by Rodley to front accounts into which the funds would have been channelled, the... Read more →
Posted by Gary Hinson on 04 March 2009 at 05:17 PM | Permalink
|
Comments (0)
|
TrackBack (0)
03 March 2009
Consensus Audit Guidelines - What is the consensus?
The first draft of the Consensus Audit Guidelines (CAG) was published on February 23, 2009 according to the SANS press release. As represented in the press release, the CAG includes 20 controls, 15 of which can be automated. Further, the CAG defined tests that could be used to determine whether each control is effectively implemented. According to the CAG, a "Consortium of US Federal Experts" identified the 20 Most Critical Controls "essential for blocking known high-priority attacks": Critical Controls Subject to Automated Measurement and Validation: 1: Inventory of Authorized and Unauthorized Hardware. 2: Inventory of Authorized and Unauthorized Software. 3:... Read more →
Posted by Matthew Metheny on 03 March 2009 at 11:52 AM in IT Security, Network Security, Operations Security | Permalink
|
Comments (2)
|
TrackBack (0)
01 March 2009
You Oughta Know Better!
In a report today from MSNBC titled, Report: Obama helicopter security breached, the blueprints and other information relating to Marine One, the Presidential helicopter, were found linked to an Iranian IP address. The report states that a defense contractor downloaded a peer-to-peer (P2P) application the "SAME SYSTEM" that contained the information regarding Marine One. We all make mistakes, but this one is a big one. We all oughta know that you treat systems with sensitive information as systems with sensitive information. This means that you do not install P2P applications from the Internet on a classified system or you do... Read more →
Posted by Lester Nichols on 01 March 2009 at 11:47 PM in Ethics, Insider Risk, IT Security, Malware, Network Security, Operations Security, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
Search
Categories
- Center for Cyber Safety and Education (52)
- Cloud Security (137)
- Cybersecurity Certifications (387)
- Cybersecurity Training (315)
- Cybersecurity Workforce (254)
- Digital Forensics (30)
- Ethics (53)
- Government (127)
- Insider Risk (57)
- ISC2 Chapters (22)
- ISC2 Events (166)
- IT Security (389)
- Legal (46)
- Malware (116)
- Network Security (178)
- Operations Security (144)
- Privacy (117)
- Ransomware (90)
- Risk (204)
- Software Development (46)
- Spotlight (71)