Category Archives: Enterprise Security

IDC Releases Alarming Trends for the Digital Universe

Nobody disputes the growth of digital information over the last decade, enabled by developments in storage technology that were then put to use in the hands of consumers. We all create content every day, and as phones get bigger and better processors, cameras, and radios, we can expect this to continue. To put the growth of digital information into perspective, think about how painful it was to download a thirty-second HD movie clip five years ago or an entire music album ten years ago. Now we do it on our phones or tablets without thinking about it (until that data bill comes in!). IDC released a study today (in conjunction with EMC) projecting that the digital universe will be so large ...


The Biggest Thing The PCI Council Can Do

The PCI Council has been pretty influential in our lives since its inception on September 7, 2006. They were handed control of the PCI Data Security Standard and have turned it into a cascading group of standards that govern (or recommend controls) for nearly every aspect of payment acceptance and processing. So it almost seems like this PCI problem is sort of solved, doesn’t it? When you look at the PCI DSS ecosystem, many of the big rocks have already been addressed. This has some interesting side effects, one of which is a camp of merchants that have been hounded to get compliant (Levels 1-3) and a mass of merchants that have no clue about PCI DSS until they are ...


PCI Council Releases Risk Assessment Guidelines

The PCI Security Standards Council announced today a new set of guidelines for risk assessments, as output from one of the major Special Interest Groups selected by the Participating Organizations in 2011. This topic is one I have written about before, and in fact it was one of the SIGs that I voted for. I’ve been through the output and I must say, I don’t see it as any different from any other risk guidance out there. It’s fairly comprehensive when it comes to listing common risk methodologies, it gives some sample frameworks and processes, and aims to give some clarity to the larger 12.1.2 subrequirement of PCI DSS. As with most risk-related topics, you will have people hailing its ...


Securing Distributed Infrastructure

With Harvard Business Review calling the Data Scientist the sexiest career for the next 10 years, security professionals are going to have their hands absolutely full with securing the distributed infrastructure that powers big data analytics. The Hadoop infrastructure isn’t just one tool that you download to get you some Big Data fun, it’s really a framework of a multitude of tools (and options for substitution) that each carry out specific tasks in a distributed and flexible way. Part of the driving force behind wide-scale Hadoop environments is the notion that it is easier to move computation capabilities than it is to move data. This means that nodes will have some slice of data, but the end result analytics would ...


Game Theory and Cyber Defense

One of my colleagues is working with a bunch of crazy-smart people at RSA Labs to explore how attacker-defender games can be used to help model behaviors and outcomes in the cyber defense realm. Notice how I am not saying “Information Security.” I know a lot of you hate the term “cyber,” but in this case it is a more accurate description of what these games really teach us about. Check out this latest blog post by Bob Griffin. In it, he discusses how game theory is making its way into the information security mainstream, starting with several presentations at RSA Europe 2012 (and next week at GameSec in Budapest). The FlipIt game that these guys created is quite groundbreaking, ...


On Whitelisting ASVs

This topic has made the rounds again—both due to the community meetings happening over the last four weeks and because of some customer discussions I became involved in. Essentially, the issue is this: ASVs need the ability to scan through perimeter defenses like IPS, while companies being scanned want to showcase their defenses activating (as they should) upon a scan. Both groups have valid points. The ASV is following the program guide. In order to provide passing scans they must be able to scan through perimeter defenses to the actual systems to generate an accurate vulnerability report. Having a scan instantly blocked doesn’t necessarily eliminate the possibility that a vulnerability could be exploited; it just stops that scan’s ...


Slow Down Patching?

The whole discussion around patching and vulnerability management is a big problem in general, but it is typically exacerbated by compliance initiatives like PCI DSS. Companies want to be secure, in general, but they have different risk procedures that can change the manner in which they do things like patching or locking down desktop controls. A good friend of mine turned me on to a presentation that happened at ToorCon in San Diego this past weekend that I am curious about. The abstract pushes us into dangerous territory, that of interpretation by QSAs (something we have often chatted about here). In the abstract, the presenter takes the opinion that rushing to patch is undesirable (I potentially agree) and that the language ...


The Power of Inference

Last week I spoke at RSA Conference about using social engineering techniques as a form of espionage—a way to “game” big data, as it were. I believe that our current estimation of what can be derived from innocuous-appearing data is not only lacking, but nearing the level of irresponsibility. In our talk, we discussed how an attacker might go after a prized piece of information, say the formula for Coca-Cola. If an attacker wants to reassemble such a formula, he could apply techniques often used in social engineering. Social engineers don’t bluntly ask targets for their social security number; they ask for pieces they can use to reconstruct it. For example, people tend to give out ...


“Non-Observables”

Security professionals face crazy obstacles unseen in other parts of the technology space. For example, we are often fighting enemies we cannot see. They out-maneuver us by attacking our partners, our informational supply chain, and even our people. But they are not completely invisible if we know what to look for. There was a recent thread on the SIRA mailing list that discussed the concept of “non-observables,” or elements in the security space that cannot feasibly be observed by defenders. These elements, in theory, would be critical in event detection, thus providing defenders with better capabilities to shrink the window of vulnerability. This is a foolish notion that leads security people into an unnecessary state of helplessness. Consider Locard’s Exchange ...


The Dissolving Perimeter

IT and IS professionals have long acknowledged and lamented the dissolution of the network perimeter amid a global economic crisis and shrinking IT budgets. We must do more with less, be more efficient, and create and leverage economies of scale and scope to achieve all of this. But that doesn’t necessarily explain why the perimeter is dissolving, so what is going on? Businesses are exchanging information in real time (both providing and consuming) over public networks as opposed to frame relay or MPLS links behind the scenes. The number of telecommuters in the US grew 61% from 2005 to 2009 (The State of Telework in the US – Five Year Trend and Forecast). This means more laptops over desktops, and now more ...

