Cyber Security Group
Showing posts tagged with Mobile Security
PaulTobia | 22 Mar 2013 | 0 comments

Thanks to regulatory requirements most everyone in the corporate world in the US is required to have official annual information security awareness/education/training. This isn't a bad thing per se, but I doubt few of us go beyond a stack of presentation slides with 10 multiple choice questions at the end. The compliance box gets checked, sure, but is anyone more knowledgeable about security? Has any risk been reduced?

There are many ways to impart knowledge or skill. Let's break things down at a very high level and all get on the same page. Awareness, education, and training are not interchangeable terms, so let me be clear on what I mean.

  • Awareness covers exposure to information, and not much else. Newsletters, posters, email blasts all fall under awareness. Note there's no requirement that the target of the awareness shows that anything has changed.
  • Education requires study and testing. Whether from a stack of slides, a website, a video,...
Phil Harris | 20 Mar 2013 | 1 comment

You know, it’s 2013 and we still have this issue of employees believing that corporate data is their own to do with as they please. In a recent Ponemon survey report ~two thirds of employees believe this to be true. Unfortunately, this is an incredibly big problem going forward with the advent of Cloud and Mobility. We now have more places that data can be placed than ever before and, more importantly, without the employers’ knowledge in most cases. So, the question is this! Why is security awareness failing to meet the mark after all these years?

Well, there may be a couple of different answers to this question: 1) It’s possible that most companies don’t understand the value of the information they have and, hence, aren’t training employees (properly) about their responsibilities regarding corporate information; or 2) Companies still don’t see security awareness as an important element of driving employee conduct in their organizations...

Robert Shaker | 18 Mar 2013 | 0 comments

It’s all your fault, really, it is. Whether it’s a lack of caring, naivety or a misunderstanding, you executives of companies and leaders of agencies have helped to create an underground ecosystem for attackers to collaborate and coordinate attacks against all of us. It’s time for a change. It’s time that we all realize that good security is good business.

Maybe if I put it this way. Do you want your organization to have maximum uptime? Do you want to have known manageable long term costs? Do you want your kid’s identity stolen? It’s really that bad. The evidence is there, we see it in the news daily. We need to change the way you think about Information Security and its place in your life.

Things are only going to get better when all C-level executives and leaders of governments step up and embrace a strong information security program that reinforces their business goals. So please listen to your information security team and...

franklin-witter | 15 Mar 2013 | 0 comments

Last month, Symantec hosted its 2nd annual internal CyberWar Games and I had the privilege of joining Efrain Ortiz, Ben Frazier, and JR Wikes as part of team Avengers. For five days, we worked on limited sleep, grinding our way through the process of hacking systems and applications to capture flags and rack up enough points to secure our team a spot in the finals. Along the way, I made a couple of observations that I thought would be worth passing along.
Lesson #1: Vulnerability Scanners LIE!!!
…or at least they don’t always tell the full story. If we had believed the results we got back from the vulnerability scans we ran against the systems in the CyberWar environment, we would not have made it very far. You see, our scans showed that there were no “Critical” or high-risk vulnerabilities present on the systems scanned and there were no useful “Medium” or “Low” vulnerabilities. What was...

franklin-witter | 13 Mar 2013 | 0 comments

With the continued uncertainty lingering in the global economy, I think it is likely that spending on new information security initiatives will continue to be highly scrutinized. This isn’t to say that security initiatives won’t go forward, just that CISOs and Security Directors will probably have to do more to justify the need for their organization to part with precious capital resources needed to fund these projects. As a result, security leaders will have to be very intentional in their approach to security in order to secure funding needed to improve or expand security operations. As I thought about how I might approach this challenge if I were back in the role of CISO, there are three key actions I would recommend to lay a foundation for justifying any new security initiatives.
Take Inventory
Before embarking on any new initiatives, I think that it is very important for organizations to take...

PaulTobia | 11 Mar 2013 | 3 comments

Over the past few months I’ve noticed a disturbing trend in our industry to talk more about “offensive security.” People are writing and tweeting about “active defenses” or “strikeback capabilities” but it all points to a movement that is at best a confusing use of terminology and at worst a dangerous allocation of resources for almost any organization.

I get the appeal though. Offense is much sexier than defense. Competitions are won by scoring more points than your opponent, not having your opponent score fewer points than you. The hero in almost every action story will eventually make the bad people pay in some violent fashion. Even within security the amount of discussion around successful hacks, the results of scans and pen-tests, and what’s the latest vulnerability still dominates what we write and read.

With the increase in targeted attacks we know that there’s someone behind the attacks. There’s a...

Phil Harris | 07 Mar 2013 | 0 comments

I came across this article (see link below) not too long ago and it really got me thinking about not only the places where I put my information on the Internet, but the reasons I put my information out there. Most sites we put our information on seem really innocuous and quasi-safe because we don’t think the site is very interesting to anyone but ourselves and a handful of others with similar interests. It seems like it almost becomes a “second nature” activity to just blindly assume that Internet sites that don’t ask for your credit card are okay because, well, it’s just my name, and maybe my phone number and/or address.

When it comes to using ecommerce sites we all expect a certain level of security to protect our financial data. When it comes to non-ecommerce sites, it seems like there’s less thought given about the ramifications of what happens when you provide your personal information. For example, job...

Joseph.Rogalski | 05 Mar 2013 | 0 comments

So what is the big deal if a few of my corporate PCs are infected with malware, what’s the worst that can happen? In this post I want to cover what can be done with a compromised PC and why it is a big deal. Many Security Managers minimize the importance of having clean PCs on their networks and comment what is the worst that can happen. We will walk through why it is extremely important to be diligent about protecting your endpoints.
Some “what ifs” to think about; these are the more obvious risks if a user’s PC is infected:
What if account credentials were harvested and used to access internal corporate information, or place fraudulent orders within your internal systems? How would you know and what could you do about it?
What if access was granted to the user’s corporate email? Sending phishing emails internally or externally from what is a trusted email address and further...

Joseph.Rogalski | 28 Feb 2013 | 0 comments

While managing Operational Risk for a large IT organization, one of my responsibilities was to work with Corporate Operational Risk to define Key Risk Indicators (KRIs). KRIs were monitored at a corporate level. We took the easy route by using canned reports that were already in production rather than taking the time to evaluate what may be useful to measure. We looked at things such as spam activity and external firewall activity. These KRIs provided very little value, as they were not actionable. If blocked spam activity went up or down, what could be done about it? If the firewalls were being scanned more frequently, was there much, if anything, we could do? When I speak with clients today about reporting and KRIs, I encourage them to measure and report on areas where action can be taken and is useful to the organization.
I recently dealt with a number of customers who experienced MAJOR Severity 1 issues.  The impact and...

Vince Kornacki | 26 Feb 2013 | 0 comments

Ready for one last slick web application penetration test trick? In this installment we'll explore a subtle and often overlooked vulnerability related to web application authentication. In response to the login request containing posted authentication credentials the web application should return a "302 Found" redirect with a corresponding "Location" header specifying the next page within the application workflow. However, many web applications instead return a "200 OK" response without including this intermediate redirect. So what’s the problem?

In essence, browsers choose whether to resubmit posted data back to web applications based on the response codes returned by the web application. When a "200 OK" response code is received, the information originally submitted to the web application will be resubmitted when the "Back" button is clicked. However, when a "302 Found" redirect is received, the...
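The two response patterns the post contrasts, as an added example that is not from the original post: a minimal WSGI login handler that either serves the landing page straight from the POST ("200 OK", the weak pattern) or answers the POST with a "302 Found" plus "Location" so the browser's history holds a GET instead of the credential POST. `login_app`, `run`, the `/home` path and the demo credential store are assumptions made for the illustration.

```python
import io
from urllib.parse import parse_qs

# Constructed demo credential store; a real application compares against
# a salted password hash, never a plaintext secret.
USERS = {"alice": "s3cret"}


def _credentials_ok(body: bytes) -> bool:
    """Parse an application/x-www-form-urlencoded login body and check it."""
    form = parse_qs(body.decode("utf-8"))
    user = form.get("username", [""])[0]
    pwd = form.get("password", [""])[0]
    return USERS.get(user) == pwd


def login_app(environ, start_response, use_redirect=True):
    """Handle POST /login.

    use_redirect=False: the welcome page is the direct reply to the POST, so
    the POST stays in browser history and Back offers to resubmit it.
    use_redirect=True: Post/Redirect/Get; the reply is 302 + Location and the
    page the user lands on was fetched with a GET."""
    if environ["REQUEST_METHOD"] != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b""]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length)
    if not _credentials_ok(body):
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"bad credentials"]
    cookie = ("Set-Cookie", "session=demo-token; HttpOnly; Secure; Path=/")
    if use_redirect:
        start_response("302 Found", [("Location", "/home"), cookie])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html"), cookie])
    return [b"<h1>Welcome</h1>"]


def run(app, body: bytes, **kwargs):
    """Drive a WSGI app with a constructed POST /login; return (status, headers)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/login",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    app(environ, start_response, **kwargs)
    return captured["status"], captured["headers"]
```

Running `run(login_app, b"username=alice&password=s3cret")` yields the 302 with `Location: /home`; passing `use_redirect=False` yields the 200 the post warns about.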