Cyber Security Group
phlphrrs | 22 Nov 2012 | 1 comment
Continued from Part 1 where I discussed the issues surrounding DLP.  Part 2 covers Anti-Virus technologies.

Now when it comes to anti-virus, there are a number of ways to look at this particular issue.  Yes, in fact, definitions-based anti-virus is fast becoming a dinosaur of sorts.  The problem is that there are so many new variants and new malware code being generated it’s just plain hard to keep up with that.  One day Symantec sees a new virus and we write a signature, the next day McAfee sees a new virus and writes that signature.  It just depends on which AV vendor sees that particular malware on a particular day.  Not a race, just reality.

I kind of laugh when I hear about companies that complain about their AV vendor and say things like, “Your stuff couldn’t find this virus, but when I went out and bought an AV software from ElCheapoAV.com, they found it easily. Why did they find...

phlphrrs | 19 Nov 2012 | 1 comment

I’ve been hearing and reading about a lot of interesting comments made by various info sec professionals regarding whether or not DLP or anti-virus has outlived its usefulness.  Believe it or not, both of these important technologies are still viable protection mechanisms that must continue to be evolved.  Both are relevant especially in today’s fast-paced information and malware flows and attacks.

With Data Loss Prevention, you get a thorough understanding where your sensitive data (including Intellectual Property) is throughout your environment, being able to put it back where it belongs, and preventing it from moving to where you don’t want it.  But, the real value is in the intelligence you’ve gained from that effort. 

As security professionals we often complain about how the business doesn’t get involved in security, they don’t understand why they need security or they just see it as a roadblock...

SecurityHill | 12 Nov 2012 | 0 comments
So in Covering All Your Bases – Part 1, I discussed some of the possible risks to our organizations by not having a Supply Chain Risk Management process in place.  In this article I will cover some ideas and controls to manage your risk and exposure through the Supply Chain Process.
Using traditional Business Continuity Planning (BCP) an organization can begin to establish a beginning SCRM process.
  1. Identifying high risk Items
  2. Understand key processes and/or components
  3. Identify recovery time per process and/or component
  4. Audit processes and maintain reporting for baselines

To accomplish the first, establish a formalized SCRM team; do not rely on your Business Units to handle issues on an Ad-Hoc basis.  The group does not need to be large but should maintain the correct amount of personnel to influence and manage the process.  Hopefully you have buy in or a representative from the various Business Units...

SecurityHill | 07 Nov 2012 | 0 comments
In the public wave of attention to Stuxnet, we have seen the capability of how physical systems are impacted by malicious threats.  But threats to hardware are not limited to Industrial Control Systems (ICS); other potential targets are networking equipment, computing hardware and telecom.  When protecting our organizations, we should always make sure we are covering all of our bases.  Sometimes this means protecting and auditing the hardware itself that is responsible for our communications and processing.  In recent years we have seen other examples of compromised hardware resulting from process or personnel within a supply chain.  Examples include computing hardware being shipped with malware stored in nonvolatile memory, hardware that has covert secondary channels or devices to communicate or store confidential data, or a device that may contain something as simple as a backdoor login.  All of these examples are possibilities that can be...

BJT | 05 Nov 2012 | 1 comment
I spend the majority of my time speaking with CISO & like-positions across all sectors of the Government; small, medium, and enormous.
 
One common issue I see is the time it takes to implement. 
I was in a conversation with a CISO this month, and his chain of command told him that “2014 is the year for security” when it comes to spend.
 
That means he is preparing his budgets to be submitted for their FY14 funding as we speak, and he’s doing so based on technologies that they’ve wanted for the past 5 years!    
Then, in 2014, when the CISO MIGHT get his funding, he’ll have to go out to alllll the vendors in the space; go through discovery, presentations, and demos.  After that, it may take 2-4 months to get the RFP on the street based on all of the preliminary work.  Next: another 2-4 weeks for RFP response; and then down-select to a couple vendors for the PoCs...
Joseph.Rogalski | 31 Oct 2012 | 0 comments
When talking with customers about seeking approval for their investments in security I think back to conversations I have with my children when they ask if they can have something.  The conversation goes a little something like this:
 
Andy:  Daddy can I have the new video game?
 
Dad: Why do you want it, you have 50 other games sitting on the floor of your room.
 
Andy: Because I need to have it!!!
 
Dad: But why?
 
Andy: Because!!! (repeat “But why” loop 4 times)
 
Dad: Will this game bring you joy and happiness?
 
Andy: YES!!!!
 
Dad: Well, since you have no money, if you want this game you need to clean your room, keep it clean and mow the lawn for the next month, deal?
 
Andy: A whole month?
 
Dad: Yes a whole month.
 
Andy: Ok then.
 ...
Joseph.Rogalski | 29 Oct 2012 | 0 comments
When talking with customers about seeking approval for their investments in security I think back to conversations I have with my children when they ask if they can have something.  The conversation goes a little something like this:
 
Andy:  Daddy can I have the new video game?
 
Dad: Why do you want it, you have 50 other games sitting on the floor of your room.
 
Andy: Because I need to have it!!!
 
Dad: But why?
 
Andy: Because!!! (repeat “But why” loop 4 times)
 
Dad: Will this game bring you joy and happiness?
 
Andy: YES!!!!
 
Dad: Well, since you have no money, if you want this game you need to clean your room, keep it clean and mow the lawn for the next month, deal?
 
Andy: A whole month?
 
Dad: Yes a whole month.
 
Andy: Ok then.
 ...
Robert Shaker | 24 Oct 2012 | 0 comments
Do you remember that from Saturday morning cartoons? It's such a true statement and one that we should all remember when we go about our daily lives. Here's an example. I was riding my jet ski on Father's Day. I've been riding for years and feel pretty comfortable even in open water. During this ride, a leisurely cruise with my brother, I saw a 28-foot boat slowly driving by and thought it would be fun to jump the wake. I started toward it but far enough away for the wake to calm a bit. After I broke the bow wake, a tiny one, it was only a millisecond or two before I realized I had miscalculated the aft wake; it was massive. He had been running his boat in a way I didn't expect, it wasn't logical, he was trimming the aft deep and that massive wake caught me off guard. Needless to say, it wasn't the fun jump I was expecting and pretty much ruined Father's Day for several fathers.

I was traveling this week on the west coast and had a...

Tim Fitzgerald | 19 Oct 2012 | 0 comments

Lately, I’ve been considering whether users really want security to be transparent. Certainly they want security to be easy and not get in their way but I am not certain that they want transparency. In all of my interactions with end users it seems to me that users want to know that they are being protected and that their data is safe. They just don’t want that security to interrupt the flow of their work and daily life.

 

As a security professional, what I really want is the security to be effective. Ideally, the security controls we put in place are not burdensome on the end user.  But I also want users to be security aware and to make good security decisions on behalf of the company. To be able to educate users as they work (letting a user know that they have just made or are about to make a poor security decision as the transaction is about to occur), seems like it would be a very effective mechanism to inform users and potentially...

BJT | 15 Oct 2012 | 0 comments
I was sitting with the Personal Counsel for a State Governor for a full day of Cyber Security and Policy Discussions and this topic presented itself so we spent some time defining it throughout the day.
 
The bottom line question: 
Why is it in a State's best interest to not only protect its own IT ecosystem, but also encourage and even assist in protecting facilities and the State's embedded companies and industries?
 
Simple really:  Trickle Down Breach Effects 
If a company or industry has a prime and/or dominant location within a State or Territory, and that entity suffers a significant breach of Personal Identifiable, Intellectual Property, or even something more detrimental, it could have a ripple effect that would reach far beyond the limits of that single entity.  In the past, we have seen things like brand reputation hits, which often precede or contribute to a drop in stock...