Cyber Security Group
PaulTobia | 22 Mar 2013 | 0 comments

Thanks to regulatory requirements, most everyone in the corporate world in the US is required to have official annual information security awareness/education/training. This isn't a bad thing per se, but I doubt many of us go beyond a stack of presentation slides with 10 multiple choice questions at the end. The compliance box gets checked, sure, but is anyone more knowledgeable about security? Has any risk been reduced?

There are many ways to impart knowledge or skill. Let's break things down at a very high level and all get on the same page. Awareness, education, and training are not interchangeable terms, so let me be clear on what I mean.

  • Awareness covers exposure to information, and not much else. Newsletters, posters, email blasts all fall under awareness. Note there's no requirement that the target of the awareness shows that anything has changed.
  • Education requires study and testing. Whether from a stack of slides, a website, a video,...

Phil Harris | 20 Mar 2013 | 1 comment

You know, it’s 2013 and we still have this issue of employees believing that corporate data is their own to do with as they please. In a recent Ponemon survey report, roughly two-thirds of employees believe this to be true. Unfortunately, this is an incredibly big problem going forward with the advent of Cloud and Mobility. We now have more places that data can be placed than ever before and, more importantly, without the employer’s knowledge in most cases. So, the question is this! Why is security awareness failing to meet the mark after all these years?

Well, there may be a couple of different answers to this question: 1) It’s possible that most companies don’t understand the value of the information they have and, hence, aren’t training employees (properly) about their responsibilities regarding corporate information; or 2) Companies still don’t see security awareness as an important element of driving employee conduct in their organizations...

Robert Shaker | 18 Mar 2013 | 0 comments

It’s all your fault, really, it is. Whether it’s a lack of caring, naivety or a misunderstanding you executives of companies and leaders of agencies have helped to create an underground ecosystem for attackers to collaborate and coordinate attacks against all of us. It’s time for a change. It’s time that we all realize that good security is good business.

Maybe if I put it this way. Do you want your organization to have maximum uptime? Do you want to have known manageable long term costs? Do you want your kid’s identity stolen? It’s really that bad. The evidence is there, we see it in the news daily. We need to change the way you think about Information Security and its place in your life.

Things are only going to get better when all C-level executives and leaders of governments step up and embrace a strong information security program that reinforces their business goals. So please listen to your information security team and...

franklin-witter | 15 Mar 2013 | 0 comments

Last month, Symantec hosted its 2nd annual internal CyberWar Games and I had the privilege of joining Efrain Ortiz, Ben Frazier, and JR Wikes as part of team Avengers. For five days, we worked on limited sleep, grinding our way through the process of hacking systems and applications to capture flags and rack up enough points to secure our team a spot in the finals. Along the way, I made a couple of observations that I thought would be worth passing along.
Lesson #1: Vulnerability Scanners LIE!!!
…or at least they don’t always tell the full story. If we had believed the results we got back from the vulnerability scans we ran against the systems in the CyberWar environment, we would not have made it very far. You see, our scans showed that there were no “Critical” or high-risk vulnerabilities present on the systems scanned and there were no useful “Medium” or “Low” vulnerabilities. What was...

franklin-witter | 13 Mar 2013 | 0 comments

With the continued uncertainty lingering in the global economy, I think it is likely that spending on new information security initiatives will continue to be highly scrutinized. This isn’t to say that security initiatives won’t go forward, just that CISOs and Security Directors will probably have to do more to justify the need for their organization to part with precious capital resources needed to fund these projects. As a result, security leaders will have to be very intentional in their approach to security in order to secure funding needed to improve or expand security operations. As I thought about how I might approach this challenge if I were back in the role of CISO, there are three key actions I would recommend to lay a foundation for justifying any new security initiatives.
Take Inventory
Before embarking on any new initiatives, I think that it is very important for organizations to take...

Tim G. | 11 Mar 2013 | 0 comments

The DeepSight Next Generation Portal Preview is live for all DeepSight Subscribers.

In the email that was sent there is a survey link that product management is using to collect feedback from users for continuous improvement.

Please log in and take a look around. The new portal will be going live soon, so be prepared for these changes.

PaulTobia | 11 Mar 2013 | 3 comments

Over the past few months I’ve noticed a disturbing trend in our industry to talk more about “offensive security.” People are writing and tweeting about “active defenses” or “strikeback capabilities” but it all points to a movement that is at best a confusing use of terminology and at worst a dangerous allocation of resources for almost any organization.

I get the appeal though. Offense is much sexier than defense. Competitions are won by scoring more points than your opponent, not having your opponent score fewer points than you. The hero in almost every action story will eventually make the bad people pay in some violent fashion. Even within security the amount of discussion around successful hacks, the results of scans and pen-tests, and what’s the latest vulnerability still dominates what we write and read.

With the increase in targeted attacks we know that there’s someone behind the attacks. There’s a...

Phil Harris | 07 Mar 2013 | 0 comments

I came across this article (see link below) not too long ago and it really got me thinking about not only the places where I put my information on the Internet, but the reasons I put my information out there. Most sites we put our information on seem really innocuous and quasi-safe because we don’t think the site is very interesting to anyone but ourselves and a handful of others with similar interests. It seems like it almost becomes a “second nature” activity to just blindly assume that Internet sites that don’t ask for your credit card are okay because, well, it’s just my name, and maybe my phone number and/or address.

When it comes to using ecommerce sites we all expect a certain level of security to protect our financial data. When it comes to non-ecommerce sites, it seems like there’s less thought given to the ramifications of what happens when you provide your personal information. For example, job...

Robert Shaker | 05 Mar 2013 | 0 comments

Authored by Kevin Riggins, Enterprise Security Architect, Fortune 500 Financial Services Organization

Thanks to Kevin for allowing us to cross post his article. Visit his blog for the article with its images.

On Friday, March 1st, 2013, I delivered my first RSA USA talk. It was a 20 minute talk on the need for and the value of an Enterprise Security Architecture. In addition to extolling the benefits of an EISA, I also provided a high level description of what one should look like and a quick blue print of how we go about starting down the path of developing one. Below is the text of the talk. I tend to wing it a bit during my talks so it is not a verbatim transcript, but all the thoughts and ideas are there. You can download the...

Joseph.Rogalski | 05 Mar 2013 | 0 comments

So what is the big deal if a few of my corporate PCs are infected with malware? What’s the worst that can happen? In this post I want to cover what can be done with a compromised PC and why it is a big deal. Many Security Managers minimize the importance of having clean PCs on their networks and ask what the worst is that can happen. We will walk through why it is extremely important to be diligent about protecting your endpoints.

Some “what ifs” to think about; these are the more obvious risks if a user’s PC is infected:

What if account credentials were harvested and used to access internal corporate information, or to place fraudulent orders within your internal systems? How would you know, and what could you do about it?

What if access was granted to the user’s corporate email? Sending phishing emails internally or externally from what is a trusted email address and further...