Wednesday, November 28, 2012
Georgia Tech's Cyber Threat Predictions for 2013: Ho hum, Yawn
Friday, November 16, 2012
Battle for information security 'is being won'
Cautious optimism or delusional optimism?
Monday, November 12, 2012
Huawei too dangerous to do business with?
Last week, three US service providers came out in support of the Chinese companies. (Sorry, I can't find or recall the reference for this.)
In March, the GAO found that defense agencies claimed to have no supply chain security issues, and discovered that DOD had suspect components.
Is this just New Cold War posturing?
Wednesday, November 7, 2012
Volunteering Falls Short on Threat Information Sharing
I can understand why they don't want to share with government agencies whose attitude toward sharing is all one-way: you give to us and we'll horde it all.
For more on this, read Threat Intelligence: What to Share?
Friday, October 26, 2012
Half of U.S. adults said Internet service is the most important utility in their homes
So, neither fresh water, electricity, sewer systems, nor even television is important. Amazing. How does this set back Maslow's hierarchy of needs? Then, there is the earlier report that Internet access is more important than sex. Are these people all leading candidates for a Darwin Award? I think we have to worry for the survival of the species.
Monday, October 8, 2012
Chinese firms draw fire in House Intelligence report; Cisco cuts ties to China's ZTE after Iran probe
Seems like the House Intelligence Committee did something right. Reuters reports that the committee is recommending that Huawei and ZTE be barred from buying US companies because of fears that they could be used for cyber-espionage. Of course, depending on who wins the Presidential election next month, the committee's recommendation has a good chance of being ignored. I'm surprised we allow them to sell kit into the US, or at least the defense establishment. As I said before, cyber-espionage is still espionage. Is it any easier done over networks than by coopting employees of target companies or government agencies? I'd be more concerned about cyberwarfare. And didn't India ban Chinese telecom firms from selling into the country because of security concerns? Frankly, I'd be as worried about French and Israeli providers.
10/9/12 -- According to Reuters, Cisco cuts ties to China's ZTE after Iran probe. Shall I rest my case now?
Wednesday, September 19, 2012
Facebook, Twitter Begin Slide into Irrelevance
Basically, in exchange for free content and ads, users sell their souls, otherwise known as PII. Fair exchange? I think not. But users are selectively cheap. They've been conditioned to expect online content and services for free, although the cost of accessing the content and services isn't free. What ISP doesn't exact a monthly fee for access? If Google is so intent on free access to information, why doesn't it supply ad-free search, and provide payments to content creators?
This perspective may be influenced by my role as a content creator, but it bothers me that users expect free online content, but these same freeloaders expect to pay for Starbucks and slacker chic.
Denny Hatch, a curmudgeonly DM commentator, and others have suggested that Facebook, Twitter, and their ilk charge $1/month for use. Do the math. That's billions a year, and for $12/year we won't have to provide PII and suffer invasive ads. Of course, there's a risk to building a paywall in that someone else can offer that service for free. It wasn't so long ago that mobile service providers tried to keep users in walled gardens. How Apple continues to do this is beyond my ken.
Tuesday, September 18, 2012
National Cyber Security Hall of Fame: Where's Hal Tipton?
While I'm certain that everyone named to the hall of fame is deserving, and, knowing most of them either personally or by reputation, they are, I still can't believe that Hal Tipton wasn't included. Hal's history is like the history of information security. And the number of people he's influenced has to be legion. Hal was a true pioneer, visionary, and doer.
Thursday, September 6, 2012
"No Easy Day"
I'm still struggling to figure out what was "classified," and why the witch hunt. The story didn't seem too much different from the Time article published last Spring. You'd think, though, that the Pentagon would be looking at all the leaks about the operation in its aftermath. It didn't take long for details to emerge.
Wednesday, September 5, 2012
No Easy Day: Day 2
So far, there's been nothing exciting in the book. The usual stuff about how the author was born to do this, complaints about too much training and too little action, anecdotes about missions in the Middle East, ...
I've heard the training complaint before. The son of a friend is in Delta now, and has been for five years or so. He's only deployed to Trashcanistan once. The other years were spent either as a trainee or a trainer, both here and overseas.
As I continue to read, maybe we'll get to the actual assault and take down of bin Laden.
A Vulnerable Network Can Cost Your Business
Tuesday, September 4, 2012
"No Easy Day" Coming Soon to a Torrent Website?
Being a publisher, I'm not happy about this. Publishers, authors, musicians, and ultimately all of us lose from this.
Wednesday, August 29, 2012
Hotel Keycard Lock Hacker Questions Firmware Fix
Deadbolts won't help when you're not in the room. I recall a conversation about this at an ASIS conference a few years ago. Then it was more of a privacy issue; for example, the management system records when the door was opened, and by whom. It's not unlike using EZPass to record who goes where and when, or mobile phone GPS data to track movements. Law enforcement and divorce lawyers have a field day with this.
Because hackers can unlock and start cars, not to mention hijack drones, why should we be surprised they can spoof keycards?
Tuesday, August 21, 2012
WeKnowYourHouse.com and PleaseRobMe.com
I'm also hearing stories of how people claim they're safe because they don't use social networking. Then, someone checks their kid's Facebook page and sees that daddy's going to Bentonville, Arkansas. Well, there's only one reason to go to Bentonville, and this knowledge could be corporate intelligence.
We're publishing a book on data anonymization, which deals with this from an enterprise perspective, particularly PII and PHI. Supposedly, 87% of US citizens can be linked using zip code, date of birth, and sex. So, by using publicly available information such as voter records and supposedly clean data on health insurance, it's possible to identify and tie an individual to a health record. There are many good reasons why PHI, for example, needs to be private. Yet, it's remarkably easy to get it.
I don't know why it's so hard to increase users' awareness of the dangers of the Web, and their willingness to barter PII for free access. I guess it's the free part.
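The linkage the post describes works because a few "harmless" fields (zip code, date of birth, sex) single out most people. The script below is an added example, not from the post or the book it mentions: over a small constructed table it counts how many records are unique on those quasi-identifiers, and then coarsens the zip code and date of birth until every record shares its quasi-identifier values with at least k others (k-anonymity). The records and the generalisation ladder are assumptions made for the demonstration.

```python
"""Measure re-identification risk on quasi-identifiers and generalise to k-anonymity.
Added example; every record below is constructed."""
from collections import Counter

# Constructed de-identified "health" records: (zip, dob, sex, diagnosis)
RECORDS = [
    ("02138", "1965-07-20", "F", "flu"),
    ("02138", "1965-07-20", "F", "asthma"),
    ("02139", "1971-01-05", "M", "diabetes"),
    ("02139", "1971-01-05", "M", "flu"),
    ("02141", "1958-11-30", "M", "flu"),
    ("02142", "1958-11-02", "M", "hypertension"),
]


def quasi_key(rec, zip_digits=5, dob_parts=3):
    """Build the quasi-identifier tuple at a chosen generalisation level:
    keep the first zip_digits of the zip and dob_parts of YYYY-MM-DD."""
    zipcode, dob, sex, _diagnosis = rec
    return (zipcode[:zip_digits], "-".join(dob.split("-")[:dob_parts]), sex)


def k_anonymity(records, **level):
    """Smallest equivalence-class size over the quasi-identifiers (k)."""
    counts = Counter(quasi_key(r, **level) for r in records)
    return min(counts.values())


def unique_fraction(records, **level):
    """Fraction of records that are alone in their class: each of those is
    re-identifiable by anyone holding a public table (e.g. voter rolls)
    with the same three fields."""
    counts = Counter(quasi_key(r, **level) for r in records)
    uniques = sum(1 for r in records if counts[quasi_key(r, **level)] == 1)
    return uniques / len(records)


def generalise_until(records, k):
    """Walk a fixed ladder (assumption): full zip+date, then 3-digit zip,
    then year-month, then year, then no zip. Return the first level that
    makes the table k-anonymous, or None if none does."""
    for zip_digits, dob_parts in ((5, 3), (3, 3), (3, 2), (3, 1), (0, 1)):
        level = {"zip_digits": zip_digits, "dob_parts": dob_parts}
        if k_anonymity(records, **level) >= k:
            return level
    return None


if __name__ == "__main__":
    print("k at full precision:", k_anonymity(RECORDS))
    print("unique records:", unique_fraction(RECORDS))
    print("level needed for k=2:", generalise_until(RECORDS, 2))
```

On this table a third of the records are unique at full precision; dropping the last two zip digits and the day of birth is enough to reach k=2. Real datasets need the same measurement before release, not after.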
Saturday, August 4, 2012
Cyber-security Measure Fails to Pass in Senate; Risk Management Webinar
Dan Swanson's next Webinar on Risk Management for Directors and Officers is scheduled for August 28th.
Friday, August 3, 2012
Anonymous Attack Protests Web Laws, Catches Innocents
Thursday, August 2, 2012
Dropbox Admits Hack, Adds More Security Features
Monday, July 23, 2012
Kaspersky, ex-KGB, Is Tool of Putin
And, we're worried about supply chain security in relation to China?
Monday, July 2, 2012
3 Risks of Failing to Monitor Internet Usage
Employees downloading files, social engineering attacks, bandwidth consumption and negatively impacted productivity can all result from the misuse of employee Internet access privileges. Many of these risks can be mitigated by using software to monitor Internet usage over your network, and to apply proactive security measures to stay secure.
Let’s take a look at the three most common pitfalls and how they can be avoided by Internet monitoring software.
Decreased Productivity
Not all employees understand the concept of “Internet privileges”, and some may interpret it more loosely as “carte blanche to surf the web all day.” In addition, some employees like to use high-speed corporate networks to download large files, such as movies. Not only does this activity put the company at legal risk, but large downloads can also devour bandwidth and cause a loss of productivity across your network.
Good software can allow you to monitor Internet usage, providing the granular management of Internet access controls for your employees. This allows you to control their browsing habits and prevent abuse to ensure your system runs at peak performance. In addition, Internet monitoring software can also allow you to set bandwidth thresholds and block streaming media to ensure you retain control of Internet traffic passing through your network.
Malicious Files and Viruses
Unauthorized downloads and malicious websites can result in infected PCs. Not only does that put your confidential data at risk, but it can also result in system downtime to clean out the infection and restore your network to a secure state.
Employees may also attempt to download and install patches for work-related software, which could destabilize your network if those patches are not tested and approved. Compatibility issues can arise with your existing setup, resulting in administrator resources being used to fix a problem that shouldn’t have arisen in the first place.
By using software to effectively monitor Internet usage you can control which files can be downloaded by users. Software can also be used to scan files that are allowed onto the system with multiple antivirus engines, thus ensuring they are safe. In addition, sites that are off limits can be blocked, keeping your network safe from a variety of attack vectors.
Phishing Attacks
Websites that are masquerading as legitimate sources can lure employees into a false sense of security. They may be tricked into revealing confidential information, or even inadvertently give away access codes that could leave your system open to attack.
By filtering websites and monitoring HTTPS traffic to prevent malware masquerading as safe software, you can keep your network better protected against such risks. In addition, some software that can monitor Internet usage will also block access to known phishing websites based on updateable databases of known attack sites.
By failing to monitor Internet usage you can leave your company exposed to considerable risks. Few businesses can afford a loss of productivity, or having their bandwidth resources gobbled up by employees making personal use of the network. Worse still, infection from malware or viruses as a result of failing to control downloads can leave your system completely down.
By deploying software to monitor Internet usage you can keep a careful eye on your network and control its usage to ensure it always runs at peak performance, while also providing an extra layer of protection against attack. The question now is, is it worth the risk to remain without it?
**********
This guest post was provided by Peter Wisner on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about why you need to monitor Internet usage.
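The three risks above (bandwidth-hungry downloads, unauthorized file downloads, phishing sites) are things a monitoring product derives from proxy logs. The script below is an added example, not GFI's code or product output: it parses a handful of constructed proxy log lines and applies one check per risk. The log format, the per-user byte threshold, the blocked file extensions and the phishing host list are all assumptions for the demonstration.

```python
"""Triage constructed web-proxy log lines for the three risks in the post.
Added example; format, thresholds and lists are assumptions."""
import re
from collections import defaultdict

# Constructed sample log: timestamp user bytes method url category
SAMPLE_LOG = """\
2012-07-02T09:01:12 alice 1843 GET http://intranet.example/home.html business
2012-07-02T09:03:40 bob 734003200 GET http://files.example/movie.mkv media
2012-07-02T09:05:02 carol 120001 GET http://downloads.example/hotfix.exe software
2012-07-02T09:06:55 dave 2210 GET http://account-verify.example/login phishing
2012-07-02T09:10:11 bob 512000000 GET http://files.example/movie2.mkv media
2012-07-02T09:12:00 erin 9000 GET http://cdn.example/app.js business
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+) (\S+)$")

# Policy knobs (assumptions)
PER_USER_BYTES_THRESHOLD = 1_000_000_000          # ~1 GB per user per log window
BLOCKED_EXTENSIONS = (".exe", ".msi", ".mkv", ".torrent")
KNOWN_PHISHING_HOSTS = {"account-verify.example"}  # stand-in for a vendor feed


def parse_log(text):
    """Return a list of dict entries, skipping lines that do not match."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, user, nbytes, method, url, category = m.groups()
        host = re.sub(r"^[a-z]+://", "", url).split("/")[0]
        entries.append({"ts": ts, "user": user, "bytes": int(nbytes),
                        "method": method, "url": url, "host": host,
                        "category": category})
    return entries


def triage(entries):
    """Apply the three checks and return findings grouped by risk type."""
    findings = {"bandwidth": [], "blocked_download": [], "phishing": []}
    per_user = defaultdict(int)
    for e in entries:
        per_user[e["user"]] += e["bytes"]
        if e["url"].lower().endswith(BLOCKED_EXTENSIONS):
            findings["blocked_download"].append((e["user"], e["url"]))
        if e["host"] in KNOWN_PHISHING_HOSTS or e["category"] == "phishing":
            findings["phishing"].append((e["user"], e["host"]))
    for user, total in per_user.items():
        if total > PER_USER_BYTES_THRESHOLD:
            findings["bandwidth"].append((user, total))
    return findings


def triage_sample():
    """Run the checks over the constructed log (used by the usage below)."""
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, hits in triage_sample().items():
        print(kind, hits)
```

Two of the checks are list lookups that a vendor feed would normally supply; the bandwidth check is the one that has to aggregate across lines, which is why the per-user totals are computed before any threshold is applied.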
Friday, June 29, 2012
GAO: Cyber Threats Facilitate Ability to Commit Economic Espionage
Wednesday, June 27, 2012
LulzSec Members Confess to DDoS Attacks
Thursday, June 21, 2012
New Android Malware Is Disguised as a Security App
Thursday, June 14, 2012
Turtle Crossing
Wednesday, June 13, 2012
World IPv6 Launch Day
Thursday, May 31, 2012
The 7 Qualities of Highly Secure Software
This excerpt discusses the need for building security into software. Building security in is about proactively designing and developing appropriate security controls into the software. The quality of building security in that will result in highly secure software can be achieved by addressing the people, the process, and the technology components in the software engineering process.
Wednesday, May 23, 2012
86% Say No to ‘Dial High Club’: Travellers against Phones on Planes
Friday, May 18, 2012
"Loaphobia." I wonder what the Diagnostic and Statistical Manual of Mental Disorders says about this?
Thursday, May 10, 2012
Just Say No?
The same people who want to create more security threats now want more security. I wonder what they'll think about more security when it requires installing management software on their digital toys, and maybe submitting to intense awareness training?
Monday, April 30, 2012
Patch Management the Easy Way
Patching is one of the most critical system admin activities, but it is also one of the most frequently neglected. The stated reasons may vary, but usually come down to a simple lack of a patch management strategy, and of an application to make patching easy. Getting from a bad or non-existent patching strategy to a sound and successful patch management strategy, like so many other journeys, starts with a single step.
Decide patch management is important
IT needs to patch, but they also have to want to patch. It’s far too easy to push patching off, especially when most patches require reboots, and no one wants to stay up until 3AM on a Saturday. Security needs to patch, since many exploits take advantage of flaws that have already been patched. Management needs to patch since patched systems are more stable and reliable, and have better performance against SLAs. Everybody knows patching is important, so all you need is to agree to it, and senior management needs to support that. With senior management’s go-ahead, the rest of the steps are easy.
Implement a patch management solution
That senior management support must include funding for a patch management solution. One of the biggest reasons why patching is so painful to many is because they try to do it manually, or with a combination of Windows Server Update Services (WSUS) and scripts, or other home-grown solutions. A good patch management solution can automate all the work, letting you approve and schedule patching, and then just check on status when it’s done.
Include third-party applications
Patching operating systems, but not third-party applications, is like locking all the windows and leaving the front door open. The applications are what users interact with, and what process data submitted from the web, and they must be patched just as diligently as your operating systems. Good patch management solutions can patch third-party apps just as easily as operating systems.
Commit to testing
The vendors do a lot to test their patches, but ultimately it is your responsibility to test patches before deploying them. Testing requires users to run patches on their workstations, and on test versions of your application servers, and to run things through their paces to ensure there are no issues. Senior management needs to allocate resources to perform this testing each month. Your patch management app should be able to deploy patches to a set of test machines to make it easier to evaluate patches before pushing them to all of production.
Have a way to roll back
Even with testing it’s possible to encounter an issue with a patch, so make sure your patch management solution can automate the rollback of a patch.
Assess, log, report and audit
The biggest risk with manually patching is that something will be missed. Patch management applications should be able to assess all systems, log all patching, generate scheduled and on-demand reports, and you need to audit these to ensure all machines are patched and compliant.
Respect the window
Establish a patching window and make sure everyone knows what that is. Make that window one that takes priority over other actions, and set the expectation that the business will have to work around patching, and not vice-versa. Again, you will need senior management support to get this through, but you don’t want to delay critical security patches just because the marketing team wants to update the content of the website.
Patch with confidence
With a good patch management application, the support of senior management, a sound testing plan, and windows where you are able to patch, proceed with confidence. Patching is a good thing and shouldn’t be a cause of pain or suffering. Leave that for when patches are missed, because it’s a safe bet that if you miss a critical patch, the pain and suffering will come.
If your IT organization and senior management see that patching is important, advocate patching within the organization, allocate a modest amount of resources to patching, and then set the expectation that patching will be done, you will soon find that patching is a normal and easy part of systems administration activities. Take that first step with your patch management process and you will be well on your way.
For more on patch management, see Security Patch Management.
Tuesday, April 24, 2012
Tech groups push for cyberthreat information-sharing bill. Great idea. It's worked real well with Federal agencies.
Monday, April 23, 2012
Mac trojan fallout: Apple security glory days gone?
When it comes to vulnerability to attacks, though, UNIX was always an easy target. Macs are so safe and secure. Of course, until recently there weren't many of them, and they weren't in the enterprise, and so they were not as attractive a target as, say, Windows. Now that there are more Macs, making them an attractive target, the myth is starting to explode. Still, zealots being zealots, all's right in their world. Koolaid anyone?
Friday, April 20, 2012
"You can't patch stupid." House committees approve 2 cybersecurity bills
Thursday, April 19, 2012
PWC Survey: "... majority of executives ... are confident in the effectiveness of their organization’s information security practices."
Doesn't this fly in the face of fact? With reported breaches on the rise, and fears of fraud, APTs, and supply chain security, among other threats, increasing, why are these executives so confident?
Friday, April 6, 2012
Hurrah! There's a silver bullet for information security
While it's a reach to think that pentesting is the be-all and end-all of infosec, later in the conference a panel discussion between some enfants terribles made a different claim. After telling the audience that it was stupid and ineffective, they said that the solutions to the problem lie in hiring smart people, thinking outside the box, and reading log files.
A general theme was that risk trumped infosec; that is, determine what most needs to be protected, then protect it, rather than trying to protect everything. There's a trend toward the creation of Chief Risk Officers, with infosec reporting to them instead of CIOs, thereby removing some conflict of interest. Awareness continues to be important because "There's no patch for stupid." Good luck with that one.
Tuesday, March 27, 2012
National Security-Related Agencies Have No ITC Supply Chain Risks?
Now, today, the GAO reports that suspect counterfeit electronic parts can be found on DOD supply chain Internet purchasing platforms.
I recall Whitfield Diffie, addressing an RSA conference, stating that one of his greatest security fears is components calling home (to China). This type of threat has movie written all over it, but this doesn't make it any less real.
Australia has no such qualms, however. It's blocked Huawei from bidding on gear for its National Broadband Network. It seems that foreign governments, especially in Asia, are much more aware of these threats. At least the US Congress has blocked sale of some US high-tech companies to Chinese enterprises controlled by the PLA.
There are other IT security lessons that Australia can teach us.
Monday, March 26, 2012
Hackers breached 174 million records in 2011. Did it make the Guinness Book of Records?
Thursday, March 22, 2012
If we didn't have Google to kick around, I'd have to create it
At this point, Google is still battling Amazon for the top slot on my list of companies I love to hate. Remember when the world hated Microsoft because of its dominance in desktop computing and LANs? They look absolutely altruistic when compared to the undisguised rapacious behavior of Google and Amazon. For a long time I hated Barnes & Noble for putting independent, especially technical, bookstores out of business in the 1990s. Now, I'm praying for its survival under the offensive launched by Amazon on the entire book publishing industry. I still hate Walmart for its business and labor practices, and for pioneering the decline of American manufacturing. Channeling this disgust at the "be evil" company and Amazon is cathartic, though, even though I'm spinning my wheels.
What's this got to do with information security? Not much. But it was cathartic.
Wednesday, March 21, 2012
Patch Management the Easy Way
Decide Patch Management Is Important
IT needs to patch, but they also have to want to patch. It’s far too easy to push patching off, especially when most patches require reboots, and no one wants to stay up until 3AM on a Saturday. Security needs to patch, because many exploits take advantage of flaws that have already been patched. Management needs to patch because patched systems are more stable and reliable, and have better performance against SLAs. Everybody knows patching is important, so all you need is to agree to it, and senior management needs to support that. With senior management support, the rest of the steps are easy.
Implement a Patch Management Solution
That senior management support must include funding for a patch management solution. One of the biggest reasons why patching is so painful to many is because they try to do it manually, or with a combination of WSUS and scripts, or other home-grown solutions. A good patch management solution can automate all the work, letting you approve and schedule patching, and then just check on status when it’s done.
Include Third-Party Applications
Patching operating systems, but not third-party applications, is like locking all the windows and leaving the front door open. The applications are what users interact with, and what process data submitted from the web, and they must be patched just as diligently as your operating systems. Good patch management solutions can patch third-party apps just as easily as operating systems.
Commit to Testing
The vendors do a lot to test their patches, but ultimately it is your responsibility to test patches before deploying them. Testing requires users to run patches on their workstations, and on test versions of your application servers, and to run things through their paces to ensure there are no issues. Senior management needs to allocate resources to perform this testing each month. Your patch management app should be able to deploy patches to a set of test machines to make it easier to evaluate patches before pushing them to all of production.
Have a Way to Roll Back
Even with testing it’s possible to encounter an issue with a patch, so make sure your patch management solution can automate the rollback of a patch.
Assess, Log, Report and Audit
The biggest risk with manually patching is that something will be missed. Patch management applications should be able to assess all systems, log all patching, generate scheduled and on-demand reports, and you need to audit these to ensure all machines are patched and compliant.
Respect the Window
Establish a patching window and make sure everyone knows what that is. Make that window one that takes priority over other actions, and set the expectation that the business will have to work around patching, and not vice-versa. Again, you will need senior management support to get this through, but you don’t want to delay critical security patches just because the marketing team wants to update the content of the website.
Patch with Confidence
With a good patch management application, the support of senior management, a sound testing plan, and windows where you are able to patch, proceed with confidence. Patching is a good thing and shouldn’t be a cause of pain or suffering. Leave that for when patches are missed, because it’s a safe bet that if you miss a critical patch, the pain and suffering will come.
If your IT organization and senior management see that patching is important, advocate patching within the organization, allocate a modest amount of resources to patching, and then set the expectation that patching will be done, you will soon find that patching is a normal and easy part of systems administration activities. Take that first step with your patch management process and you will be well on your way.
This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the right patch management solution.
To learn more about patch management, read
5 Reasons to Establish a Patch Management Policy
Security Patch Management: Getting Started
Tuesday, March 13, 2012
Facebook social engineering attack strikes NATO
Friday, March 9, 2012
IT security neglect helps Anonymous: a deliberately contentious statement?
Monday, March 5, 2012
GOP senators introduce another cyber security bill: SECURE IT
And, who comes up with these acronyms? SECURE IT. Is there someone with a full-time job in Congress to come up with these? And I thought the headline writers for the NY tabloids were clever?
Friday, March 2, 2012
Google Privacy Changes: 6 Steps To Take, or 1
"Hurt me once, shame on you. Hurt me twice, shame on me."
The real problem here is how deeply we've let Google insinuate itself into our lives. I have to admit, I use Blogger, a Google product, for this blog. I use Google Analytics for Web site analysis. I've undoubtedly shared photos using Picasa, and I'm certain none were embarrassing. It's hard to beat free and good and available, and I'm sure there are equally good alternatives that are slightly less intrusive but I haven't found them. So, it's shame on me.
Monday, February 27, 2012
5 Hot Security Worries at RSA
1. Securing employees' smartphones and tablets
2. Stopping Advanced Persistent Threats (APTs)
3. Curbing social animal attacks
4. Securing Big Data
5. Getting better at stopping hacktivists
What's missing? Who agrees? Disagrees?
Social animal attacks is a new one for me.
If anyone wants to write on BYOT, APTs, or Big Data, let me know.
Friday, February 17, 2012
Developers say Apple needs to overhaul iOS user information security; jailbreak apps access user data far less frequently than Apple-approved apps in the App Store
Tuesday, February 14, 2012
Mobile payments will boost crime
Friday, February 10, 2012
Jesse Varsalone to lead ethical hacking and systems defense seminar
Thursday, February 9, 2012
CIO's Guide to Security Incident Management
Thursday, February 2, 2012
Google calls Microsoft privacy claims 'myth'--spare me, please!
Monday, January 30, 2012
BYOD, BYOT, IT Consumerization: A Burning Issue
Sometimes I think I have a hard time separating media and conference hype--the need to cover something and create some level of FUD--and reality, or what people in the trenches think. Frequently, media-generated FUD is backed up by survey data, which may or may not be valid, fueling the fire.
So, now I ask, "Is BYOD, BYOT, IT consumerization, or whatever you call it, really a burning issue?"
Friday, January 27, 2012
World IPv6 Launch. Yawn.
Thursday, January 26, 2012
Is Network Security an Oxymoron?
Remember PPT—people, process, and technology? We can throw technology at the problem and achieve middling success. If we are eternally vigilant and paranoid, we may realize great success. But what about people and process?
Despite comprehensive signed policies and awareness training, users still click on email attachments or embedded links, and willingly provide their user IDs and passwords to people calling from "tech support." And this is without the burgeoning BYOD and BYOT problem. Who knows what users are introducing to the network when they connect their USB drives, tablets, and smartphones to their desktops?
What’s the solution? Jim Tiller, now Head of Professional Services, Americas at HP Enterprise Security, suggests that regulations and compliance, and now insurance, are trying to do what PPT couldn’t. He thinks that government has accepted that, because what we have been doing hasn’t worked, increasing the regulatory burden will. So, has network defense become notification and remediation once an organization has become compliant? Yes, it’s a loaded question.
Under this scenario, security becomes strictly a cost/benefit analysis. If the cost of an intrusion is, say, $1 million to cover notification and remediation, and the cost of preventing the intrusion is $1.5 million, then an organization would decide to accept the risk of an intrusion rather than take actions to prevent it. And now that an organization can obtain insurance, the insurers will determine the risk, instead of using the standard infosec risk formulas.
Assuming the organization was compliant with all regulations, then it’s done all it’s required to do to protect its network and information. It no longer has to compete in an ever escalating arms race against hackers of all ilks, from privately to government sponsored.
Of course, an enterprise could simply disconnect critical systems and employees from the Internet, which would prevent intrusions from the outside, but do little against insider threats. (It still amazes me that SCADA and other ICS are Internet-facing, and things will inevitably get worse as M2M and the Internet of Things create more points to attack.) As Jim concludes, efforts to protect and defend networks won’t go away, but response may well take precedence.
Wednesday, January 25, 2012
How to Use a Vulnerability Scanner
A vulnerability scanner will search your network for various vulnerabilities and it does this by analyzing a number of things, including:
• Open Ports
• Applications
• Configurations
• Scripts
• Devices
• Users
• Shares
• Groups
• Ports
• Security Software
Once a vulnerability scanner finishes analyzing a particular machine it will use the data collected to determine and report on vulnerabilities and potential vulnerabilities. There is an important distinction to be made here.
If your vulnerability scanner were to detect a user who hasn’t logged on in quite a while, this will be reported as a vulnerability. While this could certainly be the case, there may be a legitimate reason for it and it is up to the administrator to decide which reported vulnerabilities are to be acted upon and which can be ignored for business purposes (potentially incurring minor risks).
After a scan the administrator has a list of vulnerabilities sorted according to what needs to be done and what level of risk we have to accept because of legacy elements in the system and other reasons.
The vulnerabilities we want to act upon require a straightforward approach. The vulnerability scanner will most likely provide an explanation on what the issue is and suggest resources that the administrator can refer to for more details and how to solve the problem.
Sometimes not all vulnerabilities can be fixed and the administrator must decide whether the benefits outweigh the risks. Vulnerabilities may be left untreated for various reasons: legacy applications with known vulnerabilities may be considered important to the business, or system configurations and protocols with known weaknesses may be required. The administrator’s role is to identify what the risk is and find ways to limit it without compromising business operations or security.
For example, let’s say that for legacy purposes you need to support SSH protocol Version 1, which has numerous known vulnerabilities. The application you are using that requires SSH 1 support has no viable replacement and is critical to the business. In this example, you have no choice but to leave the vulnerabilities in the system. However, although you cannot really avoid using a vulnerable application or protocol, you still need to do something to minimize the risk.
You need to analyze how the application is used and, where possible, restrict its use and access. If you need to support SSH 1 for a legacy application, make sure your firewall only allows access from the location where the application is running and blocks any other source.
Security is a process. A vulnerability scanner is not simply a matter of running a program and following the onscreen instructions; you could miss out on important details and create additional risks. As an administrator you need to ask: how do you use your vulnerability scanner? How do you tailor the security process to your needs? Once you have the answers to these questions you can effectively secure your environment from a huge range of threats.
This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs.
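The post's point is that a scan report is input to a decision, not a to-do list: each finding is either acted on or formally accepted, and an accepted finding (the SSH 1 case) needs a compensating control that can be verified, such as the firewall restriction described. The script below is an added example, not the guest post's or GFI's code: it sorts constructed scanner findings critical-first, checks each one against a risk-acceptance register with expiry dates, and, for the SSH 1 acceptance, verifies against a constructed rule base that the only "allow" to the legacy host's port 22 comes from the one permitted source and is followed by a catch-all deny. Finding IDs, host names, addresses and the rule format are placeholders.

```python
"""Triage constructed vulnerability-scanner findings against a risk register.
Added example; all identifiers and rules are placeholders."""
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed scanner output
FINDINGS = [
    {"id": "F-001", "host": "legacy-app-01", "severity": "high",
     "title": "SSH protocol version 1 enabled", "port": 22},
    {"id": "F-002", "host": "ws-14", "severity": "medium",
     "title": "User account inactive for 90 days", "port": None},
    {"id": "F-003", "host": "web-02", "severity": "critical",
     "title": "Missing vendor patch for web server", "port": 80},
    {"id": "F-004", "host": "ws-14", "severity": "low",
     "title": "SMB share readable by Everyone", "port": 445},
]

# Constructed risk-acceptance register: the administrator's documented decisions.
# A control is ("firewall", dst_host, dst_port, permitted_src) or None.
ACCEPTED = {
    "F-001": {"reason": "critical legacy app, no replacement",
              "control": ("firewall", "legacy-app-01", 22, "10.1.5.20"),
              "expires": date(2012, 12, 31)},
    "F-002": {"reason": "contractor on leave, account kept per HR policy",
              "control": None, "expires": date(2012, 3, 1)},
}

# Constructed firewall rule base: (src, dst, dst_port, action), first match wins
FIREWALL = [
    ("10.1.5.20", "legacy-app-01", 22, "allow"),
    ("any", "legacy-app-01", 22, "deny"),
    ("any", "web-02", 80, "allow"),
]


def control_is_effective(control, rules=FIREWALL):
    """A firewall control holds if the only 'allow' to dst:port is from the
    permitted source and an 'any' deny for the same dst:port exists."""
    if control is None:
        return False
    kind, dst, port, src = control
    if kind != "firewall":
        return False
    allows = [r for r in rules if r[1:] == (dst, port, "allow")]
    denies = [r for r in rules if r == ("any", dst, port, "deny")]
    return allows == [(src, dst, port, "allow")] and bool(denies)


def triage(findings=FINDINGS, accepted=ACCEPTED, today=date(2012, 1, 25),
           rules=FIREWALL):
    """Split findings into an action list (most severe first, with the reason
    it is there) and an accepted list. An acceptance that has expired, or
    whose compensating control is not actually in place, goes back on the
    action list rather than silently staying accepted."""
    act, accept = [], []
    ordered = sorted(findings, key=lambda x: (SEVERITY_RANK[x["severity"]], x["id"]))
    for f in ordered:
        entry = accepted.get(f["id"])
        if entry is None:
            act.append((f["id"], f["severity"], "unmitigated"))
        elif entry["expires"] < today:
            act.append((f["id"], f["severity"], "acceptance expired"))
        elif entry["control"] is not None and \
                not control_is_effective(entry["control"], rules):
            act.append((f["id"], f["severity"], "compensating control not in place"))
        else:
            accept.append((f["id"], entry["reason"]))
    return act, accept


if __name__ == "__main__":
    to_do, accepted_now = triage()
    print("act on:", to_do)
    print("accepted:", accepted_now)
```

Re-running the triage with the current rule base each scan cycle is what turns "we accepted that risk" into something auditable: if someone later loosens the firewall, the SSH 1 finding reappears on the action list instead of staying hidden behind a year-old acceptance.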
Tuesday, January 17, 2012
Why should Bradley Manning defend himself?
Sure, let's play good defense and muddy the waters. The question is whether or not he purposefully leaked classified documents. It doesn't matter whether or not they should have been classified, or if the leak did damage. There was a rule; someone broke it; someone should pay. If Manning is guilty and wants to be a counterculture hero, then he should man up. If he's not guilty, then make the plea and prove it.
Kierkegaard writes about a knight of faith who knowingly acts counter to law to achieve what he perceives is a greater good, and he takes responsibility for the act. A knight of faith is an admirable character regardless of whether or not one agrees with his actions. No snivelling cowardice allowed. If Manning did what he's accused of doing, he's now baser than a scrawny little runt who teases the bigger kids and then runs to hide behind his mother.
Monday, January 16, 2012
Does cyber insurance offer IT peace of mind?
It was only a matter of time. The real challenge is for security organizations to get too big to fail, and let the citizens underwrite the risk.
Friday, January 13, 2012
Book Review Went Viral, but Do Books Matter?
Speaking of which, is anyone reading this still reading books? Buying books? Downloading pirated copies of books? Do books play any role in your working life?
Monday, January 9, 2012
Symantec says some source code stolen, no customer information exposed
Wednesday, January 4, 2012
ASIS-ISAF research pinpoints move towards security convergence
Monday, January 2, 2012
Chinese government to crack down on phishing schemes
A couple of recent items (here and here) highlight China's attempts to protect its citizens from the evils of phishing. Maybe they should dial back their espionage, IP theft, and cyberwar efforts instead. China's apparent ham-handed approach to everything is a wonder to observe. Why do something subtle when you can use a cudgel? Sitting on top of all that money, they really don't care what the world, or its citizens, thinks. If the money threat doesn't work, there's always the new carrier-killer missiles.