Wednesday, December 18, 2013
Edited by Ross Leo, Chief Systems and Security Architect at Cirrus Informatics, Inc., the objectives of this series include providing timely, well-researched, and informative pieces on the specific areas and issues associated with safeguarding America's critical infrastructures.
Critical Infrastructure and Cybersecurity Engineering Series
If you're interested in finding out more about the series and participating in it, contact Ross Leo.
Tuesday, December 17, 2013
In this case, as reported on Ars Technica, it came down to little or no patch management. How simple?
If they had bothered to apply a little common sense, and had Felicia Nicastro's book, Security Patch Management, a lot of this could have been avoided.
Wednesday, December 11, 2013
Yet, as reported by Mobile World Live, FCC chairman Tom Wheeler doesn't care, and won't act to ban calls. I can think of few things worse than the agony of air travel compounded by rude, obnoxious, self-obsessed people making phone calls at 30,000 feet. As if bad music that filters out of earbuds isn't bad enough. There is legislation pending to ban calls, but because it depends on Congress acting, I'm not counting on it going anywhere. Noise cancelling headphones anyone?
Tuesday, December 10, 2013
We have some new books to help you defend against attacks:
Automatic Defense against Zero-day Polymorphic Worms in Communication Networks
Android Security: Attacks and Defenses
Thursday, November 14, 2013
Tuesday, November 12, 2013
ISACA says the governing the Internet of Things won't be easy.
OK. I'll buy that. But first, what's the Internet of Things?
Here are some resources to bring you up to speed on the technology so you then address the security.
Cyber-Physical Systems: Integrated Computing and Engineering Design
Unit and Ubiquitous Internet of Things
The Internet of Things in the Cloud: A Middleware Perspective
The Internet of Things
Communication Middleware for the Internet of Things
Thursday, November 7, 2013
Kevin Beaver will conduct a complimentary webinar "IT & BC: Filling the Gaps to Protect Your Business"
Kevin is co-author, with Rebecca Herold, of The Practical Guide to HIPAA Privacy and Security Compliance.
Friday, November 1, 2013
This is not a new issue. It's been going on for a long time. Battle of the retired government agent or cop security manager--white socks, black shoes, definitely analog--facing an increasing digital physical security world versus the IT security pro who ensures that all the digital safeguards are working. (ASIS vs ISSA.)
The books we publish on security management largely have an analog focus as well.
We first covered this in 2006. Really, nothing has changed and likely won't. There's a comfort level in hiring an ex-agent for physical security, regardless of digital competence.
Thursday, October 31, 2013
From the headlines of the worldwide press:
Chinese DM urges stronger information security
China says it will take measures to uphold its information security in ...
China to step up own security after new NSA allegations
This is getting old. All countries spy on each other, and, IMHO, German (and France and Israel, for that matter) has never been a good ally, just a benefactor of American largess. And, China ... well, it's China.
I suspect much of this is theater for local enjoyment. No government can appear soft on something as "ungentlemanly" as this.
Tuesday, October 22, 2013
So, according to the NY Times, the TSA "is expanding its screening of passengers before they arrive at the airport by searching a wide array of government and private databases that can include records like car registrations and employment information."
I find this far more worrisome than the masses of information the NSA is capturing, or Google, Apple, Facebook, and others of their ilk. It won't be long before the TSA is screening rail travel, buses, using the ubiquitous roadway surveillance cameras to prevent us from driving, (use your imagination here), ...
Unfortunately, it'll never stop. Like the DEA, which has a vested interest in ensuring that the war on drugs never ends, the TSA needs to insinuate itself into every aspect of our lives in order to guarantee its existence beyond the Rapture. God help us all.
Friday, October 18, 2013
GAO: Centers for Medicare and Medicaid Services Needs to Pursue a Solution for Removing Social Security Numbers from Cards
What they really need to do is de-identify and anonymize data.
Of course, we have books that will help solve the problem.
Guide to the De-Identification of Personal Health Information
In this book Khaled El Emam, the founder and CEO of Privacy Analytics, Inc., offers compelling practical and legal reasons why de-identification should be one of the main approaches to protecting patients’ privacy, this book outlines a proven, risk-based methodology for the de-identification of sensitive health information. It situates and contextualizes this risk-based methodology and provides a general overview of its steps. The book supplies a detailed case for why de-identification is important as well as best practices to help you pin point when it is necessary to apply de-identification in the disclosure of personal health information.
The Complete Book of Data Anonymization: From Planning to Implementation
Data anonymization provides a systematic and integrated approach to privacy protection that goes far beyond simple data-masking or network security from external or internal theft. In book, Balaji Raghunathan of Infosys Ltd. discusses the analysis, planning, set-up, and governance, this timely manual illuminates the entire process of adapting and implementing anonymization tools and programs to increase the success of privacy protection in vulnerable organizations. Providing a 360 degree view of data privacy protection, it details data anonymization patterns, automation/tool capabilities, and the key factors for success in disguising the person behind the data.
Wednesday, October 9, 2013
His topic is “Avoid Penalties: Ensuring Compliance with the September23, 2103 HIPAA Privacy and Security Omnibus Rule.”
Jay is the author of The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules and The Executive MBA in Information Security.
Thursday, September 19, 2013
Thursday, August 22, 2013
This is the first annual edition of the Information Security Management Handbook since 1994 without the guidance and the insight of Hal Tipton. Hal passed away in March 2012. He will be missed by a lot of people for a lot of reasons.
It seems that every year is an interesting one for information security, and 2012 was no different. It is interesting, too, how perceptive Kaspersky Labs, for example, was with its forecast. It also foreshadows the end of online trust and privacy. If you cannot trust digital certificates, what is left to trust?
Cyberwarfare has jumped to the front pages of every newspaper, both print and virtual. Stuxnet spawned Flame, Duqu, and Gauss. While we were all focused on attacks and espionage by China, France, and Israel, Iran mounted a DDoS (Distributed Denial of Service) attack against US banks in retaliation for sanctions that appear to be working. At the same time, Iran’s central bank was attacked. Added to the online attacks is the growing threat of supply chain security, and products shipped with back doors or embedded systems that let them phone home. Witness the difficulty Chinese telecom equipment suppliers like Huawei are having with gaining toeholds in the United States by purchasing the US suppliers.
While Russians and Eastern Europeans are not singled out for cyberwarfare, crime syndicates based there continue to threaten commerce and privacy.
Theft of passwords from LinkedIn and Dropbox, and what seems like daily reports of attacks on or by Facebook show (not to mention Zuckerberg's Facebook page being hacked) the lure of social media to hackers, and the dangers to the rest of us. And while Facebook and others do not install rootkits as Sony did, their data collection efforts, combined with the apparent insecurity of the site emphasizes the growing dangers of Big Data and the Cloud.
We saw a huge increase in hacktivism as Anonymous and LulzSec launched various attacks on both government and private sites around the world.
It was only a matter of time until Mac OS X became a profitable target. Once critical mass was reached, hackers could not resist investing the time to own it. As with Mac OS X, mobile devices are becoming even more alluring targets. We have seen the same types of attacks and malware used against PCs adapted to mobile, plus new threats like SMS (short message service) spoofing. Not surprisingly, Android, Google’s open platform, has suffered the most. Plus, the growing number of apps for all platforms introduces a level of threat that is hard to estimate, but definitely growing.
M2M and the Internet of Things are creating more opportunities for hackers. From NFC (near field communication) payments to utility sensors sending unencrypted data, this is a potentially lucrative area for fraud and identity theft. Sensor networks are now in the DIY (do-it-yourself) arena, which creates yet a new class of threats.
BYOD (Bring Your Own Device), IT consumerization, whatever you call it, is making life so much more fun for black hats. It has given new meaning to “insider threats.” With portable digital devices being introduced into the enterprise, both with and without permission, we are seeing a manifold increase in threats. Clearly, policies alone are not sufficient to deal with this, and it is unclear how draconian management wants to be with forcing compliance. The products exist, but does the will to use them?
Looking at 2013, the promise of more surveillance, both from governments and online data collectors, means less privacy, even for the most careful users. Short of totally disconnecting from the grid, if such a thing is possible now, it is apparent we do not and would not have privacy.
This edition of the Information Security Management Handbook addresses many of these trends and threats, plus new areas such as security SDLC (software development life cycle), as well as forensics, cloud security, and security management. Chris Hare takes an in-depth look at hacktivism, identifying the motivations and the players, and providing advice on how to protect against it. Becky Herold analyzes the security and privacy challenges of social media. Sandy Bacik looks at the security implication of BYOD, and the challenges of managing user expectations. The Smart Grid offers its own security and privacy challenges as Terry Komperda explains. Noureddine Boudriga explains attacks in mobile environments.
There is new guidance on PCI and HIPAA/HITECH compliance. In addition to forensics and e-discovery, a chapter looks at cell phone protocols and operating systems from the perspective of a forensic investigator.
I have heard it said, “You can’t patch stupid.” So many of these attacks are successful because of clueless or irresponsible users. In what I hope is not a vain effort, Ken Shaurette and Tom Schleppenbach look at human firewall testing, social engineering, and security awareness. We also look at security and resilience in the software development life cycle, managing the security testing process, and SOA (service-oriented architecture) security.
Here is a shout out to my friend Jim Tiller, head of Security Consulting, Americas for HP Enterprise Security Services, for his help in preparing this edition. Jim’s done a lot for the Handbook over the years, and I am hoping he will continue.
All-in-all, this is a good volume of the Information Security Management Handbook. We are working on the next edition now. If you would like to contribute, please contact me at email@example.com.
You can order a copy here.
Wednesday, August 21, 2013
I've been trying for a long time to get someone to write books on DLP, SEIM, APT, GRC, ..., but am beginning to believe that these topics have jumped the shark. Aside from, maybe, identity and access management, what's going to drive people's need for information and, one can hope, books sales?
BTW, if anyone wants to accept the challenge of writing a book identity and access management, let me know. It's a sure way to immortality (or at least as long as the Library of Congress exists).
Monday, July 22, 2013
Speaking of insider threats, you might want to take a look at Managing the Insider Threat: No Dark Corners. It identifies new management, security, and workplace strategies for categorizing and defeating insider threats.
Monday, July 1, 2013
The India Times reports that following the Snowden leaks, the Chinese University in Hong Kong warned students and staff about basic computer security to ward off an onslaught of US hackers. Is this calling the pot calling the kettle black, or another skirmish in the new Cold War?
Friday, June 21, 2013
BTW, subscription to this is free, and if you have any interest at all in the communications world, I suggest you sign up. It's really entertaining, too. The Informer, who works for Informa, is a very funny bloke, indeed.
Tuesday, June 4, 2013
Just $20 a month! Not too attractive to me, though. I had a problem with my landline recently. When Verizon came, instead of repairing the old copper connection, they connected me to fiber, including installation of a battery backup. This is the part of fiber phones that I don't like. The copper phones carried a current that enabled them to work during power failures, which where I live a fairly common. During the past year I lost power a few times for more than a day, and lost phone service, too. Cell service where I live is spotty at the best of times. I've learned by trial and error which parts of the house and yards get signals, and which don't. So, with the fiber landline down and no way to charge a cell phone, I had no phone service. Is this progress?
Wednesday, May 29, 2013
Why does every system have to be Internet facing? I can see commerical enterprises wanting to save money but using public networks, but government and the military? For them, money is merely a way to keep score. It's not real.
Just as two can keep a secret if one of them is dead, if you want a secure system, segregate it; take it offline. While I'm pained to think of the lost information, it's even more painful to know that it could have been prevented.
Talk about being on the horns of a dilemma. As a publisher, I know there are far too many pirated versions of what I publish freely available to anyone who wants to spend a few seconds searching. Do I want to make it even easier to share? On the other hand, as a consumer I want to own, and lend, what I buy. The music industry seems to have resigned itself to this. If I buy music online, I download it and for all intents and purposes own it. I can burn it to a CD, or it send as an email attachment. Movies, too, are like music. Should I buy a DVD, I can lend it like a book, although I'm more likely to rent a movie online than buy and download it.
EBooks, as we know, aren't nearly as consumer friendly. Amazon keeps everyone imprisoned its inaptly named 'walled garden.' And while there's limited sharing within the Amazon and B&N universes, it's not true sharing. And I really don't understand the limitations on library lending. It seems the controls are similar to those for print books; a library can only lend as many copies as it has rights. Once the ebook limit is reached, I go on a waiting list, just as for print books.
Wednesday, May 22, 2013
I've had authors related tales of 1,000s of downloads of their books from pirate sites. I suspect that most of those downloads don't really represents lost sales. Still, I'm seeing a steady decline in book purchases, in any format. That needs to change.
Monday, May 20, 2013
I saw a presentation by Purdue's Prof. Tiancheng Li on how easily this can be done. Here's an example.
The Massachusetts Group Insurance Commission (GIC), which is responsible for purchasing health insurance for state employees, publishes for each employee zip, dob, sex, diagnosis, procedure, ... A researcher then purchased the Massachusetts Voter registration list, which contained name, party, ..., zip, dob, sex. Using three attributes--dob, sex, zip--the researcher was able to identify the medical record of then Governor William Weld.
This was a fairly benign example. But consider, for example, insurance companies using similar techniques to identify pre-existing conditions, or employers using them to dig into backgrounds of present or potential employees.
We know we can't trust industry to self-regulate, or place PII about its own self-interests.
It just so happens that we have two new books that deal with this problem, should you care to solve it.
Guide to the De-Identification of Personal Health Information by Khaled El Emam and
The Complete Book of Data Anonymization: From Planning to Implementation by Balaji Raghunathan.
Click here to read An Overview of Data Anonymization.
Friday, May 3, 2013
Monday, April 29, 2013
This doesn't seem to agree with US evaluations. PRC has long engaged in espionage with the other APT: humans. It's only recently, it seems, that attention has been directed to government, critical infrastructur, and military targets.
Tuesday, April 23, 2013
We’ve been following, and publishing books on, IoT for a long time now. Speakers at last week’s Infosecworld mentioned IoT, along with Smart Grid, in sessions and keynotes. My question is, does anyone really know or care? Based on readership of articles and excerpts we’ve published and book sales, I’d say no.
Yet, like IPv6, another topic that doesn’t seem important to many people, IoT is going to become an IT problem, and an major security issue as well. It’s not just your smart refrigerator telling you to pick up milk on the way home from work. As the Smart Grid rolls out with essentially billions of sensor nodes, and vehicular networks, bandwidth demands will jump sharply and Big Data will inundate everything.
As a test, here are some books, articles, and excerpts covering IoT, IPv6, and Smart Grid. I’m going to monitor to see if there’s any increase in interest.
Articles and Excerpts
Internet of Things: A Context-Awareness Perspective
The Internet of Things in the Cloud: A Middleware Perspective
Communication Middleware for the Internet of Things
Basic IPv6 Security Considerations
Unit and Ubiquitous Internet of Things
The Internet of Things in the Cloud: A Middleware Perspective
The Internet of Things: From RFID to the Next-Generation Pervasive Networked Systems
Security in an IPv6 Environment
IPv6: An Introduction and Overview
Handbook of IPv4 to IPv6 Transition: Methodologies for Institutional and Corporate Networks
Friday, April 12, 2013
"Reading is so 20th century. That's why MaaS360 has created quick hit videos to make you a master in mobility management. You'll know so much about mobile device, app and doc management, people will actually think you read a white paper."
Then there was this this from Spectrum. Videos and slideshows are taking the place of print in presenting technical information.
What's more, there has been a lot of news about new 'long-form' websites publishing pieces longer than magazine artiles and shorter than books. Sign of things to come? Does anyone read books anymore?
It took USA Today to dumb-down newspapers. What's next?
Wednesday, April 10, 2013
From the press release, "Specifically intended to prevent maliciously tainted and counterfeit products from entering the supply chain, this first release of the O-TTPS codifies best practices across the entire COTS ICT product lifecycle, including the design, sourcing, build, fulfilment, distribution, sustainment, and disposal phases."
Meanwhile, the head of Huawei admits "challenges and problems" in America.
So, even though the new O-TTPS is supposed to create trust within the supply chain for COTS, could Huawei, even if it were a software company, ever use it? I doubt any type of certification will overcome the deep mistrust of enterprises owned by either the PRC or the PLA.
Tuesday, April 9, 2013
Sure. I believe that.
I think because I buy so little at the grocery store, and because whatever savings I get from use of the store card is minimal, I should consider not using it. It should be a simple habit to break.
Don't you wish you could see the aggregated data about you? Or maybe not. Life off the grid is looking better and better. I'm already starting to use cash more often, and hit the 'net anonymously.
There was a story in the local paper this morning about a town who surrendered citizens' email addresses
because of a FOIA request. Strange, though, how easily government gives up information like this, but is willing to fight to the death against providing information pertaining to its own perfidy.
It's a scary world.
Monday, April 8, 2013
Israel Says It Repelled Most Attacks on Its Web Sites by Pro-Palestinian Hackers
Anonymous hacks Israel; Israel says they're amateurs. He said; she said. We'll never know.
Thursday, April 4, 2013
The personal information survey was presented to a random sample of Avira’s website visitors during February and March of 2013. There were 950 respondents with a margin of error of +/- of 3.18 percent. The two-part question asked:
How much of a say do you feel you have today over your personal information on the Internet?
How much control would you like to have over your personal information on the Internet?
FROM THE EDITOR
While I agree with these findings, I wonder about the respondents. If they were mostly European, it could skew the findings. In general, Europeans are much more aware of privacy issues than Americans; and European privacy protection laws are very tough, especially when compared to American laws, which are basically non-existent.
I posted here about a NY Times story that consumers would sell their privacy very cheaply.
So, who really cares about online privacy, the dangers of aggregators of personal information, and intrusive advertising?
Tuesday, April 2, 2013
Monday, April 1, 2013
And, if they don't care much about their own privacy, they likely care less about security at work.
Friday, March 29, 2013
We used to joke about all the old IBM programmers retiring, and the world coming to a screaching halt. This was also a fear surrounding Y2K. Who was going to change all the two-digit date fields to four to accomodate the new millennium? It was time to reprint all the IBM programming books and make a killing. Well, obviously there was no Y2K disaster and we didn't make a killing on mainframe books.
So now the Journal News, my local newspaper (yes, I still read physical newspapers), reports that IBM has a mainframe contest. Yes, big iron still rules, and MIPS is still a "meaningless indicator of processor speed."
I should run a contest to see who can expand acronmys like CICS, REXX, VSE, MVS TSO, DASD, RACF. Anyone care to try?
Wednesday, March 27, 2013
The Army, with Bradley Manning, has other problems.
Friday, March 22, 2013
Regardless of their algorithmic cleverness, I doubt Yahoo, Google, Amazon and their ilk know me well enough. When's the last time you acted on one of their recommendations?
Thursday, March 21, 2013
Wednesday, March 20, 2013
Use kinetic force against cyber aggressors? Yes! Make the cost of playing too dear.
Tuesday, March 19, 2013
Analysis paralysis. The best way to not get something done.
Wednesday, March 13, 2013
... until the next terrorist attack.
A DDoS attack on Chase yesterday prevented access to the website, including by me. So far, the Chinese have not been blamed.
Tuesday, March 5, 2013
"I've actually lost count of the number of times this New York Times business editorial references leading edge IT concepts such as apps and cloud services, but the reality is that - as witnessed by the business pages this article appears - this really is the new norm. This creates a raft of security headaches in the shape of unsecured devices, as well as the aforementioned leak apps and cloud services. And it's against this backdrop that critical data needs to be identified, managed and protected with an effective data governance platform - without hindering employees’ work," he says.
"I think it's very revealing that the NYT feature notes that, even without proof of compromised accounts, data losses can prove costly in terms of money and reputation - especially given that the US Securities and Exchange Commission mandates that data leaks caused by unsecured devices, leaky apps or poor cloud security, must be announced publicly if the information potentially affects a company’s share price," he added.
Tuesday, February 12, 2013
Seems like something Orson Welles might do, although he wouldn't have had to hack in because he already had access to the airwaves. I guess people today are just as guiible as people in the 1930s.
Wednesday, February 6, 2013
Pentagon to Drastically Expand Cyber Force
As Adam B. Lowther, a Research Professor at the Air Force Research Institute and co-author with Panayotis A Yannakogeorgos of "Conflict and Cooperation in Cyberspace: The Challenge to National Security," to be published by Auerbach in August 2013, said, "With governments and societies believing that cyber attack is something less than an act of war, it should come as no surprise that President Obama is preparing for what may be the opening salvo in America's next confrontation. In fact, it may be the United States that attacks first. Given the cyber vulnerabilities of American society, preemption may be the only option."
Thursday, January 24, 2013
Well, the Air Force has its cyberwarriors, and wants more, so it stands to reason all our enemies and frenemies want the same. Iran's already hit the financial sector. Only 17 critical infrastructure sectors left to go.
Friday, January 18, 2013
Here's an interesting demonstration on how this can be done.
This is scary for a lot of reasons, not least of which is health insurance and employment. Forget HIPAA. Your life is an open book. Be worried. Be very worried.
We have two books publishing soon that address this.
The Complete Book of Data Anonymization: From Planning to Implementation by Balaji Raghunathan publishing on February 25, 2013 and Guide to the De-Identification of Personal Health Information by Khaled El Emam publishing on April 29, 2013.