Tag Archives: practice

My latest Gartner research: Best Practices for Detecting and Mitigating Advanced Threats, 2016 Update

Information security, network and communications practitioners must implement specific best practices to prevent, detect and mitigate advanced threats. These practitioners should leverage both existing and emerging security technologies in their security architectures. … …

Gartner customers can access this research by clicking here.




Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Outrage: Iran deal commits U.S. to teach them how to defeat a cyber attack

http://www.americanthinker.com/blog/2015/07/outrage_iran_deal_commits_us_to_teach_them_how_to_defeat_a_cyber_attack_.html By Thomas Lifson American Thinker July 22, 2015 Perhaps the very worst aspect of the Iran deal reached in Vienna is the commitment of the U.S. and European powers to teach the Iranians how to resist attacks such as Stuxnet. Although it has received very little media coverage (Adam Kredo of the Free Beacon is the notable exception), the agreement states (buried on page 142 of the 159-page deal, in Annex III, under Civil Nuclear Cooperation, Section D, under Nuclear Safety, Safeguards and Security, item 10): 10. Nuclear Security E3/EU+3 parties, and possibly other states, as appropriate, are prepared to cooperate with Iran on the implementation of nuclear security guidelines and best practices. Co- operation in the following areas can be envisaged: 10. Co-operation in the form of training courses and workshops to strengthen Iran’s ability to prevent, protect and respond to nuclear security threats to nuclear facilities and systems as well as to enable effective and sustainable nuclear security and physical protection systems; 10. Co-operation through training and workshops to strengthen Iran’s ability to protect against, and respond to nuclear security threats, including sabotage, as well as to enable effective and sustainable nuclear security and physical protection systems. The language obviously s not limited to physical threats, so it must include advanced cyber warfare training. The Israelis are outraged. Ari Yasher of Israel National News writes: […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Survey: Nearly 1 in 4 IT firms suffered security breach

http://www.crainsdetroit.com/article/20150726/NEWS/307269992/survey-nearly-1-in-4-it-firms-suffered-security-breach By TOM HENDERSON Crain’s Detroit Business July 26, 2015 Twenty-three percent of executives at technology companies say their firms have suffered a security breach in the past 12 months, according to the national annual Technology Industry Business Outlook survey conducted by KPMG LLP, the audit, tax and advisory firm. Three-fourths of executives surveyed say their companies will spend between 1 percent and 5 percent of annual revenue on IT security in the next 12 months. “The survey findings on security are an important marker, since tech companies are the pacesetters in IT security. How much and where tech companies spend on IT security, and how successful they are, can serve as guides for all other industries,” Gary Matuszak, global chairman of KPMG’s technology, media and telecommunications practice, said in a release. The KPMG survey was of upper managers at 111 U.S.-based technology companies. Of the respondents, 54 percent were in companies with revenue of more than $1 billion a year, with the rest at companies with annual revenue between $100 million and $1 billion. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Healthcare Vendor Risk Management Programs Lagging, Says Study

http://healthitsecurity.com/news/healthcare-vendor-risk-management-programs-lagging-says-study By Elizabeth Snell healthitsecurity.com July 8, 2015 Healthcare vendor risk management programs can have a huge impact on a healthcare organization’s ability to keep sensitive data – such as patient PHI – secure. However, if a recent study is any indication, healthcare vendor risk management programs have room for improvement. The 2015 Vendor Risk Management Benchmark Study, conducted by The Shared Assessments Program and Protiviti, found that vendor risk management programs within financial services organizations are more mature than companies in other industries, such as insurance and healthcare. “Even the more optimistic assessments of the current state of vendor risk management indicate that significant improvements may be needed,” the report’s authors explained. “The time for progress and improvements in vendor risk management capabilities is now, particularly when considering that cyberattacks and other security incidents are very likely to continue increasing.” The survey interviewed more than 460 executives and managers in various industries. Respondents were asked to rate their organization’s maturity level in different areas of vendor risk management on a 0 to 5 scale, with 0 equal to “Do not perform” and 5 equal to “Continuous improvement – benchmarking, moving to best practices.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Overcoming paralysis – why financial services organisations have to race to update their Windows Server strategy

http://www.bobsguide.com/guide/news/2015/Jul/6/overcoming-paralysis-why-financial-services-organisations-have-to-race-to-update-their-windows-server-strategy.html By Dave Foreman, ECS, Practice Director Bob’s Guide July 6, 2015 Most of the technical support teams we work with know their Microsoft Server operating system inside out and have hardly lifted their phone to call Microsoft support in years. But this well-oiled machine is about to become IT departments’ biggest headache. With the end of Microsoft’s support for Server 2003 on July 14th 2015, migration from this rather old operating system has escalated from being a niggling worry to a high-risk agenda item. Only a handful of businesses have started their migration and even they will have to rely on Microsoft extended support. But this is not a cost-effective or risk-free option in the long term. At some point a new vulnerability in the operating system will be discovered and exploited; businesses will be exposed and the regulators will have a stronger case for non-compliance. According to the credit card industry’s PCI Security Council standards, if an unsupported operating system is Internet-facing, it will be logged as an automatic compliance failure. CIOs are caught between a rock and a hard place. Nobody wants to be caught in a position where they have to answer tough questions about plans to meet compliance and mitigate risk. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Hard to Sprint When You Have Two Broken Legs

http://carnal0wnage.attackresearch.com/2015/06/hard-to-sprint-when-you-have-two-broken.html By Valsmith June 14, 2015 Now as a disclaimer, I don’t work for the government so there is a lot I don’t know but I have friends who do or who have in the past and you hear things. I also pay attention and listen to questions I get in my training classes and conference talks. This directive from the White House is laughable for a number of reasons and demonstrates just how out of touch decision makers in the Government are on these issues. 1.) Technically skilled people have been BEGGING to improve cyber security in the government for well over 15 years. I don’t think this is any kind of secret, just google for a bit or talk to anyone who works in government in the trenches. Asking for staff, tools, budget, authority, support and getting little of it. In a way, this directive is insulting to them after years of asking, trying and failing suddenly someone says: “oh hey I have an idea, why don’t you go and secure stuff!”. Right. Unless you are going to supply those things they need RIGHT NOW, they will fail. And government procurement and hiring organizations are notoriously slow so the chances of that happening are slim. 2.) IT Operations. The first thing that has to be in place for there to be any real chance is solid IT operations. Organizations have to be able to push out images and patches quickly, orderly, and with assurance. Backup recovery, knowledge of inventory, well managed systems, etc. are all paramount. Do you know how most government IT operations are managed? By contractors, aka the lowest bidder. These are the Raytheons, Booz Allens, Boeings, Lockheeds, etc. who bid on large omnibus support contracts, win them, and THEN try to fill the staffing requirements. How do you win the lowest bid in services / support contracts? By keeping staffing costs down, aka paying the lowest possible salaries. This results in some of the most piss-poor IT operations in the world. You want to know why Hilary Clinton, former Secretaries of Defense, and numerous other government staff run their own private mail servers? Most likely its because their work provided email DOESN’T work. Slow systems, tiny inbox quotas, inability to handle attachments, downtime, no crypto or crypto incompatible with anyone else, these are just a few of the issues out there. And its not just email. I have personally seen a government conference room system take 15-20 minutes to log in at the windows login prompt, due too poor IT practices. I was told that most of the time people resorted to paper hand outs or overhead projectors. Yeh like the ones you had in highschool in the 90s with the light bulbs and transparencies. Essentially what this directive is saying: “Hey you low end IT staff, winners of the lowest bid, who can barely keep a network up or run a mail server, make sure you become infosec experts and shore up our defenses, and you have 30 days to do it.” Right. I have heard horror stories from acquaintances in the government of waiting 6 months for an initial account setup ticket to get performed. Weeks to get a new desktop deployed. It is idiotic to think that current IT operations can support this kind of request. But that is who typically manages servers, network and desktops, and who would have to deploy whatever security tools would be needed to do this in support of pitifully small infosec teams. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] PCI council gives up, dumbs down PCI DSS for small business

http://www.theregister.co.uk/2015/05/22/pci_council_drafts_small_biz_security_militia/ By Darren Pauli The Register 22 May 2015 The Payment Card Industry Security Standards Council has created a taskforce charged with improving security among small businesses. The prodigious task will be tackled by encouraging small businesses to adopt security best practice and simplified Payment Card Industry Data Security Standards (PCI DSS). Barclaycard payment security manager and taskforce chair Phil Jones says the Small Merchant Taskforce will focus on the most vulnerable business vertical. “Though incidents of fraud are low, it’s small merchants that are particularly vulnerable to attack from hackers,” Jones says. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Lets Call Stunt Hacking What it is, Media Whoring.

http://carnal0wnage.attackresearch.com/2015/05/normal-0-false-false-false-en-us-x-none.html By Valsmith carnal0wnage.attackresearch.com May 16, 2015 I recently read this article: http://www.foxnews.com/tech/2015/03/17/ground-control-analysts-warn-airplane-communications-systems-vulnerable-to/ and it brought to mind some thoughts that have been percolating for quite a while. Sometime last year I believe Dave Aitel coined the term Stunt Hacking, which I think is a pretty good way to describe it. We often see these media blitzes about someone hacking a car, or an airplane, or some other device. The public who has a limited understanding of the technology, and the media who has a worse understanding, get in a frenzy or outrage, the security company hopes this translates into sales leads, and the researcher hopes this translates into name recognition leading to jobs, raises, conference talks, etc. A question that I think we should keep in mind is: Why would a company hire someone who just publicly displayed how little they understand about the technology and made their desired potential client look bad. There are two problems with this: 1.) The research is often FUD or based on a very limited understanding of real world deployment or 2.) Any actually valuable technical research gets lost in the hype. Let me be clear, I am not saying that researchers like Charlie Miller or Barnaby Jack haven’t contributed meaningful or ground breaking research to the community, (they have), but many ride a hype wave that is often unwarranted. Unscrupulous infosec companies take advantage of such researchers work to drive sales of mediocre consulting services as well. The practice of companies pushing their best researchers to drop and overhype controversial or gimmicky bugs makes no sense from a business perspective either from the security vendor or the services purchaser point of view. Who wins in the long run? The vendor loses credibility and the purchaser suffers in the PR space. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail