Tag Archives: practice

My latest Gartner research: Best Practices for Detecting and Mitigating Advanced Threats, 2016 Update

Information security, network and communications practitioners must implement specific best practices to prevent, detect and mitigate advanced threats. These practitioners should leverage both existing and emerging security technologies in their security architectures. … …

Gartner customers can access this research by clicking here.


My latest Gartner research: Best Practices for Detecting and Mitigating Advanced Persistent Threats

Information security practitioners must implement specific strategic and tactical best practices to detect and mitigate advanced persistent threats and targeted malware by leveraging both existing and emerging security technologies in their security architectures. Management silos between network, edge, endpoint and data security systems can restrict an organization’s ability to prevent, detect and respond to advanced attacks. Adversaries continue to use social engineering and social networks to target sensitive roles or individuals within …

Gartner clients can access this research by clicking here.


[ISN] PSA: Your crypto apps are useless unless you check them for backdoors

http://arstechnica.com/security/2015/02/psa-your-crypto-apps-are-useless-unless-you-check-them-for-backdoors/ By Dan Goodin Ars Technica Feb 4, 2015 At the beginning of the year, I did something I’ve never done before: I made a new year’s resolution. From here on out, I pledged, I would install only digitally signed software I could verify hadn’t been tampered with by someone sitting between me and the website that made it available for download. It seemed like a modest undertaking, but in practice, it has already cost me a few hours of lost time. With practice, it’s no longer the productivity killer it was. Still, the experience left me smarting. In some cases, the extra time I spent verifying signatures did little or nothing to make me more secure. And too many times, the sites that took the time to provide digital signatures gave little guidance on how to use them. Even worse, in one case, subpar security practices of some software providers undercut the protection that’s supposed to be provided with digitally signed code. And in one extreme case, I installed the Adium instant messaging program with no assurance at all, effectively crossing my fingers that it hadn’t been maliciously modified by state-sponsored spies or criminally motivated hackers. More about those deficiencies later—let’s begin first with an explanation of why digital signatures are necessary and how to go about verifying them. By now, most people are familiar with man-in-the-middle attacks. They’re waged by someone with the ability to monitor traffic passing between an end user and a website—for instance, a hacker sniffing an unsecured Wi-Fi connection or the National Security Agency sniffing the Internet backbone. When the data isn’t encrypted, the attacker can not only read private communications but also replace legitimate software normally available for download with maliciously modified software. If the attack is done correctly, the end user will have no idea what’s happening. Even when Web connections are encrypted with the HTTPS standard, highly skilled hackers still may be able to seed a website with malicious counterfeit downloads. That’s where digital signatures come in. A prime candidate for such an attack is the OTR plugin for the Pidgin instant messenger. It provides the means to encrypt messages so (1) they can’t be read by anyone monitoring the traffic sent between two parties and (2) each party can know for sure that the person on the other end is, in fact, who she claims to be. Fortunately, the OTR installer is provided through an encrypted HTTPS connection, which goes a long way to thwarting would-be man-in-the-middle attackers. But strict security practices require more, especially for software as sensitive as OTR. That’s why the developers included a GPG signature users can check to verify that the executable file hasn’t been altered in any way. […]


[ISN] CarolinaCon-11 is coming – March 20th-22nd 2015

Forwarded from: Vic Vandal h4x0rs, InfoSec geeks, script kidz, posers, and friends, CarolinaCon is back for its 11th year, which is also billed as “the last CarolinaCon as we know it”. For about the price of your average movie admission with popcorn and a drink ($20), YOU are invited to join us for yet another intimate and informative weekend of hacking-related education. This year’s event will be held on the weekend of March 20th-22nd 2015 in Raleigh NC at the North Raleigh Hilton (Midtown). The currently chosen lineup includes more presenters named Old Gregg than you’ll find at any conference anywhere, along with other esteemed individuals, such as; – Have you ever drunk Bailey’s from a shoe? (aka Pen-Testing & Social Engineering Convergence) – Old Gregg (smrk3r) – Cryptocurrency Laundering Theory for Fun and Retirement – Old Gregg (myddrn) – How to design your “You got hacked” page – Old Gregg (digital shokunin) – Electronics Engineering for Pen-Testers – Old Gregg (melvin2001) – Phony Business – What Goes Around Comes Back Around – Unregistered & Snide – Elevator Obscura: Industry Hacks & Answers to all Your Odd Questions About Those Magical Moving Rooms – Howard Payne & Deviant Ollam – Rethinking the Origins of the Lock – Schuyler Towne – RedneckSec – @th3mojo – Cyber War Stories – Andrew Shumate – One Step Closer to the Matrix: Machine Learning and Augmented Reality in Networking – Rob Weiss & John Eberhardt – I live in a van and so can you – Mark Rickert, aka Matt Foley – Drilling Deeper with Veil’s PowerTools – Justin Warner (@sixdub) & Will Schroeder (@harmj0y) – Hacker’s Practice Ground – Lokesh Pidawekar – Social engineering is bullsh*t, call it what it is – surpherdave – Anatomy of Web Client Attacks – Jason Gillam – Art of Post-infection Response and Mitigation – chill – SPAM, Phish and Other Things Good to Eat – Joshua Schroeder / JoshInGeneral …..and potentially 1-2 other l33t talks that we might be able to squeeze in! Side events currently on tap include; – Capture The Flag – Mobile Museum of Vintage Technology – Lockpicking Village – Hacker Trivia – Android Netrunner – Pulp Fiction Canonical Drinking Game – “Unofficial” Shootout (details at http://hackers.withguns.com/) For those traveling to the event or who simply want to stay at the Hilton venue throughout, hotel rooms at the special CarolinaCon group rate can be reserved via this link. http://www.hilton.com/en/hi/groups/personalized/R/RDUNHHF-CCC-20150319/index.jhtml?WT.mc_id=POG ALERT: The special group rate is only available until February 20th, so book now if interested. For other exciting details as they develop stay tuned to: http://www.carolinacon.org If you have any important questions about the event that are NOT answered in website content you can send an email to; infocarolinacon.org Peace, Vic


[ISN] OAS hails Jamaica’s cyber security efforts

http://www.jamaicaobserver.com/news/OAS-hails-Jamaica-s-cyber-security-efforts_18310037 By Balford Henry Senior staff reporter jamaicaobserver.com January 30, 2015 ASSISTANT secretary general of the Organisation of American States (OAS), Ambassador Albert Ramdin, says that Jamaica has made a sound choice of a model for its National Cyber Security Strategy (NCSS). Speaking at the official launch of the strategy at the Jamaica Pegasus hotel in New Kingston on Wednesdayy, Ramdin congratulated the government on drafting and approving its NCSS in just under a year, and appointing a “dedicated multi-stakeholder”, the National Cyber Security Task Force, to develop the strategy. He said that the group, working with the OAS and other experts from partner institutions, has committed significant effort and time to develop a strategy that has met and followed international best practices and recommendations. “I am sure that your experiences and approach will be valuable learning lessons for other Caribbean countries to take into consideration in drafting their own security strategies,” he said. […]


[ISN] Obama talks cybersecurity, but Federal IT system breaches increasing [Updated]

http://arstechnica.com/tech-policy/2015/01/obama-talks-cybersecurity-but-federal-it-systems-breaches-increase/ By David Kravets Ars Technica Jan 20, 2015 Update: This post was updated Tuesday evening to reflect comments the president made during his State of the Union address: President Barack Obama urged Congress and the American public to embrace cyber security legislation during his State of the Union address Tuesday evening. The Cyber Intelligence Sharing and Protection Act, known as CISPA, was unveiled by Obama a week ago and is controversial because it allows companies to share cyber threat information with the Department of Homeland Security—data that might include their customers’ private information. “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. So tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. That should be a bipartsan effort. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe,” the president said without identifying his CISPA proposal and others by name. New research out earlier Tuesday from George Mason University, however, calls into question how effective Obama’s proposal would be. That’s because the federal government’s IT professionals as a whole have “a poor track record in maintaining good cybersecurity and information-sharing practices.” What’s more, the federal bureaucracy “systematically” fails to meet its own federal cybersecurity standards despite billions of dollars in funding. According to a paper by Eli Dourado, a George Mason research fellow, and Andrea Castillo, manager of the university’s Technology Policy Program: […]


[ISN] NASDAQ Vulnerable to XSS

http://www.infosecnews.org/nasdaq-vulnerable-to-xss/ By William Knowles @c4i Senior Editor InfoSec News January 16, 2015 Bob Greifeld, CEO of The NASDAQ Stock Market explains in a promotional video “that NASDAQ is a technology based company, those businesses that we’re in have a unifying theme that are built upon our technology.” Top technology companies such as Google, Tesla, Amazon, and GoPro to name a few use NASDAQ as their trading exchange. When NASDAQ “goes to a developing market and provide to them our technology, its not just the software code, its all the best practices that have been developed on a global basis that they to integrate into their operations.” With this information in mind, it doesn’t explain why a security researcher named analfabestia was able to discover and report a new XSS (Cross-Site Scripting) vulnerability on NASDAQ.com on January 14, 2015, The sixth such vulnerability in nearly seven years. […]


[ISN] Healthcare Cybersecurity Still Top Issue, Says CHIME Leader

http://healthitsecurity.com/2015/01/14/healthcare-cybersecurity-still-top-issue-says-chime-leader/ By Elizabeth Snell Health IT Security January 14, 2015 While new technology can give cyber criminals new outlets to gain access to protected health information (PHI), it also gives more opportunities to healthcare organizations to keep that data safe. Moreover, healthcare cybersecurity is an area that the College of Healthcare Information Management Executives (CHIME) hopes to be a leader in, according to 2015 CHIME Board of Trustees Chair Charles Christian, FCHIME, LCHIME, CHCIO. In an interview with EHRIntelligence.com, Christian explained that positive patient identification and cybersecurity are some of the top health IT challenges in 2015. The national patient identifier is one area in particular that has benefited from evolving technologies, Christian said. Now, there are numerous options that can protect data while it is in motion and at-rest. Moreover, one of CHIME’s goals is to ensure that its members are properly educated on the best practices to keep all data secure. The patient identifier is a critical matter for the healthcare industry, according to Christian. “We’re going to find that care for the patient is going to be provided at a much different level than it ever has before because they’re trying to bend the cost curve down,” he said. “In order to do that, they’re going to have to find other alternatives for primary or urgent care.” […]