There has to be a better way

IT Security Insider



Top Stories

The SEC Tuesday filed civil charges against the secrets-laden former head of McKinsey & Co, Rajat Gupta, accusing him of leaking inside information to the notorious hedge fund trader Raj Rajaratnam, whose criminal trial for insider trading and securities fraud starts next week. Gupta allegedly tipped Rajaratnam to Warren Buffett's $5 billion Berkshire Hathaway investment in Goldman Sachs in 2008 at the height of the financial meltdown. Gupta was privy to what was going on by virtue of his seat on Goldman's board, and regulators say he told Rajaratnam the moment the board approved the deal via a conference call. Already informed by Gupta that the deal was in the works, Rajaratnam instantly bought another 175,000 shares of Goldman Sachs minutes before the market closed and sold them the next day when the deal was announced and they went up. Gupta also supposedly leaked... (more)

Victim-nomics: Estimating the “Costs” of Compromise

Since launching ThreatConnect.com, Cyber Squared's Intelligence Support Team has become more effective in managing, analyzing and sharing our Threat Intelligence. While understanding the threat remains one of our core requirements, we have also begun to fill a key gap that, we feel, many within the industry are failing to address. Providing effective Threat Intelligence requires more than just characterizing the threat from a technical perspective. Instead, you must strike a balance between providing technical context as well as non-technical relevancy to the victim. Industry report authors will often admire the cyber espionage problem all the while promoting their technical talents. Unfortunately, these overly technical threat details are not easily interpreted or acted upon by today's non-technical business leaders. So, ultimately, this shortcoming often over... (more)

Enhance Your Security Posture

With this post I would like to provide some personal thoughts on the key things organizations should be doing to enhance the security, privacy and functionality of their IT. This includes some specific recommendations for security solutions, including solutions I'm on advisory boards for (read the disclaimer). So I had better caveat this by saying "please use your own judgement!" I associate myself with firms because I believe they are world-class, and that is why I've mentioned the specific capabilities here. With that, here are my views of the top five things every government organization should be doing to reduce risk in cyberspace: 1. Adopt and fully implement a program centered around the Consensus Audit Guidelines. Details on this effort are at http://www.sans.org/cag. This program is a well coordinated, well thought out list of controls and metrics that eve... (more)

Cybersecurity: It’s More Than Worms, Hacking and Phishing

To put things into perspective, let's analogize about some information technology related initiatives. In the realm of things, accounting is like a lake, integration is like a bay and cyber security is like the Pacific Ocean. The scope of understanding required to be a cyber security expert is so vast that it fills volumes just trying to define it, let alone protect it. The reason cyber security is so vast is that it is a strategy for mitigating risk from breach of confidentiality, lack of integrity and lack of availability of information systems and networks. Consider the number of threats that target these three things, and then consider that this number covers only the known threats. Also, know that new threats are being uncovered daily. Moreover, threats are not all technological; some of them are socially engineered, which makes them all the more difficult to defend ... (more)

Preventive Security Through Behavior Modification

Over the next few weeks, we'll investigate how the expression "An ounce of prevention is worth a pound of cure" could also be applied to the IT world, and what tools foster preventive security through behavior modification. When looking at IT security, it seems that most of the security solutions today are based on Defensive Security. Technologies such as AntiVirus, Firewalls, Intrusion Detection Systems and Intrusion Prevention Systems, Anti-Trojan, Anti-Worms, and Anti-Spyware belong in this category. The primary focus of these technologies is defending against security attacks in progress. Other categories of security exist of course, such as Proactive Security (including Vulnerability Management) and Remediation Security (e.g. Patch Management), but the industry focus these past few years has been on Defensive Security. It is amazing that despite a... (more)

Preventive Security Through Behavior Modification - Part 2

Last week, we saw that Defensive Security is not enough to solve the $1 trillion Intellectual Property and IT theft and cybercrime problem. This week, more about Preventive Security. Preventive Security is a set of technologies and processes used to prevent security incidents from even being attempted. These include awareness and training programs, the establishment of proper policies and procedures, and the use of technology solutions in support of existing laws. In fact, this is not very different from "regular" crime and how we deal with it. We arm ourselves with the means to catch the bad guys, we severely punish crimes, and we let people know that crime is bad, that jail is also bad, and that if they try to commit the crime they will be caught. This prevents most people from getting into trouble. So how severe are punishments for IT crimes? In a case tried in March o... (more)

Rajaratnam Wants Jury Verdict Overturned

Convicted hedge fund felon Raj Rajaratnam wants the presiding judge in his months-long trial on insider trading charges to throw out the verdict that could send him to jail for a very long time. On Wednesday his lawyers renewed a motion to have him acquitted and his slate wiped clean after a federal jury found him guilty of all 14 counts of conspiracy and securities fraud on May 11. The defense tried the same thing after the government rested its case and again after all the evidence was presented. This time his lawyers claim that despite the massive wiretap evidence against him the prosecution failed to prove his guilt beyond a reasonable doubt on at least five of the 14 counts. Rajaratnam, 53, is supposed to be sentenced July 29. The tens of millions he was found to have illegally garnered were almost exclusively amassed in brand-name tech stocks from tips by corr... (more)

Ventana New Media Sweeps Up Three Awards at Golden Bridge Awards Ceremony

Ventana New Media has earned the prestigious Golden Bridge Awards titles for their Ventana New Media Engine. The coveted annual Golden Bridge Awards program encompasses the world’s best in organizational performance, products and services, executives and management teams, women in business and the professions, innovations, case studies, product management, public relations and marketing campaigns and customer satisfaction programs from every major industry in the world. Organizations from all over the world are eligible to submit nominations including public and private, for-profit and non-profit, largest to smallest and new start-ups. Winners were honored in New York on Wednesday, August 10, 2011 during the 3rd annual awards dinner and presentations. Ventana New Media was established to give companies vastly greater control over their corporate message and audienc... (more)

Time to Ditch Cryptographic Keys?

What is the most secure way to authenticate electronic data? Until recently, many technical people would have answered 'cryptographic keys' without blinking. But recent headline events, and a 'biggie' last year, have raised serious doubts about the ability of cryptographic keys to protect vital government and corporate data. Here are two examples from February that should make CIOs, CTOs and CSOs tremble in their boardrooms: McAfee revoking keys for signing apps on the Apple store, and stolen keys from Bit9 being used to sign malware. In the McAfee case, a McAfee administrator revoked (by mistake) the digital key for certifying desktop apps that run on Apple's OS X, thereby creating serious problems for customers who wanted to install or upgrade Mac antivirus products. The original Ars Technica article (McAfee revoking keys) noted that the administrator intended ... (more)

The New Standard: Intelligence-Driven Security

In a recent blog post, Art Coviello, the executive chairman at RSA, posed an important question: how do we move from traditional security to intelligence-driven security? In his answer he described how the increasingly interdependent exchanges between parties (B2C, B2B, B2P, etc.) have grown beyond the traditional means of securing the enterprise: "IT organizations have continued to construct security infrastructures around a disintegrating perimeter of increasingly ineffective controls." He described a new model of cyber-security that includes five concepts: a thorough understanding of risk; the use of agile controls based on pattern recognition and predictive analytics; the use of big data analytics to give context to vast streams of data to produce timely, actionable information; personnel with the right skill set to operate the systems; and information sharing at scale. I hav... (more)

Top Mistakes That Leave SMBs Vulnerable

Today even the smallest of businesses can generate a huge volume of emails, payment information and other data that must be protected. Medical practices, credit unions and independent retailers all face HIPAA, PCI and other standards. With so many regulations and limited budgets, how can small businesses keep up? Here are the top security mistakes that leave SMBs vulnerable to breaches and compliance audits. Ignoring Blind Spots: In small businesses, technical expertise is generally not deep; rather, the folks in charge of protecting data are often performing other job functions in the company. If your staff lacks expertise in a given area, it is important to invest in a regular health check with subject matter experts to ensure each solution you have in place remains optimally configured and operating at peak performance. Thinking Your Size Makes You ... (more)