There has to be a better way

IT Security Insider

Subscribe to IT Security Insider: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get IT Security Insider: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Top Stories

Every business acknowledges that network security is critical. But how do you quantify the business value that a secure network provides? And how does an enterprise evaluate and justify investing in network security products like next-generation firewalls, intrusion prevention systems and unified threat management appliances? While there is no exact formula or "cost of attacks" calculator, there are some useful guidelines and research studies that can provide techniques and resources for IT managers to develop their own cost model. There are three core areas that are important for assessing the impact of network-based attacks and the "prevention value" of next-generation firewall technologies: Defining the different types of network-based attacks Understanding how those attacks can affect your bottom line Methods of quantifying the impact of those attacks Types of ... (more)

Best Practices to Ensure Security in the Private Cloud

As regulatory oversight across the financial landscape continues to drive greater transparency and stricter penalties, outsourcing to the private cloud has become an integral resource for hedge fund and private equity managers. Cloud infrastructure services are now synonymous with increased efficiency, decreased costs and added security. However, security in particular remains a key concern for many financial services firms. The costs a cloud services provider can incur in dealing with a security breach, both financially and to its reputation, can be devastating. Infrastructure providers, particularly those catering to financial services firms such as hedge funds, must have strict policies in place and employ best practices to ensure that their clients receive the same level of security as they would achieve with an on-site network. While most participants in the f... (more)

Cybersecurity: It’s More Than Worms, Hacking and Phishing

To put things into perspective, let’s analogize about some information technology related initiatives.  In the realm of things, accounting is like a lake, integration is like a bay and cyber security is like the Pacific Ocean.  The scope of understanding required to be a cyber security expert is so vast that it fills volumes just trying to define it, let alone protect it. The reason cyber security is so vast is that it is a strategy for mitigating risk from breach of confidentiality, lack of integrity and lack of availability of information systems and networks.  Consider the number of threats that target these three things and then consider this number is only the known threats.  Also, know that new threats are being uncovered daily.  Moreover, threats are not all technological, some of them are socially engineered, which make them all that more difficult to defend ... (more)

Cyber Security Alliance Helps Small Businesses Address Security Risks

Across all industries, small businesses are increasingly facing new threats related to cyber security. Whereas some have taken minimum steps to address these threats but most have not. New security threats and incidents are reported every day in news reports and a many remain unreported. This underscores the need for cyber security education of small business owners and managers. These threats have potentially serious consequences and could lead to unrecoverable damage to small businesses. What are some consequences of the lack of basic cyber security controls? Loss or stolen customer data Loss of intellectual property Decreased productivity Legal liability Regulatory sanctions and fines Computer systems downtime Loss of reputation and customer confidence Loss of revenue Banking Fraud Could this happen to you? It is very important to understand that neither size nor i... (more)

Preventive Security Through Behavior Modification - Part 2

Last week, we saw that Defensive Security is not enough to solve the $1 trillion Intellectual Property and IT theft and cybercrime problem. This week, more about Preventive Security. Preventive Security is a set of technologies and processes used to prevent security incidents from even being attempted. These include awareness and training programs, establishment of proper policies and procedures and the use of technology solutions in support of existing laws. In fact, this is not very different from "regular" crime and how we deal with it. We arm ourselves with the means to catch the bad guys, we severely punish crimes and we let people know that crime is bad, that jail is also bad and that if they try and commit the crime they will be caught. This prevents most people from getting into trouble. So how severe are punishments for IT crimes? In a case tried in March o... (more)

Lessons Learned from LinkedIn

Users are making it too easy for hackers. If we take a closer look at the 6.5 million hashed LinkedIn passwords that leaked we find a large swath of the user population are ignoring warnings of overly simplistic and obvious passwords. Would you believe the most common word or phrase found in a 160K sampling of the list was “link”? And would you further shake your head in disbelief that “1234” and “12345” followed close behind. Rounding out the top 10 were “work,” “god,” “job,” “angel,” “the,” “ilove,” and “sex.” More so than Facebook, LinkedIn is the social media of choice for business. So it is likely to be used by the users in your enterprise as part of their SaaS profile. This makes their problem, your problem. If we learn anything from this debacle, it is that password management should be a priority for any organization that allows its users unfettered access t... (more)

Victim-nomics: Estimating the “Costs” of Compromise

Since launching ThreatConnect.com, Cyber Squared's Intelligence Support Team has become more effective in managing, analyzing and sharing our Threat Intelligence. While understanding the threat remains one of our core requirements, we have also begun to fill a key gap that, we feel, many within the industry are failing to address. Providing effective Threat Intelligence requires more than just characterizing the threat from a technical perspective.  Instead, you must strike a balance between providing technical context as well as non-technical relevancy to the victim.  Industry report authors will often admire the cyber espionage problem all the while promoting their technical talents.  Unfortunately, these overly technical threat details are not easily interpreted or acted upon by today's non-technical business leaders.  So, ultimately, this shortcoming often over... (more)

The New Standard: Intelligence-Driven Security

In a recent blog post, Art Coviello, the executive chairman at RSA, posed an important question. How do we move from traditional security to intelligence-driven security? In his answer he described that the quickly interdependent exchanges between parties (B2C, B2B, B2P, etc) have grown beyond the traditional means of securing the enterprise: “IT organizations have continued to construct security infrastructures around a disintegrating perimeter of increasingly ineffective controls.” He described a new-model of cyber-security that includes five concepts: A thorough understanding of risk The use of agile controls based on pattern recognition and predictive analytics The use of big data analytics to give context to vast streams of data to produce timely, actionable information Personnel with the right skill set to operate the systems Information sharing at scale I hav... (more)

Is IDaaS a Trustworthy and Feasible Option?

Conspiracy theorists and other concerned citizens will insist the government is watching every keystroke, keeping a record of every website, transaction, text and email. Shades of 1984’s Big Brother, right? These last few weeks, the news has been brimming with revelations of data surveillance and monitoring by the government (not to mention data harvesting corporations like Google, Yahoo, Facebook etc…). Everyone, including the security buffs at CloudAccess, is sensitive as to what is being looked at, stored, and analyzed for hazily defined purposes. Privacy is no longer as private as you think; and hasn’t been for many years. Politics, ethics and debates over 4th amendment interpretation aside (as they serve no useful purpose in this analysis), a question was asked on one the security forums that in light of these alleged breaches of trust, whether cloud security... (more)

Top Three Reasons to Give Insiders a Unified Identity

Click Here to Download This Whitepaper Now! Although much publicity around computer security points to hackers and other outside attacks, insider threats can be particularly insidious and dangerous, whether caused by malice or employee negligence. In its list of the eight most significant cybersecurity threats for 2013, Forbes cited internal threats as No. 3, noting that internal attacks can be "the most devastating" due to the amount of damage privileged users can inflict and the type of data they can access. Click Here to Download This Whitepaper Now! ... (more)

Post Exploitation Using Metasploit Pivot and Port Forward

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task. A very nice feature in Metasploit is the ability to pivot through a Meterpreter session to the network on the other side. This tutorial walks you through how this is done once you have a Meterpreter session on a foreign box. We begin right after a client side exploit has been achieved from an attacker machine running Ubuntu Linux to the victim machine running Windows XP. 1. Introduction The Metasploit Project is an open-source, computer security project which provides information about security vulnerabilities that assist in performing a penet... (more)