April 23, 2015

Infosec still in the Dark Ages, says RSA president
According to Yoran, the industry has promoted a defensive strategy that aligns with a Dark Ages mindset of simply “building taller castle walls and digging deeper moats,” but that is not solving the problem. “It is like we’re working from a map of a world that no longer exists; and possibly never did,” he said. Yoran said that despite knowing that perimeters are not sufficient, the perimeter mindset persists, and the security profession continues to rely on signature-based systems. “We’ve all heard that the threats that matter most are the ones you haven’t seen before. These tools by definition are incapable of detecting the threats that matter to us most,” he said.

IT Security: The Good, the Bad & The Ugly [INFOGRAPHIC]
When it comes to IT security and risk, we've seen some pretty interesting things. The crazy part is that these things are very common among SMBs who either don't have budget allocated or don't place an importance on risk management. We want to offer you some statistics that will uncover the good things, the bad things and the downright ugly statistics that come with IT security for small business.

In Data Center Perimeter Security, TCO is a Continuous Process
To apply security products, you need to define the type of threat first: Are they terrorists or local kids? “The type of threat will guide you to the right budget and product,” said Claus. “We’ve seen it all.” After adding a deterrent around the perimeter, the next step is to determine how many layers of protection you need. Single layer sensor protection is a fence with sensors on the inside. A dual layer approach combines multiple types, in addition to better coverage; it better allows tuning out false alarms. One sensor technology is usually placed at the outer perimeter and the second at the asset. Multi-layer protection includes several different types. These sensors can extend beyond the perimeter to help detect someone doing reconnaissance. The downside is that it also detects animals and other triggers of false alarms.

Facebook’s secret plan to kill Google
Facebook is out to kill Google. There, I said it. You probably think I’m crazy, but there are a bunch of macro-trends coming together, as well as several moves that Facebook got right. that support this. But first, a disclaimer: I’m the cofounder of AdEspresso, a Facebook partner that manages advertising for SMBs and SMEs. As a Marketing Partner, we do have access to privileged information not disclosed to the public, as well as a view on a broader dataset of around $250 million of Facebook Advertising Data, but the analysis that follows is not based on any of the above, rather on public information that has been disclosed in the past few weeks paired with public insights from thought leaders.

Preparing for the digital disruption that’s coming to your industry
Whatever your business, significant disruption is either already occurring or on the way. Much of this is due to the latest wave of emerging and disruptive technologies that are serving as foundational building blocks for new, digitally based business models. I’ve talked with a number of CEOs and business leaders recently, all of them keen to glimpse around the corner to prepare for what’s ahead. Even if your business is going strong right now, you should be doing the same. To help you in this task, here are a few thoughts that arose from those recent discussions.

Systems thinking and practice
Those claiming systems ideas and methods have important characteristics in common, not least a common philosophical base. For these people systems has emerged as an important discipline or field of interest in its own right. They are interested not just in particular sorts of systems, but in systems thinking in general. And although systems has drawn ideas and techniques from engineering, biology, sociology, psychology and many other fields some say there is something special about systems, just as the different disciplines mentioned above are said to have different ways of thinking about the topic that characterises them.

Time for a new school of cyber defence, says HP
The first thing many organisations need to learn is that basic security hygiene must still be the top priority, he said. “The second thing is that it is the people and the processes that make us safe because so many of the attacks are against old vulnerabilities that we know exist,” said Gilliland. The third most important thing many organisations still need to learn is to focus on the security fundamentals, he said. Gilliland said that in relation to those fundamentals, for the past five years, HP and the Ponemon Institute have published an annual study that correlates spending on different categories of capability with the estimated cost of data breaches. The latest study found that a much broader focus on protecting the information that matters through things like the use of encryption will reduce the cost of breaches by 20%compared with the average.

Information Sharing: A Matter of Trust
While banking institutions have always been concerned about emerging attacks, they've historically been less concerned about identifying the threat actors who wage the attacks. That's mainly because banks don't have access to intelligence that would help them link attacks to certain groups or nation-states, Nelson says. Today, however, institutions, with the help of the federal government, are putting more emphasis on attribution, he adds. The government is increasingly helping the financial services industry attribute attacks to nation-states or specific crime rings, Nelson says. "Our government now is more willing to give attribution to these types of attacks, and we've seen that with some indictments against some senior officers in the Chinese military, and the Sony attack being attributed to North Korea."

Google Introduces Wireless Service Called Project Fi
“Since it’s hard to predict your data usage, you’ll get credit for the full value of your unused data,” according to the blog post. “Let’s say you go with 3GB for $30 and only use 1.4GB one month. You’ll get $16 back, so you only pay for what you use.” In many ways, the wireless service is similar to the Google Fiber Internet service that has been introduced in a handful of American cities, including the Kansas City area and Austin, Tex. Google is piggybacking on giant physical networks that are owned by other companies, creating a barrier that, for now at least, limits Google’s competitive threat to traditional carriers. But Google has a long history of trying to cut out middlemen — including Internet service providers, online stores and delivery businesses — that stand between the company and users.

Row-level security provides enterprise chops
Limiting access to the database in this way meant that a whole set of data access coding techniques I had previously used didn't work anymore, and that certain reporting packages didn't work either. You might ask why we went through all this trouble. The reason was that the company I was working for was a major bank and it had to ensure that users could only see the data for which they were authorized. It wasn't enough to implement this security in the application; it had to go in the database, so that no matter how a user connected to it -- through the application or directly -- unauthorized data remained inaccessible. Eventually I got used to the new programming patterns, and subsequent releases of major reporting tools became stored procedure-friendly. In effect, stored procedure access to tables had become an Enterprise standard throughout the industry.

Quote for the day:

"Leadership is Influence and Influence is All Around Us" -- Sam Shriver