December 23, 2015

2015: A Cloud Security Wake Up Call

Some interesting areas to watch include security information and event management (SIEM), which integrates security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by network hardware and applications. Some SIEM leaders working on integrating SIEM with cloud security include Hytrust, IBM, Intel Security, and Splunk. An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. IDS leaders include Cisco (Sourcefire), IBM, Intel Security, and HP.

Innovation and the visionary CIO

Companies eyeing technology trends see massive opportunities and potential threats, with technology-led innovation as a competitive weapon that has two, very sharp, edges. This level of innovation doesn't arise from tactical decisions taken at the business unit level. It requires the kind of core assessment of technology, opportunity, and impact that only a centrally positioned role, such as the CIO, can deliver. While IT has long been responsible for "keeping the lights on," the best CIOs also look for ways to accelerate business growth, providing guidance and guard rails for the CEO and board. ... Keeping IT strategy headed in the right direction while avoiding investments in too many technological dead-ends requires a single vision of what is necessary and possible. Only the CIO can provide that vision.

Getting mobile device management right: Four key steps

One of the benefits of an MDM program is the ability to understand how employees are using their mobile devices. Routing the flow of information back to the IT department and help desk from the start can improve performance down the line. For example, an understanding of which devices and models are popular enables your help desk to train more accurately, resulting in better assistance with future troubleshooting issues. Another useful strategy is to share application inventory information with your support departments to ensure that corporate apps deploy properly. Sharing information with human resources about which users are active on which platforms helps their department appropriately update credential provisions when employees enter and leave the system.

Could the Internet of Things spark a data security epidemic?

What separates smart systems from "dumb" systems? IoT-enabled devices collect huge amounts of personal information, which can be retained and used to extrapolate users’ behavioral patterns and preferences. By doing so, businesses can then use these insights to automate and improve the overall user experience. This information is extremely valuable for businesses and consumers alike. However, it’s important to think about what happens to that data after you are done using the devices. In addition to acquisition and implementation, be sure to consider end-of-use or end-of-life scenarios too. In these cases, there needs to be a core feature and functionality in smart refrigerators, smart thermostats, smart TVs and all other connected products that fully wipes all data clean and can then show verifiable proof that no residual data could ever be recovered.

EU finally agrees draft of Europe-wide data privacy law

According to a recent European Parliament press release, however, the end may at last be in sight. The European Council and European Parliament have now reached a “strong compromise” on a draft of the GDPR. “It is now up to [EU] member states to give the green light to the agreement.” MEP Jan Philipp Albrecht, the European Parliament’s chief negotiator for the GDPR, said that “negotiations hopefully have cleared the way for a final agreement”. “In future,” he added, “firms breaching EU data protection rules could be fined as much as 4% of annual turnover – for global internet companies in particular, this could amount to billions. In addition, companies will also have to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers”.

Poor security decisions expose payment terminals to mass fraud

Payment terminals require a secret key to authenticate with payment processors over the Poseidon protocol. However, like with ZVT, payment terminal manufacturers implemented the same authentication key across all of their terminals, SRLabs found. This error can be abused to steal money from merchant accounts. While most transactions add money to such accounts in exchange for goods or services, there are a few that can cost merchants money, for example transaction refunds or top-up vouchers like those used to recharge prepaid SIM cards. In the worst case scenario, attackers could hijack terminals and use them to issue refunds to bank accounts under their control from thousands of merchants by simply iterating through terminal IDs, which are usually assigned incrementally.

Amazon's 'Virtual CPU'? You Figure It Out

Amazon uses what it calls "EC2 Compute Units" or ECUs, as a measure of virtual CPU power. It defines one ECU as the equivalent of a 2007 Intel Xeon or AMD Opteron CPU running at 1 GHz to 1.2 GHz. That's a historical standard, since it dates back to the CPUs with which Amazon Web Services built its first infrastructure as a service in 2006 and 2007. (The Amazon ECU is also referred to as a 2006 Xeon running at 1.7 GHz. Amazon treats the two as equivalent.) The value of Amazon's ECU approach is that it sets a value for what constitutes a CPU for a basic workload in the service. ECUs were not the simplest approach to describing a virtual CPU, but they at least had a definition attached to them. Operations managers and those responsible for calculating server pricing could use that measure for comparison shopping.

Cybersecurity in the digital age for the smart grid

Cybersecurity strategists must keep pace with – indeed, anticipate – the feverish pace of digital technology development. Each layer of the IP stack on which these technologies function offers hackers potential attack vectors into the emerging Smart Grid. Chip-laden computer boards integrated into a grid component – a transformer, a recloser, a circuit breaker – represent a potential pathway into which hackers can gain entry to gather sensitive information or disrupt grid operations. Compliance with NERC and FERC regulations should be considered only a starting point toward true system security. In the ever-evolving digital age, regulations always lag behind rapid technology advancement and intensifying intruder strategies. Every power plant and interconnect now needs a brain trust which includes a lawyer, an insurance expert and a cybersecurity team.

Expect Data Breaches, Awareness to Increase in 2016

There is a lot of mystery wrapped up in security, given the sophisticated attacks launched by nation states and cyber criminals; however, many times the solution is simple and involves fundamental security principles like good passwords and encryption for sensitive data. Arguably every year should be the year of encryption, but we have seen enough avoidable damage from a lack of encryption (see TalkTalk shares tank 11% on fears that customer compensation bill could wipe out profits and “I am surprised….no encryption has been used”) this year that those responsible will start to insist upon encryption being a fundamental part of the overall storage/security strategy. The end of US/EU Safe Harbor will also help push encryption as part of a data privacy mechanism.

Updated Mobile Malware Targets Android

"Mobile devices are the new front for cybercrime - the earlier a bank acts, the sooner criminals find other targets," says Al Pascual, director of fraud and security at Javelin Strategy & Research. "To manage this growing threat, bankers should apply a holistic approach, including account-holder education on mobile security best practices, biometric authentication in the mobile app, and strong back-end account security, such as behavior metrics, device fingerprinting and transaction analysis." But banks' efforts are being subverted in part by many Android device manufacturers failing to keep their customers' devices updated with the latest operating system updates and security patches. According to research conducted by G Data in October, for example, few Android devices today are secure.

Quote for the day:

"Opportunity always involves some risk. You can't steal second base & keep your foot on first!" -- Joseph Heller