Infosec Haiku

Anata no joho sekyuritei konshu no haiku

Cardinals v Astros
Moneyball Databases
Need Protection Too!


### Notes ###
* The Infosec Haiku has been on travel, so apologies for the inconsistent posts of late.
* Thanks to Ms. Etsuko vdH for the translation.

> Read More

PayPal left red-faced after more security holes found in two factor authentication

Just over a month ago, security researchers revealed that one of PayPal’s primary mechanisms to protect accounts from hackers had been fundamentally flawed for years.

Researchers at Duo Security discovered a method of bypassing the two-factor authentication (2FA) technology used by the site, which is supposed to protect your account should your PayPal username and password fall into the hands of online criminals.

> Read More

People Are Your Last Line of Defense

The increasing numbers of attacks profiled in news reports over the last several months demonstrate that we live in an unsecure world.  The Target breach in particular shows how important a complete cyber security program is to an enterprise network environment.  Target’s security systems generated events from the attack, but the events were not followed up on

> Read More

Global Trends in Data Protection Maturity

The other day, coinciding with Data Privacy Day, we presented the results of our 3rd annual Data Protection Maturity survey. Here’s a quick recap.

In late 2013 we conducted an online worldwide survey of IT professionals to find out how much progress is being made in data protection. We had almost 400 completed responses from folks in all sizes of organizations (the 100-499 and 5000+ categories were better represented at~20% and ~25% respectively) and from across the world (with a majority in North America and EMEA).

> Read More

Today is International Data Privacy Day

Lumension is a proud supporter of Data Privacy Day – an international effort hosted by the National Cyber Security Alliance to educate people on the importance of protecting their personal information and their employer’s data.

Data is a valuable commodity and highly sought after by cyber criminals. Whether you are an employee at a small organization,

> Read More

Three Lessons Learned From the NSA’s Use of Big Data and Security Analytics

Security analytics is the term being applied to the new methods being developed to counter sophisticated targeted attacks. The idea is simple but implementation requires skill sets that have yet to be acquired by most organizations. Gather as much data as possible, apply filters derived from security intelligence, and identify attacks in progress or already firmly established beachheads made by the adversary.

> Read More

The Danger of Open Access to University IP

When I saw last week’s New York Times story about the problems universities are experiencing with cyber attacks, my first thought was one of surprise. Wasn’t this kind of story published years ago? Hackers are opportunistic and universities pride themselves on providing free and open access to materials. Cyber attacks on research universities have been happening for some time.

> Read More

To Layer or Integrate? That is the Question

Indeed, the debate over whether to mix a myriad of tools and technologies to create a bulletproof shield that hackers can’t invade or to take an integrated approach to in-depth defense to combat persistent threats is ongoing. But more cyber security analysts are speaking out about the benefits of integration.

Also known as layered defense,

> Read More

Securing the Internet of Things

Gone are the days when the Internet was something accessed only through a PC attached to an Ethernet plug. Access is now available from anywhere and via a multitude of form factors. The Internet has moved beyond the computer and even your smartphone into the most unlikely of things. Your TV, your thermostat,

> Read More

3 Executive Strategies to Prioritize Your IT Risk

Every company wants to know the best way to protect their company, but it can be difficult when faced with the evolving security challenges of today. I recently sat down with Richard Mason, VP & CSO at Honeywell, Roger Grimes, security columnist and author, to get their thoughts on risk management best practices. I hope these strategies will help companies prioritize their IT risk and think beyond the traditional IT standards.

> Read More

ZIP Codes Are … PII?!

Mr. ZIP (or Zippy to his friends) was born back in July 1963 and the soon-to-be 50-year-old is finally getting some privacy … in Massachusetts at least.

The Massachusetts Supreme Court recently determined that under Mass. Gen. Laws, ch. 93, § 105(a), “personal identification information” includes a consumer’s ZIP code and decided that collecting such personal information is a violation of state privacy law for which the consumer can sue.

> Read More

Anatomy of Reflective Memory Attacks

Ophiocordyceps unilateralis is a parasitical fungus that, beginning with a microscopic spore, infects a certain species of ant using a series of attacks, one building on the other until it controls the ant’s brain for its own bidding.  The fungus can’t just land on the ant, consume it and reproduce.  It needs to get inside the ant – in order to eat it – and it needs the ant to travel far away from the ant’s normal home in a tree to an environment more suitable for the fungus’ growth and reproduction. 

> Read More

Embedded Chinese Malware – Theoretical Threat or Practical Issue?

Before we begin discussing the issue of the theoretical or practical reality in the potential threat of the Chinese embedding malware in the computer equipment they manufacture, consider this:

Just a few years ago who would have thought that any government (never mind our own) would have created malware to attack another government’s computer systems to achieve a political goal?

> Read More

Are Journalists Sitting Ducks?

Remember Mat Honan – a Wired reporter that covers consumer electronics? He had his entire digital life erased last summer. His Google account was deleted, his Twitter taken over, his iPhone, iPad and MacBook erased.

How about the New York Times hack? Chinese hackers allegedly broke into the paper’s systems,

> Read More