Information Aversion – The Ostrich Effect

Are we hurting our cause when we describe, in gruesome detail, the potential outcomes of a data breach or other IT security breach? Are we inadvertently pushing real security further off when we chase after the latest whiz-bang technology instead of focusing on making steady progress?

That’s what came to mind when I recently heard an NPR piece on Information Aversion.

Test of our Bulk Power System, GridExII, Kicks Off Tomorrow

On November 13-14, the North American Electric Reliability Corporation (NERC) will host a Grid Security Exercise, called GridExII, with Electricity Sub-sector entities across the U.S., Canada and Mexico. The goal is to simulate both a cyber-incident and physical attack for the purposes of testing organizational readiness and response.

Some pretty good movies have been made about the notion of a cut to our nation’s power supply – which is what could happen in the event of a serious breach of our electrical grid.

Changeup Information Sharing

We were talking with the CIO of a major healthcare company the other day who told us that his day had gone sideways because of the re-emergence of the ChangeUp worm / Trojan. This was news to me. I mean, yes, I’m a little behind in my reading, but I’d not heard much about ChangeUp since it flared up again at the end of 2012.

New School Cyber Crooks Using Old School Malware Tricks

You can teach old crooks new tricks, but many cyber criminals are discovering that the old tricks are working just fine.

Indeed, recent security headlines feature old-school malware attacks, like MiniDuke. And old-school botnets with creative new names are bum-rushing the Internet. At the same time, reflective memory injection (RMI) attacks,

CISPA, FISMA Passed the House. Now What?

CISPA, the Cyber Intelligence Sharing and Protection Act, passed the US House of Representatives late last week and will move to the Senate for further debate. If this rings a bell, it should. Last summer, CISPA passed the House before stalling in the face of a Senate filibuster. Of course, it was not the only failed attempt at cyber security legislation.

Is Education Key to Closing the Door on Hackers?

I read with interest an Op-Ed piece in the New York Times the other day by Marc Maiffret (founder and CTO of BeyondTrust) entitled “Closing the Door on Hackers.” [By the way, as I’ve mentioned before, it’s interesting to see cybersecurity in the mainstream news, which seems to be happening more and more these days.] The thesis of his piece is that we should also be pressuring software makers to make significant investments in their products’ security.

Are Journalists Sitting Ducks?

Remember Mat Honan – the Wired reporter who covers consumer electronics? He had his entire digital life erased last summer. His Google account was deleted, his Twitter taken over, and his iPhone, iPad and MacBook wiped.

How about the New York Times hack? Chinese hackers allegedly broke into the paper’s systems,

Uncle Sam Has Yet Another Data Protection Bill

The latest attempt at creating a US Federal data protection / data breach notification law was recently introduced in the Senate. The “Data Security and Breach Notification Act of 2012” (S.3333) was submitted by Sen. Pat Toomey (R-PA) with the support of Sens. Olympia Snowe (R-ME), Jim DeMint (R-SC), Roy Blunt (R-MO) and Dean Heller (R-NV).

Vermont Updates Data Breach Notification Laws

Updates to the Vermont Data Protection and Breach Notification laws came into effect in May 2012. As readers of my posts know (yo G!), although I seem to play one in this blog, IANAL. With that said, since these laws seem to cover any business in the US and beyond, you should take a quick look at Vermont’s data protection laws.

Chances are Someone is Trying to Steal Your Organization’s Information

Chances are someone is trying to steal your organization’s information. Instead of expending all your effort on defensive posture controls, there are ways to actively seek out and disrupt attempts to steal your organization’s information. This is called counterintelligence, and that good old Cold Warrior, George Smiley, should be your hero.

The Year I Started Being Afraid

I’ve been in IT since I was a kid. I was a real, stereotypical nerd. While other computer nerds were learning to program games, I turned up my nose at their childish efforts and learned database programming because at 12 I actually wanted to write accounting software. I know, I know, weird. Anyway, I say this to underline the fact that I’ve been in technology since PCs first came out, and business technology at that.

Social App Security – An Oxymoron?

The recent Wall Street Journal investigation into the Facebook privacy breach raises a fundamental question: can a “social application” be secure? This is a question bigger than just Facebook. Popular mobile platforms such as Apple’s iOS and Google’s Android have also struggled with this of late. Here is the core conundrum: platform vendors need to provide a secure platform on which developers can build consumer apps bursting with compelling functionality and innovation – so where do platform vendors draw the line between consumer privacy and innovative functionality?

Five Irrefutable Laws of Information Security

Last week, Forrester held its annual Security Forum 2010 and discussed, among other topics, the need for consistent controls on our endpoint devices to ensure continuous security and network protection. In his keynote entitled “What is the Most Significant Vulnerability We Face Today,” Malcolm Harkins, Chief Information Security Officer at Intel Corporation, cited an example of his large,
