Blog
Insights for Reasonable Cyber Security and Compliance
What’s happening in the world of cybersecurity? How do you define 'reasonable' security controls? Which cyber threats can be prevented? What steps should you take to make your systems safer? Read our blog posts to gain new insights into cybersecurity news, security awareness, the latest threats and risks, penetration testing, compliance, regulations and so much more.
FUD in Information Security Employment
Security people sure have it good. The United States Bureau of Labor Statistics tells us that in 2012, self-described information security professionals experienced 0.9% unemployment – a sliver of the roughly 8% national average. The Bureau projects 22% job growth in InfoSec by 2020. Granted, even the BLS admits their numbers aren’t to be taken as gospel, but that’s only because they couldn’t find enough security professionals for a representative sample size. The Pentagon alone plans to add about 4,000 employees to the Defense Department’s Cyber Command. For organizations in the private sector, recruitment of security talent has become such a priority it’s a full-time job. I should know. With this kind of demand for their skills, you’d think security professionals could simply waltz into any company they like, find perfect jobs ideally matching their backgrounds, and write their own checks. (more…)
Unlimited Security Budgets and Perfect Security
Perfect security is neither possible nor feasible, and no law requires it. Information security laws and regulations instead require “reasonable and appropriate” security, arrived at through a well-defined risk management process.
Without a risk-based approach, organizations try to meet information security requirements either by working through a long checklist of security controls or by spending on whatever threat most recently made the news. But regulations are written so that organizations can thoughtfully consider which threats are foreseeable and what their potential impacts would be. Security controls are then applied to bring those risks down to a level the organization can accept.
SIEM: Many Logging Options – What to Do?
Log management and Security Information and Event Management (SIEM) appear in the 20 Critical Security Controls that SANS lists for network security, and they are among the more controversial. Logs are very much like digital fingerprints for your network and applications: they have great value both for noticing exploits as they happen (visibility) and for forensically investigating those that have already happened. SIEMs are the intelligence behind log management. The two are often bought as a combined offering, since one is fairly useless without the other. Metaphorically speaking, together they act like an alarm system for your network. (more…)
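To make the “alarm system” metaphor concrete, here is an added example (not HALOCK’s code or any vendor’s product) of what a SIEM correlation rule does that raw log collection alone does not: it parses constructed OpenSSH-style auth log lines, tracks failed logins per source address in a sliding window, and raises an alert only when a burst of failures is followed by a successful login from the same source. The log lines, the threshold, the window size and the rule itself are all assumptions chosen for illustration.

```python
"""Minimal SIEM-style correlation rule run over constructed log lines.

Added example, not HALOCK's code. The log lines are constructed in the
style of an OpenSSH auth log; the brute-force-then-success rule, its
threshold and its time window are hypothetical choices for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (syslog-style; the year is omitted as in a real auth.log).
SAMPLE_LOG = """\
Mar 11 09:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 11 09:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 11 09:14:04 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 11 09:14:06 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51055 ssh2
Mar 11 09:14:09 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51060 ssh2
Mar 11 09:14:12 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51071 ssh2
Mar 11 09:20:30 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 11 09:20:45 web1 sshd[2302]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""

# Matches the two sshd outcomes we care about; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2013):
    """Turn one auth-log line into an event dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def brute_force_alerts(lines, threshold=5, window_seconds=60):
    """Alert when a source IP accumulates >= threshold failed logins inside
    window_seconds and then gets an 'Accepted' login. Returns a list of alerts.
    A lone failure or a lone success never fires; only the correlation does."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still in window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        # Drop failures that have aged out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:  # 'Accepted' after a burst of failures
            alerts.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                           "failures": len(q), "at": ev["ts"].isoformat()})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in brute_force_alerts(SAMPLE_LOG.splitlines()):
        print("ALERT brute-force success:", alert)
```

Run as-is it prints one alert for 203.0.113.7 (five failures in eleven seconds, then a successful root login) and stays silent for alice, whose single typo followed by a correct password is exactly the noise a raw log viewer would force you to read through. In a real deployment the same logic lives in the SIEM’s rule engine, fed by the log collector; the point is that the collector gives you the fingerprints and the rule gives you the alarm.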
So you’ve been hacked… now what?
The other day I met with an executive whose company had recently been hacked. He looked me in the eye and said, “It’s like I paid someone to punch me in the face… repeatedly!” Getting breached is a huge pain: it costs money, productivity and time, and your reputation can suffer as well. With data breaches up nearly 80% in 2012, it is now more important than ever to have an Incident Response Plan (IRP) in place. (more…)
4 Tips for Hiring the Best Information Security Talent
“How can we recruit and interview candidates, all of whom state on the phone that they are interested, yet who, astonishingly, call to cancel the face-to-face interview before it takes place? One by one, they explain that they have accepted another position. What is it with these information security people?! I have never seen anything like it.” (more…)
HALOCK INVESTIGATES: Network Chatter from China
Imagine one hundred container ships full of the most valuable U.S. assets heading to China every day. Diamonds, gold, oil, John Deere Tractors, priceless artwork, Chevy Corvettes, life-saving artificial hearts, books from our historic libraries, soybeans, the latest Intel® processors, Redwood trees, the genuine Constitution of the United States of America, the Statue of Liberty, Boeing Jets, Northrop weapons, Motorola phones and our most precious asset – information. (more…)
8 Ways to Avoid Becoming a Human Hack
I’ve become a fan of the show Impractical Jokers. If you haven’t seen it, three friends play jokes on the fourth, who has to repeat whatever line is fed to him. The goal is to convince random strangers to say or do something they would not normally do. At the beginning of every challenge I think there is no possible way these guys are going to succeed, yet one of them always does. It got me thinking about social engineering, also known as human hacking: the manipulation of people into giving up confidential information. (more…)
Distributed Denial of Service (DDoS) Protection For High Schools? Who’d a Thunk it?
Just this month, HALOCK saw its first incident of a high school that fell victim to a Distributed Denial of Service (DDoS) attack. Existing internet users inside the school could continue to work, but the outbound internet pipe became so clogged that no new browser sessions could be opened, impacting productivity of students and staff alike. DDoS attacks have become front page news as of late, but usually come from perpetrators wanting to: (more…)
My Back Door is Secure but I Think I Left the Front Door Unlocked!
I received an email last night from my online video rental provider saying that they had been compromised and that my personal information may have been stolen. I immediately assumed it was a “phishing” scam and deleted the email. But with all the data compromised in recent years (Sony and Barnes & Noble, to name a few; yes, I was caught up in both), I had to make certain this was legit. I logged into my video rental account and, sure enough, the breach was confirmed and I needed to change my password immediately. (more…)
Security Alert: Recent Breach at Grocery Chain
Author: Viviana Wesley, PCI QSA
Do you accept credit cards as a form of payment? If so, take notice of the guidelines outlined by Visa in response to a recent breach at a grocery store chain: http://usa.visa.com/download/merchants/alert-prevent-grocer-malware-attacks-04112013.pdf (more…)