Rise of the Narcohackers


Here at CTOVision, we write quite a bit about the problems of the insider threat, social engineering, and other threats to the enterprise. Amidst the seemingly endless array of security problems a given CTO faces (from overly generous Nigerians to Visitors from the Land of the Panda *cough cough* APTs), it's easy to forget that the bad guys have security issues too. Control of information is a key element in the Mexican cartel war. Slip up, and …

Are Security Pros Becoming Too Paranoid?


Paranoia is good when it comes to cyber-security...or is it? Are we making ourselves paranoid? Like many computer security professionals, I tend to closely follow technology and security news, even though it's often discouraging and depressing. It is routine to see articles disclosing general information about recent attacks and criminal successes (and sometimes criminal captures). I suppose that at this point it is fairly common to find "shocking" …

Risk Management with Fixmo Sentinel


These days we hear a lot of terms thrown about like the “Consumerization of IT” and “Bring your own device” (BYOD), and “Network health”. This is because corporations are starting to warm up to the idea that maybe if they let you bring in your personal computing devices such as smartphones and tablets, they won’t have to pay to give you one. The flip-side of letting employees bring their consumer devices into the corporate fold is that …

Mobile Apps Can Have Strategic Impact: If Mobile Risk Can Be Managed


I just returned from a meeting at Fixmo where I had an opportunity to talk with Fixmo CEO Rick Segal and other members of his key leadership team. I am enthused to be on the Fixmo advisory board because they are bringing such virtuous capabilities to enterprise and home users. We will be providing more info on Fixmo as they roll out new capabilities we believe you should be aware of. But with this post I want to summarize an interesting piece by …

Register for 16 Dec webinar on what the CIO needs to know about developing secure code


On Friday, December 16th, 2011, FedCyber.com will host a webinar featuring one of the great champions of secure code, Mr. Michael Howard. For more information and to register for this event see: https://www3.gotomeeting.com/register/551297622

More on the webinar: FedCyber.com is pleased to announce a special opportunity to interact with Mr. Michael Howard, author of the Security Development Lifecycle process improvements and lead security …

The Elders of the Internet Have A Message for the U.S. Congress


The EFF (Electronic Frontier Foundation) was founded in 1990 as a donor funded non-profit with a focus on fighting for internet freedoms. They frequently bring those fights to the courts by bringing lawsuits against large corporations and the government. They also work to provide information to inform legislators and the public at large. The EFF is cool, but of course you don't have to agree with every position they have ever taken. That said, all in all …

What You Need to Know About Duqu


Everything that you need to know about Duqu: Duqu was reported to antivirus vendors around the 14th of October, 2011, but it has been in the wild since November of 2010. Since then there have been variants (updated copies with additional features or upgrades to code) released. It has been billed as the next Stuxnet, the son of Stuxnet, or a Stuxnet clone. In reality, Duqu is actually more like a payload of Stuxnet rather than the entire attack …

Invincea Continues to Gain Momentum


We've already covered how odds are your software applications aren't secure. Threats and attack vectors seem to expand faster than solutions, and many solutions are employed sub-optimally due to poor updating, patching, and information management. And conventional tools can't protect users against targeted attacks like spear phishing, which rely on flaws in judgement rather than software. It's a harsh security climate, which is why I like …

Only 18% of Software Apps Pass Security Tests


Over the past 18 months, almost 10,000 software applications from the government and private sector were submitted to Veracode’s online security testing platform for independent security auditing and 8 out of 10 failed to achieve an acceptable level of security on their first try. Veracode reached this conclusion by automatically checking submitted apps for over 100 types of flaws. That's not to say the 18% that passed were flawless, merely that …

The Cybersecurity “Wake Up Call” and the Snooze Button


While Alex has dealt rather masterfully with the consequences of the trumped-up Russian SCADA hacking incident, I'd like to point to a different aspect of it: the cybersecurity "wake up call." The Springfield incident was immediately called a "wake up call" for cybersecurity practitioners. Of course, we now know that it was not a cyber attack. But suppose, for the sake of argument, that it really was the work of nefarious Russians. That would be a real …