The flood of personal devices entering organizations through both formal bring your own device programs and informal use of personal technology poses a significant risk to enterprise security. While organizations traditionally relied upon mobile device management (MDM) technology to control both the apps installed on mobile devices and the security configurations of the device operating system, this approach does not offer the flexibility necessary for bring your own device (BYOD) models. Users do not want clunky corporate software that intrudes into their personal use of technology, and enterprise IT departments don’t want the support burden that comes along with such heavy-handed management. App containers and application wrapping are emerging as more BYOD-friendly solutions to the mobile security challenge.
Read the full article: App container, app wrapping and other emerging mobile security tactics
Published June 29, 2016 on SearchSecurity.com
The Federal Rules of Criminal Procedure (FRCP) govern the criminal trials that take place in all federal courts around the nation. While these rules are often quite dry and don’t often contain controversial provisions, they are extremely important to the conduct of criminal trials and contain the procedural rules that govern not only the conduct of a trial but also the conduct of law enforcement personnel who gather evidence that may be used at trial.
On April 28th, the U.S. Supreme Court submitted proposed amendments to the FRCP that cover a variety of changes to criminal trial procedures. One of those in particular is of great interest to information security and privacy experts. Rule 41 governs the search and seizure of evidence that may be used in a criminal proceeding.
Read the full story: Rule 41: What does it mean for enterprises?
Published June 21, 2016 on SearchSecurity.com
If you’re looking for a career path that allows you to exercise both leadership and technical skills, technology management may be an appropriate path for you. In particular, technology professionals with a security background will find that information security management offers the combination of a challenging work environment with a potentially lucrative career in a high-demand field. Succeeding as an information security manager requires a unique blend of technical, leadership and social skills but offers tremendous rewards to those who make the cut.
Organizations around the world struggle constantly with security challenges, and one need look no farther than the evening news to see evidence. Major security breaches have rocked both the public and private sectors in recent years, and Congress finds itself grappling with thorny legislative issues that seek to balance national security interests with those of information security. As organizations seek to thrive in this murky environment, they require strong leadership for their information security and compliance functions. As with many technical disciplines, they often find it challenging to attract highly qualified talent to their information security management positions because there is a relatively small pool of qualified individuals who are in great demand. This combination of circumstances offers great opportunity to those seeking a career in security leadership.
Read the full article: Information Security Management: Making the Leap
Published May 23, 2015 in Certification Magazine
The legal battle between the FBI and Microsoft this spring brought encryption into the public spotlight in a major way for the first time. While cybersecurity and law enforcement professionals have long debated issues over key escrow and access to encrypted information, these debates were never part of the greater public discourse until now. Although the FBI dropped their request for access to the phone in the San Bernardino case, that tactical move merely kicked the can down the road.
In the wake of the FBI’s attempt to access the San Bernardino iPhone, legislatures at the federal and state level have all threatened to take up the issue, with legislators introducing bills that seek to address this challenge. It’s likely that we will continue to see legislative wrangling over encryption issues this summer and fall.
Read the full story: What’s Next for Encryption Legislation?
Published May 17, 2016 on SearchSecurity.com
Browse the shelves of your local home improvement or appliance store and you likely won’t be able to move two steps before encountering a device bearing the adjective “smart.” From televisions and microwaves to toothbrushes and sprinkler systems, almost every conceivable consumer device comes with WiFi or Bluetooth connectivity. While exciting, the Internet of Things also introduces a whole new world of security risks, providing hackers with millions of new targets for their nefarious activities. A recent IDC report predicted that 90% of all networks will experience an IoT-related security breach by the end of 2016. That’s a sobering statistic!
IoT devices aren’t just popping up in homes – they’re also appearing in offices and on factory floors. In some cases, these are the results of well-planned IT projects designed to improve automation or facilitate data collection. In other cases, well-meaning employees may simply plug an IoT device into an available network port without recognizing the risks such a device might pose to enterprise security. Security and networking professionals must understand the scope of IoT efforts within their organization along with the tools and techniques at their disposal to help protect against this threat.
Read the full story: Securing the Internet of Things
Published April 27, 2016 in Certification Magazine
Has the era of major revisions to the Payment Card Industry Data Security Standard (PCI DSS) come to an end? Some industry watchers believe that the standard has reached a stage of maturity where only minor tweaks are required and organizations can now expect stability in the world of credit card compliance.
In February, the PCI Security Standards Council (PCI SSC) published a blog interview with Troy Leach, the council’s Chief Technology Officer, that announced the upcoming release of PCI DSS 3.2 and discussed the future of the standard. Let’s dig in and take a look at what merchants should expect in PCI DSS 3.2 and how the standard’s release tempo might change in the future.
Read the full story: PCI DSS 3.2: Is this really the end?
Published April 25, 2016 on SearchSecurity.com
Cold hard cash is a strong motivator for many people and the Department of Defense is hoping that hackers are no exception. In March, DoD announced the upcoming launch this spring of a bug bounty program, modeled after those popular in the private sector. The press release announcing the program was short on details and long on patriotic hype, but this first-of-its-kind program in the public sector seeks to take an approach that has already proven successful in private industry.
Whether organizations like it or not, hackers will probe their systems seeking out weaknesses in servers and applications that may be exploited for a variety of reasons. Some of these individuals merely seek the intellectual challenge of identifying vulnerabilities and then leverage their discoveries to gain notoriety within the hacking community. Bug bounty programs seek to redirect these individuals to disclose their discoveries directly to the company, rather than to the general public, typically in exchange for some form of compensation. The goal is to harness the intellectual horsepower and work ethic of hackers and use it in the service of improving security.
Read the full article: Defense Department Puts Bounty on Bugs
Published April 12, 2016 in Certification Magazine
“Apple devices don’t get malware.” Those words have echoed throughout technology organizations and, for years, they were generally true. Times have changed, however, and both Macintosh computers and iOS mobile devices are now the source of frequent security vulnerabilities and find themselves the focus of malware authors and hackers. The rising prevalence of Apple devices in traditionally Windows-centric businesses, government agencies, and other organizations has placed iOS and Mac OS X squarely in the crosshairs of attackers seeking access to sensitive information and resources. Technology professionals seeking to secure their organizations must develop a strategy that considers both Apple and Windows security equally.
The Apple security landscape shifted dramatically during 2015 with several major changes that should cause every technology professional to reconsider previous opinions they held about the security of OS X and iOS devices. Apple products earned the dubious distinction of ranking first in the number of security vulnerabilities included in the well-respected Common Vulnerabilities and Exposures (CVE) database during 2015. An analysis of the database by CVE Details found that the database added 654 Apple vulnerabilities during 2015, compared to 571 vulnerabilities for Microsoft, who earned second place on the list.
Read the full story: Defending Macs and iOS Devices Against Malware
Published April 11, 2016 in StateTech Magazine
Cloud computing is transforming the world of information technology before our eyes. Less than a decade ago, IT teams focused most of their time on building enterprise data centers, managing capacity and building custom applications. Today, times have changed and many organizations are now shifting their focus toward the cloud, moving to a world where automation and integration dominate and enterprises purchase much of their computing as a service from a number of different providers.
This shift toward the cloud doesn’t only change the world of developers and engineers, it also dramatically affects the work of information security professionals. In the world of cloud computing, assessments rise in importance and contract language becomes as significant a security control as the configuration of the enterprise firewall. As security professionals seek to reinvent themselves as cloud security experts, they must gain new knowledge and skills and may wish to pursue professional certifications that help them demonstrate this aptitude to current and potential employers.
Read the full story: Secure Cloud: Earning Your Cloud Security Certification
Published March 28, 2016 in Certification Magazine