The legal battle between the FBI and Microsoft this spring brought encryption into the public spotlight in a major way for the first time. While cybersecurity and law enforcement professionals have long debated issues over key escrow and access to encrypted information, these debates were never part of the greater public discourse until now. Although the FBI dropped their request for access to the phone in the San Bernardino case, that tactical move merely kicked the can down the road.
In the wake of the FBI’s attempt to access the San Bernardino iPhone, legislatures at the federal and state level have all threatened to take up the issue, with legislators introducing bills that seek to address this challenge. It’s likely that we will continue to see legislative wrangling over encryption issues this summer and fall.
Read the full story: What’s Next for Encryption Legislation?
Published May 17, 2016 on SearchSecurity.com
Browse the shelves of your local home improvement or appliance store and you likely won’t be able to move two steps before encountering a device bearing the adjective “smart.” From televisions and microwaves to toothbrushes and sprinkler systems, almost every conceivable consumer device comes with WiFi or Bluetooth connectivity. While exciting, the Internet of Things also introduces a whole new world of security risks, providing hackers with millions of new targets for their nefarious activities. A recent IDC report predicted that 90% of all networks will experience an IoT-related security breach by the end of 2016. That’s a sobering statistic!
IoT devices aren’t just popping up in homes – they’re also appearing in offices and on factory floors. In some cases, these are the results of well-planned IT projects designed to improve automation or facilitate data collection. In other cases, well-meaning employees may simply plug an IoT device into an available network port without recognizing the risks such a device might pose to enterprise security. Security and networking professionals must understand the scope of IoT efforts within their organization along with the tools and techniques at their disposal to help protect against this threat.
Read the full story: Securing the Internet of Things
Published April 27, 2016 in Certification Magazine
Has the era of major revisions to the Payment Card Industry Data Security Standard (PCI DSS) come to an end? Some industry watchers believe that the standard has reached a stage of maturity where only minor tweaks are required and organizations can now expect stability in the world of credit card compliance.
In February, the PCI Security Standards Council (PCI SSC) published a blog interview with Troy Leach, the council’s Chief Technology Officer, that announced the upcoming release of PCI DSS 3.2 and discussed the future of the standard. Let’s dig in and take a look at what merchants should expect in PCI DSS 3.2 and how the standard’s release tempo might change in the future.
Read the full story: PCI DSS 3.2: Is this really the end?
Published April 25, 2016 on SearchSecurity.com
Cold hard cash is a strong motivator for many people and the Department of Defense is hoping that hackers are no exception. In March, DoD announced the upcoming launch this spring of a bug bounty program, modeled after those popular in the private sector. The press release announcing the program was short on details and long on patriotic hype, but this first-of-its-kind program in the public sector seeks to take an approach that has already proven successful in private industry.
Whether organizations like it or not, hackers will probe their systems seeking out weaknesses in servers and applications that may be exploited for a variety of reasons. Some of these individuals merely seek the intellectual challenge of identifying vulnerabilities and then leverage their discoveries to gain notoriety within the hacking community. Bug bounty programs seek to redirect these individuals to disclose their discoveries directly to the company, rather than to the general public, typically in exchange for some form of compensation. The goal is to harness the intellectual horsepower and work ethic of hackers and use it in the service of improving security.
Read the full article: Defense Department Puts Bounty on Bugs
Published April 12, 2016 in Certification Magazine
“Apple devices don’t get malware.” Those words have echoed throughout technology organizations and, for years, they were generally true. Times have changed, however, and both Macintosh computers and iOS mobile devices are now the source of frequent security vulnerabilities and find themselves the focus of malware authors and hackers. The rising prevalence of Apple devices in traditionally Windows-centric businesses, government agencies, and other organizations has placed iOS and Mac OS X squarely in the crosshairs of attackers seeking access to sensitive information and resources. Technology professionals seeking to secure their organizations must develop a strategy that considers both Apple and Windows security equally.
The Apple security landscape shifted dramatically during 2015 with several major changes that should cause every technology professional to reconsider previous opinions they held about the security of OS X and iOS devices. Apple products earned the dubious distinction of ranking first in the number of security vulnerabilities included in the well-respected Common Vulnerabilities and Exposures (CVE) database during 2015. An analysis of the database by CVE Details found that the database added 654 Apple vulnerabilities during 2015, compared to 571 vulnerabilities for Microsoft, who earned second place on the list.
Read the full story: Defending Macs and iOS Devices Against Malware
Published April 11, 2016 in StateTech Magazine
Cloud computing is transforming the world of information technology before our eyes. Less than a decade ago, IT teams focused most of their time on building enterprise data centers, managing capacity and building custom applications. Today, times have changed and many organizations are now shifting their focus toward the cloud, moving to a world where automation and integration dominate and enterprises purchase much of their computing as a service from a number of different providers.
This shift toward the cloud doesn’t only change the world of developers and engineers, it also dramatically affects the work of information security professionals. In the world of cloud computing, assessments rise in importance and contract language becomes as significant a security control as the configuration of the enterprise firewall. As security professionals seek to reinvent themselves as cloud security experts, they must gain new knowledge and skills and may wish to pursue professional certifications that help them demonstrate this aptitude to current and potential employers.
Read the full story: Secure Cloud: Earning Your Cloud Security Certification
Published March 28, 2016 in Certification Magazine
In the past few months, deadly terrorist attacks rocked both Paris, France and San Bernardino, California. The technical investigation following both incidents focused on questions related to whether the attackers communicated with each other using strong encryption to avoid eavesdropping by law enforcement and intelligence organizations. These questions sparked a national debate on the use of encryption and government access to private communications. There’s one bottom line question: Is encryption evil?
Politicians and presidential candidates quickly condemned the bombings but also used their soapboxes to condemn encryption technology as a tool of terrorism. In a Democratic debate, Hillary Clinton called for “a Manhattan-like project” focused on encryption. Republican presidential candidate John Kasich said that “we have to solve the encryption problem.” There’s certainly an undertone in the national conversation that encryption is an unwanted technology that facilitates terrorism and that the government must take action to protect Americans from it.
Read the full story: Encryption is Not Evil
Published January 2016 in Certification Magazine
Organizations around the world have extremely complex technology environments that depend upon many different components to function properly. Operating systems, hardware devices and applications all play a role in shaping our technology environments and each of these components relies upon current security patches to remain protected against the many threats found on the Internet. The vendors supplying these products continue to supply patches for older versions of their product still in use at customer sites but, unfortunately for IT teams, all good things must come to an end. Vendors are only willing to support a limited number of older versions because of the costs involved in maintaining legacy software and hardware. When a vendor decides to end support for a product, organizations using it face difficult end-of-life decisions.
From a security perspective, using current software versions is a critical control. Many of the issues corrected by vendor patches are major security vulnerabilities that leave an organization open to attack. When a vendor ends support for a product, any new vulnerabilities discovered will remain unpatchable, leaving the organization susceptible to attack: clearly an undesirable situation! Adding to the gravity of the situation, hackers often develop and use automated scanning tools that scour the Internet searching out systems containing vulnerabilities. Leaving an unpatched, out-of-support device connected to the Internet presents a dangerous security risk but it happens every day!
Read the full story: IT and End of Life Issues
Published February 22, 2016 in Certification Magazine
In 2014, officials at the Internal Revenue Service received a Congressional subpoena demanding that the agency turn over all email messages sent or received by IRS official Lois Lerner as part of a Congressional investigation. Information security professionals suddenly found themselves in the public spotlight when the IRS claimed that they were unable to produce Lerner’s emails because her hard drive had crashed and the backup tapes had been accidentally erased. This began a months-long saga as data integrity issues took center stage in the media and the public focused on the ability of federal agencies to maintain the integrity of official government records.
There’s no doubt that federal agency information technology professionals have a special obligation to preserve the integrity of agency information. From tax records to legislative history, federal agencies preserve and protect the critical information that comprises our nation’s history and ensures its continued efficient operation. The duty to preserve federal records is a sacred trust between the American people and the nation’s government and IT professionals bear significant responsibility for maintaining this trust. Fortunately, there are several technology tools available to assist in this important task.
Read the full story: Preserving Data Integrity
Published February 18, 2016 in FedTech Magazine
The proposed General Data Protection Regulation (GDPR) recently passed a key legislative hurdle in the European Union and enterprise compliance teams are watching carefully as the regulation nears expected adoption in early 2016. Once passed, organizations doing business in the EU will have a two-year grace period to become compliant with the regulation before facing steep fines for non-compliance.
Under the GDPR, the EU seeks to implement a single set of data privacy rules that apply across all EU member states. It expands many of the provisions of the 1995 EU Data Protection Directive and applies to organizations that previously fell outside the scope of EU regulation due to their geographic location. The GDPR includes notice and consent provisions similar to those found in the 1995 regulation with some enhancements, including disclosure of the retention time for personal information and parental consent requirements for children under the age of 13.
Read the full article: Minimizing Compliance Costs with GDPR on the Horizon
Published February 16, 2016 on SearchSecurity.com
Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.