Information Security Leader, Author, Instructor and Speaker

How Agencies Can Secure Data from Shared Documents After Users Leave

A decade ago, agencies struggled to build collaborative workplaces because the technology to facilitate teamwork simply didn’t exist. The advent of modern office productivity suites changed that picture entirely.

With tools such as Google G Suite, Microsoft OneDrive and Box, agency teams could quickly and easily work together on a shared document without the version control problems that occurred with file servers and email threads back in the day.

Eventually, however, these tools presented a new problem: Specifically, what happens when a user leaves the agency?

Published August 2020 in FedTech Magazine.
Read the full article: How Agencies Can Secure Data from Shared Documents After Users Leave

How to shift from DevOps to DevSecOps

The worlds of software development and IT have changed tremendously over the last two decades. Software development evolved from the slow and rigid Waterfall model to the flexible and agile approach of DevOps. IT organizations evolved from using slowly provisioned on-premises infrastructure to the fast-paced environment of the cloud. As software development and IT shifted, cybersecurity professionals had to adapt to the change. DevSecOps — the process of integrating security into the DevOps lifecycle — is the most recent example of that adaptation.

DevSecOps is the natural consequence of shortening the development lifecycle. As a result of pressure to rapidly move code from development into production, there is no longer enough time for lengthy security review and testing processes. The goal of DevSecOps is to shift security left in the process. To achieve this, the operational work of security testing must be moved from dedicated security teams into the hands of developers. This enables developers to rapidly integrate the results of that testing into their code.

Published August 2020 in SearchSecurity
Read the full article: How to shift from DevOps to DevSecOps

How to mitigate an HTTP request smuggling vulnerability

Load balancers play a crucial role in modern web architectures. In addition to managing the routing of traffic, they also perform TLS termination, server health checking and other critical management functions to make websites scalable and secure.

However, the same technology that improves operational efficiency comes with a potential security issue: HTTP request smuggling attacks. It is critical that IT leaders understand how these attacks work and arm themselves with the following steps to protect web environments from HTTP request smuggling.

Published July 2020 in SearchSecurity
Read the full article: How to mitigate an HTTP request smuggling vulnerability

The VPN Is Obsolete. Here’s What to Do Instead.

The virtual private network has been a vital enabler of remote work for decades. But the technology, invented in 1996, is getting a bit long in the tooth. And when too many people are on a VPN simultaneously, as has been the case all summer with most businesses, issues with application latency are inevitable.

The good news is, there’s a better way for modern businesses to protect their networks no matter how many remote workers they have.

Tunnel to the Network

VPNs fit into the perimeter protection model of cybersecurity. Years ago, it was common for security professionals to describe the networks as having “hard outer shells and soft chewy interiors.” This phrase meant that businesses focused primarily on building walls around networks designed to protect the trusted resources on the inside from threat actors. This approach required robust firewalls designed to keep out virtually all traffic from the internet.

Published July 2020 in BizTech Magazine.
Read the full article: The VPN Is Obsolete. Here’s What to Do Instead.

Stateful vs. stateless firewalls: Understanding the differences

When considering stateful vs. stateless firewalls, the distinction between the two approaches may sound minor but is actually quite significant.

Stateless firewalls, one of the oldest and most basic firewall architectures, were the standard at the advent of the firewall. They were originally described as packet-filtering firewalls, but that name is misleading because both stateless and stateful firewalls perform packet filtering, just in different ways and at different levels of complexity. For example, stateful firewalls inspect the packet payload, while stateless firewalls only inspect the packet protocol header.

Published July 2020 in SearchSecurity
Read the full article: Stateful vs. stateless firewalls: Understanding the differences

Navigate the DOD’s Cybersecurity Maturity Model Certification

In January, the U.S. Department of Defense released the Cybersecurity Maturity Model Certification requirements, outlining new cybersecurity stipulations for DOD contractors. There is no deadline for compliance with this new standard, but defense contractors should expect to see its specifications incorporated into new DOD contract bid requirements.

Abbreviated CMMC, the model seeks to extend traditional requirements for handling classified information to include security controls around federal contract information and controlled unclassified information that is not intended for public release.

Published July 2020 in SearchSecurity
Read the full article: Navigate the DOD’s Cybersecurity Maturity Model Certification

Secure Your VPN, No Matter What

Last year, the Department of Homeland Security issued a vulnerability notice that disturbed many in the cybersecurity community: Several popular virtual private network solutions had insecurely stored authentication cookies in their memory or log files. An attacker gaining access to that information could steal a legitimate user’s session and gain access to services protected by the VPN without going through the normal authentication process.

Since then, vendors have provided patches for this vulnerability. But the announcement underscores the importance of carefully configuring and managing all components of an organization’s security program. VPNs play a crucial role, safeguarding network traffic between sites for remote and mobile users.

Published June 2020 in EdTech Magazine.
Read the full article: Secure Your VPN, No Matter What

3 key identity management tips to streamline workflows

Identity management is one of the most complex activities undertaken by any IT organization. The nature of the work requires close collaboration with other technology functions, HR teams, and business and functional leaders. When identity management processes function effectively, they largely remain transparent to those not directly involved in managing the processes. But, when things go wrong, identity management may be suddenly thrust into the spotlight after crippling operational functions.

The crucial nature of identity management practices merits careful attention from technology leaders. It also requires the dedication of skilled team members who serve as caretakers of the processes and agents of continuous improvement. It is important for an organization to take stock of its identity management lifecycle to make sure it is not missing opportunities to streamline and optimize workflows.

Published June 2020 in SearchSecurity
Read the full article: 3 key identity management tips to streamline workflows

How to Stop Phishing Attacks

Most successful attacks begin with a simple message. Here is what every organization should know about eliminating email-based malware.

How Real Is the Threat?

It’s very real. It may be tempting to dismiss phishing attacks as a tactic of the past, but attackers continue to rely on them because they work. Verizon studied hundreds of security breaches in 2019 and found that phishing was the most common method for successful attacks.

Published May 2020 in BizTech Magazine.
Read the full article: How to Stop Phishing Attacks

IDC PlanScape: Privacy Engineering

“Meeting privacy expectations of management and stakeholders requires a cross-functional approach with contributions from business leaders, privacy professionals, technologists, and cybersecurity teams,” says Mike Chapple, adjunct analyst with IDC’s IT Executive Programs (IEP).

IDC Research Report published May 2020.
Read the full report: IDC PlanScape: Privacy Engineering