Vulnerabilities can take many forms, and you can't expect to uncover them all unless you have a diverse portfolio of tools to help you in the hunt.
By Mathias Thurman | 03 July, 2015 04:47
The hack of the U.S. Office of Personnel Management didn't surprise me. All significant organizations are regularly attacked, and every major federal agency is a big target.
By Ira Winkler | 30 June, 2015 04:01
Hi, my name is Steven J. Vaughan-Nichols and I had a security clearance in the 1980s. Because of that, my personal records are likely to have been revealed by the Office of Personnel Management hack.
By Steven J. Vaughan-Nichols | 30 June, 2015 02:41
Both Facebook and Google have been working hard at using computers and algorithms to identify people in photos. They've gotten really good at it.
By Mike Elgan | 29 June, 2015 20:10
For the past few weeks, I've been knee-deep in PCI compliance. I have previously mentioned that although my company's current credit card transaction volume doesn't require a full PCI audit, we have made a business decision to get the full PCI Report on Compliance, which entails hiring a qualified security assessor (QSA), submitting evidence, conducting a variety of qualified penetration tests and assessment scans and ultimately having an auditor spend about a week on site reviewing evidence and conducting in-depth testing of the 400-plus controls.
By Mathias Thurman | 24 June, 2015 03:07
RSA recently published its inaugural and aptly named Cybersecurity Poverty Index. This study is based on self-assessments by organizations who compared their current security implementations against the NIST Cybersecurity Framework. According to the report, almost 66 percent rated themselves as inadequate in every category. With all of the recent breaches in the news, part of me is astounded at this finding. The other part is not surprised, given that this matches what I see in the field every day.
By Robert C. Covington | 16 June, 2015 03:59
The chat room and social network religious wars between Apple and Google demand that you take sides. But I've always felt that the best experience includes a cherry-picking of Apple hardware, Google services and apps from both.
By Mike Elgan | 16 June, 2015 01:29
Another hack, another claim of inevitability. It is frustrating to read about the IRS breach and see it declared sophisticated. The following quote, from the IRS commissioner to CNN, is just outright infuriating:
By Ira Winkler and Araceli Treu Gomes | 04 June, 2015 07:01
Last year, I wrote about a ransomware infection that encrypted the hard drive of one of my company's employees. In that situation, a live, in-person scammer called the employee, claiming to be from "technical support," and tricked the employee into visiting a website that infected his computer. As with a similar situation I wrote about in 2012, the infection came from an advertisement on the front page of a major news service's website. The website runs rotating ads, one of which was compromised and hit the victim with a drive-by malware infection (without any intervention by or even the knowledge of the victim). I thought that because the infection was on the victim's personal computer, not on my company's network, we were pretty safe. I thought that if it had been on my network, the attempt probably would have failed, or would at least have been detected right away.
By J.F. Rice | 19 May, 2015 23:08
Some things are just so predictable. A retailer is told about a mobile security hole and dismisses it, saying it could never happen in real life -- and then it happens. A manufacturer of passenger jets ridicules the risk posed by a wireless security hole in its aircraft, saying defensive mechanisms wouldn't let it happen -- and then it happens.
By Evan Schuman | 19 May, 2015 19:09
The feedback from our last article, in which we laid out what we call the Irari Rules for classifying a cyberattack as "sophisticated," was overwhelmingly positive. Nonetheless, a few people we respect disagreed with us. Ironically, examining why they disagreed demonstrates why the Irari Rules are relevant.
By Ira Winkler and Araceli Treu Gomes | 14 May, 2015 02:45
One thing that we security managers can be sure of is this: There is no guarantee that our company will not suffer a security breach. In fact, the odds are increasing all the time, helped along by the proliferation of mobile devices, companies' heavy use of software as a service and the consumerization of IT. And let's face it: Creating a culture that fosters innovation and attracts talent exacts a cost in defensibility.
By Mathias Thurman | 12 May, 2015 07:08
Microsoft is set to upend a 12-year practice of providing security patches on the same day each month to everyone. Or not.
By Gregg Keizer | 08 May, 2015 07:00
It's always a good idea to point the car in the right direction before pressing the gas pedal, right? Why is it, then, that so many people lose sight of that simple concept?
By Kenneth van Wyk | 29 April, 2015 05:40
Organizations hit by a cyberattack have reason to call the attack "sophisticated." But calling an attack sophisticated doesn't make it sophisticated. We have put our heads together and come up with some rules for determining whether an attack is sophisticated, and we have put our names together (Ira and Ari) to give these rules a name: the Irari rules. If any of the following conditions occur, the attack is not sophisticated:
By Ira Winkler and Araceli Treu Gomes | 23 April, 2015 01:24
Sony is reliving the nightmare that its hacked databases gave rise to late last year, now that Wikileaks has thoughtfully published all of the leaked documents in a searchable database. Really, they are the most courteous hoodlums ever.
By Evan Schuman | 21 April, 2015 19:11
Last week, I was horrified to discover a problem with my vulnerability scanner. The product I use relies on a user account to connect to our Microsoft Windows servers and workstations to check them for vulnerable versions of software, and that user account had never been configured properly. As a result, the scanner has been blind to a lot of vulnerabilities. And this has been going on for a long time.
By J.F. Rice | 13 April, 2015 23:47
I mentioned in a previous article that we are using a "loaner" Palo Alto Networks firewall, with all the bells and whistles. Our testing led to all sorts of interesting discoveries, and I certainly hope that the executive staff will agree that the increased visibility makes this sort of new-generation firewall well worth the investment.
By Mathias Thurman | 09 April, 2015 23:51
It's a time-honored tradition: U.S. businesses find ways to skirt inconvenient or expensive laws by moving operations to other countries. Thus we have had U.S. corporations operating overseas to exploit child labor, run sweatshops or avoid taxes and rigorous health and safety inspections. Now the U.S. government says something similar is happening in regards to email.
By Evan Schuman | 18 March, 2015 01:56
In the current market, there is an increasing demand for unbiased information about Enterprise Mobility Management (EMM) solutions. This white paper focuses on solutions that are anticipated to have an important role in Enterprise Mobility Management. An overview of features has been created to enable a better understanding and comparison of capabilities.
Incorporating path control in your WAN is a critical first step toward deploying a full SD-WAN solution. This whitepaper looks at how dynamic tools can cut through the complex configuration, time and resources otherwise required, so that the hybrid links that may already be deployed in the network can be used efficiently.