Saturday, August 11, 2012

Dear Bloggers,

As a Microsoft certified professional, I cannot tell you how many times I’ve been included in discussions basically bashing Microsoft and their Internet Explorer web browser. I don’t seek to involve myself in these discussions, it seems like it just happens. Now I can’t give anyone specifics on how secure one web browser is over another, I can’t keep up with details like that but I have and supposedly always will support Microsoft and their core products revolving around their operating system and web browser. Now with that being said, I’ve just seen the following headlines:

Mozilla releases Firefox 14 to close several major holes

Twenty-six bugs patched in Google Chrome 21 release

At a time when people were leaving Microsoft’s IE for Mozilla’s Firefox and Google’s Chrome citing easier use and better security and blah blah blah, I feel like raising up my hands in victory and saying “whatchu got now, huh!?!?”. These web browsers that have been preached to me over and over again as the “better” browser are now the ones scrambling to fix bugs and security vulnerabilities. One article reports 14 vulnerabilities in Firefox, 5 of which are labeled as critical. Chrome has twenty-six vulnerabilities, with 6 classified as “high-priority”. Twenty-six?!?!?! Hello insanity!

Microsoft’s July 2012 Security Bulletin lists 2 IE9 vulnerabilities. Two. Who has the more secure web browser now, huh? :)

Until next time……
 

References

Colon, M. (2012, August). Mozilla releases Firefox 14 to close several major holes. Retrieved from http://www.scmagazine.com/mozilla-releases-firefox-14-to-close-several-major-holes/article/250797/

Colon, M. (2012, August). Twenty-six bugs patched in Google Chrome 21 release. Retrieved from http://www.scmagazine.com/twenty-six-bugs-patched-in-google-chrome-21-release/article/253031/

Saturday, August 4, 2012


Dear Bloggers,

Buzz word alert!! BYOD = Bring Your Own Device.

What does it mean? Allowing employees to utilize their own smart phones, handheld devices, and laptops on the network for work related activities.

This continues to be a struggle for the network security department: to lock down or to not lock down enterprise network resources to personal devices. At first the increase of personal devices in the workplace was unwelcome but now organizations are finding they have no choice but to embrace this wave of a technology trend.

Surprisingly enough, attitudes have changed and organizations are embracing BYOD. Studies have even shown that employee productivity increases by 30 minutes per day through BYOD. Greater productivity stems from user familiarity with their personal device and the convenience of using it in the work environment.

Of course there are pros and cons to BYOD. The increased productivity in employees is a loud and clear pro. The cons include additional points of entry into the organization’s network by cyber criminals and the fact that mobile devices are fast becoming a large target for theft and criminal activity.

Organizations can protect themselves by creating a multi-layered security approach. First, the content on the device must be protected. Second, the applications running on the device must be trustworthy. Third, the device must have strong authentication services incorporated into it.

With this multi-layered approach, network administrators can allow those personal devices on the network and (hopefully) have more confidence in the security of those devices and the protection of their networks.

Until next time……


Reference
Colon, M. (2012, August). Embracing BYOD: Mobile challenge. Retrieved from http://www.scmagazine.com/embracing-byod-mobile-challenge/printarticle/250425/

Sunday, July 29, 2012

Dear Bloggers,
I don’t know about you but I could deal with a lot less spam email trying to sell me cheap Viagra and fake Rolexes….and coincidentally, that is just what may have happened!
Grum, the top botnet of spam email, is estimated to have delivered 35% of the world’s spam email. Using servers located in the Netherlands, Russia, and Panama, Grum rose through the ranks overtaking Lethic for the top spot.
Recently a senior staff scientist at FireEye identified the IP addresses of the 4 command-and-control (C&C) servers making up the botnet. Two of those four servers were responsible for pushing configuration changes to infected computers while the other two servers were responsible for identifying which spam messages to send out.
Two of the four servers located in the Netherlands were taken offline, leaving Grum crippled but not dead. It would have been possible to resurrect the botnet, but security officials were quick to react and successfully took down the last of the servers located in Russia and Panama.
The permanent takedown of the top spam botnet sends a strong message to other botnets.
With Grum dead, zombies infected with malware are relatively harmless as they are unable to communicate with the servers.
With less spam, I can now focus my attention on valid email offers, like shoes!!
Until next time……

References
Rashid, F. (2012, July 18). Dutch police disable Grum botnet to slow spam spread. Retrieved from http://www.scmagazine.com/dutch-police-disable-grum-botnet-to-slow-spam-spread/article/250656/

Rashid, F. (2012, July 19). Grum botnet dead after remaining servers are shut off. Retrieved from http://www.scmagazine.com/dutch-police-disable-grum-botnet-to-slow-spam-spread/article/250656/

Sunday, July 22, 2012

Dear Bloggers,

To add to the ever-growing list of companies who have been hacked, Yahoo has now confirmed a database breach consisting of 400,000 usernames and passwords from their Contributor Network site.

To add insult to injury, the credentials stolen were stored on Yahoo's site unencrypted and have now been made public for all the world to see.

I'm a little surprised to note that the most common passwords were '123456' and 'welcome'. Actually, I'm past surprised, I'm appalled! In this day and age when SO much personal and financial information is stored online, how can a person not perform due diligence and create a strong password for their information? Would this at least give their data a fighting chance of staying out of the public eye??

The breach occurred through a SQL injection attack and obtained the data in clear text. This should not be a foreign concept to hear as this was a common threat seen in the Verizon Data Breach Investigations Report.

Yahoo has reported that the security vulnerability has been fixed and has increased their security measures and controls to prevent this type of attack in the future.

This seems to be a weekly cycle of information found on the scmagazine.com website...company reports a breach, vulnerability has been patched......company reports a breach, vulnerability has been patched....... it's a scary merry-go-'round that is happening all too often.

Oh look! Billabong has just reported a breach!!! <Sigh>

Until next time.....

References

Kaplan, D. (2012, July). Yahoo confirms breach, passwords appear not encrypted. Retrieved from http://www.scmagazine.com/yahoo-confirms-breach-passwords-appear-not-encrypted/article/250002/

Kaplan, D. (2012, July). Yahoo closes security hole that led to password breach. Retrieved from http://www.scmagazine.com/yahoo-closes-security-hole-that-led-to-password-breach/article/250426/

Sunday, July 15, 2012

Dear Bloggers,
No matter how many employees hold a security certification, no environment is perfectly secure. There will always be an employee who opens an infected email or clicks on an attachment for a nasty infection to occur. You will not be able to defend your environment from human error. It is the “Achilles’ heel of most security operations” (Kaplan, 2012).
CISSP stands for Certified Information Systems Security Professional. In the world of Information Security, this is THE certification to have. Fresh out of college candidates for employment do not have the security skills sought by most companies. The process of obtaining the CISSP certification impresses on employers that the skills they are looking for can be found in a candidate that has obtained this accomplishment. Obtaining (and keeping) this certification is a selling feature. The certification is obtained by individuals who have achieved five years of full-time security work experience and have trained for and passed the test. Those certified CISSP individuals must also keep up with changes in security as the certification requires 120 continuing professional education (CPE) credits every three years. Don't take the endeavor of studying for this test lightly though, just last December 3,700 certification exams were taken and only half of those test takers passed.
If you can get the certification you are in luck! The demand for security professionals far outweighs the supply. More demand + few supplies = More money to be had.
The professional environment has recently evolved though. It had gotten to the point where there were multiple certification bodies and each with their own certification which has the effect of bringing down the value of the CISSP since organizations didn’t know which certification was the better one to look for.
On a positive note, this washing out of security certifications did not go unnoticed. Organizational bodies such as the Cyber Security Credentials Collaborative (C3) and the National Initiative for Cyber Security Education are working together to create a common classification allowing security roles to be matched with security competencies enabling hiring agencies to better perform their job. This type of classification will better the security environment providing for the advancement of careers while meeting the needs of the organizations. That’s very good news indeed!
Until next time…..

Reference
Kaplan, D. (2012, May). Seal of approval: Security certifications. Retrieved from http://www.scmagazine.com/seal-of-approval-security-certifications/article/236301/

Sunday, July 8, 2012

Dear Bloggers,

To coincide with our reading from week 4, I've found an article giving us better insight into insider threats.

In opposition to external threats which are often reported, there is, more often than not, a lack of reporting regarding insider threats for two reasons: organizations either didn't know about the threat or didn't want to report the threat. While companies seem to be all geared up to fight the good fight against external threats, they simply are not "prepared or equipped" (Cotriss, 2012) to battle the threats from inside the organization.

Our author details in the article that while malicious threats from the organization are low, incidents regarding "erroneous or accidental breaches" (Cotriss, 2012) are happening at a rate that is a cause for concern. Examples of these include choosing 'reply to all' instead of just a simple 'reply' and sending email not only to the person you intended to send the email to but also to the entire global address book.........oopsie!

Threats from inside the organization are coming more popularly in the forms of third party contractors, blending personal and work information on the same portable device, and in conjunction with that, a "phenomenon" (Cotriss, 2012) our author describes as BYOD or Bring Your Own Device.

It's up to the organization to be proactive and implement security training and make sure their employees know what they can do regarding "appropriate custodial care of data" (Cotriss, 2012) to be a safer organization.

Until next time......


Reference
Cotriss, D. (2012, July). Danger within: Insider threat. Retrieved from http://www.scmagazine.com/danger-within-insider-threat/article/245432/

Saturday, June 30, 2012

Dear bloggers,
What a great article I’ve come across to tie beautifully into our reading assignment this week! Who is really responsible to protect America from data loss? by Kevin Pouché touches on both the importance of data security in the corporate environment and how little respect, attention, and budgetary allowance it’s given to protect data assets.
Cyber threats not only affect our economy but also our national security. It’s no wonder government legislature has introduced bills in an effort to alleviate the threats. Those bills include the Stop Online Piracy Act (SOPA), Protect IP Act (PIPA), the Cybersecurity Act of 2012, and the Cyber Intelligence Sharing and Protection Act (CISPA). While the desired outcome of these bills is the reduction of data breaches, the bills are met with controversy so the process to move from a bill to a law is very time consuming.
The author of the article, Pouché, is a firm believer that the protection of data is the responsibility of the company that holds the data, not the government, and I strongly agree with that point of view. The threat to data security however is so strong that the need for government regulation and control has brought forth the bills mentioned previously.
“It’s time for businesses to get serious about data security” quotes Pouché (2012). Oftentimes conversations with security professionals are productive and the need for more secure procedures is identified. When the conversation moves to the corporate executives however, those talking points fall on “deaf ears” (Pouché, 2012).
The impact of data loss on revenue is rising, from 0.6% in 2012 to an estimated 0.77% in 2013 to 1.6% in 2018. Unless conversations can be productive with realistic goals set and met by corporations, this business of data breaches and insecurity is estimated to get wildly out of control.
What are your thoughts?
Until next time….

Reference
Pouché, K. (2012, June). Who is really responsible to protect America from data loss? Retrieved from http://www.scmagazine.com/who-is-really-responsible-to-protect-america-from-data-loss/article/246351/