First of all, let me say thank you to the security professionals who are working their butts off to develop patches and permanent fixes for problems caused by Heartbleed. I know this is an extraordinary case of the highest priority. Thank you for using your talents and your time to plug this gaping hole and make your users safe again.
That said, I must criticize you for not engaging your colleagues on your communications team to keep your customers apprised of the situation. If ever there was a time to talk directly to consumers about computer security, this is it. Consumers are wholly confused and a little scared by this situation and they don’t know what to do—if anything.
Listen up, all you security experts who want to be entrepreneurs! John Pescatore, the SANS Institute Director of Emerging Security Trends, sees an opportunity for the Next Big Thing in tech security. In Pescatore’s view, there’s a growing need for supply chain integrity testing.
In the wake of all the digital spying revelations let loose by the Edward Snowden documents, there is now a general lack of trust in the hardware and software that we all use to build and manage our networks.
In the world of Industrial Control Systems (ICS), a system outage or infiltration can result in system downtime, loss of productivity and loss of revenue, as well as loss of confidentiality, integrity and availability. Because of the critical nature of these devices, an outage or infiltration could also result in loss of life. Together, lack of access to critical ICS components and lack of visibility into the operational performance of those components can create a dire situation for those tasked with ensuring the safety of these systems.
I live in Texas, and there’s a regional retailer that has just announced a data breach that is believed to have affected more than half a million customers. The announcement is controversial because the company, Spec’s, supposedly knew about the theft of payment card data almost a year ago and is just now telling customers. As you might imagine, people affected by this breach are rather upset.
Let me lay out the details, as reported by the Houston Chronicle newspaper. (I have no first-hand knowledge of this breach, although I am a Spec’s customer and could possibly be a victim of the breach. I have not received any such notice, though.)
The Federal Financial Institutions Examination Council (FFIEC) today released advisory statements warning financial institutions of the risks associated with cyber-attacks on ATMs and credit card authorization systems, and with the continued DDoS attacks against public-facing websites.
Thanks to the NSA, so much attention has been on the fact that the federal government is collecting metadata about our phone calls that we have taken our eyes off what’s happening on the email front. There have been a few stark reminders in the news recently that email isn’t private and we shouldn’t use it to transmit sensitive information. It also prompts the question, “Do the ends justify the means when it comes to a need to know?”
In the first example, Microsoft admitted in federal court documents that it went into a blogger’s Hotmail account and searched for content. Not just any content, mind you, but for information about proprietary Microsoft code that an ex-employee had supposedly emailed to the blogger. Microsoft lawyers said they did not need any sort of search warrant to go into the account because the Hotmail terms of service permit Microsoft access to content on its own servers in such extreme cases.
In a previous blog post I talked about the upcoming National Cybersecurity Career Fair (NCCF) this June 18 and 19, 2014. NCCF is an innovative virtual meeting place for the top cybersecurity employers and entry- to mid-level cybersecurity jobseekers in the United States.
It turns out that this job fair is desperately needed by employers in practically every industry, but especially government, healthcare, financial services, retail/wholesale and manufacturing. According to a recent report from Burning Glass Technologies, the current cybersecurity staffing shortage is estimated at between 20,000 and 40,000 positions and is expected to persist for years to come. Over the past five years, demand for IT security professionals at all levels has grown more than 3.5 times faster than demand for other IT jobs, and more than 12 times faster than demand for all other non-IT jobs.
Corero recently partnered with John Pescatore, Director of Emerging Security Trends with the SANS Institute, to develop a survey program designed to shed more light on organizations’ experiences with DDoS attacks.
Do you know anyone who is an aspiring cyber security professional? Here is some important information to pass along to help them get their career started. This is also big news if your organization is looking to recruit entry-level people for IT security positions.
Coming up this June 18 and 19, 2014, Cyber Aces is presenting the first National Cybersecurity Career Fair (NCCF). NCCF is an innovative virtual meeting place for the top cybersecurity employers and cybersecurity jobseekers in the United States. The event is co-sponsored by SANS Institute, the US Cyber Challenge, the Council on Cyber Security, the Center for Internet Security and SC Magazine.
In his recent “Attack of the Month Video Blog Series,” Stephen Gates talks about NTP reflection traffic as the latest technique being used to launch DDoS attacks against hapless victims. This is certainly something to pay attention to. Since the beginning of 2014, the number of attacks using this method has skyrocketed, largely because a new NTP reflection/amplification toolkit has become available in the cybercriminal underground. Toolkits like this promote Cybercrime-as-a-Service, and it appears that many attackers are buying.
NTP, which stands for Network Time Protocol, has been around for decades and is ubiquitous on the Internet. It is the mechanism that synchronizes the clocks on Internet-connected devices of every type—servers, routers, PCs, etc. It is everywhere you can imagine, which is another reason it is so easy to exploit.