Obama Cybersecurity Plan: What's In It For SMBs?
New cyber czar (though no names yet), management from the top, calls for more coordinated cybersecurity efforts, privacy protection -- same old same old, or does the unveiling of the Obama administration's cybersecurity plan promise real changes in the government's approach to securing cyberspace? More importantly, what's in the plan for small and midsized businesses?
Obama Administration's IT Security Review
Today the White House released its 60-day review on cybersecurity policy, and the report -- as well as the administration's plan -- consists of five primary prongs: top-down leadership, education, distributed responsibility, information sharing, and encouraging innovation.
Storage CAPEX VS. OPEX
Wrapping up our series on choosing storage projects, part of the conversation has to be what is more important, CAPEX or OPEX? Almost every storage project you decide to embark on will have to be brought to management as something that is going to either reduce your capital expenditures or lower your operational expenditures. Which part of these projects is more important?
Cybercriminals: More Obvious Than They Think?
Attackers often use and abuse security by obscurity, which can lessen the likelihood that they will be caught. From them we can learn a lot about profiling attackers on our networks, and how they work to achieve better operational security. Take their use of encryption.
Selecting Your Next Storage Project - Big Projects
In a prior entry we discussed how to select your next storage project and suggested that most IT professionals are going to focus on smaller projects -- basically filling in potholes as opposed to paving a new road. There are times, however, even when staffing is scarce and money is tight, that you need to undertake a big storage project to fix the problem, essentially putting in a new road.
U.S. Cyber Czar On The Horizon; New Legislation, Too?
The buzz surrounding President Obama's efforts at securing our cyber-infrastructure is audible. The release of a 60-day review of the government's cybersecurity efforts, which started back in February, is expected soon, along with the naming of a new White House official -- a "cyber czar," as some are calling the position -- who will reportedly have purview over developing a strategy for securing both government and private networks.
Spam Surge: 9 Out Of 10 E-mails Can't Be Good!
90% of all email was spam last month, according to Symantec's MessageLabs Intelligence Report, just released. The figure is up more than 5% in the last month. Good news, I guess, is that things can't get much more than 10% worse from here.
Security Benchmarks For Apple iPhone Released
Today the Center for Internet Security released a set of benchmarks designed to help consumers and businesses alike communicate using their favorite toy. Whoops, I meant smartphone. The guidance is worth a look.
Summer Security: Don't Put Backups In The Trunk
Temperatures are starting to rise outside -- and when they do, you can bet they're rising even faster in trunks and locked cars, two of the places you should never put media you're transporting. And according to a data recovery specialist, they're also two of the most common locations for media in transit -- and two of the most common sources of data damage.
When Your Security Career Gets Hacked
Security professionals like to think they're immune from the economic woes plaguing the rest of the business world, but, unfortunately, many are finding out the hard way that their jobs aren't any more secure than their apps. So career coaches Lee Kushner and Michael Murray today launched an "incident response" podcast series to help security professionals whose careers have been hacked and their jobs lost get back into the job market.
Google I/O Developer Conference: Where's The Security Love?
At the Google I/O developer conference this week, Google Inc. will host more than 80 technical sessions on all of the Google apps and platforms we've come to know -- Android, Chrome, App Engine, Web Toolkit, AJAX and others. When reviewing the Google I/O Schedule this morning, I was disappointed by what could not be easily found.
20 SMB Security Products Worth A Look
Take a few minutes this holiday weekend -- always assuming there's such a thing as holiday weekends for small and midsized businesses -- and check out twenty of the hottest and most budget-savvy (rarely the same thing) new security products.
Adobe Owns Up To Security Issues
The discussion surrounding how to make software vendors accountable for hacked systems and data breaches due to security problems in their products is, at best, an effort in futility. As much as we'd like to have Microsoft, Oracle, and Adobe take responsibility for software vulnerabilities that have caused us headaches and cost us money, we are stuck in an endless loop of dependence on their products.
Web 2.0 For Business Requires Web 2.0-Level Security: Websense
The various elements and components and approaches that comprise Web 2.0 offer large business promise. But they also create large business risk and exposure. Better make sure your security and especially your security policies are up to the challenges.
NetApp Buys Data Domain - User Impact
With yesterday's announcement of NetApp's intention to buy Data Domain, a question that needs to be answered by IT professionals is: how does this affect them? In our blog on Information Week's sister publication Byte and Switch we looked at the industry impact, but what about the users? There are current customers, c
Adobe (Finally) Getting Security Religion
In the past number of years Adobe Systems hasn't seemed to have its act together when it comes to mitigating security risks in its PDF. Hopefully, that's about to change.
Ruminating on CSI SX
Citizens of the Information Security Nation, to you I say: Classify and inventory your data and assets!
Tedium? Odium? Delirium? Yes, probably all three. But worth the trouble.
Educating Our Clients Is Part Of Our Responsibility
Have you ever had a client (or your own employer) say, "There's no way a user could hack our internal Web apps; they can't run anything but authorized applications like a Web browser and e-mail client." Happens all the time, right? Guess what -- you're not alone.
Selecting Your Next Storage Project - Edge Projects
Unfortunately, the reality is often that the storage project you are going to work on next is the one users are screaming the loudest for and that you can also afford, and it usually involves "add capacity." Is there a better way to go about selecting your next storage project?
On Prison And Corporate Data Escapes
In its broadest sense, social engineering is deception to manipulate or exploit people. That's exactly how more than 50 Mexican inmates were freed this weekend. How much proprietary corporate data is "liberated" in much the same way?
Watch Your Website Even As You Watch Out For Others
Businesses rightly spend much time and effort seeking to protect their employees from malicious Web sites and the havoc those sites can wreak. A new report reminds us not to neglect vulnerabilities on our own sites, 60% of which contain the sorts of vulnerabilities the malware makers love to exploit.
Zero-Day IIS Vuln Bypasses Authentication
Windows sysadmins responsible for servers running Microsoft Internet Information Services (IIS) received an unexpected surprise last Friday afternoon -- or first thing this morning -- in the form of a zero-day vulnerability. The vulnerability is reminiscent of the well-known IIS Unicode path traversal issue from 2001, but instead of path traversal, this one allows attackers to access and upload files on WebDAV-enabled IIS 6 servers. Nicolas Rangos (aka Kincope) released information about the vulnerabili
Lessons From Fighting Cybercrime
The history of anti-spam teaches us about half-baked ideas and how people succeeded or failed to implement them. The analogy of evolution, while limited, demonstrates how reactionary solutions can achieve strategic goals before they are made obsolete by countermeasures.
Security Is Part Of The Cost Of Doing Business
Looking for ROI on a security investment is misguided -- how do you measure the cost of something that doesn't happen? But nothing happening is exactly the return you hope for when you invest in securing your business IT.
'Kramer' Is In The Building
My firm, Secure Network Technologies, was recently hired by a large healthcare provider to perform a security assessment. As part of the job, my partner, Bob Clary, posed as an employee, similar to the "Seinfeld" episode in which Kramer shows up and works at a company where he was never actually hired.
SMBs Can Trim Costs With Remote Workers, But Do It Securely
If you're looking at ways to trim operating costs without trimming staff, sending employees home to work may be near the top of your list. Just be sure, before you do, that the employees' home workspace is as secure (or more!) as your business facility.
Tippett To Discuss Verizon Breach Report
Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, will discuss the results of the company's "2009 Verizon Business Data Breach Investigations Report" (DBIR) at CSI SX: Security Exchange, taking place May 17-21 in Las Vegas.
Return On Efficiency
What if "do more with less" was more than a marketing phrase? What if you really could do more with less? There are storage solutions available now that really let you improve efficiency, but one of the key components of deciding whether a do-more-with-less project is successful is to measure the return on efficiency. For the dollars invested, are you X more effective at your job?
Detecting Malware Through Configuration Management
Malware analysis has two basic approaches, which fall into either the static or the dynamic analysis category. The static approach analyzes the malicious executable itself by disassembling it to determine its true nature. Dynamic analysis involves executing the malware and analyzing its behavior.
3 Disaster Recovery Tips (Or Risks!) You May Have Overlooked
You've got your Disaster Recovery plan in place (don't you?) and, if disaster should strike, you're ready to bounce back quickly. Or are you? Take a look at these three good -- and in case of disaster, critical -- tips to make sure your plan works.
SIEM Case Study: Israeli e-government ISP
Want a case study on the slings and arrows of outrageous SIEM implementation? Sure you do. (Really. You do. Trust me on this one.) Assaf Keren, information security manager at the Israeli e-government, recently briefed me on the challenges and lessons he is learning whilst implementing a SIEM center in the Israeli e-government ISP Project (called "Tehila") -- a topic he first told us about during the SIEM Summit at the CSI Annual 2008 conf
Secure360: The Triumph Of Politics (Over Security)
While listening this morning to Howard Schmidt, former special adviser for cyberspace security for the White House, talk candidly about information security at the Secure360 conference here in Saint Paul, MN, I began wondering: why didn't we implement the original National Strategy To Secure Cyberspace?
DAS VS. SAN - High Capacity
Continuing our examination of the resurgence of direct attached storage (DAS), in this entry we look at the ever-increasing internal capacity of DAS in servers. One of the key reasons users begin looking at a SAN or NAS is when the capacity demands of a single server outpace its internal storage capabilities. This may no longer be justification enough to make the move to networked storage or to continue to expand the network storage you have.
Porn Leads To Conviction Under 'Hacker Law'
Did you know that by looking online for an "adult friend" and uploading nude pictures of yourself while at work, you could be convicted using the same law that was designed for prosecuting malicious hackers?
Hidden Botnet Costs Hit SMBs Hard
While the obvious risks of bots to your business and its data -- harvesting of names, keylog sniffers seeking sensitive data -- rightly receive the most attention, compromised systems carry other risks that can exact a heavy business price. Server capacity, bandwidth and even power consumption are hidden parts of the bot equation.
Recession Opens Up Opportunities To Innovate
Information technology, and especially the area of security, is an ever-changing, dynamic field for work and research. That's one of the reasons I enjoy it so much; if I get bored with one thing, there's a dozen others I can focus on and come back to the previous thing later. But, we are in interesting times. Enterprises are cutting back IT budgets. Layoffs are happening all around us. Companies are consolidating. What does this mean to the infosec community?
SMBs In Cyber Criminals' Crosshairs
When it comes to IT security, small and midsize businesses are in the unenviable position of being not only more attractive to criminals, but also having fewer resources to defend themselves.
DAS VS. SAN - Capacity And Performance Management
Capacity presents two challenges in the Storage Area Network (SAN) vs. Direct Attached Storage (DAS) debate. A traditional knock against DAS, and a reason that many data centers get a SAN, is these two capacity challenges: first, can you get enough capacity, and second, can you use that capacity efficiently in a performance-sensitive environment? DAS, however, now has the ability to address both of these issues.
CouchSurfing: A Working Trust Model
Trust. At the beginning we take it on faith. On the Internet, a fortiori, all the more so. While security professionals struggle to establish online trust, CouchSurfing, a social site for tourists who want to borrow your couch and, perhaps -- wink, wink -- make friends, has a working trust model that is cool to boot.
Backdoors In The Network: Modems, WiFi, & Cellular
War-dialing received a revival in March with HD Moore's release of WarVOX, a tool that leverages VoIP to speed up the calling of phone numbers to find modems, faxes, and voice systems. Finding modems can help enterprises find backdoors into their network set up by a rogue employee. Likewise, it can help penetration testers find forgotten or lesser-known ways into a target's network through poorly secured modems.