Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Cybersecurity Advice From A Former White House CIO
Newest First  |  Oldest First  |  Threaded View
RyonKnight
50%
50%
RyonKnight,
User Rank: Strategist
6/30/2015 | 4:17:09 AM
Re: Segemented data
Thanks for your reply Theresa.  I totally agree that this could be a sensible measure for a couple of critical assets.  I could see using it for private keys or highly sensitive proprietary information.  Still can't see a practical way of making it work for something that's going to be frequently accessed by a variety of users, like a schedule.  I'm not sure if you can give any more specifics due to the nature of the job and what you were protecting, but kudos for making it work.

Thanks again for the article and taking the time to reply.
JohnL228
50%
50%
JohnL228,
User Rank: Apprentice
6/29/2015 | 2:35:10 PM
Great Post Recognizing the Human
 I really like your premise of human factor failings in this post. This harkens back the human-centric design of Alan Cooper's "The Inmates are Running the Asylum." He used the creation of "personas" to help humanize the likely users in the design of software or other products. I suspect that a similar profiling will help to develop more elegant cybersecurity policies that anticipate the most likely human failings.  

 

theresap282
100%
0%
theresap282,
User Rank: Author
6/24/2015 | 9:40:15 AM
Re: Segemented data
Hi Ryon, thanks for asking your question!  In my humble opinion, you would do both.  Because safety measures for data such as encryption or two factor authentication are not 100% bullet proof solutions, you want to make sure you segment your data.  When that breach happens, they can only steal one piece and you slow them down from taking more of your information.  This is hard to do which is why I only recommend this for 1-2 of your most critical information assets.  Hope this a helpful explanation.  
RyonKnight
50%
50%
RyonKnight,
User Rank: Strategist
6/23/2015 | 7:43:45 AM
Segemented data
I'm unclear on what you're trying to get at with segmenting data like the President's schedule.  What is the benefit of having it segmented across multiple teams or systems?  How does this work in practice?  As you note, the amount of effort and synchronisation would be high.  There are lots of easier ways to secure data and restrict access than segmenting it all over the place.  You cite this as a "similar strategy" to how banks use 2 factor authentication, but this sounds like something quite different.  Grateful if you can clarify, thanks for the article.


More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20619
PUBLISHED: 2021-01-19
Cross-site scripting vulnerability in GROWI (v4.2 Series) versions prior to v4.2.3 allows remote attackers to inject an arbitrary script via unspecified vectors.
CVE-2020-29450
PUBLISHED: 2021-01-19
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0.
CVE-2020-36192
PUBLISHED: 2021-01-18
An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or part of a private Project), if they are attached to an existing Changeset. The information is visible on the view.php p...
CVE-2020-36193
PUBLISHED: 2021-01-18
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
CVE-2020-7343
PUBLISHED: 2021-01-18
Missing Authorization vulnerability in McAfee Agent (MA) for Windows prior to 5.7.1 allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The product would continue to function with out-of-date detection files.