Why NIST’s privacy framework could help security efforts

Although many people, even some cybersecurity practitioners, tend to conflate data security and data privacy as one and the same, privacy experts see them as two different, often contradictory, yet frequently overlapping objectives. “We look at it as a Venn diagram,” Naomi Lefkovitz, privacy engineering program head at the National Institute of Standards and Technology (NIST), said during a plenary session here at NIST’s Cybersecurity Risk Management conference. Lefkovitz is spearheading NIST’s initiative to create a Privacy Framework, along the lines of NIST’s successful Cybersecurity Framework, which could help pave the way toward the development of trustworthy information systems that protect privacy. From the Venn diagram perspective, the protection of individual privacy cannot be achieved by merely securing personally identifiable information (PII) because security risks arise from unauthorized system behavior while privacy risks arise as a byproduct of authorized PII. The area where security concerns overlap privacy concerns is the […]

The post Why NIST’s privacy framework could help security efforts appeared first on Cyberscoop.

Why NIST is so popular in Japan

While all organizations around the globe continue to grapple with chronic shortages of qualified cybersecurity workers, Japan is tackling the problem in a significant way by turning to two U.S. government technology frameworks to help manage its own information security manpower shortages. Japanese industry has turned to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and National Initiative for Cybersecurity Education (NICE) Workforce Framework in an effort to fill the unique cybersecurity skills gap characteristic of Japanese companies. Speaking at NIST’s Cybersecurity Risk Management Conference in Baltimore, Maryland, Masato Kimura, a manager in the cybersecurity R&D planning department at Japanese telecom giant NTT, said that the NIST workforce framework in particular plays a pivotal role in Japan due to the high level of reliance by Japanese companies on outsourced IT and cybersecurity personnel. In the U.S., around 71.5 percent of IT professionals work in-house, but in Japan, only 24.8 […]

30 years ago, the world’s first cyberattack set the stage for modern cybersecurity challenges

Back in November 1988, Robert Tappan Morris, son of the famous cryptographer Robert Morris Sr., was a 20-something graduate student at Cornell who wanted to know how big the internet was – that is, how many devices were connected to it. So he wrote a program that would travel from computer to computer and ask each machine to send a signal back to a control server, which would keep count. The program worked well – too well, in fact. Morris had known that if it traveled too fast there might be problems, but the limits he built in weren’t enough to keep the program from clogging up large sections of the internet, both copying itself to new machines and sending those pings back. When he realized what was happening, even his messages warning system administrators about the problem couldn’t get through. His program became the first of a particular type […]

How to combat the long lives of zero-day vulnerabilities

We’ve all heard stories about advanced nation-states leveraging zero-days to exploit a previously unknown security vulnerability. Perhaps the most infamous example is Stuxnet (with its four zero-days), which survived for an estimated five years prior to being discovered. However, that does not mean the ability to develop exploits for zero-day vulnerabilities is reserved only for well-financed state-sponsored actors. According to RAND Corporation research, “…any serious attacker can always get an affordable zero-day for almost any target.” Worse, the data suggests that the time from vulnerability discovery to public disclosure and patch availability is almost seven years, a big red flag indicating that companies are dramatically underestimating their exposure. The term “zero-day vulnerability” is a bit of a misnomer, because it might convey that an attacker tries to quickly get into victims’ computers, exfiltrate data or launch malware, and get out. But just the opposite is the case, as some of […]

Why you should be fed up with the cycle of FUD

The upcoming election has created the perfect opportunity for the $100 billion cybersecurity industry to throw some fear, uncertainty and doubt — colloquially known as “FUD” — into the daily conversation. Vendors see this as an opportunity to double down on their marketing to help congressional offices “defend democracy.” But they’re selling the same solutions that got these offices in trouble in the first place. Isn’t it time to try a different approach? It’s important to understand that, unlike other branches of government, each congressional office is responsible for its own security when it comes to its IT infrastructure. In many instances, offices outsource management of their systems to contracting agencies, which contributes to the problem. Additionally, congressional offices and political parties were targets long before the industry took notice. Party staff are juicy targets for social engineering, phishing, and other forms of targeted attacks from APT groups. Stealing the […]

Advice for the U.S. government: Stop talking and start doing

When it comes to cybersecurity, the United States government is great at talking the talk, yet consistently falls short of walking the walk. Unless the U.S. government actually implements the cybersecurity best practices it touts, the nation and its citizens will continue to be at an increased risk of a cyberattack. The government has already acknowledged the need for multi-factor authentication (MFA). In 2003, it started fielding Common Access Cards (CAC) in the military, as well as Personal Identity Verification (PIV) cards in civilian agencies. At that time, the game plan was to complete the MFA implementation across the government before the end of 2008. In April 2015, MFA implementation levels hovered below 50 percent. The massive breach at the Office of Personnel Management (OPM), which leveraged compromised username and password credentials, could have been stopped with more rigid MFA practices. It wouldn’t have made this attack impossible, but […]

2020 Vision: California sees the future, and it looks like GDPR

The California Consumer Privacy Act is set to go into effect on Jan. 1, 2020, enacting a series of sweeping data privacy reforms for the state’s nearly 40 million citizens. In a classic David-vs.-Goliath scenario, California residents will have the power to call at least some of the shots on how their data is used by corporate behemoths in Silicon Valley and beyond. While residents of all 50 states are already covered under a patchwork of breach notification and privacy laws, the California legislation introduces some significant changes. Californians will have the power to ask companies to cough up all the data they’ve collected about them. They also will be able to tell these same companies to delete everything – personal information, data on what’s been shared, clicked on, and more — much like European Union residents are protected under the GDPR’s “right to be forgotten.” What can we expect […]

Obscurity is the only security

There’s a common belief in the security world that obscurity shouldn’t be used as a layer of protection. This line of thinking is based on Kerckhoffs’s principle, which states that the security of a cryptographic system should depend on its key, not on the secrecy of its design. When analyzing cryptographic primitives or doing any sort of system audit, letting auditors in on the details makes complete sense. Skilled reviewers should spend their time searching out novel weaknesses, not on layers that are intended to slow an attacker or to alert someone to an attack. That said, there is much to be gained through properly applied obfuscation in deployed systems. If there’s one thing that the history of cryptography has taught us, it’s that each system has a lifespan. Some of this is expected. Over time, RSA key sizes have grown as machines have increased in speed and power. Yet, experience […]

How crisis communications factor into a cyberattack

The epidemic of security breaches is escalating globally across all sectors of business, yet only half of CISOs and CIOs are ready with a crisis contingency plan and have the secure communications to implement one. What are we waiting for? After many high-profile cyberattacks that have brought down brands like Equifax, JP Morgan Chase and Yahoo!, most companies still haven’t implemented a company-wide crisis strategy. According to a recent global study conducted by Ponemon for IBM Resilient, 77 percent of respondents admit they don’t have a formal cybersecurity incident response plan (CSIRP) that is applied across their organizations, despite 65 percent agreeing that the severity of cyberattacks has increased, and that part of that severity stems from the length of time it takes to rebuild communications and infrastructure. Despite clear awareness of the risks and skyrocketing damages to companies that have suffered a cyberattack – which are expected to […]

In the dark about ‘going dark’

We can now add “a growing lack of trustworthiness on encryption-related topics” to the FBI’s list of problems. Recent reports have shown the FBI’s encryption argument is not only wrong, but greatly exaggerates the problem’s magnitude. This comes on the heels of a shocking report by the Department of Justice’s Inspector General, suggesting that some FBI staff purposely slowed efforts to unlock Syed Rizwan Farook’s iPhone in the aftermath of the San Bernardino shooting to pressure Apple to build a backdoor. These two episodes are troubling; lawmakers should demand a thorough accounting of the FBI’s actions and the public deserves full transparency about the true nature of the FBI’s encryption problem. The FBI and DOJ have long argued that the proliferation of end-to-end encryption — whereby only the user can access the plain text of their data — allows criminals to “go dark,” operating beyond law enforcement’s reach. Cybersecurity experts […]