Boost your security: Get IT and HR to collaborate

Ask what department is responsible for data security in an organization and the most likely answer is, “IT.” But some experts are saying it shouldn’t be IT alone – that better security requires a closer collaboration with Human Resources (HR).

One example, they say, is a breach this past Feb. 26 at the Federal Deposit Insurance Corporation (FDIC), when a departing employee inadvertently downloaded 44,000 customer records, including personally identifiable information (PII), to a USB thumb drive.

PCI DSS 3.2: The evolution continues

The latest Payment Card Industry Data Security Standard – PCI DSS 3.2 – continues what industry experts call “an evolution, not a revolution.”

That would make sense, since it is also “mature,” by Internet historical standards.

The first official iteration, PCI DSS 1.0, was released in December 2004 – several generations ago in the IT era. And its roots go back another five years, to October 1999, when Visa established the Cardholder Information Security Program (CISP).

Is a truce possible in the ad-blocking war?

The online advertising world is a war zone – increasingly bandwidth-intensive, intrusive ads are countered by the exploding use of ad-blocking technology, which in turn is countered by increasingly aggressive anti-ad-blocking technology.

But amid what looks like an arms race, at least some in the industry are arguing that something close to a win-win is possible: A settlement that would lead to users being willing to tolerate – perhaps even look at – ads that are much less annoying, intrusive and data-consumptive than they are now.

Not that it sounds like any kind of truce is pending soon. As Fast Company put it this past January, which marked the 10th anniversary of AdBlock Plus, a browser plug-in that has been downloaded more than 500 million times, “after a decade hoping that ad blocking would just go away, online publishers are starting to freak out.”

Catastrophic cyber attack on U.S. grid possible, but not likely

Warnings about U.S. critical infrastructure’s vulnerabilities to a catastrophic cyber attack – a cyber “Pearl Harbor” or “9/11” – began more than 25 years ago. But they have become more insistent and frequent over the past decade.

Former Defense Secretary Leon Panetta warned in a 2012 speech of both a “cyber Pearl Harbor” and a “pre-9/11 moment.”

They have also expanded from within the security industry to the mass media. It was almost a decade ago, in 2007, that the Idaho National Laboratory demonstrated that a cyber attack could destroy an enormous diesel power generator – an event featured in a 2009 segment on the CBS news magazine “60 Minutes.”

Blindsided by the IoT?

The Internet of Things (IoT), software-defined networks (SDN), cloud-based services and network virtualization (NV) don’t sound like emerging technologies. They have all been around for more than a decade – that’s multiple generations in the high-tech world.

But according to Dr. James Burrell, deputy assistant director at the FBI, they are indeed still emerging. Burrell told an audience at the Federal Reserve Bank of Boston’s 2016 Cybersecurity Conference that, “what really matters is the rate of adoption and the rate of adaption within organizations. That impacts the risk calculus.”

And he said while everybody is very much aware of the IoT, they are likely not ready, at the adoption or adaption level, for the Internet of Everything (IoE).

Denial Syndrome: Consumers don’t think they’ll get hacked

Most people say they care about their online security and privacy. Poll after poll confirms what one would expect: They don’t want their identities stolen, phones hacked, credit cards compromised or bank accounts drained. They don’t welcome government or anyone else conducting surveillance on them, especially in their private lives.

But those polls also show that only an alarmingly small percentage of those same people seem willing to make much effort to do what they say they want – protect their privacy and security.

Chip-and-PIN adoption still slow

Supposedly, credit card transactions in the U.S. were going to become considerably more secure by last Oct. 1 – the deadline for merchants and card-issuing banks to be ready to process so-called “chip-and-PIN” cards instead of the legacy “swipe-and-signature” kind.

Some of them are – estimates of the percentage of merchants now equipped with the new terminals range from 17 percent to 37 percent. But even the high estimate isn’t what most people would call “critical mass.”

And if the reality is closer to the low end, that means, as security blogger Brian Krebs put it in a post last month, “U.S. consumers currently can expect to find chip cards accepted in checkout lines at fewer than one in five brick-and-mortar merchants.”

Privacy: Is it dead or just being renegotiated?

It would have been hard to find anybody at this past week’s RSA conference who doesn’t think privacy is a problem. The topic even had its own track, with more than six dozen sessions.

There is a bit less agreement, however, on how big a problem it is. It is not a large divide, but two presentations illustrated it well.

The first view is that the loss of privacy is reaching a catastrophic level. According to Theodore F. Claypoole, a partner at Womble Carlyle, modern technology is not only eroding your privacy. It is eroding the legal standard for your “reasonable expectation” of it.

That unsettling message came with an equally unsettling title: “The gasping death of the reasonable expectation of privacy.”

Hacking back will only get you in more trouble

The online theft of U.S. intellectual property (IP) by other nation states continues to be a big problem, a panel of experts agreed this week at the RSA conference in a session titled, “Responses to state-sponsored economic espionage.”

That much is obvious – awareness of economic cyber espionage has reached the mainstream, with CBS-TV’s newsmagazine “60 Minutes” even doing a segment on it last month, labeling it, “the great brain robbery of America.”

What to do about it is also a big problem. The panel agreed that the most tempting and instinctive response of “active defense” – more commonly known as “hacking back” – is not a good one.
