18 Apr 14

TechCrunch – The Internet Is Held Together With Bubble Gum And Baling Wire

Did you know that, to quote an angry hacker:

The Internet from every angle has always been a house of cards held together with defective duct tape. It’s a miracle that anything works at all. Those who understand a lot of the technology involved generally hate it, but at the same time are astounded that for end users, things seem to usually work rather well.

Today I want to talk about all of the egregious security disasters across the Internet over the last few months, but as Inigo Montoya once said: “No, there is too much. Let me sum up.” Alas, even an incomplete summary is a lengthy litany of catastrophe. Let’s see:

Apple: “Oh dear.” “It’s as bad as you could imagine, that’s all I can say.”
Oh, and separately, their OpenSSL implementation is broken.
Linux: “Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping.”
Microsoft Word: “Zero-day vulnerability under active attack.”
Yahoo: “Remote Command Execution Vulnerability.”
Credit cards: Target. Neiman Marcus. California’s DMV. Et cetera.

More of the TechCrunch post


13 Dec 13

CIO Insight – The CIO’s Secret Weapon: Stakeholder Pressure

The roles of the CIO and the Chief Information Security Officer (CISO) have changed considerably over the past decade. Chief amongst these changes is that the security-related demands from company stakeholders have increased substantially as a result of major technological and cyber advancements.

Cyberspace is constantly evolving; its potential and real threats, vulnerabilities, complexity, and interconnectivity are always changing. The threat is asymmetric as activists, cybercriminals and nation-states disproportionately increase traditional information risks. In many organizations, cyber-security opportunities and risks have become a board-level issue, so the CIO, like the CISO, must engage at the boardroom level, where information strategy and risk should sit comfortably with other types of strategy and risk that the board oversees.

Information Security Under Pressure
Highly publicized breaches, and more stringent regulations, have put the spotlight on information security in most organizations around the world.

In a recent report, “Estimating the Cost of Cybercrime and Cyber Espionage,” conducted by the Center for Strategic and International Studies (CSIS) and sponsored by McAfee, it is estimated that cybercrime and cyber-spying are costing the U.S. economy $100 billion each year and the global economy perhaps $300 billion annually. Malicious cybercrimes are estimated to cost as many as 508,000 jobs in the U.S. alone. This has put unprecedented pressure on C-level executives to assure stakeholders that sensitive information is secure. And as information security moves up senior management and the board’s agenda, pressure will continue to mount. Like CISOs, CIOs must be able to shape the message and relay their successes to the board to sustain high-level support for security initiatives. A recent CEO survey, conducted by PwC in its Annual Global CEO Survey 2013, cited cyber-security as having the third highest possible impact on organizations—even ahead of a natural disaster disrupting a major trading and manufacturing hub or military tensions affecting access to natural resources.

More of the CIO Insight article


26 Nov 13

CIO.com – Data Centers Play Fast and Loose with Reliability Credentials

IDG News Service (San Francisco Bureau) — How reliable is your data center service provider? Perhaps not as reliable as you think.

The Uptime Institute says some data centers are playing fast and loose with its “tiering” system for rating data center reliability, making false claims or at best being economical with the truth about how resilient their facilities are.

The upshot, the Institute says, is that some companies may be running important applications in data centers that are more susceptible to failure than is advertised, and they may get a rude awakening the next time a hurricane strikes or a transformer blows out in the local power grid.

“At a time when more enterprises are moving at scale to an outsourcing option, the stakes couldn’t be higher,” said Julian Kudritzki, Uptime Institute’s chief operating officer, who along with a few data center operators is trying to raise awareness of the issue.

The Institute’s tiering system is only one way of indicating data center resiliency, but it has become well known in the industry. It gives four tiers of certification, with Tier III the most common type awarded. A Tier III data center has multiple delivery paths for power and cooling, and redundant critical components, so that downtime is minimized and maintenance can be performed without taking the computing services offline.

More of the CIO.com article by James Niccolai


06 Nov 13

Continuity Central: Are enterprises losing the cyber-war?

Bit9 has published the results of its third annual Server Security Survey of nearly 800 IT and security professionals worldwide.

Server security remains one of the most critical aspects of any company’s security posture. Servers are where the majority of customer data, intellectual property and user credentials are stored, which is why they are the target of most advanced threats. Failure to protect servers from advanced threats can lead to significant data loss, brand damage, large financial penalties, and diminished customer confidence.

Key survey findings included:

55 percent of security professionals were concerned about targeted attacks and data breaches on servers in 2013 – up 3 percent from 2012, and up 18 percent from 2011.
Only 13 percent of respondents are ‘very confident’ in their ability to stop advanced threats targeting servers.

More of the Continuity Central article