Note: The following article is part of a shared content agreement between Online Tech and InfoSec Institute. (View original post.) For more information on IT disaster recovery, download the disaster recovery white paper or check out our case studies. In this article, we’ll learn about the concept of data loss prevention: why it is needed, the different types of DLP and their modes of operation, the planning and design strategy for DLP, the possible deployment scenarios, and the workflow and best practices for DLP operations. OVERVIEW Every organization fears losing its critical, confidential, highly restricted or restricted data. That fear is amplified when an organization’s critical data is hosted outside its premises, say on a cloud model. To address this concern, a security concept known as “Data Loss Prevention” has evolved, and it is available in several product flavors on the market. The best known among them are Symantec, McAfee, Websense, etc. Each DLP product is designed to detect and prevent data from being leaked, and these products are applied to cover all channels through which data can leak. Data is classified in the category of in-store, in-use…
Ever wonder what your company’s CFO is most worried about when it comes to cybersecurity? We may have your answer. Dig deep down through Grant Thornton LLP’s bi-annual survey of CFOs and other senior financial executives for a pretty good hint. Right there on page 23 of the 28-page report: What are your business’s top cybersecurity and data privacy concerns? 59% — Potential for undetected breaches 54% — Customer/client data privacy 50% — Unknown and identified risks 42% — Employee and workplace data privacy 32% — Compliance with data security laws (Respondents were able to select more than one answer.) More from the report: “Forty-two percent of chief audit executives listed data security/privacy as a risk area that has the potential to impact growth, and 70% include this risk in their internal audit plan. More than 40% of in-house counsel claim that the risk of a cybersecurity/data privacy breach has increased in the past year, but 17% are unsure what was being done to deal with these risks in their organization.” (Oh, and here’s some good news from that same report: Sixty-eight percent of CFOs expect an increase in the average per-employee salary over the next year!) RESOURCES: Grant Thornton…
More from the Converge information security conference in Detroit, this time recapping Enterprise Security Back to Basics presented by Joel Cardella, the director of information security, IT security, governance, risk and compliance at Holcim US. (Also see a recap of Thursday’s The Challenge of Natural Security Systems.) Why this back to basics talk? Cardella feels we’re being beguiled by all these large breaches that push people to a solution they aren’t yet ready to receive. He holds that the importance of this talk is getting organizations mature enough to be ready to buy what vendors are selling. It’s about asking if your company is sure you need what is being offered. The goal for security is being able to become proactive from the normally reactive InfoSec environment. Each single record lost is worth $145 in a data breach. That’s up 15% this year from last year. When breaches affect thousands, or even millions, of records the cost is incredible. Cardella defines risk as: Threats x Vulnerabilities x Time = Risk Threats are not something we can control. Vulnerabilities are things we can control and influence, both directly and indirectly. Time is also in our control. Taking care of something quickly…
Today is Day 2 of the Converge information security conference at Detroit’s Cobo Center, and it promises to be full of significant insights into IT security within organizations. Here’s a recap of one of Thursday’s sessions, The Challenge of Natural Security Systems, presented by Rockie Brockaway, the security practice director at Black Box: Brockaway started with a really important point: Information security is currently viewed as a tactical response within companies, when it should be treated as a function of the business. InfoSec’s role is to prevent the loss of business-critical data, promote innovation within other parts of the company and protect the brand. One of the biggest hurdles in InfoSec, Brockaway explains, is understanding what a company’s critical data is, and where it’s stored. Without that information, there’s no way to fully protect it and vulnerabilities will be created. Another issue within enterprise InfoSec is the obsession with static models like walls. If a security measure is put into place without learning, modifying and adapting from new information, it will eventually be circumvented and will become useless. So what should companies do to become more adaptive? Brockaway looks at business similar to animals, with small systems making up a…
Note: This is the first of three blog entries from Online Tech Director of Infrastructure Nick Lumsden reflecting on his key takeaways from EMC World 2014: 1. Speed of Change, 2. Shift in Ownership of IT Dollars, 3. Transition to IT-as-a-Service. In 1965, Intel co-founder Gordon Moore wrote a paper about computer chip performance doubling every 18 months. Today, we call that Moore’s law. Kryder’s law says memory efficiency doubles every 12 months. Nielsen’s law says bandwidth doubles every 21 months. We’re going to need new laws, because the speed of change for business technology is continuing to advance. Twenty years ago, if you had stood in the CIO’s office and claimed that enterprise applications would eventually see updates multiple times a day, you would have generated laughter from your colleagues at the obvious joke. Technology change came at the rate of once a year (and it was painful!), with the goal of moving to twice a year, maybe eventually once a quarter. Fast forward to the introduction of Agile and a significant paradigm shift occurred in software development: the rate of change advanced to once per month, moving toward bi-weekly. Fast forward again to the rise…
The U.S. Department of Homeland Security released a vulnerability note stating Microsoft Internet Explorer “contains a use-after-free vulnerability” that can “allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.” The security flaw was first detected by FireEye Research Labs. Homeland Security said in an advisory that the zero-day flaw in versions 6 to 11 of IE could lead to “the complete compromise” of an affected system and recommended “employing an alternative Web browser until an official update is available.” Microsoft has responded, saying: On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs. The impact is potentially great. FireEye estimates 26 percent of the entire browser market is at risk. NetMarketshare claims Internet Explorer accounts for roughly 58 percent of the world’s desktop browsers. The IE flaw emerged just weeks after the public discovery of Heartbleed, a flaw in the design of an encryption tool that runs on as many as two-thirds of all active websites. (Online Tech Senior Product Architect Steven Aiello offered his take on Heartbleed in…
Note: The following article is part of a shared content agreement between Online Tech and InfoSec Institute. (View original post.) For more BYOD information, check out a replay of a past Online Tech webinar co-hosted by Tatiana Melnik, an attorney concentrating her practice on IT, data privacy and security, and regulatory compliance, “To be BYOD or not to be BYOD: Is a Bring Your Own Device Policy Right for Your Organization?” We’ve also previously compiled some of the best articles, white papers, webinars and other media that explain mobile data security and how to prevent compromised data in your organization. The BYOD (Bring Your Own Device) phenomenon is expanding at an incredible rate. It is something that affects every business, from the smallest to the largest. How each business deals with BYOD ranges from complete apathy to a full embrace of it, with sophisticated processes and controls in place to maximize employee productivity while minimizing risk to the business. The goal of this article is to give you the information you need to get control over how employees are using their own personal devices to access, store, and communicate business-owned information in the course of doing their jobs.
Reacting to major data breaches at major retail outlets, including Target and Neiman Marcus, US senators recently introduced the Data Security and Breach Notification Act, calling on the Federal Trade Commission to develop data security and breach notification rules for all businesses that hold consumers’ personal information. According to a story at InfoSecurity.com: The dual thrust of the legislation is that the FTC should issue obligatory security standards for the protection of personal information, and that breached organizations should be required to notify customers if ever and whenever that data is compromised. Different states currently have different breach notification requirements, and this new bill would appear to be an attempt to consolidate them into a single federal law. Under the proposal, businesses would receive “incentives to adopt state of the art technologies [such as encryption] that would render consumer electronic data unreadable or unusable in the case of a breach.” Executives from Target and Neiman Marcus appeared before the Senate Judiciary Committee on Tuesday to discuss the future of retail technology. Target CFO John J. Mulligan apologized at the beginning of the session: “I want to say how deeply sorry we are for the impact this incident has had on…
SplashData’s annual list of most common passwords is always good for a laugh. Until, you know, it’s no longer funny. If you missed it over the weekend, SplashData announced Friday its annual list of the 25 most common passwords found on the Internet. For the first time since the list began, the password ‘password’ dropped out of the No. 1 spot to No. 2. It was replaced with ‘123456.’ The top 10:
1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123
(Does No. 10 seem a little out of place? SplashData reported this year’s list was influenced by the large number of passwords from Adobe users posted online following its well-publicized security breach.) Laughs aside, Online Tech’s Steve Aiello said in a blog post earlier this month that human error, weak passwords and OS misconfigurations are still the most vulnerable targets for hackers. We suggest using this light-hearted report to make a serious recommendation to members of your organization to improve password strength. Why? You only have to look to No. 24 on the list of most common passwords for a reason: trustno1.
Note: The following article is part of a shared content agreement between Online Tech and InfoSec Institute. This article, written by cyber-threat analyst Aaron Bossert, illustrates perfectly the difference between check-box compliance and compliance as part of your culture. While many of the examples below relate to NIST standards, they can easily correlate to PCI, HIPAA or other compliance frameworks. (View original post.) “What’s in a name? That which we call a rose by any other name would smell as sweet.” Shakespeare would probably turn over in his grave knowing that I have used one of his more famous passages from Romeo and Juliet in this context. Shakespeare’s words can be used to draw two parallels: First, compliance is directed by enabling standards that may include the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Payment Card Industry (PCI), the Sarbanes-Oxley Act (SOX), the Federal Information Security Management Act (FISMA), and many more. Though each of the aforementioned compliance models has a different target audience, all share the same goal. Compliance models are intended to provide a framework from which one can document the methods used to secure your specific Information System. In addition to documentation, a consequence…