Top IT Security Bloggers

  • Apple finally adopts HTTPS for the App Store - here's why it matters

    Sophos - Naked Security
    Last year, a Googler named Dr. Elie Bursztein noticed that Apple's App Store protocols were using HTTP where HTTPS would have been much better.

    Some time later, Apple changed its ways.

    Paul Ducklin explains why it matters...
  • Firefox and Chrome patched ALREADY after Pwn2own - now the pressure is on for IE and Microsoft!

    Sophos - Naked Security
    Mozilla and Google have already pushed out patches to stop the exploits that got past their browsers at this year's PWN2OWN competition!

    That certainly throws down the gauntlet to Microsoft, whose Internet Explorer 10 browser was also successfully breached in the competition.
  • The Castle Has No Walls - Introducing Defensibility as an Enterprise Security Goal

    HP Following the Wh1t3 Rabbit - Practical Enterprise Security

    What's the difference between secure and defensible?

    It becomes clearer when we revisit the old, tired analogy of the castle model of security: tough outer defenses meant to keep the 'bad guys' out, but once you're inside you've got full access to everything as if you belong. This thinking just doesn't work in today's modern enterprise... Let's talk about why and what we should be doing about it.

  • Germans bombarded in malware attack, shipment firm caught in crossfire forced to suspend email address

    Sophos - Naked Security
    A hard-hitting malware attack is hitting German email inboxes, and causing a headache for an innocent shipment firm mentioned in the messages.
  • Reflecting on RSA by Dr. Guy Bunker

    Clearswift Blog

    The RSA conference was held last week in San Francisco and what an event it was… 23,000 participants, 350+ companies, countless education sessions and copious quantities of food and drink.

    The Mandiant report came out the week before and that had created a lot of buzz which did not abate. But what was the overriding theme? To me it was ‘big data’ (security buzzword of the year 2013!) or, rather, it was the fact that security today is starting to require an awful lot of data to be collected and analysed.

    The term security analytics was used by multiple speakers – so expect that one to make the buzzword list next year. The latest generation of APTs (Advanced Persistent Threats – and the runner-up in security buzzword of the year 2013) are sneaky and there is no silver bullet to prevent them. Defence in depth is still required – and one of those defences is to collect vast quantities of information and then analyse it to look for anomalies which then point to security issues. It’s the quantities of this information (terabytes and petabytes) which then turn it into a ‘big data’ problem – or one that requires a ‘big data’ solution. Spotting the useful information in this mass of data is akin to the old needle in a haystack – not something anyone can do, even with all the smart tools that exist.

    We (as an industry) have a new challenge here: if, as we are told, there are increasing cyber-attacks on businesses of all sizes, then how can we help those companies which do not have the expertise and resources (time, money and people) to combat them – the security-poor, as they were labelled at the conference?

    Tools need to become even easier to use, and not require large numbers of professional services personnel (aka consultants) to get the solutions installed and providing value back to the organisations. How can we turn the information collected into ‘everyday value’ rather than just forensic insurance? There isn’t an answer today (and especially not one that falls into the affordable bracket), but we need to look for one.

    One message that came through at the RSA Conference was that not every security defence needs a substantial and on-going investment. In the case of information governance, for example, we are seeing that success comes through a diligent approach to security, rather than through big budgets.

    The other theme which was apparent was identity. This is an increasing challenge for us all, especially with the increase in BYOD and cloud collaboration. Once more, there isn’t a solution today which works everywhere – even though there were numerous vendors touting their individual solutions at RSA.

    A new open identity initiative (www.globalidentityfoundation.org) was launched to build on the Jericho Forum Identity Commandments. This programme looks promising, as it is a pragmatic approach to the global issues which need to be addressed – I look forward to seeing the progress next year.

    And so to next year… this year, the place was buzzing, from the first day to the last – and that included the booking office for next year. I suspect the exhibition hall will have sold out by the time you read this. We have booked our space… and it’s twice as big as this year – but, then again, we will have more than twice as much to show. To RSA 2014… hope to see you there.

  • Video: Bruce Schneier at RSA

    CSO Online
    Bruce Schneier and David Spark discuss "Feudal Security."
  • #FFSec, March 8: Five infosec pros who stand out

    CSO Online
    Follow these names on Twitter. Together, they make cyberspace a more secure place.
  • PWN2OWN results Day Two - Adobe Reader and Flash owned, Java felled yet again

    Sophos - Naked Security
    PWN2OWN 2013 finished off today.

    A second scheduled attack on IE 10 didn't happen, so IE 10 didn't get owned again, but Flash and Reader fell once each, and Java was exploited for the fourth time in two days...
  • $5 million class action lawsuit over LinkedIn data breach dismissed

    Sophos - Naked Security
    No real damage was done, a judge ruled, and besides, paying for premium membership isn't a guarantee that you'll get premium security.

    Ouch! So much for promises made in privacy policies.