Shopping Cart | Training Portal | Contact Us | 1-800-473-5181

Security Blog


Does your smartphone app discover all your accounts?

Posted on September 6th, by Paul Masson in Uncategorized. No Comments

There’s a chill in the air, and it’s not just the normal fall morning breeze. In the era of NSA Prism/Xkeyscore/whatnext surveillance, and considerable cybercrime enterprises, smartphone app developers seem to be taking advantage of a very lax culture of ‘accept all’ security features.
I recently developed an online Security+ course for a local university. As an assignment for the course I asked students to search for and install a few versions of the simplest of smartphone apps, the flashlight app that will turn on the camera LED for convenience lighting. Such a limited application has no need for the extent of permissions that they receive, yet thousands of users blithely ‘Accept’ them.
This year, one of my friends basically told me ‘yer playin’ and signed me up for his football fantasy league. As a newbie to fantasy … Read More »


Ethical implications of whistle blowing

Posted on June 14th, by Paul Masson in Uncategorized. 1 Comment

(ISC)2 code of ethics;
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.

One thing will jump out at you right away - the first priority of a CISSP is to protect society.
Each of us are called upon to make small ethical choices every day. Unfortunately far too many
of us will face a major ethical decision at some point during our professional life as an
Information Security professional. Stumbling upon a 0 day vulnerability, leading an Incident
Response, or deciding if we should go public with what we perceive of as an abuse of the
systems in place to manage access to potentially sensitive PII. As an example of how to ethically
deal with a breach notification, I would encourage you to read up on the Heartland Payment
Systems breach. I wrote an … Read More »


The Great ATM Heist - is it really newsworthy?

Posted on May 10th, by admin in Security Blog. No Comments

On Friday, May 10, we saw many headlines about the latest great ATM bank robbery. Apparently these types of attacks are being regarded as something new and noteworthy. Interesting indeed when you consider what should be NEWS is the very fact that this attack simply repeats what we saw last December. It’s very similar to attacks that have been evolving for years.

The elements of the attack are not new. An almost identical attack was done way back in 2008 and was attributed to Russian and Estonian hackers. We dissected the attack in our Strategy to Reality workshop so clients could understand the attack vector and consider means of stronger, integrated defences. We showed how the attackers have used extremely well coordinated and synchronized campaigns. In recent attacks they even went to the trouble of raising the account withdrawal limits.

Yesterday’s attack was … Read More »


Is Ticketmaster’s paperless ticket PCI compliant?

Posted on April 10th, by Paul Masson in Uncategorized. No Comments

I recently purchased tickets to a concert event with Ticketmaster’s paperless ticket process.  It was not my preferred method, but tickets were hard to get and for this event it was the only option.  The purchase application instructed me to ‘go to the gate and present picture ID and credit card’ for admission.   Nonetheless, I still felt compelled to go to the will call window and collect my tickets.  To my surprise, I was instructed to go to the security entrance, the gate, and all would be well.  When I approached the gate, I asked ‘how does this work with a paperless ticket?’ and the gate attendant asked for my credit card.  I handed him my credit card, and expected to have to show picture id.  The attendant swiped my credit card through a roughly 6′ x 8′ device … Read More »


How secure are the IT components that go into our devices?

Posted on November 7th, by admin in Security Blog. No Comments

One of the most interesting and challenging security issues that can only be addressed by governments and large organization’s is the actual integrity of the computer products being purchased. While most of the world has worried about what American spy agencies might have embedded in systems over the years, the tables were turned several years ago when IBM sold it’s portable computer business to the Chinese. Since then, this issue has been festering with far greater stakes than ever before.

The House Permanent Select Committee on Intelligence last month, issued a report indicating that computer components and communications manufactured by two Chinese companies might have been altered to allow the Chinese government to spy on US enterprises. The report recommended that US government systems not use any component manufactured by Huawei and ZTE, both in the top 5 of the world’s … Read More »


Navigating into the IT Health Care field

Posted on October 17th, by Paul Masson in Security Blog. No Comments

There has been a lot of attention and push toward integrating technology into healthcare and the requirement for staffing positions that can’t be filled from those already working in the field. If you are looking to make a move from another sector, this could be the perfect opportunity.

The biggest challenge is breaking into the industry – getting your foot in the door, without any medical job experience or advanced education in a medical related area. Many companies often want to recruit people who already have healthcare experience, especially for more senior roles. There has also not been a lot out there on skills requirements and a path to acquiring the skills needed. However, in doing research on this we did come across a report by the University of California San Diego Extension. The report “2011 Hot Careers for College Graduates” aimed to reveal … Read More »


What is the most relevant Health IT Certification?

Posted on October 11th, by Paul Masson in Uncategorized. No Comments

The HITECH Act and the Affordable Care Act have certainly changed the landscape for the healthcare industry.   The financial incentives to share health care information among providers as well as patients opens up a veritable pandora’s box of information security issues for clinical employees.  These employees have been inundated with the privacy requirements of HIPAA, and now are tasked with maintaining privacy within an open electronic records environment.

Medical providers are desperate to maintain reimbursement levels, and the meaningful use requirements are hardly optional.  Achieving these objectives is a monumental task.   To help providers meet these requirements the US Department of Health and Human Services created the HITPro series of 6 exams to enhance and verify the skills of IT professionals working in healthcare.

Considering I hold CompTIA  and Microsoft certifications, and exam vouchers were available for free, my curiosity … Read More »


Eliminate the boring in your IT Security training program

Posted on September 5th, by Paul Masson in Security Blog. No Comments

When you get it wrong, the signs are painfully clear, but the reasons may not always be obvious.  Making that all-important connection with your learners does not happen by accident. When you are putting together any security training program – from general awareness training to specific certification training solutions, you need to make it not only interesting but also RELEVANT.

If the learner already has knowledge on security topics/issues, why do they then need additional training on the areas they already understand?  The mistake often made is that content is developed from the assumption that the learner knows very little and therefore needs to drink from the proverbial “fire hose”.  This does not have to be the case.  Constructing a well thought out quiz delivered prior to content or training to be developed or delivered can eliminate repetitive, boring content that … Read More »


Why we fail at leveraging technology in education

Posted on August 16th, by Ken Kousky in Security Blog. No Comments

There are three reasons why we fail at leveraging technology in education. First, we are undoubtedly missing the root cause of the systemic failure. It’s not content, it’s context. The content must be made meaningful to the learner. Second, we’ve failed to apply the fat tail principles of mass customization. Anchoring a concept for a learner is unique to each student. While Kahn Academy and the edX initiatives show how expansive the net is for provisioning content, we’re still missing the point that technology must address.

Finally, learning occurs at specific moments in specific context – and this includes space/time issues. Simply put, if my screen and keyboard are the source of massively complex communications systems including email, Facebook, alarms, alerts, notifications, etc. it is by definition, the worst possible tool for isolated and focused attention to a complex subject. If … Read More »


Learning Through Context

Posted on August 7th, by Ken Kousky in Security Blog. No Comments

What do we mean by context exactly and why do we believe teaching contextual based is better than content?

By context, I mean three things. First, we need to understand the where/when for studying. We should all know and understand that the “interrupt machines” that drive our always-on communications (PCs, smart phones, tablets) are the very worst possible devices for a learning context until we redesign the flow to function in this context.

Second, context is the reference point, and anchoring that provides relativity and explains new ideas in relationship to things the learner already knows. Third, context is the application of ideas, terms or concepts to situations the learner understands.

When EdX can provide learner context, the claim of “revolutionary” will once again belong to Boston. I’m not trying to argue that we do a better job than MIT in our boot … Read More »


The Ongoing Revolution in Learning Through Technology

Posted on July 27th, by Ken Kousky in Security Blog. No Comments

Over the past month, thoughts about the education paradigm have been something like the modern 4th of July fireworks — always a big bang and a new twist. I’ve followed the MIT/Harvard EdX online class of 155,000 students. I even thought about the incredible process of trying to grade the exams and student authentication challenges. If you’re not familiar with this project, you should be. MIT launched their intro to electronics class online with 155,000 enrollments! That’s a BIG classroom. Sounds like we’ve hit on an educational breakthrough!

Well, maybe it’s not a complete breakthrough. It turns out that 7,154 completed and passed the course. Our own pass rate on CISSP boot camps is dramatically better than MIT and Harvard’s. In fact, the real fallout came between the open enrollment period and the first exam. If you’ve ever taught college, you … Read More »


Understanding Risk - A 5-step risk management strategy

Posted on July 19th, by Ken Kousky in Security Blog. No Comments

So, what is risk? What does it mean? We can define risk as the possibility that bad, unplanned or unexpected things happen. It implies, most often, after the fact, that something could have been done about the “risk” to prevent the bad things. In many of the most disastrous events, there were clear warnings and a multitude of actions that should have been taken.

Risks can be mitigated. Risky activities can be reduced and safeguards can be implemented.  Why then do we continue to see disastrous events in the papers that could have been avoided? Simply put, Western societies seem to have forgotten about it. We ended the twentieth century with a growing belief that all of the critical issues of the world had been solved. Resources would be efficiently allocated through free competitive markets and social issues resolved by the … Read More »


A Dike and Three Dutch Boys…is this enough?

Posted on July 3rd, by Ken Kousky in Security Blog. No Comments

…Applying a triad methodology for risk management.

Similar to the Dutch boys and their dike, securing the barrier between your IT infrastructure and the rest of the world, rely primarily on:

Plugging the known holes.
Posturing to plug holes based on historical data and not overreacting to an acute event.
Making educated guesses where to reinforce the infrastructure to minimize potential risk.

Risk awareness and risk analysis has become a central force in all aspects of information assurance and IT security yet our current treatment of risk continues to be ad hoc and reactive rather than rigorously considered.

There are three profound issues that we must resolve if we are to sustain a meaningful, credible and constructive campaign for better risk management. First, we have to drop the absurd notion of rational economic decision makers minimizing risk. Thinking Fast and Slow is the most contemporary catalog … Read More »


Business Continuity – it’s not just for the big boys who can afford the big toys

Posted on June 28th, by Scott Koger in Security Blog. No Comments

For anyone with roots along the Gulf Coast - if have learned anything through the years, it’s that the impacts of weather can frequently far exceed expectations. For those of us who have been impacted by these tropical systems, it is not uncommon to refer to the storms by name as a kind of mile stone. “Yeah, after Betsy we had to” … or “during Camille”… and all too frequently “well with Katrina ….”.  This year’s entry into the short hand will be Debbie.  Although barely a Tropical Storm, she has lingered along the northern Gulf of Mexico for the better part of a week, dumping record amounts of rainfall in Alabama and Florida – and that’s saying something. This flooding has had significant impact upon ground transport in the area; impeding the local distribution of commodities, freight deliveries, and … Read More »


Security by Insanity

Posted on June 27th, by Ken Kousky in Security Blog. No Comments

A dear friend found a reason to remind me what Einstein (or somebody important) said was insanity - doing the same thing and expecting something different. Well, this got me thinking. All my life people have found probable cause to call me crazy …. but not insane. There’s something more clinical and more considered in the diagnosis of insanity.

I’ve spent over a decade delivering executive summaries on issues in information assurance and IT security. I’ve worked with the vendor community, academics and corporate IT staff studying threats associated with emerging technologies.

For example, when cars become “wired” systems with steering and breaking being driven by software rather than direct physical linkages, there are certain risks that should be understood and analyzed. We framed the risks for remote automotive systems access through OnStar as well as vulnerabilities in network addressable controllers of … Read More »


What’s the Worst that Can Happen?

Posted on March 29th, by Patrick Snyder in Security Blog. No Comments

By now most of the security industry has heard the rumors and threats that Anonymous intends to flood the 13 DNS servers throughout the world in a attempt to blackout the internet for a unknown period of time. This attack is the result of politically fueled opinions of some of today’s most influential hacktivists. According to a post on pastebin.com the attack will essentially involve the use of a Reflective Amplification or ‘ramp’ toolkit to DDoS the root DNS servers which will stop them from responding to DNS resolution requests and thus stop users from accessing websites via DNS names i.e. ‘www.google.com’, ‘www.facebook.com’, etc.

This attack is under great scrutiny by professionals and hackers across the web. Some say it may be possible other say at best it will be very limited and do minimal damage while the rest say that Anonymous … Read More »


We will get fooled yet again!

Posted on February 17th, by Patrick Snyder in Security Blog. No Comments

 

As if Android security controls weren’t bad enough it seems even more malicious software applications have made their way onto users devices. This new breed of malware is unlike any other. With the increasing power and capabilities of Smartphone’s, soon to include quad core processing power, attackers have begun to broaden their focus on exploiting desktop and laptop computers and are now targeting mobile devices for their Botnets.

Smartphone’s are the perfect target. They are small, powerful, mobile, and best of all thriving with connectivity. Their size and mobility make them great for spreading malware throughout multiple corporate and public areas, anywhere someone might travel to and connect to an open, unencrypted Wi-Fi network. Their increasing processing power has made them just as suitable as higher powered machines for running various attacks and malicious campaigns. Best of all, the connectivity and … Read More »


Fool me once shame on you, fool me twice shame on you

Posted on January 25th, by Ken Kousky in Security Blog. No Comments

It looks as though 2012 is not only gearing up to be the year of cloud computing and healthcare information security concerns but also the year of continued phishing attacks and scams. Here is my most recently received scams (among the many other banking phishing attacks that roll in on a daily basis). It seems I have won the Texas Lottery, again!

These scams are much simpler to spot than some of the most sophisticated phishing scams I have seen. Take a look at a few of the key indicators:

In this cyber world I guess it only makes sense that they begin running a lottery based on email addresses, right?
I am addressed as Stake Winner – You would think that my winning $800,000.00 would at least warrant a name look up by the Texas Lottery Commission.
Google Translate is getting pretty good … Read More »


Trouble keeping up with the industry? IP3 Inc.’s CPE ToGo Program is here to help

Posted on September 9th, by Ken Kousky in Security Blog. No Comments

The past year has been plagued with a variety of new attacks. The most influential being Operation Shady RAT and its attack on over 70 organizations, the theft of RSA’s SecureIDs, and the DigiNotar hack that resulted in the compromise of numerous SSL certificates. All of these attacks have one thing in common. They are all Advanced Persistent Threats (APTs). APTs are a new breed of attack taking the IT industry by storm. They are carefully monitored, resilient to defense, polymorphic and incredibly successful. But these attacks are after much more than a few SecureIDs or SSL certs, the true target is the information these assets allow their attackers to access. With one SSL cert, attackers are able to spawn an infinite amount of fake websites and lure in unsuspecting victims who submit valuable personal data and banking data to … Read More »


So much for the chain of trust

Posted on August 30th, by Patrick Snyder in Security Blog. No Comments

We all know digital certificates are meant to keep us safe while browsing the web. They are installed on our systems from birth, require digital signatures to be altered, and establish a supposedly unbreakable chain of trust. But what happens when that chain of trust is in fact compromised? What happens when a digital certificate falls into the wrong hands?

Hackers have recently obtained Google’s digital SSL certificate from DigiNotar, a Dutch certificate authority. Proof has already been flaunted on pastebin.com of this valuable takeover. It is still unclear how the certificate was obtained. There may have been a possible breach on DigiNotar’s website allowing access to the certificate or there may have been a lack of oversight by DigiNotar. Either way this event presents a significant security risk to users.

This certificate allows the hackers a trusted reputation for each of … Read More »


Earthquakes, Hurricanes, and a Crumbling Infrastructure

Posted on August 24th, by Patrick Snyder in Security Blog. No Comments

The recent 5.9 magnitude earthquake in Mineral, VA was a complete surprise to those within its reach. Although damages were minimal this still reminds us of the importance of disaster recovery and business continuity planning. So far reports only show minimal injuries, a safety shutdown of local nuclear plants, and some cell network disruption. These effects are minor as compared to other major disasters. The most important thing we must take from this event is that these things can happen anywhere and everyone must be prepared.

Your office may not be near a fault line, in tornado alley, or along hurricane path, but these natural events do deviate from their means from time to time. In a way there is no 100% safe place to be. It is always a good practice to plan for every disaster possible and not just those … Read More »


Amazon takes aim at cloud compliance issues with GovCloud

Posted on August 18th, by Patrick Snyder in Security Blog. No Comments

Compliance is never easy and cloud computing only adds to the challenge of keeping up with standards and regulations. Until now U.S. government agencies have found it difficult if not impossible to get their sensitive information onto the cloud despite federal programs aimed at doing just that. The issue has always been with compliance and security. The management of sensitive data has strict regulatory requirements that must be followed in order to protect information.

A few of those important regulatory requirements are location and access control. Sensitive data from U.S. agencies is required to be stored within US boundaries and only be accessible by users residing within the U.S. With most cloud services spanning across a few continents the challenge of keeping that data contained is nearly impossible.

Amazon Web Services hopes to defeat this challenge with their newly announced GovCloud offering.

A description from Amazon Web Services about … Read More »


Cloud Risk: Placing all of your eggs in one basket

Posted on August 8th, by Patrick Snyder in Security Blog. No Comments

It’s 2a.m on a Monday, the workweek starts in 6 hours, and your cloud service provider just notified you that their services are down. What do you do?

This is the same question European consumers were asking themselves when Amazon’s EC2 cloud services and Microsofts BPOS cloud services were taken out by a lightening strike in Dublin early this week.

Despite a proper disaster recovery and business continuity plan developed by these cloud providers, things do not always go as smoothly as they look on paper. Amazon has backup generators that should have powered up in perfect synchronization to cover the power loss however, the lightening strike was so substantial it knocked out the phase control system which synchronizes the power loads. Thus the backup generators had to be powered up and load managed manually resulting in a noticeable outage for customers.

This is something for cloud services consumers … Read More »


Break out the RAT traps, there is shady business afoot

Posted on August 4th, by Patrick Snyder in Security Blog. No Comments

Forget about LulzSec and Anonymous. Those political hacktivist groups are only amateur script kiddies compared to hackers recently revealed by McAfee. The newly discovered groups five year long attack, which struck at least 72 identified organizations, seems to have originated out of China, although no official location has been determined.

Dubbed Operation Shady RAT, which stands for remote administration tools, employs spear phishing techniques which mimic legitimate email messages (just as many other phishing attacks do), then once users open attachments their systems become infected with malware allowing them to be controlled by a command-and-control server hosted by the hackers. Unlike other attacks we have seen, this hacking group doesn’t seem to be out for laughs or a quick payout. It’s data mining they are after, and lots of it.

The longevity of their attacks has led to the compromise of petabytes worth of … Read More »


Those who fail to plan for Cloud should plan to fail

Posted on July 15th, by Patrick Snyder in Security Blog. No Comments

Although early cloud computing adopters boast of its cost savings, there seems to be a catch that many organizations are not prepared for. The cost savings in IT is no myth, your organization will save on its IT budget however this money saved may not be going directly into your pocket right from the start. This money must be reinvested and distributed among other company resources to ensure a safe transition to the cloud. These other resources include security and auditing. Without receiving corporate permission to increase these budgets and implement a new approach to measure cloud security, the transition can fail and the result will be reports showing a lack of funding and lack of security.

The unexpected “reinvestment clause” regarding a cloud transition has taken many federal organizations by surprise. Since the recent cloud-first mandate by United States Chief … Read More »


How to ruin VoIP security

Posted on June 29th, by Patrick Snyder in Security Blog. No Comments

Most recently, with our advancement in mobile technologies and IP networks, we have been able to expand our available communication channels to include many new technologies. Mobile email, mobile instant messenger, texting, and VoIP chat are rapidly replacing our more standard communication networks such as postal services and Plain Old Telephone Service (POTS). With these new technologies we have been able to introduce an advancement in security over previous mediums including networked encryption of communication channels, encrypted voice data, etc. But there was one thing we forgot when introducing these new technologies, they all must fall under the same communications laws and Privacy Acts we had for our older communication media. Compliance with these laws will very well unravel the entire security structure we have put in place.

I’ll give you an example, one being Skype. Most recently since their $8.5 billion acquisition of … Read More »


Hacking group gets their ‘Lulz’ thanks to poor security

Posted on June 16th, by Patrick Snyder in Security Blog. No Comments

Lulz Security, a seemingly innocent name you may actually confuse for a legitimate security company, has rapidly been boosting their hacking reputation since early 2011. They have managed daily hacks on dozens of websites all across the internet and even managed to set up call forwarding attacks on many customer support lines. Some of the most notable being hacks of Sony, the US Senate, the FBI, and the CIA. Many of their attacks have been simple perimeter breaches of security, things that many security professionals should have secured a long time ago.

These hacks highlight the waste of time many security managers spend attempting to secure only their outer defenses. True security should live directly around your most precious assets. The security method deployed by most sites hit by LulzSec have been primarily perimeter based security. This type of security is like building a wall … Read More »


Corporations begin biting their nails over IPv6

Posted on June 7th, by Patrick Snyder in Security Blog. No Comments

For those that don’t know, tomorrow is world IPv6 day. A day when over 400 corporation, government, and university websites will switch their networking over to IPv6 protocol for a 24 hour period. The changeover will signify the start of a new generation of internet protocol and hopefully give credit to the IPv6 system, which has been driven into the market since 1999. With the now imminent depletion of all existing available IPv4 addresses, IPv6 day aims to push the remaining non-conformers over to the new system and bring much more attention to it as a necessary protocol. Though this will be a landmark day due to its introduction of the largest wide scale implementation of IPv6 to date, it could also be D-Day for the largest wide scale implementation of DDoS attacks.

Though the trial changeover will only last from 8:00p.m. tonight … Read More »


Pentagon’s “Big Stick Ideology” Meets its First Test of Willpower

Posted on June 6th, by Patrick Snyder in Security Blog. No Comments

No more than a week after the Pentagon’s military threats in the event of a cyber attack, the U.S. receives its first test of might.

Paul Sand, Vice President, IP3 Inc., offered this statement:
“Last week, IP3 assessed the Pentagon’s decision to consider a cyber attack as an act of war. We clearly determined that there was no strong strategic or tactical benefit for doing so. Apparently, a cyber attack on the Atlanta InfraGard Chapter was launched in retaliation for the Pentagon’s aggressive stance.  Taking action that raises your profile without any clear benefit is usually a bad move.”

I’m sure most of you have heard the ancient Japanese proverb, “The nail that sticks out gets hammered down.” The U.S. government may have just targeted themselves as that very nail. By introducing such a strong statement, we have invited other less agreeable entities to test … Read More »


Mobile browser security is a spoof

Posted on May 31st, by Patrick Snyder in Security Blog. No Comments

Since when does innovation call for imitation of security? In todays world users demand portability. This involves designing devices and services to operate on much smaller platforms. Which means taking that 15 inch laptop from the office and crushing it down to a 4 inch pocket sized supercomputer, not only that but also taking those web browsers and applications and stripping them down to their minimal aspects to ensure lightweight, simple operation. In the process of stripping down these devices we are leaving out an important aspect, the security.

Although the convenience of having a pocket sized computer seems to trump most of our performance concerns we are actually giving up more than we can afford. Full sized devices offer us many integral features which we now take for granted. These features include security checks and warnings which are key to our … Read More »


In the trenches of 21st century Cyberwar

Posted on May 31st, by Patrick Snyder in Security Blog. No Comments

The U.S. government, in statements by the Pentagon, now classifies cyber attacks on our nations infrastructure as acts of war and is implementing a strategy which will allow for military retaliation in the event of a cyber attack on the U.S.

Paul Sand, Vice President, IP3 Inc. says:

“Declaring cyber attacks as acts of war is an unnecessary escalation. While I imagine that the Pentagon is striving to achieve a deterrence effect, traditional military retaliation to a cyber attack faces some big challenges. First and foremost, attribution is a problem.  Attribution is assigning responsibility for the attack to the appropriate party.  With spoofing and masquerading exploits so readily available and easy to use, an attacker will be hard to identify and may just be aiming to trigger retaliation against a third party. So, retaliation is a  path filled with significant chances for profound mistakes.”

This statement … Read More »


Mobile Malware: Coming soon to a PC near you!

Posted on May 25th, by Patrick Snyder in Security Blog. No Comments

The evolution of mobile apps has become a viral topic among technologists. Developers are rapidly transitioning their skills from PC based programming back to the minimalist programming seen in the early stages of computing where resources were limited. There are already an estimated 350,000 apps on the Android market and more than a half-million in the iOS App Store. With these mobile app environments growing so quickly, PC companies are struggling to keep up and searching for a beneficial solution.

Enterprises have been exploring the idea of virtualization of applications to allow functionality on various platforms for a long time now. Much of this development can already be seen today on mobile devices and PCs that run Java environments to power universal applications. What they are really searching for is a solution that allows for universal operation of applications that use … Read More »


Throwing Stones in a Glass Infrastructure

Posted on February 22nd, by Ken Kousky in Security Blog. No Comments

We must all understand that the net is fragile and it can be taken down. We have seen this ‘kill switch’ in action recently in Egypt. Libya is also taking its cue from Egypt and in spite of social unrest its government has also began shutting down network access. Things are slipping out of hand very quickly but Americans can breath a sigh of relief, or can we?

It seems our government is getting ahead of this situation before we meet a similar issue. Senators Joseph Lieberman and Susan Collins reintroduced legislation that prohibits this type of ‘Internet Kill Switch’ from being initiated by the president. A right to bear arms and a right to assemble lead into our right to the net.

One issue still remains, now that this type of mass Internet blackout technique has surfaced we must not only … Read More »


Spotlight on Mobile App Security: Part 1

Posted on February 8th, by Patrick Snyder in Security Blog. No Comments

Mobile devices continue to become our main source of productivity throughout our lives. Making phone calls and checking email are one thing but now we can browse full web pages and even edit documents. Mobile apps make our lives easier and…well…more mobile.

In todays world it is hard to find a task that cannot be completed in the palm of your hand. We can now conduct entire business meetings from an iPad, monitor our servers remotely through our smartphones, and take care of our banking and finances all while on the run. This could be a fatal mistake if we are not careful. We need to slow down for a minute and consider some serious security implications of our mobile actions.

Physical security of these devices is key when talking about mobile security. As smartphones get smaller and smaller and our technology … Read More »


Weekend Think Tank: Cyber Warfare

Posted on February 4th, by Patrick Snyder in Security Blog. No Comments

We are living in a world of cyber war. There isn’t a single event now of days that doesn’t involve the internet. From the malicious stuxnet attack on Iranian nuclear facilities, to Operation Payback’s mass execution of the Low Orbit Ion Cannon botnet by thousands of pro-WikiLeaks supporters, even the Egyptian internet blackout, all related to some form of hacktivism or cyber warfare.

Computers and the internet have become a powerful weapon in todays world. Whether it be for financial gain, political activism, or malicious attacks. In properly trained hands a computer can be a more destructive weapon than any knife, gun, or bomb. Mind you not just anyone can walk into a gun shop and purchase a gun, but even young kids can walk into the nearest Best Buy and pick up a computer. With a click of a mouse … Read More »


Egyptian Outage Calls For Rapid Innovation

Posted on February 1st, by Patrick Snyder in Security Blog. No Comments

Egypt has pulled the plug. This topic has been overtaking our news feeds this past week. It’s time we take a look at the good, the bad, and the ugly of this situation.

 

In fear that social networking will allow protestors the opportunity to further organize their anti-government demonstration, the Egyptian government has ordered all internet services to shut down.

 

ISP services have disabled all wired communications. As of yesterday morning the final ISP service went down. What is surprisingly scary is how quickly these services can be shut down by an ISP. In a matter of minutes these companies can alter national router hub configurations and blackout the entire country.

 

Will there be any light at the end of this dark tunnel? I guess you could assume no internet service, no internet security breaches, but then again, you can’t.

 

Without internet connectivity tech … Read More »


Looks like a Re-Evolution

Posted on January 27th, by Ken Kousky in Security Blog. No Comments

New Year, New Technology, New Game, New Threats As we all have heard, 2010 was the year of game-changers. With more malicious attacks and new technology then any preceding year. But now that the rules have changed its time to get back in the game.

So far 2011 is outlining huge innovations in technology, tablet PCs will take over our offices, mobility and wireless networking are approaching a new forefront of innovation.

But as we improve our playing strategies so do our enemies. The fight to protect our emerging technology assets is not a game we can afford to lose.

Obama’s recent State of the Union address has called for huge investments in information technology innovation. Supercomputing and the advancement of technology were stressed repeatedly within his speech. This spells big things for the IT community.

Get ready for new projects, new technology, and … Read More »


The More Things Change, The More They Stay The Same

Posted on October 10th, by Ken Kousky in Security Blog. No Comments

Imagine a war where your enemy is given a prefect replica of each weapon you use. If you shoot a machine gun, they instantly get one. If you use an RPG, they get one. The more you think about it, the more untenable it becomes. That’s what our cyberwarfare looks like. Code is code, good and bad. But take our example one step farther and realize that every evil piece of code resides in the wild and can be aggregated with techniques and practices to develop ever-more sophisticated attacks.

Security is changing. We see it everywhere. It’s becoming INSTITUTIONALIZED. That scares me. Too often we begin to embed practices prematurely. A great example – we’ve institutionalized strong passwords. It will take decades to get rid of them. They’re an oxymoron. If passwords are something an individual knows that we want to … Read More »


Ken Kousky wins ‘Coach of the Year’ at ACE ’10

Posted on January 22nd, by admin in Security Blog. No Comments

The great lakes area Annual Collaboration for Entrepreneurship elected Ken Kousky as ‘Coach of the Year’.

The 10th annual event featured over 900 guests and 175 companies.  Ken was recognized for his mentoring work with students and emerging businesses throughout Michigan.  The fruits of his efforts were demonstrated by Kenneth Lang, one of Ken’s students, who won first place in the Collegiate competition and a $1,000 prize for his elevator pitch.  His presentation was based on a project he had done in Ken’s class two years ago and is now developing into a complete business.
Congratulations to Ken on achieving this honor.


Apple Keyboard Exploit a Concern?

Posted on August 16th, by Ken Kousky in Security Blog. No Comments

Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the keyboard. This could be a serious problem, and now that the presentation and code is out there, the bad guys will surely be exploiting it.

The vulnerability was discovered by K. Chen, and he gave a talk on it at Blackhat this year. The concept is simple, a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working ram. For the intelligent, this is more than enough space to have a field day.

I wouldn’t loose sleep over this or get worked up about Black Hat demonstrations. Compensating controls that continue to provide security in depth in this case would include network and host  IDS/IPS so that the keystroke log files might be found stored on the host or being transmitted out of … Read More »


IA

Posted on June 23rd, by Ken Kousky in Security Blog. No Comments

To many, IA refers to information assurance. I really like this term much better than information security since it speaks to the broader concepts of informational integrity and places emphasis on a far-more committed and positive notion - assurance.

However, to others there is an equally important I and A. This is integrity and availability, two of the three traditional goals of security represented by the famous triad c-i-a. For far too long, information security has focused almost exclusively on the “c”, confidentiality. In far too many aspects of our modern digital age, integrity and availability are as important or often more important.

I’ll never forget a meeting with a retired hospital CEO who scolded me on the destructive influence and operational damages brought by information security professionals who thought HIPAA was about privacy and confidentiality rather than portability and efficiency.

One of … Read More »


Pandemics and Continuity

Posted on May 17th, by Ken Kousky in Security Blog. No Comments

In our Strategy to Reality workshops, we’ve spent a lot of time discussing the growing commitment to risk management in most of our enterprises. This has to be seen as an extremely valuable process. However, as we rush to be more risk aware, we may be encountering another aspect of TMI (too much information - see the May 4th posting). There are simply too many things that can, and at some point in the future, may well go wrong. It is this uncertainty of outcomes and the potential problems we face that shape our thoughts and planning on risk.
In the context of far greater concerns about risk, our preparedness for a flu pandemic is a vital issue.

For the most part, surveys on the question suggest that there is indeed a substantial


More RSA and More on Data Loss Prevention

Posted on May 17th, by Ken Kousky in Security Blog. No Comments

Is it more polite to say data “leakage” prevention rather than “loss”? We know that what leaks might be recovered, and since we usually still have a copy, isn’t it a bit bold to call it a “loss”? Sure there were terabytes of data on the most expensive weapon ever developed, but the report in the Wall Street Journal made clear that it wasn’t ALL of the data, so maybe that’s just a leak. And we still have the original data. But, like TMI and TLI, using three letters saves us the debate all together. Let’s just go with DLP.

Of course, once you’re in the DLP space, you’re touching PCI-DSS compliance and that’s a nice slippery slope into the whole realm of protecting electronic health and medical records (the difference here is important, but we’ll save that for another posting). … Read More »


TMI

Posted on May 3rd, by Ken Kousky in Security Blog. No Comments

I just learned some new texting shorthand from my daughters - TMI, meaning too much information.

I also began texting myself for the first time while working the floor at RSA.
So, it got me thinking ….

Too Much Information
Too Much IP (intellectual property easily stolen over the net)
Too Much Infrastructure
Too Much Interconnectivity
Too Much IP (internet protocol connections)
Too Much Indifference

Or maybe it’s really about what we don’t have enough of?

Has anybody ever used TLI? And that got me thinking that it wasn’t just for too little information.

Two weeks ago when I returned from RSA I was both disappointed and discouraged. While the economy may have taken a small toll on the attendance and exhibitors, what really stood out was a lack of imagination. Shortly after 9/11, I heard Richard Clarke use that expression, a lack of imagination. We failed to think outside the … Read More »


The Governmental Response

Posted on April 16th, by Ken Kousky in Security Blog. No Comments

Any student of modern history must understand that when bad things occur, in particular when there are systemic failures, government happens.

While most IT security professionals are familiar with the Gram Leach Bliley Act’s requirement that personal financial information be appropriately protected, it’s impossible to understand today’s economic crisis without realizing the profound impact that GLBA had in deregulating or de-governing the American financial system. Not only did GLBA open the door for the evolution of derivative markets, it allowed banks and financial institutions to create highly flexible but highly de-governed and deregulated enterprises. The traditional regulated mortgage industry was replaced by unregulated and thus de-governed for a deregulated and de-governed financial industry. It was a disastrous failure!

The primary concerns of IT security professionals should be foresight in organizing and preparing for a massive new array of regulatory oversight. Similar to … Read More »


Risk Management, Economic Stimulus and Information Assurance

Posted on January 12th, by Ken Kousky in Security Blog. No Comments

The chaos resulting from the economic disaster in our financial system and the ensuing rush to spend money to stimulate economic growth has left information assurance and IT security side-lined.

Most organizations are trying to understand the new business conditions before they allocate budgets for IT. At the same time, an increased focus on risk management, is tying up critical management resources. Much of the current work will prove to be tedious bureaucratic processes with little true economic impact. There is simply too much focus on “grand unifying methodologies”.

In the midst of these conflicting initiatives, there are several clear key critical points on which new strategies must be built.

First, the economic collapse was rooted in information assurance. The failure to have transparency in derivative contracts was an information integrity failure. Alan Greenspan and both political parties along with our major regulatories … Read More »


The Other WMD

Posted on December 14th, by Ken Kousky in Security Blog. No Comments

The possibility, even when remote, that a small band of fanatical terrorists could gain possession of the materials necessary to assemble and detonate a nuclear bomb in the United States is one of the most horrifying dimensions of risk in the 21st century. It serves to define asymmetric warfare. A war where an extremely small number of committed individuals are able to harness unbelievable power in their attacks on the most developed and prosperous nation in the world.

A related aspect of asymmetric warfare is the inability to identify and target the assailants through classical means.

A closely related concept of weapons of mass destruction (WMDs) are the tools of mass disruption. The use of such tools are often referred to as cyber warfare, and their threats have many parallels to our concerns over traditional weapons of mass destruction.

Weapons of mass disruption … Read More »


Who’s Winning the War?

Posted on August 6th, by Ken Kousky in Security Blog. No Comments

Winning the war, no this isn’t about Iraq or al-Qaeda, but it is about a massive asymmetric war raging on the Internet. Botnets now are able to claim millions of nodes to harness for malicious use, and the question we have to continually ask is how are we doing?

Today’s headlines read that 11 perpetrators allegedly involved in hacking 9 major U.S. retailers were indicted. They’re allegedly involved in the channeling of over 40 million credit cards and debit cards. We took down 11 bad guys, and the press suggests that we’ve made a major dent.

However, the Commerce Department has previously said that they believe that online fraud and crime today is larger than the illicit drug industry in the United States. The illicit drug industry has produced over 500,000 prison inmates. The war on illicit drugs costs billions of dollars … Read More »






Security Blog

Does your smartphone app discover all your accounts?

There’s a chill in the air, and it’s not just the normal fall morning breeze. In the era of NSA Prism/Xkeyscore/whatnext surveillance, and...

Ethical implications of whistle blowing

(ISC)2 code of ethics; Protect society, the commonwealth, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect...

The Great ATM Heist - is it really newsworthy?

On Friday, May 10, we saw many headlines about the latest great ATM bank robbery. Apparently these types of attacks are being regarded as...