With the annual Black Hat event in Las Vegas, the global Internet community celebrates its felons.
Like physical combat, Internet security requires a good understanding of enemy black hat strategies.
Last week saw Las Vegas hosting the 15th annual Black Hat event. From its inception in 1997, Black Hat has grown from a single annual conference in Las Vegas (still the main event with the highest stakes) to a global conference series with annual events in Abu Dhabi, Barcelona, Las Vegas and Washington, DC. From its nefarious roots, it spouts uncomfortable truths about the insecurities we face every day as global net workers. It’s difficult to find any other industry where crime and passion are so closely aligned and where ‘respect’ and ‘respectable’ are terms so far apart. Cyber-warfare for profit and power lacks any basic ‘Geneva Convention’ that could specify global rules of conduct and the means to prosecute felons. (Excerpt from “Black Hat Roundup: Keeping Tabs on the Ones That Got Away”)
The lack of cloud security standards and the expanding range of cloud providers complicate RFPs.
The Current Analysis Cloud Security Study shows IT SPs ahead of carriers and the U.S. ahead of Europe.
The decision to migrate to the cloud is complicated by the expanding number and variety of cloud service providers (typically carriers, IT SPs, vendors, or dedicated cloud SPs), each with its own legacy of strengths and weaknesses, coupled with a dearth of specific cloud security standards to put into a request for proposal (RFP). Apart from PCI DSS in the retail sector and FedRAMP for the delivery of cloud services to the U.S. government, security standards pertaining to cloud services are related to general business process quality (ISO 9000), data center management processes (ISO 27001-5), auditing (SSAE 16), and a slew of more vertical industry-specific requirements around handling of sensitive personal data. Corporate customers are still relying on best-practice guidelines from standards bodies such as NIST in the U.S. and ENISA in Europe, as well as user/industry forums such as the Cloud Security Alliance with its Cloud Matrix tool. Still, what does the cloud security playing field look like from the service provider side? How can providers assess their service offerings against amorphous customer requirements, and against the other providers in the market? (Excerpt from “Hunting for Big Data in Cloud Services: Customers Need a Better Security Standards Map”)
High-profile outages, apprehension about data security, and compliance questions make many enterprises wary about moving mission-critical workloads to the cloud.
Yet, the flexibility, efficiency, and geographically dispersed nature of the cloud may make it a cost-effective disaster recovery/business continuity option for organizations, large and small.
There is more than a little push/pull element to the cloud. Businesses are drawn to the flexibility, lower cost, and simplicity which the on-demand model promises. However, there is enough mystery in the cloud to raise questions about security, as well as enough headline-making outages to put up red flags about stability. Incidents such as Amazon Web Services’ twin outages this past summer, which impacted both small customers and marquee businesses such as Netflix, make customers of all sizes wary about the cloud.
Provide simple security commandments to follow under pain of dismissal
The most compelling briefings at this year’s RSA Security Conference in London were focused on how companies can make the journey from their governance, risk and compliance process and the resulting security policy to actually making it work throughout their enterprise, where getting people aligned with security is a real sticking point. It’s not that employees actually want to spill company secrets – mostly, they just want to be helpful to ‘perceived’ colleagues. How many times do we actually read error messages or listen to security warnings? How often do we reflect on the veracity of a caller who seems really nice and obviously knows a lot about the company? (Excerpt from “Social Engineering – Industrialized Exploitation of Human Helpfulness”)
Poison in the Well: APTs threaten basic Internet trustworthiness
Head for the cloud (services), but look for open standards to avoid vendor lock-in
Network-centric cloud services are emerging as the new computing paradigm for performance-hungry, cost-conscious business customers. Recent surveys show that businesses are looking at the full span of private, hybrid and public cloud services in their adoption plans. Yet, most IT security professionals express serious and legitimate concerns about the security of cloud services, as well as how cloud adoption can adhere to corporate governance, risk and compliance (GRC) policies. IT security professionals are also increasingly alarmed by advanced persistent threats (APTs) that are undermining the very structure of the public Internet.