Technology Archives

Technology

Opinion: Toppling the IoT’s Tower of Babel

November 26, 2014 Chip Block

The five most feared words in the IT support person’s vocabulary are “This. Page. Can’t. Be. Displayed.” And yet, the growth of Service Oriented Architecture (SOA) based enterprises in the past eight years means that these dreaded words show up more and more, as services from different developers and vendors are consumed by larger, up stream platforms and and integrated to provide new capabilities. In this kind of environment, “This Page Can’t Be Displayed” is a cry for help: the first indication of a problem. For enterprise support personnel, that message is often the first step in a long journey complete with Sherlock Holmes-style sleuthing to try to find which service along an orchestrated chain is the bad actor. And, unfortunately, when an application is being attacked or gets hacked, support personnel may not even have an error message to go on. In both cases, the major roadblock for support and incident response staff is that application developers or development […]

Strategies for Securing Agile Development: An Online Conversation

November 19, 2014 Paul Roberts

There’s no question that agile development methods, which emphasize collaboration and shorter, iterative development cycles, are ascendant. Many factors contribute to agile’s growing popularity, from constrained budgets to increased user demands for features and accountability. Though traditionally associated with small and nimble software and services startups, agile methodology has been embraced by organizations across industry verticals – many (like John Deere) whose name doesn’t scream “app store” or “Silicon Valley Startup.” But if agile is here to stay, a nagging question is how to pivot to agile’s fast-paced and iterative release schedules without skimping on important areas like code security. After all, the conventional wisdom is that security slows things down: imposing time- and labor intensive code audits and testing on the otherwise results-driven development cycle. Fortunately, agile and secure development aren’t mutually exclusive. Tomorrow (Thursday), the Security Ledger and Veracode will collaborate on a Hangout and discussion of how to build, automate and deliver secure software using the agile […]

Biggest Threat to Critical Infrastructure? Lack of Imagination

November 18, 2014 Paul Roberts

The threats to critical infrastructure in the U.S. and elsewhere are so plentiful that even trying to enumerate them is futile (and not a bit depressing). But – if we were to rank them in order of importance – what would be at the top of that list? Clearly, as this blog has noted, software security is a major concern. Recently, the Industrial Control System CERT (ICS-CERT) warned about a sophisticated malware campaign targeting users of HMI (human-machine-interface) technology from leading vendors. In at least some cases, the systems targeted were exposed directly to the Internet, making compromise simple. In other cases, industrial control system software is deployed with default administrator credentials, or easy to guess passwords. In other words: while some attackers are persistent and clever, many critical infrastructure owners make their job pretty easy. So, perhaps, its not software insecurity that belongs at the top of the list, […]

U.S. Weather Systems Victims of Cyber Attack

November 12, 2014 Paul Roberts

The Washington Post is reporting that hackers from China breached the network of the National Oceanic and Atmospheric Administration (NOAA) in September, forcing cyber security teams to seal off data vital to disaster planning, aviation, shipping and scores of other crucial uses. The article cites sources within the government and Congress. The intrusion occurred in late September. However, NOAA officials gave no indication that they had a problem until Oct. 20, according to three people familiar with the hack and the subsequent reaction by NOAA, which includes the National Weather Service. According to the report, NOAA officials believe that actors based in China are responsible for the attack. The report also claims that efforts to respond to it resulted in an interruption in some key services, including NOAA’s National Ice Center Web Site, a partnership with the U.S. Navy and U.S. Coast Guard to monitor conditions for navigation. That two-day outage skewed the accuracy […]

IoT Security: The Next-Generation Matters Now

November 11, 2014 Marc Blackmer

As a cyber security professional, I spend most of my days speaking with customers and colleagues about all of the nefarious ways “the bad guys” can wreak havoc and how we can best defend ourselves. The topics we discuss often include situational awareness, defense-in-depth, threat intelligence, and new cyber security paradigms we may find ourselves adopting as the Internet of Things (IoT) evolves. I would assert that these are extremely important topics to sort out. But there’s a very important element not being discussed: the question of who will sort them out. Simply put: what difference does it make if you have the world’s greatest technology if nobody in your organization knows what to do with it? Cisco estimates that there will be a deficit of one million skilled cyber security professionals over the next five years. By 2015, 90 percent of jobs in the developed world will require some set of […]