As a cyber security professional, I spend most of my days speaking with customers and colleagues about all of the nefarious ways “the bad guys” can wreak havoc and how we can best defend ourselves. The topics we discuss often include situational awareness, defense-in-depth, threat intelligence, and new cyber security paradigms we may find ourselves adopting as the Internet of Things (IoT) evolves. I would assert that these are extremely important topics to sort out. But there’s a very important element not being discussed: the question of who will sort them out. Simply put: what difference does it make if you have the world’s greatest technology if nobody in your organization knows what to do with it? Cisco estimates that there will be a deficit of one million skilled cyber security professionals over the next five years. By 2015, 90 percent of jobs in the developed world will require some set of […]
Visibility is surprisingly tricky. The security industry offers many disparate tools to provide customers “visibility” into what is happening on their networks. Among them are tools that track what applications are on the network, tools for enumerating and tracking software vulnerabilities, tools for determining when sensitive data has left a network, tools that indicate when attacks are underway and tools that identify and analyze network data flows – to name just a few. Of course, layered on top of all this “visibility” are further systems that correlate and analyze what the mission-specific tools are seeing. Promises of a “single pane of glass” aside, the result is often a mishmash of data and events that require skilled security practitioners to analyze and interpret. The mishmash, in turn, leads to errors in analysis and prioritization. Albert Einstein famously said “Any fool can know. The point is to understand.” So it is in the information security industry, where a common refrain is “you can’t protect […]
I spend a lot of time at information security industry events. It’s part of my job at Cisco -visiting customers and attending and speaking at conferences. And these days, many of my conversations are focused on issues surrounding securing the Internet of Things. By and large, I enjoy this immensely. But my experience also gives me a vantage point from which to observe the cyber security and IoT security community broadly. What I’ve concluded is this: ours is a community that is made up of highly gifted and intelligent professionals with diverse, but also specialized skills. Unfortunately, ours has been – and continues to be- an insular community. I’ve come to realize that this pronounced and endemic navel gazing does us and the general public a great disservice. In fact, it may make the job of not repeating the security mistakes of the last two decades more difficult. Can we […]
In this post, Security Ledger contributor Or Katz of Akamai provides details of how malicious actors are abusing redirect vulnerabilities in popular web sites to boost the reputation of malicious sites they control. One recent attack involved the compromise of some 4,000 vulnerable web applications for the purpose of pumping up the search engine ranking of more than 10,000 malicious web sites, Katz reveals.
The Black Hat briefings made its reputation as a forum for star security researchers to unveil hair raising vulnerabilities in hardware and software. But Black Hat has become a more corporate event and collaboration is much in evidence these days. The latest example: the first roundtable discussion ever held at Black Hat. Speaking on Wednesday, Don Bailey, CEO of Lab Mouse Security, and Zach Lanier, Senior Security Researcher at Duo, facilitated a lively discussion of embedded system security before a group of attendees arranged around a table with a few more chairs off to the side. Bailey asked the audience to start the conversation, and he and Lanier then moderated the discussion. The conversation started with discussion of new secure chipsets, such as ARM TrustZone, and the fact that few institutions are using them. One factor is cost. Some organizations are gravitating toward open source chipsets such as Ardinuio, which […]