Top Stories

NIST Sets Course For Handling Sensitive Data

The Snowden leaks were a wake-up call for U.S. Government agencies that the tools and processes to protect classified and sensitive data were woefully out of step with the current environment of small, capacious storage devices and powerful cloud-based secure communications and hosting platforms. But what about all the data that is stored on systems belonging to the (many) contractors that the government works with? Last week brings some clarification: a draft document from the National Institute of Standards and Technology (NIST) “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” (Draft Special Publication 800-171). The new NIST document outlines steps for protecting sensitive unclassified federal information that resides in nonfederal information systems and environments. Those include non-federal information systems that lie outside of the scope of existing laws like the Federal Information Security Management Act (FISMA) and any components of nonfederal systems that process, store, or transmit CUI. Read more […]

Continue Reading

Surprise: Branding a Bug is just as Hard as Branding Anything Else!

ZDNet’s @violetblue has a nice piece on the new fad for naming vulnerabilities – seen most recently with the OpenSSL Heartbleed vulnerability and the “Shellshock” vulnerability in Linux’s common BASH  utility. As Blue notes, the desire to “brand” bugs “changes the way we talk about security” – in part by giving complex, technical flaws down a common referent. But does giving a bug a logo make it frivolous? As she notes: the penchant for naming vulnerabilities may stem not from a desire to trivialize them – but a very practical response to the need to keep track of so many security holes in software. Regardless, Heartbleed – and the marketing by the firm Codenomicon that surrounde it – was the bug that launched a thousand ships, including Shellshock, Sandworm, and more. Read more coverage of Heartbleed here. But, as with . As security research and incident response are becoming more lucrative, expect the masonry […]

Continue Reading

Opinion: Toppling the IoT’s Tower of Babel

The five most feared words in the IT support person’s vocabulary are “This. Page. Can’t. Be. Displayed.” And yet, the growth of Service Oriented Architecture (SOA) based enterprises in the past eight years means that these dreaded words show up more and more, as services from different developers and vendors are consumed by larger, up stream platforms and and integrated to provide new capabilities. In this kind of environment, “This Page Can’t Be Displayed” is a cry for help: the first indication of a problem. For enterprise support personnel, that message is often the first step in a long journey complete with Sherlock Holmes-style sleuthing to try to find which service along an orchestrated chain is the bad actor. And, unfortunately, when an application is being attacked or gets hacked, support personnel may not even have an error message to go on. In both cases, the major roadblock for support and incident response staff is that application developers or development […]

Continue Reading

New ZigBee IoT Standard To Replace Six Others

One of the main players in the Internet of Things communications space, The ZigBee Alliance, announced that it has merged six existing standards covering everything from building automation to healthcare to form a single standard:ZigBee 3.0. The announcement, last week, comes as ZigBee looks to compete with other emerging IoT standards. It says ZigBee 3.0 will provide interoperability among a wide range of smart devices that communicate based on its technology, laying the ground work for an expansion of IoT technologies. The new standard is being tested. According to the Alliance, the initial release of ZigBee 3.0 includes ZigBee Home Automation, ZigBee Light Link, ZigBee Building Automation, ZigBee Retail Services, ZigBee Health Care, and ZigBee Telecommunication services. The switch will impact tens of millions of devices already using ZigBee standards. However, the transition to ZigBee 3.0 will be gradual, as devices designed to use some of its constituent standards eventually transition to the unified […]

Continue Reading

Security Needs Context in IoT| SC Magazine

SC Magazine has a worthy editorial on IoT and security by John Barco, VP of product management at the firm ForgeRock on how Internet of Things (IoT) technologies requires both security and a better understanding of what Barco calls “context.”   “It’s not just about protecting IoT devices but the entire ecosystem, from the customer to the partner, the web page, mobile device, mobile app, the cloud and everything else in between,” he writes. Organizations that do not grasp the complex interactions between static devices, mobile devices and (of course) the cloud risk leaving sensitive, regulated data or intellectual property at the mercy of malicious actors. Barco’s recommendations? More and better user authentication to support IoT use cases outside the firewall, and future-proofing your IoT deployment by eschewing proprietary platforms and technologies. To quote Barco: “open source gives IT a platform it can build on and customize, while open standards offer the flexibility to adapt to future […]

Continue Reading
1 172 173 174 175 176 216