From the Blogosphere

As of yet, there is no definitive narrative of the virus that hit the U.S. drone fleet at Creech Air Force Base in Nevada this September. Original reports stated that drone cockpits had been infected with a keylogger virus and, while there was no indication that classified information ...
Another discussion from the HP Protect 2011 conference on Monday, September 12, 2011 featured Bob Gourley and HP’s Andrzej Kawalec, CTO of Enterprise Security, discussing the evolving enterprise threat environment and how it can be mitigated. Bob and Andrzej agreed on three major emer...
As a kid, my mom would constantly remind me that I was a Hawaiian Prince – a direct descendant of King Kamehameha’s grandparents and the Kekaulike (23rd Moi of Maui) line. I was born in Hawaii but grew up on the East Coast so as a kid, I was embarrassed to be of Hawaiian Royalty sinc...
In mid-2011, the American Institute of Certified Public Accountants (AICPA) established a Service Organization Controls (SOC) reporting framework in hopes of providing the public and CPAs with a clearer understanding of the reporting options for service organizations. This article pro...
When nearly half of folks experienced a stateful firewall failure under attack last year[1], maybe more of the same isn’t the right strategy.
As they endeavor to secure their systems from malicious intrusion attempts, many companies face the same decision: whether to use a web application firewall (WAF) or an intrusion detection or prevention system (IDS/IPS). But this notion that only one or the other is the solution is fau...
We often get requests for best practices related to relational database security in the context of cloud computing. People want to install their database of choice, whether it be Oracle, MySQL, MS SQL, or IBM DB2… This is a complex question but it can be broken down by asking “what’s ...
Virtualization has impacted IT in so many ways it’s hard to keep track. It’s increased ROI for many businesses, and it’s helped data centers to breathe, at least for a little while. It’s enabled IT departments to procure true expertise without having to invest heavily in training or br...
Most of what we see in day-to-day cybersecurity is not cyberwar, or the perennial threat of the ‘digital Pearl Harbor.’ Crime, espionage, political vandalism, and military “long-range cyber-reconnaissance”–rather than kinetic targeting that kills, damages, or disables–are more mundane, ...
In Part 2 we demonstrated how to decompile the Trojan’s .dex file - the compiled Android application code file. In Part 3, we show how the Trojan intercepts the messages and sends them to the drop point. In particular, we take a deep dive into these three decompiled classes: The A...
One of these days your company will start shifting compute resources to the cloud, and as you probably know, the many advantages cloud computing has to offer still leave the responsibility for data security and data compliance on you and your security team. Cloud Security tip #1: STAR...
New research conducted into the modus operandi and some of the differences between variants reveals sophisticated operations now focusing on a smaller segment of the financial services market.
The Web Application Firewall debate has been raging for a very long time, and we keep hearing the same comments going back and forth. Many organizations have implemented them as a fast-track to compliance, primarily compliance with PCI-DSS, but the developer community is still hesitant...
This four-part series presents an under the hood analysis of Android malware. This malicious mobile application is distributed via the Android’s application shop market. What does it do? The application captures incoming SMS messages before any other system application. It then posts t...
In the past, we've discussed the rise of mobile malware. More recently, Imperva’s ADC has analyzed mobile malware and our findings support the observation that we’ll see more Android malware than those targeted at Apple for two reasons: Technically, it is easier to write malware for A...
With an increasing number of devices, applications, and services on the Internet, it’s becoming more difficult to achieve network and application response times that deliver a quality user experience. This problem is not only a bandwidth issue—it’s also closely tied to network and infr...
A couple days ago, The SANS Institute announced the release of a major update (Version 3.0) to the 20 Critical Controls, a prioritized baseline of information security measures designed to provide continuous monitoring to better protect government and commercial computers and networks ...
On 28 September 2011, FedCyber.com will facilitate a one-day Government-Industry Cyber Security Summit to be held at the Newseum in Washington DC. This event is free for government cybersecurity practitioners. The FedCyber.com Government-Industry Summit will bring together thoug...
The buzz around “big data” raises concerns about the privacy of the massive amounts of data collected. One of our customers, a telecom company in the U.S. uses our software to collect more than 60 billion messages per day from over 40 different devices. Where does this data go? How ...
As a vendor of security products, I see a lot of Requests for Proposal (RFPs). More often than not these consist of an Excel spreadsheet with dozens—sometimes even hundreds—of questions ranging from how our products address business concerns to security minutia that only a high-geek ca...
The Cloud Security Alliance (CSA), a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, recently announced that they are launching (Q4 of 2011) a publicly accessible registry that will document the se...
Application threats are constantly evolving. Recent high-profile Internet attacks on organizations like HBGary, RSA, WikiLeaks, Google, Comodo, and others prove that no one is immune. Anyone could be a target, and perpetrators are extremely organized, skilled, and well-funded. Culprits...
We’ve all seen the auto-out-of-office replies, ‘Thanks for your message but I’m out until I return – contact my boss/subordinate/someone else if you need or want anything.’ If you’ve emailed me over the last couple weeks, you’ve seen a similar note. I took some time off, then partici...
Over the past year, the trend of developing and delivering a software offering over a public cloud such as Amazon Web Services has grown dramatically. Software Vendors, both established and start-up companies, are using Infrastructure as a Service for its obvious advantages, such as co...
As customers continue their march to the cloud we have heard from a large number who want to use SharePoint Server in the cloud. Two major concerns that show up frequently are migration of existing custom deployments and data security. These organizations have spent years customizing ...
Is the cloud inherently insecure? Should we be yearning for the Good Old Days? Hackers and outages have certainly made sure it has rained on the cloud parade in recent months. Repeated attacks on Sony’s Playstation network have rekindled the debate about the security of the cloud as h...
IT security is all about trying to lower risks and increase the protection of your organization. With each new technology that comes along, there’s a new security challenge. Some of those technologies – like wireless networks or the Internet – have such an impact on security that they ...
Bob Gourley recently wrote about the dangers of a Maginot Line approach to network security in “The Maginot Line of Information Systems Security”, based on the paper by Dr. Rick Forno. In the Second World War, the French relied on the Maginot Line, a string of fortifications along t...
People who are familiar with me know that there are two things I’m not forgiving about. The first is backups, the second is security. If backups interest you, perhaps we can discuss it some other time. This time we’re going to discuss security. I’m going to outline in the following a...
Military cyber defenders face a tough challenge. Many of them have been trained in warfighting specialties like aviation, infantry, amphibious operations, submarine warfare etc, then one day they wake up with orders to a unit with operational cyber defense responsibilities. I’ve seen ...
Is your stomach turning or does it feel a calm satisfaction halfway through 2011? What seemed like a relatively calm 2011 during the first couple months has turned into a banner year of breaches. The forecast could qualify as: In like a Lamb, out like a Lion as they say. When thinki...
Attacks are ongoing, constantly. They are relentless. Many of them are mass attacks with no specific target in mind, others are more subtle, planned and designed to do serious damage to the victim. Regardless, these breaches all have one thing in common: the breach was preventable. At ...
As mainstream cloud adoption picks up pace, concerns such as security and compliance have spurred growth in the private cloud sector. New offerings in this sector seek to balance the economies of scale that a public cloud can offer with the security and control that a private cloud off...
This is the second installation on my series about Computer Network Operations (CNO). The last blog explored the actions known as Computer Network Exploitation (CNE), and as always, please feel free to comment. Today, the topic switches from exploitation to defense. Computer Network...
Not that I really needed to point this out, but security attacks are moving ‘up the stack.’ 90% of security investments are focused on network security, yet according to Gartner, 75% of the attacks are focused at the application layer and ‘over 90 percent of security vulnerabilities ex...
For years, Security Information Event Management (SIEM) has been an effective tool for optimizing the identification of security threats. However, because it rarely leverages all IT information, SIEM is unable to comprehensively scale to address the other two cornerstones of the moder...
Botnets? Old school. Spam? So yesterday. Phishing? Don’t even bother…well, on second thought. Spaghetti hacking like spaghetti marketing, toss it and see what sticks, is giving way to specific development of code (or stealing other code) to breach a particular entity. In the pas...
Designing and creating secure software is absolutely critical. It requires training, experience, education and process. In the modern world software gets very complex, and doing it securely requires a scientific approach. A discipline has arisen to meet this need. In this discipline a h...
Cloud security remains a top concern for enterprise cloud deployments. Unresolved policy and control issues make it difficult to meet the requirements of corporate security and networking teams. As a result, we frequently hear from our customers that they assume they can only put the l...
As everyone knows the big hold up for Cloud computing is the issue of Trust, of a sense of insecurity of a remote hosting environment rather than one where you can go down the hall and cuddle the servers for a nice warm glow. The NIST Recommendations Document naturally therefore incl...

