InfoSec Blog

Find valuable news, tips, and guidance in information security.

Environmentally Conscious Security: Painting Information Security Green

Posted by: JurInnov | Posted on: February 16th, 2012 | 0 Comments

Eric Vanderburg

Information Security Green

Historically, ecological concerns have been significant drivers for change. Topics ranging from global warming to protecting endangered species carry a strong emotional appeal and so motivate both business and personal change, with the ultimate goal of protecting the environment. These environmental initiatives have been termed "green initiatives," and they reach IT in the form of "green computing." The popularity of green computing stems not only from environmental concerns but also from financial ones: a primary goal of many green computing initiatives is to reduce power consumption, which has a direct impact on the bottom line.

A Certified Lack of Confidence: The Threat of Rogue Certificate Authorities

Posted by: Eric Vanderburg | Posted on: February 9th, 2012 | 0 Comments

Eric Vanderburg

Threat of rogue certificate authorities

For more than a decade, digital certificates have made it possible to authenticate the identity of computer systems, data, and web sites by binding a public key to an identity such as an owner's name. The process relies on trust. "Secure" (HTTPS) websites present such a certificate to prove their identity. The certificate is usually procured from a company, a certificate authority (CA), that verifies the identity of the organization administering the site. The certificate issued to that organization is signed either directly by a trusted root certificate authority or by an intermediate authority whose own certificate was signed by the trusted root. This chain of certificates is called a certificate hierarchy, or chain of trust. The root certificates of a small group of trusted certificate authorities ship preinstalled with the operating system and browsers; these authorities include names such as Equifax, VeriSign and Thawte. Because any one of those roots can vouch for any web site, a single compromised or negligently run authority can issue a certificate for a site it has no relationship with. So what happens when the system breaks down?
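To make the trust model concrete, here is an added example that is not part of the original post. The Go program below (standard library only, no network) builds two certificate hierarchies offline: a legitimate root with an intermediate that issues a certificate for www.example.com, and a second, rogue root that issues its own certificate for the very same host name. It then verifies both leaf certificates the way a browser would, first against a trust store holding only the legitimate root, then against a store into which the rogue root has been installed. The host name, CA names and sequential serial numbers are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certAndKey pairs an issued certificate with the private key that controls it.
type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var nextSerial int64 // sequential for the demo; real CAs use large random serials

// template describes a CA certificate (ca=true) or a TLS server certificate for host name.
func template(name string, ca bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // server certificate: name is the host it is valid for
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh key for tmpl and has parent sign it; a nil parent yields a self-signed root.
func issue(tmpl *x509.Certificate, parent *certAndKey) *certAndKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certAndKey{cert: cert, key: key}
}

// pool builds a certificate pool, the stand-in here for an OS or browser trust store.
func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// verifyChain checks leaf the way a browser does: it must chain through the
// intermediates to a root in the trust store and be valid for host.
func verifyChain(leaf *x509.Certificate, intermediates, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: intermediates})
	return err
}

// Outcome records the three verification results the demonstration is about.
type Outcome struct {
	LegitLeafAccepted bool // legitimate chain against the legitimate trust store
	RogueLeafRejected bool // rogue CA's certificate against the legitimate trust store
	RogueLeafAccepted bool // the same rogue certificate once the rogue root is trusted
}

// Scenario builds a legitimate root -> intermediate -> leaf hierarchy for host, plus a
// rogue root that issues its own leaf for the same host, and verifies both leaves.
func Scenario(host string) Outcome {
	root := issue(template("Trusted Root CA", true), nil)
	inter := issue(template("Trusted Issuing CA", true), root)
	leaf := issue(template(host, false), inter)
	rogueRoot := issue(template("Rogue Root CA", true), nil)
	rogueLeaf := issue(template(host, false), rogueRoot)
	return Outcome{
		LegitLeafAccepted: verifyChain(leaf.cert, pool(inter.cert), pool(root.cert), host) == nil,
		RogueLeafRejected: verifyChain(rogueLeaf.cert, pool(), pool(root.cert), host) != nil,
		// One rogue or compromised root in the store is enough: the forged certificate now verifies.
		RogueLeafAccepted: verifyChain(rogueLeaf.cert, pool(), pool(root.cert, rogueRoot.cert), host) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario("www.example.com"))
}
```

The second and third results are the point of the post's title. The rogue certificate is rejected only for as long as its root is absent from the trust store; nothing in the certificate itself marks it as forged, and a relying party cannot tell which of the preinstalled authorities the site owner actually dealt with. Once a rogue or compromised root is trusted, by malware, a careless administrator, or a vendor shipping it, a certificate the site owner never requested verifies exactly like the legitimate one.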

Risk Homeostasis: Is Risk Reduction a Pipe Dream?

Posted by: JurInnov | Posted on: February 3rd, 2012 | 0 Comments

Eric Vanderburg

How often do you speed? What is your investment strategy? Answers to questions like these provide insight into an individual's level of acceptable risk. We embrace or avoid risk, consciously and unconsciously, according to how much of it we are willing to accept, and this tolerance applies to the use of computers as well. With the constant influx of new threats and the implementation of new security controls, the level of risk employees perceive fluctuates, and with it their risk-taking behavior increases or decreases to compensate.

Is Your TV a Security Risk? Embedded Devices May be the Next Target.

Posted by: JurInnov | Posted on: January 26th, 2012 | 1 Comment

Eric Vanderburg

Internet TV Blu-ray Security

The latest televisions and Blu-ray players ship with more than high-definition video and audio. Internet access and a host of new applications are built in to run directly on these devices. A popular built-in feature is wireless networking, which lets the user avoid plugging in an Ethernet cable. Accessing the internet and your favorite apps directly from your TV is convenient. However, what security risk does this pose?

Stop Hoarding! Improve Security, Efficiency and the Bottom Line through an Effective Data Retention Policy

Posted by: JurInnov | Posted on: January 19th, 2012 | 0 Comments

Eric Vanderburg

Organizations are accumulating data at a pace that would make a hoarder blush. Just like that old bicycle seat stored in the attic, data is often kept "just in case it may be needed someday." This practice, however, comes at a cost.

Some organizations assume that storing data is inexpensive, especially given the steady decline in hard drive prices. The fact is, however, that data is expensive to keep. Organizations spend a significant portion of their time managing, archiving and securing data. Data is housed on servers, each of which must be maintained. It is archived regularly according to the organization's backup schedule, and it is audited and secured against loss. Each of these activities consumes the time of (and therefore increases the cost of) those in information management. Retained data is also exposed data: every record kept beyond its useful life is one more record that must be protected and that is lost if a system is breached.

Measuring Success with Security Metrics

Posted by: Eric Vanderburg | Posted on: December 14th, 2011 | 0 Comments

Eric Vanderburg

Try to imagine a world without metrics. The temperature would only be "hot" instead of 95°, or a project would be "in progress" instead of 75% complete. Metrics provide an effective way to keep track of vital information. They are particularly useful for identifying trends and measuring the progress of activities. When used effectively, security metrics provide a uniform way to make decisions and to measure progress in information security.

Information Security Compliance: ISO 27000

Posted by: Eric Vanderburg | Posted on: December 7th, 2011 | 0 Comments

Eric Vanderburg

The last two articles on compliance covered the Health Insurance Portability and Accountability Act (HIPAA), with its ramifications for healthcare providers and business associates, and the Payment Card Industry Data Security Standard (PCI DSS), which sets requirements for securely handling cardholder data. This article outlines the ISO/IEC 27000 series of information security management standards and its benefits for organizations.

Defending Against DDOS (Distributed Denial-of-Service)

Posted by: JurInnov | Posted on: December 1st, 2011 | 0 Comments

Eric Vanderburg

"The site is down!" These are haunting words for most businesses, and they lead into today's topic: the DDoS (Distributed Denial-of-Service) attack. This particularly nasty type of attack attempts to disrupt the availability of systems by overwhelming servers, saturating bandwidth, or exhausting other resources. Your business most likely relies heavily on specific systems; this article gives an overview of the DDoS attack that could take those key systems down and of techniques for combating it.

Transferring Information Security Risk with Cyber Insurance

Posted by: Eric Vanderburg | Posted on: November 16th, 2011 | 1 Comment

Transferring Information Security Risk

Eric Vanderburg

There are four ways of dealing with risk: avoid, mitigate, accept, or transfer. Avoiding a risk involves changing procedures or systems so that the risk no longer applies, such as retiring obsolete encryption protocols so that their weaknesses can no longer be exploited. Risks are mitigated by implementing security controls. If a risk is within acceptable levels it can simply be accepted. Lastly, risks can be transferred, primarily through insurance.

Preventing the data breach: A dozen steps to protect against data loss

Posted by: JurInnov | Posted on: October 27th, 2011 | 0 Comments

Eric Vanderburg

Losing data can be devastating to a company: it can compromise security, information, and jobs. Today we will look at twelve actions a company can take to mitigate the risk of a data breach. These twelve steps are essential to a company's security program: performing a risk analysis; asset identification and classification; attention to detail; encryption; managing social networking; compliance; management of personnel; least privilege; solution diversity; tracking mobile devices; data destruction; and testing.
