Monday, February 17, 2014
Nothing new here, but every security breach fails in one (or more) of these areas.
The Target PoS Attack: Gleaning Information Security Principles
The Elements of Prevention, Detection, and Protection Must All Work Together
While there are always new and interesting things unfolding in the information security world, there are a handful of developments each year that are like something out of an edge-of-your-seat Hollywood blockbuster, or a gripping novel that ratchets up the suspense level with each page. Over the last few months, it is hard to argue that any event has been as captivating -- or triggered more passionate discussion within and beyond the information security community -- than the high profile Point-of-Sale (PoS) malware attack at retail giant Target.
Much has been written about this headline-grabbing attack, and there will be plenty more discussion and analysis to come. Despite the fact that I am very interested in what unfolds here, both as the CTO of my company, and as someone who has been a member of the security community for over a decade, I am not going to focus on the latest news. Instead, I would like to take a step back from the riveting details, and highlight four key information security principles that we have gleaned, so far, from the Target PoS attack, and that may be illuminating and instructive for enterprise security professionals:
Principle #1: An “impenetrable” security perimeter is a myth.
Principle #2: It only takes one infection for a massive, headline-grabbing breach to occur.
Principle #3: Advanced threats are designed to work in multiple attack stages.
Principle #4: Enterprises need to proactively look into their network traffic.
The first step toward better security is recognizing your risks. I wonder if the US government will do a risk analysis?
Laura Donnelly writes:
Patient confidentiality could be undermined by the new medical records database, the NHS’s own risk analysis has warned.
The controversial database could be vulnerable to hackers or could be used to identify patients “maliciously”, the document, seen by The Telegraph, states.
It says the scheme could damage public confidence in the NHS and result in patients withholding information from doctors out of fear it may not be kept confidential.
Read more on The Telegraph.
“We're from the government. We're here to help you!” A report from the “Maybe big government isn't the best solution” guys.
Federal Government’s Track Record on Cybersecurity and Critical Infrastructure
by Sabrina I. Pacifici on February 16, 2014
The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure - A report prepared by the Minority Staff of the Homeland Security and Governmental Affairs Committee Sen. Tom Coburn, MD, Ranking Member. February 4, 2014.
“In the past few years, we have seen significant breaches in cybersecurity which could affect critical U.S. infrastructure. Data on the nation’s weakest dams, including those which could kill Americans if they failed, were stolen by a malicious intruder. Nuclear plants’ confidential cybersecurity plans have been left unprotected. Blueprints for the technology undergirding the New York Stock Exchange were exposed to hackers. Examples like those underscore for many the importance of increased federal involvement in protecting the nation’s privately-owned critical infrastructure. But for one thing: Those failures aren’t due to poor practices by the private sector. All of the examples [in this report] were real lapses by the federal government.”
Amusing. Imagine my surprise when the word “messianic” was attached to a photo of John Kerry! Fortunately, clicking on the link connected to an article wherein, “the Israeli Defense Minister described Kerry as someone with 'misplaced obsession and messianic fervor.'”
Create Trending Vocabulary Lessons
Merriam-Webster's website has a neat feature called Trend Watch that highlights words that are trending in news and popular culture. Trend Watch includes an explanation of why each word is trending, a definition for the word, and a picture that is representative of either the word or the cause of the trend.
Applications for Education
Trend Watch could be a good source of words to include in the vocabulary lists students are studying in a language arts course. Trend Watch words could provide a good tie-in with a current events lesson.
Because of the wide variety of words that pop up in Trend Watch I probably wouldn't send younger students to the site on their own. Instead I would bookmark the list and select appropriate words for my students.
Something those of us who like W3Schools should look into. Worst case, they list several alternatives.
W3Fools feels that W3Schools is harming the online community with inaccurate information. W3Fools tries to explain why W3Schools is a troublesome resource, why their faulty information is a detriment to the web, and what you (and they) can do about it.