
Cyber Security Blog Posts


A comprehensive collection of Cyber Security related blog posts by Digital Management, Inc. (DMI)

Security breaches: Who’s to Blame?
The Internet of Things (IoT) to get Hacked
Bringing Framework to Mobile Security
DMI's Rick Roach on cyber and more
Cybersecurity Solutions Government Insights
Don't Get Caught with One Hand in the Cookie Jar
Safe Harbor: A Call for Powerful Privacy Solutions
Privacy in Pole Position
Innovation through Hackathons – A 3-Step Guide
Cybersecurity Solutions
Do you Really need a Blackphone?
DMI Integrates Privacy Offering to Provide Guidance and Strategic Input to Enterprises
2015: AFCEA Defensive Cyber Operations Symposium

2015: AFCEA Defensive Cyber Operations Symposium

Important Update: The AFCEA Defensive Cyber Operations Symposium has been rescheduled for June 16-18 at the Baltimore Convention Center. We are happy to share this news and look forward to a successful event. Our mission partners remain strongly supportive and will be with us in Baltimore. The U.S. Defense Information Systems Agency’s new operational role in the cyber domain as network defender creates a formal relationship between DISA, U.S. Cyber Command and the command’s military service components. Linked by a commitment to cybersecurity, this community of partners will gather at the 2015 Defensive Cyber Operations Symposium, June 16-18, 2015, at the Baltimore Convention Center, Baltimore, Maryland. The operational theme centers on the teamwork, relevant guidance and priorities, and associated perspectives of mission partners united in the development of an integrated approach to operating and defending the network. Participants will include:

Security Education, what is the right approach to train developers?

In a feature article on the Software Advice website about the Future of Security Education, I was part of a small group discussing the problem of producing better developers who can code more securely, to help alleviate the application exploits we are seeing in the headlines.

New York City Taxi movement data, reveals more information than you think, if you use it right. Same goes for Security Event data.

In a very interesting and detailed blog post, a researcher at Neustar performed analytics on the open source data provided by the New York City Taxi and Limousine Commission, logging all trips driven by NYC taxis in 2013. Access to this information can be tremendously useful for city planning: to determine traffic patterns, time and seasonal differences in traffic, which roads are used most and might require more timely maintenance, etc.

Bringing a Framework to Mobile Security

I’m often asked, “What is the best tool to secure my mobile devices?”

My answer is always: “Secure from what?” Unfortunately, in the security industry people equate security with tools, and happily buy technologies with claims of protection instead of first determining what they need to be protected from.

Mobile Application Security

On Thursday, August 14th, I’m speaking on a webinar for the Multi-State ISAC about mobile application security. The webcast is at 2pm EDT; link to register here if you are interested. This is the third time I’ve supported webcasts for the MS-ISAC (previous webcasts were about APT in December 2013 and Risk Management in December 2010), but this is the first time I’m the sole presenter, for which I’m honored. The MS-ISAC is the cyber security information sharing and collaboration body for state, local and tribal governments. It plays a critical role in helping these often underfunded organizations by providing alerts to cyber threats, by coaching how to mitigate them, and by providing critical security training to help improve their capabilities. My topic is application security, with a focus specifically on mobile.

Is Your Cat Selling You Out?

WWDC & IoT & Security – Should I Cringe Now?

Earlier this week Apple had the kickoff of their Worldwide Developers Conference (WWDC), which is always interesting to watch, as they highlight what new features will be coming out in their operating systems and what new tools they have created for developers to continue to make more apps.

This year, the themes were device integration, collaboration, and extensibility. All things that make a security guy cringe. Apple is moving to more collaboration among their devices, and extensibility to allow apps to interact with each other, whereas they were sandboxed before. New enhancements will enable collaboration among your family members to share photos, music, apps, and calendars seamlessly. They also announced their platform, Healthkit for health monitoring on the mobile device. It’s not unique to Apple; Google and Microsoft are walking down the same path as well, where all our personal devices are seamlessly connected with each other and with IoT devices around us.

The Internet of Things to get Hacked.

Verizon Data Breach Report – What’s interesting?

I used to work in the security practice at Verizon Business in the mid 2000s.

I was there when Verizon bought Cybertrust and inherited the forensics team from whose efforts the Verizon Data Breach Investigations Report (DBIR) data is derived. When they put out the initial report in 2008, it was the first time someone in the security industry had analyzed and published real data from real breaches. Previously, and still today, most annual security “threat” reports use vulnerability data, malware counts and behaviors, surveys of customers, or general threat activity as their source, but not the root causes of those ills. Early on, the DBIR was biased towards the financial industry, since many of the cases the Verizon forensics team had analyzed were credit card breaches.

Internet of Things Privacy Conference

Last week, I participated on a panel for the TRUSTe Internet of Things (IoT) Privacy Summit at a beautiful resort in Menlo Park, California.

The event brought together people from many different companies, large and small, as well as privacy advocates and legal experts. Videos of the event can be found here.

Ransomware.

Security breaches: Who’s to Blame?

Last week, I participated in a webinar about SC Magazine’s Breach Survey.

The survey was sent to a group of Chief Information Security Officers and included security-related questions, such as: Do you think your company is taking steps to protect critical data? 89 percent say they are. What is your security staffing makeup?

Cybersecurity Innovation Forum Recap with Rick Doten

This week I presented “Bringing Trust to Mobile Application with Hardware-Based Security,” which I know seems like a very dry topic, but it seemed to have been appreciated by my audience at the Cybersecurity Innovation Forum, held in Baltimore.

My perspective was that with native mobile applications we have the opportunity to secure them better by leveraging security features of hardware, such as storing certificates, or validating that components are trusted (by using non-corruptible hardware components). This is the core of Trusted Computing, starting with an international standard, the Trusted Platform Module (TPM): a read-only chip that stores a certificate that can be used to validate other hardware and software components on a system. TPMs have been around for over 10 years, but are not yet widely used. The most notable implementation is with Windows 8 for license management, and for storing the key for BitLocker disk encryption under Windows 7 and 8.

A CISO's Perspective on RSA

The RSA Conference in San Francisco is the premier security conference here in the US. Vendors from around the world come to show their latest technology and test their new marketing messages. Savvy conference attendees bypass the large booths owned by major security vendors and work their way to the edges, where numerous small vendors often have new or unknown, yet interesting and innovative, technologies. To me, these small vendors are far more attractive because they are hungry to share their ideas. They are happy to give you details on why they created their solution and what current problems they are looking to solve, or which current security gap they are looking to close. They are also usually staffed by an engineer with a Santa beard wearing sandals, ready to talk in-depth about the technology, as opposed to the larger vendor booths that have pretty ladies trained to communicate a scripted message.

Do you Really need a Blackphone?

Edward Snowden spoke at the SXSW conference. He obviously didn’t fly to Texas, but instead spoke over Google Hangout from somewhere in Russia. Many people’s perception of Snowden has evolved over the past year; some still see him as a traitor who has done irreparable damage to the US intel-gathering community and compromised many people’s lives.

On the other hand, some people view him as a hero who uncovered misuse of personal information and helped change an industry’s perspective on privacy by encouraging large companies, like Yahoo and Google, to implement encryption to protect customer access. A few weeks ago at Mobile World Congress (MWC), Blackphone, which claims to be the “world’s first smartphone to put privacy and control ahead of everything else,” was being showcased. Since then, we have seen two other phones announced in the press – the FreedomPop Privacy Phone (aka the Snowden phone) and the Boeing Black – which boast a more secure Android platform.

RSA Mobile Security Panel

On Monday, February 24, I’ll be speaking on a panel about Mobile Security at the RSA Security Conference in San Francisco. This talk is part of the Trusted Computing Group (TCG) Association Seminar series. Additionally, I recently have had the good fortune of being elected a Contributing Board Member of the TCG. The topic of our panel discussion is titled “Mobile Device Security: Fact or Fiction”. The title is ironic in itself, in that there is a presumption that mobile devices can’t be secured. I believe this confusion arises because folks aren’t asking the right question: “secure from what?” I will be talking specifically about mobile application security.

The Critical Security Controls for Effective Cyber Defense

The Critical Security Controls for Effective Cyber Defense version 5.0 was released for public comment at the beginning of this month by the Council on Cybersecurity. These controls represent 20 areas that organizations should consider when putting together their security programs, and they provide guidance on how to measure the presence, appropriateness, and effectiveness of technology and procedural controls for each area. While there are many cyber security standards, regulations, and guidelines, these controls provide a good foundation to develop controls that can be mapped to your industry or organizational security and privacy requirements. Rick Doten, DMI Chief Information Security Officer (CISO), is a member of the panel that updates and maintains these controls. Generally, this version has been organized to be more convenient to use as a reference, with clearer headings and the use of tables.
