Securosis Blog

Symantec Realigns

Rich · January 24, 2013

Symantec released their quarterly earnings today, which is the sort of thing we usually ignore. Especially because it’s only the third quarter, and not even a playoff game (I really need to hang out with Mike less). However…

The Mid-market Security Squeeze

Mike Rothman · January 24, 2013

Most folks appreciate the challenges of securing a mid-sized company. They have important data and enough employees that someone is going to screw something up. They often don’t have the budget or infrastructure maturity to take security seriously. Many get by due more to obscurity (who is going to attack them?) than any active controls. And as automated tools make it easier to find chinks in any and every company’s armor, the seriousness of the problem is going to become much higher-profile.

Incite 1/23/2013: Sustainability

Mike Rothman · January 23, 2013

You know those overnight successes who toiled in the background for 10 years before they finally broke through? How did they get there? How did they work through the Dip to reach the other side? I am fascinated by organizations which have success year after year. They seem to take the long view, set up the foundation, and stay committed to the plan. Even when other folks push for (and get) faster results, opting for short-term fixes. These band-aids may provide a short-term pop, but rarely…

HIPAA Omnibus, Meet Indifference

Adrian Lane · January 22, 2013

Do you want to know what you will be reading about in the coming weeks? HIPAA. The Department of Health and Human Services has updated the HIPAA requirements.

It’s just Dropbox. What’s the risk?

Mike Rothman · January 22, 2013

From Ben Kepes’ post: Sure Dropbox is Potentially Insecure, but Does it Matter?

First, why do people go around IT to use Dropbox? In the majority of cases these are good, solid, hardworking employees that don’t want to introduce risk to their organization but that do want to get stuff done. For whatever reason (inflexible legacy systems, stubborn IT departments, need to be agile) they’ve decided that for a particular project, they want to introduce Dropbox into their workflow to quickly and…

A student who legitimately reported a security breach was expelled from college for checking to see whether the hole was fixed.

New Paper: Building an Early Warning System

Mike Rothman · January 21, 2013

One topic that has resonated with the industry has been Early Warning. Clearly looking through the rearview mirror and trying to contain the damage from attacks already in process hasn’t been good enough, so figuring out a way to continue shortening the window between attack and detection continues to be a major objective for fairly mature security programs. Early Warning is all about turning security management on its head, using threat intelligence on attacks against others to improve your own…

From Nather's Law of Policy Management on the Tufin blog:

That last one is of particular interest to me today, as I saw a client recently with a rule base for his firewall that was around 1000 rules long. When looking at his compliance results for policy and risk he was showing me hundreds of rules he wanted to mark as exceptions. I was puzzled – almost two thirds of his rule base consisted of exceptions to the compliance policies they were trying to enforce.

Actually, I really was a criminal…

Rich · January 18, 2013

When Mike wrote his review of Rob Graham’s post on what could define criminality on the Internet, he focused on the anonymization piece. Me? I was struck more by Rob’s “Witchcraft is not a crime” post in a very personal way:

It appears that Java is still vulnerable to exploit after the latest patch from Oracle.

Disabling Java completely probably isn’t possible for many of you, so I suggest you at least use a good web gateway/network IPS/NGFW that filters for malware, and something cloud or VPN based to protect mobile users. Events like this are why I’m so interested (and have been for a long time) in browser virtualization technologies (Bromium, Invincea, anyone else?).