The news has been rife with headlines about voting hacks, with the FBI revealing that state voter registration databases have been compromised and warning of ongoing attacks. Meanwhile, one of the major parties has already suffered two known breaches and WikiLeaks continues to post Clinton campaign emails on a regular basis. So far, signs are pointing to operators inside Russia as the culprits for all of the above.
Many of us in the information security...
The age old problem of determining how to identify and mitigate risk has certainly been something organizations have struggled with for many years.
How do you protect your organization? What tools are the best in the marketplace? What tools are good enough and work with my budget? What is my long term plan and how do I get there?
All of the above questions are things we deal with every day, but there is also another constant that we often overlook: our people, and educating them about threats and how to address them on the front line.
Let’s face it: people are vulnerable and always will be. So much so that the National Cyber Security Alliance dedicated a whole week to educating everyone on the culture of cyber security in the workplace during National Cyber Security Awareness Month (NCSAM).
We need to invest in technologies to help overcome our compulsive...
Why problem management is important to security
Well, it is now official; I am writing my first blog post. As the Regional Chief Information Security Officer for the Americas here at NTT Security, I felt it important to share with you a perspective that I have gained from my extensive experience with information and physical security, combined with my recent experience with the Information Technology Infrastructure Library (ITIL), and more specifically problem management. ITIL defines problem management as “The process responsible for managing the lifecycle of all problems. Problem management proactively prevents incidents from happening and minimizes the impact of incidents that cannot be prevented” (Steinberg, Rudd, Lacy, and Hanna, 2011). Well, then, what is a problem defined as? ITIL would tell us that a problem is “a cause of one or more incidents. The cause is not usually known at the time a problem record is created, and the problem management process is responsible for further investigation”...
Another Wednesday, another war story. As a Senior Security Consultant here at NTT Security, I am constantly performing assessments on-site for our clients. At a recent on-site social engineering and physical security assessment, we exploited some vulnerabilities that could easily have been avoided with the right security measures in place.
Also, as many of you are aware, October is National Cyber Security Awareness Month (NCSAM). The theme for this week is STOP. THINK. CONNECT; however, I’d like to change it to fit the theme of my blog: STOP. THINK. FACT CHECK. As I’ve said in previous war stories, always ask questions and check that the person is who they say they are. And no matter how nice someone may look or act, always fact check. Use your instincts and don’t let someone with seemingly legitimate credentials fool you.
Assessment Background
The...
Happy National Cyber Security Awareness Month (NCSAM) 2016! NTT Security is very excited to celebrate this year as an official NCSAM Champion. NCSAM is celebrated every October by raising awareness and ensuring safe practices online. The month is dedicated to continuing cyber education and keeping the digital world secure, which NTT Security takes very seriously with our employees and clients. NTT Security has very educational blogs discussing everyday security topics such as social media, travel, IoT, smartphones and more. These blogs can help keep you, your family, friends, co-workers and devices safe online.
NCSAM is not only for personal education and...
The Agile Movement
In my previous blog, Developing a Strong Application Security Program: Part 1, I looked at aspects of a successful application security program as it pertains to a more traditional waterfall Software Development Life Cycle (SDLC). In part two of this series, I’ll focus more on an agile-based SDLC and options for implementing a successful application security program.
Let’s briefly describe some of the differences between a traditional waterfall SDLC and agile SDLC. In a waterfall SDLC, there are clear project objectives through each phase of development. Typically, each project consists of several phases: planning, design, coding, and finally testing. Security teams are injected into the phases and should have sign-off authority on each phase before the project continues to the next. I detailed security’s role in this...
Is your information security program ready to go pro?
It is officially the start of my favorite time of the year: football season. College and NFL seasons are kicking off in September, which means the next 20 or so weekends will be filled with football.
So why am I talking about football? In today’s blog, I’ll be comparing a common framework, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, to my favorite sport, football. Using comparisons when talking about security can be a powerful tool for breaking down complex topics and making a technical problem easy to understand.
For a little background, below is a brief description of the NIST Cybersecurity Framework, from their website:
Created through collaboration between industry and government, the voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible,...