Thanks for reading & let’s continue to be good network citizens!

The example given: An HTML file is saved along with a copy of a file called EXPLORE.EXE. The HTML file is opened and has a URI link embedded with the address file://. This will cause the browser to attempt to open EXPLORE.EXE from the local folder.

The current Microsoft workarounds for the DLL vulnerability only apply to DLL’s, not EXE’s.

See this news posting for additional information.

Information security continues to be a struggle against function, features and stopping bad things from happening. What are your thoughts about where this is going?

Thanks for reading & let’s continue to be good network citizens!

I find this article humorous but at the same time frustrating with the comment about current threats:

… the top hacking methods of cross-site scripting and SQL injection had not changed in the past six years.

“One, it tells me that the bad guys go with what they know, and two, it says the developers aren’t listening”

How should this message be delivered to developers? Why are these threats still showing up in the top 5? If you are a developer or a CISO, let me and other ITKE readers know how you handle these security issues. Thanks for reading and let’s continue to be good network citizens.

• In 2007 there were 500 million connected devices or 1/10th of a connected device per person worldwide. In 2010, there are now 35 billion (5 connected devices per person). In 2013, Forester Research projects that there will be 1 trillion (140 per person) connected devices.
• In 2007 there were about 3000 total mobile applications. In 2010, there are 265,000 mobile applications. Current growth trends estimate in 2013 there will be 1.5 million mobile applications.
• In 2007 there were approximately 624,000 security threats (the document doesn’t specify what this really means). In 2010, there will be 2.6 million security threats. The Symantec and Cisco projection for 2013 predicts 5.7 million security threats.

It is amazing how much things in the IT world have changed in the past three years and taking that projection out another three years seems staggering. How is an organization supposed to handle the growing environment and the growing threats? Cisco offers some suggestions in this report:

1. Close gaps in situational awareness. Be aware of the totality of the network.
2. Focus first on solving “old” issues – and doing it well. Begin making improvements in the area of software updates and patches.
3. Educate your workforce on security – and include them in the process. Remember in information sec-u-r-it-y, You Are IT (U-R-IT). Kinda cheesy I know but it is a basic truth. We are all responsible for IT security.
4. Understand that one security border is no longer enough. Business has now become borderless and mobile.
5. View security as a differentiator for your business. “How an enterprise approaches security and responds to trends such as social networking and mobility can have a direct impact on ability to hire and retain talent.”

What do you think is going to happen in the next 3 years with regards to devices, applications, and security threats? Is the Cisco on target, or off base? Let me and other ITKE readers know your thoughts. Thanks for reading and let’s continue to be good network citizens.

Well, time to pull out my PasswordCard and begin using my 29-character password. What other suggestions do you have for other ITKE readers? Thanks for reading and let’s continue to be good network citizens!

The three game-changing themes presented are:

• Tailored trustworthy spaces -Security tailored to the needs of a particular transaction rather than the other way around.
• Moving target -Systems that move in multiple dimensions to disadvantage the attacker and increase resiliency.
• Cyber economic incentives -A landscape of incentives that reward good cybersecurity and ensure crime doesn’t pay.

The idea of these themes is that what has been done in the past is not really working. Cybersecurity thinking and actions needs to change. The theme of Tailored trustworthy spaces is very much like the proposals I have presented in my blog before about having trusted network connections and strongly managed information flow rules with monitoring and violation detection. The Moving target theme suggests that the targets should be harder for the attacker to reach and compromise. The targets become more costly to attack. The Cyber economics theme proposes that it is important to gain more understanding about data ownership, the market for data, incentives for socially responsible actions and the loss/risks due to attacks. The Cyber economics theme is critical for organizations to be able to make effective cybersecurity decisions to manage risks.

I urge you to take a look at the presentation from the event at a minimum. This research effort seems worth following and hopefully will result in better cybersecurity management strategies and risks understanding. I heard someone say that we can’t stay ahead of the cybercriminals, but we can stay close behind and build better security based on what we do understand. Another way of saying this could be, “Nothing is foolproof to a sufficiently talented fool.”

Will you be participating in this cybersecurity game-changing research? Share your thoughts with me and other ITKE readers. Thanks for reading and let’s continue to be good network citizens!

I proposed some options in 2009:

Should computers be “licensed” or “permitted” to be on the internet to reduce threats to unsuspecting users? That’s a thought for you… what governing body would issue these computer use permits? What would the rate infrastructure be like – based on processor/memory or bandwidth? Where would the permit fees go? Would there be some internet oversight body that uses the fees to have inline malware filters?

Would these still be valid options? I mean there is real money involved with the losses due to malicious software. Who is responsible for the loss? Is it the non-technical home user who does not keep their system updated because they do not know what to update? And if they do update it, how do they know the update source is credible? How many times have you gone to a website (think Facebook) and see that your Flash software needs updated? This is an example of a prime target for malvertisers. What would you suggest? Leave some feedback for me and other ITKE readers.

Thanks for reading and let’s continue to be good network citizens!

I agree that information security awareness is a great thing, but how much valuable content can you communicate in such short bursts? Is the information communicated going to make a difference in the ability of a consumer to protect themselves and their systems? Is it going to improve or degrade the ability of information security professionals to do their jobs of protecting assets against threats and reduce risk? Is this similar to all of the medical websites available on the internet, has it improved the health of patients and their ability to speak with doctors?

Your thoughts are welcome. Please share them with me and other ITKE readers. Thanks for reading and let’s continue to be good network citizens.

A PasswordCard is a credit card size piece of paper which has symbols, characters and colors. You simply choose a symbol on the top row, choose a colored row and then use the characters shown to select the appropriate length of password. In the example shown below, I chose the Spade symbol then chose the green row and 8 characters for the password:$kKCSVQm. This is very simple to use and can be easily carried or posted without risk (unless the user marks their passwords in some manner).

Choose a symbol, a color and the number of characters

The string of numbers and letters across the bottom of the card is an identification code for this specific card. Each user’s card can be unique. If the card is damaged or lost, you can go back to the PasswordCard website and regenerate the same card if you have kept a record of this code.

Let me and other ITKE readers know if you use PasswordCard or any similar solution for secured passwords. Thanks for reading & let’s continue to be good network citizens.

I recently saw a graphic where CIO’s and CSO’s were asked if regulatory compliance has improved the organization’s security posture. As you would expect, the CIO’s strongly agreed with the statement while CSO’s leaned more toward strongly disagree.

Well, now another thought comes to us infosec professionals from the legal world. We are already under lots of compliance requirements like BASELII, SOX, HIPAA, PCI-DSS, FISMA and such. But now another thought we have to contend with is “legally defensible” IT security. I agree that this idea does have it’s merits trying to get everyone talking the same language of risk and management. It is challenging enough to get information security talking the business language, but now we have to learn legalese? I think I’ll look to see if translate.google.com can help out with that!

Thanks for reading & let’s continue to be good network citizens!