Security » Opinions

  • Privacy and the data toothpaste problem

    Two prominent appellate courts have ruled in two unrelated privacy cases and dealt dual blows to privacy. A New York state appeals court said that Facebook had no right to resist coughing up extensive details about what its users are saying, while a federal appeals court said that anyone who unintentionally telephones someone -- a pocket-dial, also known by a less polite name -- can't expect the listener not to listen, or not to use what is overheard.

  • Is Apple's control freakery out of control?

    Apple makes money. A LOT of money.

  • Assessing the value of cyber-insurance

    I've ventured into new territory lately: cyber-insurance. Here's why.

  • How should an underage cyberthief be dealt with?

    Sometimes, emotions make it difficult to see the most effective way of accomplishing an objective. And emotions can definitely arise when the subject is underage cyberthieves.

  • Is it Google's job to fix society?

    Social problems exist. Sexism, social stigmatization, crime and other problems have always plagued humanity.

  • The OPM lawsuit will only make the lawyers rich

    Sensitive data pertaining to millions of people was compromised in the data breach at the U.S. Office of Personnel Management. I suspect that millions of those people smiled when they heard about the filing of a class-action lawsuit against the OPM. They would like some recompense for the incredible hassle that data breach caused them. And they probably want to see the OPM pay for its mistakes. Unfortunately, those smiles are probably about all they will get out of the lawsuit.

  • The surprising genius of Apple's Beats 1 radio

    When Apple announced it was creating an Internet radio station called Beats 1 to go along with its Apple Music service, I was dismissive.

  • Spotting vulnerabilities takes many eyes

    Vulnerabilities can take many forms, and you can't expect to uncover them all unless you have a diverse portfolio of tools to help you in the hunt.

  • Social-media policies: You can't say that!

    Most companies' social media policies, if they exist at all, are highly inadequate, outdated or both.

  • 6 reasons why there will be another OPM-style hack

    The hack of the U.S. Office of Personnel Management didn't surprise me. All significant organizations are regularly attacked, and every major federal agency is a big target.

  • OPM: The worst hack of all time

    Hi, my name is Steven J. Vaughan-Nichols and I had a security clearance in the 1980s. Because of that, my personal records are likely to have been revealed by the Office of Personnel Management hack.

  • Is facial recognition a threat on Facebook and Google?

    Both Facebook and Google have been working hard at using computers and algorithms to identify people in photos. They've gotten really good at it.

  • A laser focus on PCI compliance

    For the past few weeks, I've been knee-deep in PCI compliance. I have previously mentioned that although my company's current credit card transaction volume doesn't require a full PCI audit, we have made a business decision to get the full PCI Report on Compliance, which entails hiring a qualified security assessor (QSA), submitting evidence, conducting a variety of qualified penetration tests and assessment scans and ultimately having an auditor spend about a week on site reviewing evidence and conducting in-depth testing of the 400-plus controls.

  • What defines a mature IT security operation?

    RSA recently published its inaugural and aptly named Cybersecurity Poverty Index. This study is based on self-assessments by organizations that compared their current security implementations against the NIST Cybersecurity Framework. According to the report, almost 66 percent rated themselves as inadequate in every category. With all of the recent breaches in the news, part of me is astounded at this finding. The other part is not surprised, given that this matches what I see in the field every day.

  • Google on Apple: The end is near

    The chat room and social network religious wars between Apple and Google demand that you take sides. But I've always felt that the best experience includes a cherry-picking of Apple hardware, Google services and apps from both.

  • Was the IRS breach unstoppable?

    Another hack, another claim of inevitability. It is frustrating to read about the IRS breach and see it declared sophisticated. The following quote, from the IRS commissioner to CNN, is just outright infuriating:

  • Data held hostage; backups to the rescue

    Last year, I wrote about a ransomware infection that encrypted the hard drive of one of my company's employees. In that situation, a live, in-person scammer called the employee, claiming to be from "technical support," and tricked the employee into visiting a website that infected his computer. As with a similar situation I wrote about in 2012, the infection came from an advertisement on the front page of a major news service's website. The website runs rotating ads, one of which was compromised and hit the victim with a drive-by malware infection (without any intervention by or even the knowledge of the victim). I thought that because the infection was on the victim's personal computer, not on my company's network, we were pretty safe. I thought that if it had been on my network, the attempt probably would have failed, or would at least have been detected right away.

  • Who's flying the plane? The latest reason to never ignore security holes

    Some things are just so predictable. A retailer is told about a mobile security hole and dismisses it, saying it could never happen in real life -- and then it happens. A manufacturer of passenger jets ridicules the risk posed by a wireless security hole in its aircraft, saying defensive mechanisms wouldn't let it happen -- and then it happens.

  • Applying the Irari Rules to a risk-based security program

    The feedback from our last article, in which we laid out what we call the Irari Rules for classifying a cyberattack as "sophisticated," was overwhelmingly positive. Nonetheless, a few people we respect disagreed with us. Ironically, examining why they disagreed demonstrates why the Irari Rules are relevant.

  • Taking our breach response plan for a test-drive

    One thing that we security managers can be sure of is this: There is no guarantee that our company will not suffer a security breach. In fact, the odds are increasing all the time, helped along by the proliferation of mobile devices, companies' heavy use of software as a service and the consumerization of IT. And let's face it: Creating a culture that fosters innovation and attracts talent exacts a cost in defensibility.