Are we creating a cyber professional salary bubble that will eventually burst, asks Holly Ridgeway, SVP and CISO enterprise systems at PNC.
"It is a great time to be in the cyber security field. But, have you noticed the growing challenges of recruiting and retaining good cyber talent? Six-figure salaries used to take years to achieve. Now, if you have a specialized cyber skill set, you can attain that figure with only a few years of experience. So, the question is: Are we growing cyber professionals who do not have the foundation needed to perform at a sustained level? Are we so desperate for these skill sets that we are willing to outbid each other?"
Security experts have proposed a simple way for websites to better secure highly sensitive databases used to store user passwords: the creation of false "honeyword" passcodes that when entered would trigger alarms that account hijacking attacks are underway.
The suggestion builds on the already established practice of creating dummy accounts known as honeypot accounts. It comes as dozens of high-profile sites watched user data become jeopardized—including LivingSocial, dating site Zoosk, Evernote, Twitter, LinkedIn, and eHarmony to name just a few from the past year. Because these dummy accounts don't belong to legitimate users of the service and are normally never accessed, they can be used to send a warning to site administrators when attackers are able to log in to them. The new, complementary honeyword measure—proposed in a research paper titled "Honeywords: Making Password-Cracking Detectable—was devised by RSA Labs researcher Ari Juels and MIT cryptography professor Ronald Rivest, the latter who is the "R" in the RSA cryptography scheme.
Each year, the Executive Women's Forum announces their "Women of Influence" Awards at their annual EWF event.
The awards, co-presented by Alta Associates and CSO Magazine, recognize outstanding women in several categories: one winner from the public sector, a private solutions provider from the security industry, a corporate practitioner from the private sector, and a "One to Watch," a future leader in the security field. This year, a lifetime achievement award was also given. The winners were nominated by peers in the security community.
CSO asked each winner of the 2012 WOI awards to give us their perspective on their success, lessons learned in their careers — and how women are making their mark in the security industry today.
Thanks to an exploding number of wellness apps and wearable devices, you may be beaming biodata into the cloud right now. As the Quantified Self movement picks up steam, who stands to profit? (Hint: not you.) And can those cashing in on Big Data use your heart rate against you? (Take a guess.)
It was hard to believe, but the student insisted it was true. He had discovered that compact discs from a major record company, Sony BMG, were installing dangerous software on people’s computers, without notice.
The graduate student, Alex Halderman (now a professor at the University of Michigan), was a wizard in the lab. As experienced computer security researchers, Alex and I knew what we should do: First, go back to the lab and triple-check everything. Second, warn the public.
But by this point, in 2005, the real second step was to call a lawyer. Security research was increasingly becoming a legal minefield, and we wanted to make sure we wouldn’t run afoul of the Digital Millennium Copyright Act. We weren’t afraid that our research results were wrong. What scared us was having to admit in public that we had done the research at all.
Meanwhile, hundreds of thousands of people were inserting tainted music CDs into their computers and receiving spyware. In fact, the CDs went beyond installing unauthorized software on the user’s computer...
If we want to protect privacy, we should be more clear about why it is important.
[Privacy] is better understood as an important buffer that gives us space to develop an identity that is somewhat separate from the surveillance, judgment, and values of our society and culture. Privacy is crucial for helping us manage all of these pressures -- pressures that shape the type of person we are -- and for "creating spaces for play and the work of self-[development]."
Don't wait until you decide to leave your current job to update your LinkedIn profile. Take a few minutes now to make sure your profile showcases your accomplishments and skills. Here are some common mistakes to avoid, as well.
The US National Institute of Standards and Technology (NIST) is planning to sponsor a federally funded research and development center (FFRDC), a nonprofit organization that will act in support the National Cybersecurity Center of Excellence (NCCoE).
NIST announced that this is the first FFRDC solely dedicated to enhancing the security of the nation's information systems. It will work in conjunction with NCCoE, a public-private information-sharing collaboration that brings together experts from industry, government and academia – it was established in partnership with the state of Maryland and Montgomery County in February 2012.
IT has gone from managing a highly controlled base of tools to trying to manage a far more heterogeneous mix of devices (smartphones, tablet computers, 3G/4G data cards, netbooks, tablets) running on any number of operating systems. Trying to control all these tools is becoming unnecessary: Cloud services and applications make most data accessible from any device running any OS. The mandate for IT? Shifting from old-school device management to the far more critical and strategic discipline of user management.
This new mandate — managing, enabling, and securing users’ mobile behavior — is now beginning to require its own suite of tools. However, as young and fractured as the market still is, most vendors still offer products and features that address just one part of a company’s mobile needs, rather than all of them. This à la carte approach to managing mobility means IT managers must piece together a complete stack that works for their company.
It’s a complex undertaking, given that no two companies manage mobility the same way. Companies may embrace bring-your-own-device programs, for instance, in a spectrum of ways — or not at all. Each company has its own unique approach to acquiring, distributing, funding, managing, and outfitting its employees’ mobile devices. And every company needs different apps and levels of security.
The U.S. Department of Justice and the FBI believe they don't need a search warrant to review Americans' e-mails, Facebook chats, Twitter direct messages, and other private files, internal documents reveal.
Government documents obtained by the American Civil Liberties Union and provided to CNET show a split over electronic privacy rights within the Obama administration, with Justice Department prosecutors and investigators privately insisting they're not legally required to obtain search warrants for e-mail. The IRS, on the other hand, publicly said last month that it would abandon a controversial policy that claimed it could get warrantless access to e-mail correspondence.
The rapid proliferation of smartphones, tablets, and other mobile devices has created a new challenge for college and university IT administrators. With the use of personal mobile devices now mainstream, users of software increasingly expect to get things done on their smartphones. Unlike first-generation applications, such as campus bus schedules, a growing number of new offerings touch enterprise data. The time has come for IT managers to put measures in place that ensure mobile data security across the enterprise. Security issues throughout the enterprise mobile ecosystem, from physical devices to app distribution to the actual code being executed on smartphones, must be systematically addressed. A number of new open-source and community-source technologies can help, including the Kurogo Mobile Platform and the Kuali Mobility for the Enterprise (KME) platform.
What is a good BYOD policy? Step one is to clarify the rights of both company and employee and state upfront what's business and what's personal. But there's a lot more to it. In this interview with a technology transactions lawyer, CIO.com explores the do's and don'ts of BYOD policies.
When I was asked by EDUCAUSE to write a blog about the experiences of a first-time CIO, I was concerned that I wouldn't have enough to write about that would be of interest to the EDUCAUSE community. It then occurred to me that I'd like to approach this the way I approach many situations like this - ask and listen!
What would you like to see me write about in future blog posts? Please suggest topics that you'd like to see covered in the areas of being a first-time CIO and/or how to prepare to get a first CIO job in higher education...
Phishing attacks on enterprises can be calamitous in terms of compromised networks or damaged brand names, and the Anti-Phishing Working Group (APWG), which aggregates and analyzes phishing trends data worldwide, offers some of the best insight from industry into what's occurring globally in terms of this cybercrime. The following list of frequently asked questions about phishing is derived from the APWG's April report that covers the period July-December 2012 worldwide.
Indiana University Vice President and CIO Brad Wheeler and Internet2 President and CEO David Lambert today announced a $2 million initiative to stimulate collaboration in cybersecurity efforts by higher education institutions and to provide thought leadership on strategic cybersecurity issues nationally and globally.
Speaking at the Internet2 Annual Meeting in Arlington, Virginia, Lambert and Wheeler invited the presidents and CIOs of other colleges and universities to join as investors and sponsors of this initiative. They noted that the higher education sector is unique in having significant cyber activities in research, education, and operations. This initiative is intended to stimulate more collaboration among these activities to enable the higher education sector to make further contributions to the national efforts. This new collaboration will immediately launch a national search for an executive director with significant operational experience in cybersecurity in the higher education community.
Nine winners of the 5th Annual Information Security Awareness Video and Poster Contest have been selected. The winning videos and posters are now available for colleges and universities to use in campus security awareness campaigns during National Cyber Security Awareness Month in October, student orientations, and throughout the year.
This year's sponsors and supporters include: CyberWatch, the National Cyber Security Alliance, and Google.
Visit the Information Security Guide's Cybersecurity Awareness Resource Library for more campus education, awareness, and training materials.
Online security, privacy, and safety are often top concerns for policymakers. Microsoft is committed to addressing these concerns by sharing information, technology, and guidance. (Want to learn more about mobile devices & youth safety?