A new set of guidelines from the PCI Security Standards Council is intended to help merchants and cloud services providers comply with the PCI DSS when handling payment card data on the web.
One of the reasons many security awareness programs fail is that they rely on a "push" mentality: they force employees to take awareness training and then expect, or more likely hope, that employees will seek out additional training because it is the right thing to do. While there are programs that take this approach and succeed, they are relatively rare.
Recently, we began experimenting with helping our clients implement gamification techniques, which switch the whole awareness paradigm. Instead of employees being forced to take training or risk potential punishment, employees do the right things by default and seek out additional training because they want to.
Too many people take the term gamification to mean creating a game to deliver awareness training, and many companies are developing such games. They can be useful, but much like a poster, newsletter, or phishing campaign, they are just a single component of what should be a well-rounded security awareness program.
Twitter has implemented perfect forward secrecy on traffic to its website, in order to prevent communications from easily being captured and decrypted en masse. The new measure is one that clearly takes aim at the bulk data collection being done by the NSA.
Did you know that Data Privacy Month (January 28-February 28, 2014) is just 2 months away? Use our free resources to start planning your campus activities and events.
Tip: Save the date for a free webinar with special guest speaker Robert Ellis Smith on January 30, 2014 (1-2 pm ET).
Stakeholders met in Washington, DC, on November 19 to explore and hash out the privacy and security implications of the Internet of Things (IoT). The rapidly emerging landscape of connected sensors and embedded technology has garnered the attention of the Federal Trade Commission (FTC) of late, but the complexity of the IoT ecosystem was readily apparent during the proceedings.
Called for and led by the FTC, the roundtable was broken into four main panels—the smart home, connected health and fitness, connected cars and connected privacy and security—and featured remarks from FTC Chairwoman Edith Ramirez, Commissioner Maureen Ohlhausen and Bureau of Consumer Protection Director Jessica Rich.
Review can provide insights that benefit you and your security program.
"Opportunities to think strategically and critically, and to take a long-term look at things both forward and back, are much rarer these days due to the constant bombardment of email, text, instant messages and phone calls.
One value of a job description review is that it provides a point from which to elevate oneself up to a high-level view of things, with consequent realizations and insights that can benefit you and your security program."
People say they are responsible for their own online safety, yet do very little to protect the information they share on social media, which increases the risks to themselves and employers, a study shows.
Learn how cryptanalysts think, and why cryptographers feel such terrible dismay when companies that really ought to know better make mammoth mistakes.
"Last week’s article about how to prevent CryptoLocker ransomware attacks generated quite a bit of feedback and lots of questions from readers. For some answers — and since the malware itself has morphed significantly in just a few day’s time — I turned to Lawrence Abrams and his online help forum BleepingComputer.com, which have been following and warning about this scourge for several months.
This message is left by CryptoLocker for victims whose antivirus software removes the file needed to pay the ransom.
To recap, CryptoLocker is a diabolical new twist on an old scam. The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment via Bitcoin or MoneyPak and installs a countdown clock on the victim’s desktop that ticks backwards from 72 hours. Victims who pay the ransom receive a key that unlocks their encrypted files; those who let the timer expire before paying risk losing access to their files forever."
Today's information security teams increasingly need to improve their communications with other groups, align their activities more closely with business objectives, and excel at a variety of diverse tasks, industry experts say. And a new study suggests that these skills and attributes are most common among the industry's smallest minority of professionals: women.
Women represent about 11 percent of the current IT security workforce, according to "Agents of Change: Women in the Information Security Profession" (PDF), a new report written by Frost & Sullivan and published by the (ISC)2 security professionals' association. Yet women's strongest skill sets are the very skill sets that are in short supply across the industry, the report suggests.
The time and energy to optimize a service or process is often seen as an unaffordable luxury, says Jesse Bowling, senior information security engineer, American University.
Companies are taking matters into their own hands with internal controls, open privacy policies, ethical codes and greater candor over how they're collecting and parsing personal data.
As the 10th anniversary of National Cyber Security Awareness Month (NCSAM) wraps up, we would like to thank the higher education community for another successful celebration. Colleges and universities continue to offer fun, creative activities and events for students, faculty, staff, and their local communities. Here are just a few highlights...
If you have been following the latest in news, you’ve probably heard a lot of stories talking about privacy, information leakage, espionage and such. Given that most of our communications nowadays take place online, or at the very least, via an electronic device, we should all be aware of how to protect our valuable information. This is not only applicable to large organizations, but for everyone that uses a computer on a regular basis. We all have information we want to keep private and protected and we all need to communicate online. With PGP, you can add a very strong yet easy to use layer of security to your online communications.
California Polytechnic State University has launched an educational initiative that places the school among the scores of universities starting programs to graduate cybersecurity pros.
The Cal Poly Cybersecurity Center, funded by a grant from Northrop Grumman Foundation, aims to educate "thousands of students in cybersecurity awareness and readiness." Students and faculty will collaborate in research with other academic institutions, the defense industry, private companies and government agencies and research labs.
In launching the center, Cal Poly joins scores of schools that have started cybersecurity programs to meet the talent needs of government and private industries. In 2012, the number of cyberattacks against U.S. critical infrastructure alone rose more than 50 percent to 198, according to the Department of Homeland Security.
Most social media users across the globe are not aware of two-factor authentication or how it operates, a survey reveals.
"Recent events can validate that online security breaches of social media accounts are becoming more frequent and extreme. In an effort to combat security threats, many internet companies such as Facebook, Google, LinkedIn and Twitter have upped the priority level to integrate a method of security to protect their users.
Of the solutions available, many are turning to SMS-based mobile authentication to augment their existing systems. An obvious choice, SMS-based two-factor authentication (2FA) is so appealing because of its user friendly nature, economic cost structure and security effectiveness."
What’s the difference between a medical student and a convict? The answer: A convict doesn’t pay $50,000 a year for the privilege of being fingerprinted and patted down.
I am referring, of course, to the increasingly stringent security measures that have come to characterize modern educational testing. As student-evaluation techniques have migrated from face-to-face assessment to computer-based exams administered in dedicated testing centers, evaluators have become less and less likely to know examinees, leading to heightened precautions around exam security.
An increasing number of institutions are recognizing the need to log network data in large volume and to analyze the data efficiently to detect sophisticated network intrusion attempts affecting their network space. Bro is extremely well suited for these purposes. This new white paper from HEISC describes the basics you need to know if your institution is considering a Bro deployment.
What happens to all of the data taken during a breach? Here are some basic answers.
This Spotlight focuses on data from the 2012 Core Data Service (CDS) to better understand how higher education institutions approach information security activities. Information provided for this Spotlight was derived from Module 7 of CDS, which asked several questions regarding IT security. Responses from 636 institutions were analyzed. Only U.S. institutions with a designated Carnegie class (AA, BA, MA, DR) were analyzed for this bulletin.
John Schroeter recently sat down with Alex Yokley and Kim Hickman of Western Union to discuss their unorthodox approach to security training.
"I've been involved with security awareness training for several years now, and I can't remember one single compliment on any of our previous courses," sighed Alex Yokley, Director of Corporate Information Security at Western Union.
Sound familiar? Probably so, as too many people involved in training employees on information security are singing the same song. And who can blame the bored employees? The fact is most compliance training programs are incredibly dull. User surveys consistently report that the only reason people take the courses is because they have to.
It turns out that employees taking required courses are just checking a box—just like the many information security people who administer the training. It seems that "checking the box" rolls downhill. The only difference is, when the course takers check the box, they also check out, forgetting what they learned only minutes after completion.
But Yokley, together with information security engineer Kim Hickman, decided it was time to take a different approach—a radically different approach. An approach that would mean escaping from the box of traditional, yet ineffective and uninspiring training that ultimately yields nothing but annoyance and dissatisfaction. Did their departure from the well-worn path work?
In February of this year, President Obama issued an Executive Order on Improving Critical Infrastructure Cybersecurity. The Executive Order directed the National Institute of Standards and Technology (NIST) to develop a Cybersecurity Framework to assist owners and operators of critical infrastructure in addressing cybersecurity risks. On October 29, NIST published a preliminary version of the Framework (the “Preliminary Framework”), which is open for public comment through December 13. NIST intends to issue a final version in February 2014. The creation of the framework has, of course, been a major development in the information security community – according to NIST Director Patrick Gallagher, approximately three thousand individuals have been involved to date in the development of the Preliminary Framework. But privacy professionals should be paying attention to the framework as well.
"In five years’ time the security industry will have matured into a data-driven profession."
As a profession matures, its practitioners have a growing ability to identify what things matter so they do not waste time and energy on those that do not.
Unlike mature professions such as medical or accounting, security professionals have not yet developed a standard set of tried-and-tested metrics that enable practitioners to make data-driven decisions.
While the upper echelon is paying more attention, they are still not spending enough to defend against cyberattackers, who are increasingly more sophisticated, according to the survey of senior executives in more than 1,900 companies and government organizations.
Half of the respondents planned to increase their cybersecurity budget by 5 percent or more over the next 12 months, yet 65 percent cited insufficient funds as their number one challenge to operating at a security level expected by their companies. For businesses with revenues of $10 million or less, the number dissatisfied with funding rose to 71 percent.
A larger percentage of budgets need to be directed at security innovation and emerging technologies within the enterprise, such as the use of mobile devices and social media, the survey found. Over the next 12 months, 14 percent of security budgets are being allocated to new technologies, yet respondents said they were unsure whether they were ready to handle the risks posed by corporate use of social media.
The survey found that a larger percentage of budgets needs to be directed at security innovation and emerging technologies within the enterprise, such as the use of mobile devices and social media; respondents were unsure whether they were able or ready to handle the risks posed by corporate use of social media...
As security threats increasingly cross role boundaries, information and physical security pros struggle to get along, so what are the best practices for uniting both teams under a common goal?
Creating more secure software is more important than simply buying more security software, says WhiteHat Security's Jeremiah Grossman.