Greetings, This blog is being archived and I'll now be blogging at the IT Security Zone. You can read the blog online or follow the new blog by email, by RSS, by Twitter, or by Facebook. Thanks, Calvin Powers
The mobile device security folks at IBM have released a sobering infographic about the rise of mobile security problems. It's interesting to me how the mobile security problems are being compounded by the "bring your own device" trends where people use their personal devices for business use. I also like the common sense strategy at the end for managing mobile security risks. All six elements of the mobile device security strategy make sense to me. One area that's missing is virtualization/sandboxing for mobile devices to strongly... [More]
Symantec got hacked, possibly by a member of the hacker group Anonymous.
Every IT News outlet on the planet is reporting on it. My favorite
write-up is "Symantec Tells Customers to Pull the Plug on pcAnywhere Following Code Theft"
in Tech News World. That story does the best job describing the
implications for businesses. But if you are interested in the nature of
the vulnerability that the hack exposed, it's best to go to this white paper published by Symantec. This seems to be the heart of the description of the... [More]
A recent report at the bankinfosecurity.com web site titled “HSBC ATM Skimmer Arrested”
notes a statement by the US Attorney’s Office and the U.S. Secret
Service announcing that New York law enforcement officials have arrested
and charged a Romanian man for the recent spate of ATM skimming attacks
in the New York area.
This latest series of skimming attacks is just one of several
high-profile ATM skimming attacks across the country lately. It seems to be a
favorite of organized criminals and it makes sense because it requires... [More]
One of the hats I wear at IBM is one of the members of the IBM Secure Engineering team. You can read about some of our work on the IBM Secure Engineering Practices page. Our team has two main focus areas. One area is our security incident response process that IBM uses to manage the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. The other area is to foster secure engineering practices in the company. Our work efforts in this area are described in the IBM Secure Engineering... [More]
Chris Larsen, head of malware research for Blue Coat Systems, talks about some of the trends in end-user malware that his group has been seeing recently. We talk about search engine poisoning, malvertising, the dangers of abandoned web properties, and why image searches are currently one of the most dangerous things end users can do on the net.
Blue Coat Security Blog
Blue Coat Malware Trend Report
IT GRaCkle #5 Chris Larsen on Web Malware Trends (MP3)
Visit www.itgrackle.com for more episodes of the podcast and to sign up for the free... [More]
I just ran across a very good video from IBM which explains the "GRC" market segment and introduces the IBM OpenPages product. It seems to be HTML5 based and I can't figure out how to embed it. But I highly recommend following the link and watching it. The video doesn't directly address the role that IT contributes to the GRC space. It's largely focused on the financial and ERM aspects of risk management. But it's easy to see how IT contributes to the aggregation of operational risk. Offerings like Tivoli Asset Management for IT... [More]
The Open Group
a white paper describing the integration between The Open Group
Architecture Framework (TOGAF) and the Sherwood
Applied Business Security Architecture (SABSA). Both of these standards are large, mature,
standards for their domains and it’s no small challenge to bring these two
together. While the Open Group has
fostered several security standards in the past, it doesn’t seem to me that it
has ever taken the comprehensive look at security architecture to the same
degree that SABSA has. So the... [More]
In September, the Office of the Information and Privacy
Commissioner in Ontario, Canada released
a case study report titled “Privacy
by Design: From Policy to Practice” which describes an overview of the
three pillars of IBM’s internal privacy management practices. As stated in the report:
“One of the objectives of this case study was to inspire the
reader to adapt one or more of the ideas used at IBM for their own PbD program.”
The IBM case study dives into the three primary initiatives
of IBM’s Privacy program that... [More]
Wired Magazine has been working an exclusive story over the
past few days about a key logger
virus affecting the network the US Air Force uses to control its drone program.
Citing a “source familiar with the network infection,” it’s unknown whether the
virus is benign or specifically targeted at those Air Force systems. The same source reported that the Air Force’s
“Host-Based Security System” was the component that originally detected the
virus and that the key logger was found both on classified and unclassified
systems raising at... [More]
On this episode of the IT Grackle Podcast, Jonathan Barney, security architect for the IBM internal Certificate Authority, and I discuss the details of how the DigiNotar breach was discovered, the relevant certificate management protocols involved and summarize the lessons learned for the future of certificate management practices. We also walk through the key findings of the FOX IT interim report on security vulnerabilities that apparently led to the breach. FOX IT's interim report on the DigiNotar Presentation on IBM's internal... [More]
The big news this week in my world was Tuesday's
announcement that IBM is creating a separate division in IBM devoted to the
security marketplace. It will be called IBM Security Systems. I love the name.
First of all it's a TLA
and it's a macronym
with a hint of “backronym”
harkening back to our acquisition of Internet Security Systems. So the name's
got geek cred all over it.
But all joking aside, this is a great move for IBM. Over
the past few years we've seen security move from the “confidentiality,
integrity, and... [More]
Tom Cross talks about the Secure Open Wireless Access prototype.
-- Introductions
My guest is Tom Cross, Manager of X-Force strategy and Threat Intelligence. Visit the Frequency X Blog to read more about the work his group does. X-Force Trend and Risk Report
-- Announcement for Black Hat 2011
Presented a paper, presentation, and prototype code on Linux for a new wireless access protocol you are calling Secure Open Wireless Access (SOWA). Frequency X Blog post with links to the paper,... [More]
IBM Global Technology Services just released a report written by
the Economist Intelligence Unit summarizing the findings of a survey
that investigates how organizations are developing their business
resiliency strategies. “Key
trends driving global business resilience and risk” is on the
IBM web site and free for anyone to download.
Businesses of all sizes from North America, Europe, and
Asia-Pacific were surveyed. They were asked to name their top risk
management concerns and the top three answers aren't too
The PCI Security
Standards Council recently released their PCI
DSS Tokenization Guidelines, which has consequently sparked much
discussion about how to decide when/if a company should consider
implementing a tokenization structure to improve the security of
cardholder data in their environment and to reduce the costs PCI
Within the world of PCI DSS, “tokenization” refers to the
process of replacing the Primary Account Number (PAN), aka “your
credit card number”, with another number or character string. This
On this episode, a new Operational Risk Taxonomy from CMU's SEI, the Bastardization of Cyberspace, and Cloud Computing as Data Protection Control.
Operational Risk Taxonomies
CMU SEI recently released a paper outlining a proposed risk taxonomy for operational cyber security risks which has sparked a fair amount of debate and chatter about whether we really need another risk taxonomy in the world. I want to briefly review a couple of the more well-known ones, then talk about the new one from CMU. Basel II... [More]
On August 10th, Bruce Schneier pointed out a new paper
released by the CERT group at Carnegie Mellon's Software Engineering
Institute called “A
Taxonomy of Cyber Security Risks” and sparked a new round of
discussions about the utility of developing taxonomies and whether
or not there is a need for another.
In my view, taxonomies are useful to the extent that they a) help
ensure completeness of other work and b) they are based in a credible
body of data. The latter point is especially important because if a
group of researchers... [More]
Another day, another major data leak. This one was reported by the
AP and published on Yahoo under the title, “New
data spill shows risk of online health records.” What makes
this one notable is that not only did the data leak include identity
theft related information like names, addresses, and social security
numbers but it also included insurance form information and detailed
doctors' notes. So we're not only talking about identity theft, we're
talking about deep, personal, humiliating privacy invasion.
According to the AP... [More]
A couple of weekends ago, I had the chance to attend CloudCamp RTP. I'm used to having to travel thousands of miles to attend interesting conferences, or at least having to drive 30 minutes to Raleigh for cool BarCamps. But CloudCamp RTP was held in Carrboro! Now, technically I live in the Chapel Hill town limits, but all my hanging out time is spent in Carrboro, especially the world's best Third Place, the Open Eye Cafe. So of course I had to attend!
I'm proud to say IBM was one of the main sponsors of the event and Troy Volin from... [More]
Credit.com has a story about the Morgan Stanley Data Breach that happened a few weeks ago and I'd like to make two observations about the incident because I think it highlights an often overlooked security control, the chain of custody control. First let's recap what happened. Morgan Stanley was sending information about its clients who are investors in tax exempt bonds and investments to the New York State Department of Taxation and Finance. The news article doesn't say why this information was being sent, but presumably it was required to... [More]