This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. In February 2016, quick service restaurant The Wendy’s Company reported unusual payment card activity affecting some of its franchise restaurants. The breach was confirmed in May when the company revealed it had found evidence of malware on the affected stores’ point-of-sale systems. Additional malicious activity was later reported in June.In a statement from the CEO, the company says it believes the cyberattacks resulted from service providers’ remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees’ point-of-sale systems.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. In February 2016, quick service restaurant The Wendy’s Company reported unusual payment card activity affecting some of its franchise restaurants. The breach was confirmed in May when the company revealed it had found evidence of malware on the affected stores’ point-of-sale systems. Additional malicious activity was later reported in June.In a statement from the CEO, the company says it believes the cyberattacks resulted from service providers’ remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees’ point-of-sale systems.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. The 2016 holiday shopping season is barely in the rearview mirror and already the retail analysts are claiming that sales via mobile devices hit a new all-time high. According to Google Analytics data, 30% of all online shopping now happens on mobile devices.That’s good news for e-commerce companies—assuming they provide shoppers with a secure application that isn’t leaking sensitive information such as user credentials and financial transaction data. How long will it be before we hear of a significant data breach due to a poorly secured mobile app?To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
The massive DDoS attack that was aimed in stages at DNS provider Dyn in October 2016 did more than grab headlines. It also served as a wake-up call to companies that provide the global Internet infrastructure, as well as downstream operators and service providers. Many experts fear this attack could prove to be a tipping point in the battle to maintain stability and availability across the Internet.
Research shows the attack originated from an Internet of Things (IoT) botnet that involved an estimated 100,000 devices. Dyn experienced packet flow bursts 40 to 50 times higher than normal, and unverified reports put the magnitude of the attack in the 1.2Tbps range. The attack used multiple vectors and required a variety of techniques to fight off.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
The massive DDoS attack that was aimed in stages at DNS provider Dyn in October 2016 did more than grab headlines. It also served as a wake-up call to companies that provide the global Internet infrastructure, as well as downstream operators and service providers. Many experts fear this attack could prove to be a tipping point in the battle to maintain stability and availability across the Internet.
Research shows the attack originated from an Internet of Things (IoT) botnet that involved an estimated 100,000 devices. Dyn experienced packet flow bursts 40 to 50 times higher than normal, and unverified reports put the magnitude of the attack in the 1.2Tbps range. The attack used multiple vectors and required a variety of techniques to fight off.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. Every time I read the quarterly Cloud Adoption & Risk Report published by Skyhigh Networks, I come across some tidbit of information that truly surprises me. What is it in the Q4 2016 report that has me so astounded? Consider this: Fewer than half (42%) of cloud providers explicitly specify that customers own the data they upload to the service. The rest of the providers either claim ownership over all data uploaded, or don’t refer to data ownership at all in their terms and conditions, leaving it open to controversy if service is discontinued.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. Every CISO knows it’s not enough to just use prevention tools to try to keep attackers out of the network. CISOs must have the mindset of “they will get in” and plan accordingly with detection tools.According to Gartner, the average time before a breach is detected is more than 200 days, and too often the breach is detected by an outside organization such as a credit card processor or a law enforcement agency. These facts are simply indefensible when a CISO is called before the Board of Directors to discuss preparedness for cyber incidents.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. Every CISO knows it’s not enough to just use prevention tools to try to keep attackers out of the network. CISOs must have the mindset of “they will get in” and plan accordingly with detection tools.According to Gartner, the average time before a breach is detected is more than 200 days, and too often the breach is detected by an outside organization such as a credit card processor or a law enforcement agency. These facts are simply indefensible when a CISO is called before the Board of Directors to discuss preparedness for cyber incidents.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
Digital certificates provide the backbone of information security and trust on the Internet. Demand for certificates is exploding as companies use them to secure and build trust in web transactions, email messages, application code, and devices such as those on the Internet of Things. The use case for digital certificates continues to expand as more people and devices become connected.
It’s not unusual for an enterprise organization to have 10,000 or more certificates in use. For example, a company might use certificates to digitally sign and encrypt email messages and attachments. Allowing for one certificate per email account, this can amount to tens of thousands of certificates for this use case alone.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
Digital certificates provide the backbone of information security and trust on the Internet. Demand for certificates is exploding as companies use them to secure and build trust in web transactions, email messages, application code, and devices such as those on the Internet of Things. The use case for digital certificates continues to expand as more people and devices become connected.
It’s not unusual for an enterprise organization to have 10,000 or more certificates in use. For example, a company might use certificates to digitally sign and encrypt email messages and attachments. Allowing for one certificate per email account, this can amount to tens of thousands of certificates for this use case alone.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
Digital certificates provide the backbone of information security and trust on the Internet. Demand for certificates is exploding as companies use them to secure and build trust in web transactions, email messages, application code, and devices such as those on the Internet of Things. The use case for digital certificates continues to expand as more people and devices become connected.
It’s not unusual for an enterprise organization to have 10,000 or more certificates in use. For example, a company might use certificates to digitally sign and encrypt email messages and attachments. Allowing for one certificate per email account, this can amount to tens of thousands of certificates for this use case alone.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
Digital certificates provide the backbone of information security and trust on the Internet. Demand for certificates is exploding as companies use them to secure and build trust in web transactions, email messages, application code, and devices such as those on the Internet of Things. The use case for digital certificates continues to expand as more people and devices become connected.
It’s not unusual for an enterprise organization to have 10,000 or more certificates in use. For example, a company might use certificates to digitally sign and encrypt email messages and attachments. Allowing for one certificate per email account, this can amount to tens of thousands of certificates for this use case alone.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
Humans are often the weak link in any cybersecurity defense. People behave unpredictably because we are sometimes driven by emotion and by an innate desire to trust and please other people. Also, we tend to take the path of least resistance, even if that path inadvertently creates a cybersecurity risk.
Attackers understand these human traits, which is why they are frequently successful in exploiting people to get around more predictable machine-based defenses. As an example, consider phishing. It’s estimated that globally, 8 million phishing email messages are opened every day, and of those, 800,000 recipients of the malicious messages click on the embedded links. Ten percent of the people who click on a link actually give their information, such as login credentials for personal applications or their employer’s applications.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
Humans are often the weak link in any cybersecurity defense. People behave unpredictably because we are sometimes driven by emotion and by an innate desire to trust and please other people. Also, we tend to take the path of least resistance, even if that path inadvertently creates a cybersecurity risk.
Attackers understand these human traits, which is why they are frequently successful in exploiting people to get around more predictable machine-based defenses. As an example, consider phishing. It’s estimated that globally, 8 million phishing email messages are opened every day, and of those, 800,000 recipients of the malicious messages click on the embedded links. Ten percent of the people who click on a link actually give their information, such as login credentials for personal applications or their employer’s applications.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. For many security professionals, passwords are the scourge of the authentication world, and their death can't come soon enough. Passwords are too often stolen, shared, forgotten or simply too weak or obvious to be effective. According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involve the use of weak, default or stolen passwords.End users hate passwords too, because they create a bad user experience (UX). We are advised (or forced) to use complex combinations of numbers, characters and symbols that are practically impossible to remember, and we are supposed to have a different password for every system and application we use. Years ago I resorted to a password manager to keep track of my 300+ sets of credentials.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. For many security professionals, passwords are the scourge of the authentication world, and their death can't come soon enough. Passwords are too often stolen, shared, forgotten or simply too weak or obvious to be effective. According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involve the use of weak, default or stolen passwords.End users hate passwords too, because they create a bad user experience (UX). We are advised (or forced) to use complex combinations of numbers, characters and symbols that are practically impossible to remember, and we are supposed to have a different password for every system and application we use. Years ago I resorted to a password manager to keep track of my 300+ sets of credentials.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. Logs are one of those things that a lot of people take for granted. Every software, device and application generates its own logs, and they are often overlooked until something happens and someone needs to dig into the logs to try to discover a root cause of the issue. Companies that treat logs in this way are missing out on an opportunity to improve their business.Logs have an interesting property that makes them quite valuable: they are the only common thread across a company's entire technology stack. It doesn't matter if it's network devices, security devices, operating systems or applications—all generate logs. Because of that, and with the proper tools, it's possible to look end-to-end in the infrastructure and the application stack using logs. The result is the ability to see what is happening from node to node, and from process to process.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. Logs are one of those things that a lot of people take for granted. Every software, device and application generates its own logs, and they are often overlooked until something happens and someone needs to dig into the logs to try to discover a root cause of the issue. Companies that treat logs in this way are missing out on an opportunity to improve their business.Logs have an interesting property that makes them quite valuable: they are the only common thread across a company's entire technology stack. It doesn't matter if it's network devices, security devices, operating systems or applications—all generate logs. Because of that, and with the proper tools, it's possible to look end-to-end in the infrastructure and the application stack using logs. The result is the ability to see what is happening from node to node, and from process to process.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. At the recent Gartner Security & Risk Management Summit, Gartner VP Neil MacDonald spoke about the technology trends for 2016 that provide the most effective business support and risk management. Cloud Access Security Brokers (CASBs) are number one on the list. According to Gartner, companies' use of Software as a Service (SaaS) applications create new challenges to security teams due to limited visibility and control options. CASBs enable businesses to apply much-needed security policies across multiple cloud services.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. Location, location, location! It turns out that mantra is not just for the real estate market. Location is a critical aspect of fog computing as well.Cisco introduced the notion of fog computing about two and a half years ago. (See Cisco unveils 'fog computing' to bridge clouds and the Internet of Things.) This distributed computing architecture addresses the challenge of backhauling a lot of raw data generated in the field –say from thousands or millions of IoT devices – to the cloud for analysis.To read this article in full or to leave a comment, please click here