For this week’s In the News, research an article on how an organization has improved their productivity, efficiency, or quality of their key business services by adopting one of the New Trends in Information Security.
Sheena L. Thomas says
I think cloud computing is very scary for Security Professionals; however, cloud computing provides flexibility, efficiency, and strategic value to an organization. Salesforce.com states the security benefits of moving to the cloud, “most businesses don’t like to openly consider the possibility of internal data theft, the truth is that a staggeringly high percentage of data thefts occur internally and are perpetrated by employees. When this is the case, it can actually be much safer to keep sensitive information offsite. Of course, this is all very abstract, so let’s consider some solid statistics.
RapidScale claims that 94% of businesses saw an improvement in security after switching to the cloud, and 91% said the cloud makes it easier to meet government compliance requirements. The key to this amped-up security is the encryption of data being transmitted over networks and stored in databases. By using encryption, information is less accessible by hackers or anyone not authorized to view your data. As an added security measure, with most cloud-based services, different security settings can be set based on the user. While 20% of cloud users claim disaster recovery in four hours or less, only 9% of cloud users could claim the same.”
https://www.salesforce.com/products/platform/best-practices/benefits-of-cloud-computing/
https://www.slideshare.net/rapidscale/cloud-computing-stats-security-and-recovery
Brock Donnelly says
I think a big one for most companies to go to the cloud is to meet government compliance. Organizations that need to meet government compliance and move to the cloud have tools available to them. https://www.fedramp.gov/ provides risk and authorization management standardization. https://cloud.gov/ helps teams build, run, and authorize cloud-ready or legacy government systems quickly and cheaply. There is NIST, FISMA and even Amazon provides tools for AWS https://aws.amazon.com/compliance/. The cloud generates a lot of compliance options for organizations and even provides the tools to ensure it.
Steve Pote says
Is your location covered by the Fourth Amendment?
Where I spend most of my time may not directly equate to ~who I am~ but it does paint a disturbingly accurate statistical image. Include purchase history and browsing and you probably know me better than my spouse, doctor and mother. Anonymized google searches aren’t so anonymous when tagged with geojson coordinates for your home. It is great to have the ability to track your middle school child like a tagged bear on RADAR in Alaska but remember ~Pennywise the Clown~ has the same app.
What I find to be the real threat is not that ~we will be tracked~ by definition upon entering society’s gates, but that we are unclear how to proceed.
In the US, state by state rulings make this Civil Law and a game of “whose authority is it anyway?”. Europe and GDPR already list location data as protected.
https://www.aclu.org/issues/privacy-technology/location-tracking/cell-phone-location-tracking-laws-state
Steve Pote says
(sorry this was for the ~other~ thread)
Brock Donnelly says
This is a very interesting topic that I think will have varying outcomes for years to come. This is section marked as another win by the GDPR for the people of Europe. Perhaps our government finds this data too valuable to toss aside so generously. I think any authorized phone discovery is against the 4th amendment. I have read stories about arrests where phones were confiscated and when returned the SIM and memory cards are taped to the back. For those individuals their digital data was uncovered. The unauthorized access for geolocation of your device is and should be no different than entering your home in the eyes of the law.
Steve Pote says
I am a neo-Luddite. Most often I see new trends as liability introduced for novelty’s sake. Organizations using new trends for dubious reasons are much easier to find new on…
This stood out for me. Remembering the ~delay~ to adopt the chipped cards in the US, and a decade of lead by European dubious actors where chipped cards are concerned…I hope we don’t fall behind in our expectations for multifactor authentication. In this case German Banks recognize the disposability of mobile devices and the ease a SIM can be spoofed as an unacceptable risk to proof of ~possession~… the authenticity of something you have…
https://www.helpnetsecurity.com/2019/07/12/german-banks-sms-tan/
My Luddite sense says we are in an ixionic spin of how to prove an object’s authenticity the same way we’ve whirled around proving ~what you are~ or communicating ~what you know~ without actually telling anyone.
Brock Donnelly says
The Romance of Bug Bounties
Major organizations are increasing their bug bounty programs in hopes to uncover vulnerabilities via crowdsourcing but is it efficient? Bug bounties hold romantic notions of “build it and they will come” but white hat hackers might not be interested in your bounty for several reasons. The reward might not be large enough for their interest. Monetary rewards are only high for newly discovered bugs so for hackers the race is on. You might not be interested in their help. If you rely on bug bounty programs, who is going to review the submissions? YOU! You are going to need to review the submissions or hire a team to do so. You should be wondering, how good is the crowd? Are you willing to risk your security on what other people can find? It is not the most efficient model. As this article points out, Facebook has awarded 700 of 17,800 reports, leading to a lot of wasted man-hours. While some new trends are providing more efficiency and productivity, it seems bug bounties are more of a poison apple.
https://www.cpomagazine.com/cyber-security/the-romance-of-bug-bounties/
Dima Dabbas says
How IT Can Balance Security and Productivity
This article discusses how IT can be the balance between security and productivity. This comes from the fact that IT deals with end users to make the most of technology implementations, from accessibility factors to training sessions. It is also important that the security solutions consider productivity, as IT and security should not be a hurdle to productivity. A good cyber security strategy solution considers the people and processes within the organization and uses technologies that allow for strong privileged access controls combined with security solutions that manage the risk of shared credentials and privileged passwords. Privileged access management is one of the examples that organizations use that considers productivity demands of their users. The right security solution and strategy doesn’t necessarily have to threaten productivity but rather enhance the operations of an organization while ensuring the safety and protection of its users.
https://www.informationsecuritybuzz.com/articles/can-balance-security-productivity/
Elizabeth V Calise says
Dima, this is a good share. Many end users bring up how security is a blocker to productivity. As you and the article state, it does not have to be. When productivity is at a low, it creates stress. For example, a data loss situation can decrease productivity and bring stress quickly. If employees know what to do if there is a data loss situation, they are not as likely to experience anxiety about it. A defined security plan allows for a faster response which helps minimize damage.
Duy Nguyen says
https://s3.amazonaws.com/academia.edu.documents/26008100/luento1.pdf?response-content-disposition=inline%3B%20filename%3DTechnical_opinion_Information_system_sec.pdf&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWOWYYGZ2Y53UL3A%2F20190717%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20190717T142611Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=543e7aaa3e9e1530dffb1fa7bfcb2674fc07c4bfd2d69e53c6124723a4093575
With IT moving away from physical networks, new trends in InfoSec have been slowly developing in the new Millennium. This new borderless global economy needs an efficient, effective, and collaborative network to support the organization’s incentives. In order to accommodate this new requirement, newer principles had to be adopted/developed in addition to the traditional CIA principles of InfoSec. Additional principles to be considered are Responsibility, integrity, trust, and ethicality (RITE). Adapting these new principles is critical to the development of a modern collaborative networking environment.
Responsibility and knowledge of role: is the understanding of a member’s respective role and responsibilities to team and organization. Not only does it mean an understanding of one’s responsibilities but also being accountable.
Integrity: Integrity of a person as a member of an organization.
Trust: in modern organizations, it’s less of an emphasis on controls and supervisions and more on a mutual system of trust and understanding.
Ethicality: assumption that members will act in accordance with some ethical practice.
Ahmed A. Alkaysi says
These principles, namely Integrity, Trust, and Ethicality, are already part of most organizations’ values and attributes that they look for in new employees. RITE is definitely important, but if they want it to be considered as additions to CIA, it will need to be measurable. It will be interesting to see how these attributes can be evaluated in InfoSec.
Elizabeth V Calise says
How is the Internet of Things (IoT) affecting security?
I found it difficult to find an article where IoT is bringing a positive impact to Information Security. It mainly talks about the concerns, risks and continuous daunting tasks that the security team now has to deal with.
IoT will eventually become everyday reality; however, the IoT development is tightly connected with less control over security and privacy. Additionally, IoT makes use of embedded sensors which are primarily accountable for data collection, storage, analyze and administer large amounts of data which can be personal or sensitive. This can be prone to cyber-attacks. Constant increase in connected devices makes the situation more delicate since it is increasing the number of entry points to hack.
From the articles I read through, it does not mention about positive impacts IoT has brought to security but more on the headaches it causes. One positive it does bring to information security is the increase in jobs! IoT is still relatively new and they need security experts in this area.
https://www.quora.com/How-is-the-Internet-of-Things-IoT-affecting-security
Brock Donnelly says
I don’t think there currently is one thing adding positive movement for security of IoT other than the study and high demand for it. You are right, it is going to provide jobs which is a positive for economic reasons. However, these devices are currently a black hole for security. Without standards for IoT we are going to have a lot of security cleanup as future ITACS professionals.
Ahmed A. Alkaysi says
https://www.fiercevideo.com/video/nielsen-moves-its-national-tv-measurement-product-to-amazon-s-cloud
Nielsen, known for providing TV viewership ratings, is migrating its core service, National Television Audience measurement processing, from on-prem to the AWS. It’s hoping that AWS will improve the organization’s scalability, redundancy, and reliability. It’s also hoping that the move will allow the company to spend “more time innovating and less time managing infrastructure.” Stephen Orban, general manager at AWS, believes that the migration will help Nielsen to become more agile and “accelerate their work in helping companies around the world understand viewership data.” Organizations around the world have identified that the next logical step in improving its technology is making a move to the cloud. The cloud offers many benefits as well as reducing costs and overhead in the long run.
Brock Donnelly says
That is another notch in Amazon’s belt. Nielsen has been operating for over 90 years. Seeing Nielsen migrate their core services to AWS is no small task. If you didn’t know, Nielsen now rates YouTube TV as of May 2018. I guess cable cutting isn’t going to affect Nielsen. As they measure more streaming services, having a strong hold in the cloud will be a large advantage for them as services change in the future.
Jonathan Duani says
I don’t know if this falls exactly to one company but it just shows how vulnerable a company and IoT devices are. The biggest thing is that they were blocked with proper security installed on their systems, however it still shows how open they are. The article explains exactly why IoT devices are so dangerous because when hackers are able to get into a device all those devices across the world will then be vulnerable. It is a hacker’s go-to in order to get into a company. I think this is a must read article to really understand the dangers of IoT.
Source: https://www.iottechnews.com/news/2019/jul/01/trend-micro-blocked-iot-camera-hack-attempts/
Oby Okereke says
On-Demand Infrastructure on AWS Helps Capital One DevOps Teams Move Faster Than Ever
———————————————————————————————————————
I’ve been an ardent follower of the DevOps phenomenon for a while now and have devoted quite some time to understand the technologies behind DevOps, the processes and tool-sets used to drive DevOps in an IT environment. DevOps methodology is marked by a change in how software delivery is treated: moving from a discrete project to an ongoing product.
This article showcases how Capital One has fully adopted the DevOps methodology and as a consequence, is reaping the many benefits associated with DevOps.
In conjunction with AWS, Capital One bank DevOps team have the building blocks they need to start developing any new product as soon as they understand the intent behind it – using automation, monitoring, and continuous integration of new code to achieve faster development cycles and more frequent more reliable releases.
https://aws.amazon.com/solutions/case-studies/capital-one-devops/
Ahmed A. Alkaysi says
Thanks for sharing Oby. DevOps is a cultural change, as much as it is a technological one. Taken from the article: “A DevOps culture has helped our business product managers feel even more engaged in our technology journey than in the past.” It is extremely important for a dedicated member from business to be part of the team and share accountability.
Dima Dabbas says
Oby,
DevOps is interesting and I have been reading about it as well. More organizations are now trying to implement DevOps principles. DevOps not only organizes the way projects are implemented but it also enables more and better communication between the different teams within an organization. DevOps enables automated configuration, continuous build, continuous integration, and regular testing.
Frederic D Rohrer says
The Cyber Security threat landscape is changing but we are mostly talking about existing threats increasing. Only one new emerging threat comes to mind that will be an issue, but was previously overlooked.
This new threat is AI malware. Whereas traditional malware is able to adapt to some circumstances, AI malware could adapt and pivot like a human intruder, only that it doesn’t require any Command and Control. This makes it much harder to detect. We have not really seen a sophisticated attack, however biometric attacks could already be taking place. For example, deepfakes could be used to circumvent face scanners, or other face ID verification.
https://www.gemalto.com/review/Pages/5-cybersecurity-trends-for-2019.aspx