The commentary of a security heretic, skeptic and wayward scientist.
For my part I know nothing with any certainty, but the sight of the stars makes me dream. -Vincent Van Gogh
Friday, August 19, 2011
Securing New Technologies
Security isn't about eliminating risk. It isn't about saying no. Security is about knowledge: understanding risk and putting security risk in the right context, so business leaders can make informed decisions. When security is done right, it enables the business to embrace new and potentially transformative technologies and use them wisely to innovate, grow and produce business value. In today's global marketplace, leveraging new technologies to create a competitive advantage can mean the difference between businesses that succeed and those that fall by the wayside.
Today's technology is changing at a rapid pace. The enterprise perimeter is eroding, and securing endpoints is not becoming any easier as computing becomes ubiquitous, embedded in our vehicles and consumer devices in an increasingly interconnected worldwide web. In order to trust endpoints and transactions and to secure information appropriately, technical solutions and standards are necessary, but they are not sufficient by themselves to solve the problems we face.
The key to securing new technologies is collecting more and better quantitative data about the threat landscape associated with the technology, as well as device, configuration, event and transaction information. Knowledge comes from the judicious use of this information, given that the answers we get are only as good as the questions we ask. This means taking huge data sets and reducing them to something that is manageable, while maintaining the integrity of the data. Data sharing between peers and in public and private partnerships will help to standardize how we collect and use this data and lead to better threat intelligence and risk management. With a methodical approach to modeling and using this data, security risk will no longer exist in its own silo, but will become a part of the overall evaluation of business risk as meaningful security metrics mature in the coming years.
Change is inevitable and resistance is futile. If we fail to embrace new technologies, we are likely to watch our competitors pass us by. Knowledge is the key to understanding and providing creative ways to manage security risk in the face of uncertainty, and it is necessary to combat the fear that accompanies new and potentially transformative technologies.
Tuesday, June 14, 2011
Panel Accepted for Black Hat
Wednesday, May 4, 2011
Cyber Security Strategies Summit: Security in a Digital World
Join us at the Cyber Security Strategies Summit, May 10-12, 2011, at the Kellogg Conference Center in Washington DC.
Education is the key to navigating the security landscape. Whether you are managing new initiatives, implementing new programs or designing new technologies, being informed is the deciding factor in winning the cyber war.
The Cyber Security Strategies Summit will focus on education in a digital world of uncertainty.
Tailored to a wide spectrum of stakeholders, the Cyber Security Strategies Summit presents value to small business, enterprise and Government security officers across every vertical.
Topics being covered at the Cyber Security Strategies Summit will include:
- Risk management techniques
- Information protection and privacy
- Employee compliance and standards
- Operation and security in the cloud
- Mobile evolution and impact
- Law enforcement and forensics
The event will offer the ideal environment for knowledge sharing and networking opportunities, while providing a stage for education.
ENTERPRISE: The enterprise security track is driven by industry case studies. Security experts from major companies will be presenting best practices in Cyber Security and Data Protection. Delegates that work in the private sector and would like to bring home new techniques and programs that are being implemented by other corporations should attend the enterprise track.
GOVERNMENT: Cyber security has become one of the most crucial issues facing the stability of our nation. Government agencies need to be equipped with the most up to date information available in the security environment. The Government track will discuss data protection, legislation, privacy and defending our nation against internal, international and terrorist threats.
MOBILE: The influx of smartphones is not just a convenient advancement in our daily lives; it is a paradigm shift in our corporate and government security initiatives. The mobile revolution is in full swing and integration is imperative. The mobile track will address delegates in both enterprise and government, with educational presentations of strategies and risks that will enable your organization to securely adapt to the changing tide.
CLOUD: The risks vs. rewards of cloud computing is an imperative conversation to have, and at the center of it all is security. Is the cloud secure? Should we trust it? And how do we make the move safely? This hot-button subject will be thoroughly addressed, with discussions that will prove pertinent for both enterprise and government security officers.
- Darin Andersen (Event Chair) - Chief Operating Officer at ESET
- Ron Baklarz - Chief Information Security Officer at Amtrak
- Patricia Titus - VP and Global Chief Information Security Officer at Unisys
- Jim Christy - Special Agent, Director of Future Exploration at the Department of Defense Cyber Crime Center
- Bob Samson - Director of Information Protection and Privacy at Marriott
- Patrick Howard - Chief Information Security Officer at the Nuclear Regulatory Commission
- Stacy Arruda - Supervisory Special Agent at the FBI Cyber Crime Unit
- Wade Baker - Director of Risk Intelligence at Verizon Business
- John Johnson - Security Program Manager at John Deere
- Rick Harris - Chief of Future Operations US-CERT, National Cyber Security Division at DHS
- Richard H.L. Marshall - Director of Global Cyber Security Management National Cyber Security Division at DHS
- Sol Bermann - Lead Privacy Policy Development, Business Continuity, User Advocacy at the University of Michigan
- Eric S. Green - President of ELG Consulting
- Adam Meyers - Director of Cyber Security Intelligence at SRA International
- Jay Leek - VP of International Security at Equifax
Wednesday, February 9, 2011
SC Magazine Awards 2011
49th QCESC Banquet and Awards Ceremony
Time: 05:00PM to 09:00PM
Location: Putnam Museum, Davenport, Iowa
This year's Engineers Week banquet will include displays from some of the 35 technical and professional science and engineering societies in the Quad Cities. There will be scholarships and awards and an induction into the Order of the Engineer, as well as a keynote speaker.
Food is catered by the Iowa Machine Shed Restaurant: Italian chicken and lemon-peppered cod, with bread, potatoes, coleslaw, cottage cheese, and a cobbler for dessert. Water, iced tea and coffee are included. A cash bar will be open all night.
Cost: $35, or $20 for full-time students (open to the public!)
Link here for more information and registration.
The End of Privacy - Personal Information on the Internet
Time: 05:30PM to 07:30PM
Announcing the upcoming talk by Mike Bazzell on Internet privacy, sponsored by the IEEE Computer Society of Iowa-Illinois, and the Quad City Cyber Security Group.
This presentation identifies many little-known repositories of personal information available to anyone on the internet. Through data mining companies and people who post personal information about others, data once considered private is now public. This look at our new lack of privacy will surprise even those who think they are not vulnerable. Over 120 sources of online information will be discussed. Aside from web sites, other technology such as digital camera data, document metadata, and files unknowingly copied to your computer will be explained.
Link for more information and registration.
Cyber Security Strategies Summit
Date: May 10-12, 2011
Location: Kellogg Conference Hotel, Washington, D.C.
I will be speaking on enterprise metrics, the afternoon of May 11th. Early registration ends March 4th.
Thursday, January 13, 2011
Cyber Spoofed White House eCard Targets Execs
We were involved in the discovery of a fake White House email that targeted senior government officials and a few corporate officials as part of a cyber espionage campaign. The attack was Kneber again, a Zeus variant designed to steal credentials and confidential documents.
Fake White House holiday e-mail is cyber attack
Associated Press: January 6, 2011
Espionage Via Spoofed White House eCard
Network World By Ms. Smith – January 3, 2011
Kneber botnet strikes again, targets gov't agencies
ComputerWorld.com: By Gregg Keizer - January 4, 2011
Malware Campaign Cyber-Espionage or Cyber-Crime?
eWeek: By: Brian Prince – January 3, 2011
Spam Attack Captures Government Data
InformationWeek: By Mathew J. Schwartz - January 5, 201
Government computers hacked by fake e-mail
WashingtonTimes: By Shaun Waterman - January 5, 2011
Threatpost.com: White House E-Card Scam Part of Larger Zeus-Related Attack
By Dennis Fisher – January 4, 2011