Site Root

File: New IBM Security Portfolio Overview Brochure IBM Security Intelligence, Integration and Expertise

ZoeShelley — Tue, 02 Jun 8020 05:00:00 GMT

To help address the growing need for enterprise security in today’s hyper-connected business environment, IBM has created the Security Systems division with a strategy based on Intelligence, Integration and Expertise, designed to “plug the holes” of traditional approaches.

Blog Post: Creating a secure online environment in the workplace, online, and at home

ggooding_3591 — Thu, 16 May 2013 14:30:00 GMT

This week is National Cyber Security Week in Australia, and annual Government initiative that is held in partnership with industry, community and consumer organisations and all levels of government. The aim of awareness week is to help Australians using the internet – whether at home, the workplace or school – understand the simple steps they can take to protect their personal and financial information online.

Regardless of what hemisphere you reside in, technology can ensure organizations can achieve protection of their critical data. However, one area where it will not help provide a secure environment is you, the human sitting between the chair and the keyboard.

As the "1800 hotline support" for my family and friends, I have compiled a list of security " to-do's ", to better protect your work and home online presence.

1. Tablets/Smartphones
Set a password, full stop! Preferably choose an alphanumeric password, rather than the standard 4 digit pin. A lost phone with no password, or default password can expose a lot of personal and private information about yourself. Voice mail, Facebook, email, contact lists, work files, password files, notes, photos, vpn access, work collaboration sites, bank account access are all available to the person who picks up your phone/tablet. Set auto lock on your device.

2. Social media protection
Many of the default settings that we use for social media are designed for ease of use and therefore do not include any of important privacy and security settings. Take the time to learn what your settings are and be diligent in setting some of the more critical options. With over a billion potential friends out there, not all are friendly. Enforcing SSL encryption (https) is a good start, you don't want anyone on a public wifi network (read more later) sniffing your password as you type it in. Tighten your privacy settings, to allow only friends (friends of friends) to view your posts, photos, timeline, etc. There are many sites that provide suggestions on locking down your on line social presence, a simple google search will point you in the right direction.

3. Tweets and SMSs from the vast unwashed
Take the extra second to breathe before clicking on that unknown Twitter followers post, or that link in an SMS from an unknown number. Many of these links are shortened and therefore you don't know where they are taking you, or more importantly, what has just been downloaded to your device. If you don't know the origin of the sender, ditch it.

4. Public Wifi
Use with caution! Quite often you are so excited to find a public Wifi that doesn't require a password or doesn't require any payment that you readily connect to and start emailing, tweeting, facebooking, etc. Think about who owns this network you have just connected to and how they now have access to see everything you are typing, inclusive of passwords entered, usernames used, sites connected to. A network trace of your initial minutes on the internet can expose a lot about yourself that can be used as information that could lead to online identity theft.

5. Multiple passwords for multiple personas
In our busy on line life we assume multiple personas. Try and keep multiple passwords for each of those personas. At IBM we are fortunate that we have one id and password to remember to access most of our work related sites. We are also encouraged to change our passwords every 90 days, keep passwords fairly complex, don't reuse them. Maintain a layered password approach, a simple, easy to remember phrase for many online sites that if compromised wouldn't cause much grief, a more complex approach to sites that could, if discovered, provide a means to your private details and finally a strong a password as you can get for your online financial transactions. Importantly, in your non work personas, try and stick with the same regime of password change, complexity, etc., that your organization instills for your outside of work ID's.

6. Emails from (strangers acting as) friends asking for help
Many phishing scams involve infiltrating a friends account, then mass mailing all of their contacts. The mail often asks you to click on a link to provide help, or sending money or open some attachment. These can be written in such a way, That may be appealing to click to read further information. Stop for a moment and think about the implications of clicking the link or the attachment. If it doesn't sound quite right about your friend, or a friend of a friend, then don't click it. Report the mail as spam, then delete completely.

7. Secure your home Wifi
Your internet provider will ship standard comms equipment to your home and these will be configured with the standard default configuration settings. You should reconfigure and/or change a number of these settings. A couple of no brainers right up: Change the default admin password; change the SSID; configure support for encryption, such as WEP/WPA/WPA2/PSK; and disable SSID broadcasting.

8. Software updates
Don't delay the annoying reminders to update your software: anti virus signatures; operating systems, Java, applications such as Adobe; etc. Once upon a long time ago, these were designed to include new features and functions, but nowadays it is more to include security patches where hackers have exposed vulnerabilities. Many times we click the 'Remind me Later' option but in doing so, leave yourself and your system vulnerable to outside attack.

9. On line browser popup ads
Simple rule with these - click the close button. Get rid of them. Even better, use your keyboard shortcuts to shutdown browser windows (common CTRL-W, CMD-W will do this). If you are not sure, even if they look like operating systems updates or application updates in a browser window, more than likely they are not and in many cases will be malicious code designed to log every keystroke you make.

10. Build education into your organization’s social computing guidelines
Today, there are over 280,000 IBMers on LinkedIn, over 170,000 people on Facebook with IBM listed as their workplace, and an estimated 30,000 IBMers engaging on Twitter each month. Done the right way, social media can pay off both for individuals and the enterprise. Read more about how IBM is building education and guidance into the fabric of the enterprise’s social media strategy to leverage the opportunities and risks of the digital world in Security Essentials for CIOs: Navigating the Risks and Rewards of Social Media.

Blog Post: Prepping College Kids for a Career in Cybersecurity

Institute for Advanced Security — Wed, 15 May 2013 12:00:00 GMT

This blog was originally posted on asmarterplanet.com by Laurie Williams. Laurie Williams is a Professor in the Computer Science Department of the College of Engineering at North Carolina State University (NCSU). Her research focuses on software security particularly in relation to healthcare IT; agile software development practices and processes; software reliability, software testing and analysis; open source software development; and broadening participation and increasing retention in computer science. Laurie has more than 170 refereed publications. Laurie received her Ph.D. in Computer Science from the University of Utah, her MBA fromDuke University Fuqua School of Business, and her BS in Industrial Engineering from Lehigh University. She worked for IBM Corporation for nine years in Raleigh, NC and Research Triangle Park, NC before returning to academia.

According to a recent IBM Tech Trends report, both educators and students view security as extremely important. In fact, 56 percent of students and 44 percent of educators ranked it as one of the top three issues the IT industry will face over the next two years. In addition, a UK government report said that it may take 20 years to address the current cybersecurity skills gaps.

To help try and change that, North CarolinaStateUniversity is partnering with IBM to help better prepare the next generation of engineers with a secure-by-design focus and curriculum.

Why dedicate so many resources to building cybersecurity skills? The world operates with interconnected systems and as technology progresses these systems will only proliferate. The linchpin to success in securing these systems is in the design stage – not at the end of the process.

At North Carolina State University, my students are focusing on healthcare systems, specifically building and analyzing electronic medical record applications. The students leverage IBM AppScan to test these applications for potential vulnerabilities. Critical cyber systems must inspire trust and confidence. They must predictably protect the integrity of data and resources as well as the privacy of data owners, and perform securely, safely, and reliably.

Earlier this year, I had the opportunity to collaborate with IBM researchers to identifycommon themes and pinpoint some of the major challenges academic institutions are facing in relation to building next generation cybersecurity skills. Four common trends were identified:

1.) Information security is increasing in relevance. No longer just a highly-specialized area, information security impacts people every day. It has become personal in an interconnected world that’s reliant upon smart phones, social media, e-commerce and cloud services. In other words, information security impacts us every day.

2.) Increasing attention and demand from students, private industry and government agencies. More and more industries, from banks and financial services companies to aerospace and defense firms, as well as healthcare providers, are seeking graduates with specialized security skills. Training an expert cybersecurity workforce is now a national priority for many countries.

3.) The field of cybersecurity has significantly expanded with more domains to secure and more ways to attack. This means more to teach and to learn. Today, attacks are extremely hard to detect; attackers are stealthier and more evasive. In response, academic programs are expanding beyond traditional areas like cryptography and countering sniffing and denial of service attacks. Cybersecurity education now covers new areas like cyber-physical attacks, the protection of heterogeneous systems and real-time security data analysis.

4.) Academic programs are evolving from teaching purely the principles and theory of security to focus more on the practices. This is largely driven by the demands of industry and governments, as well as by students who want to focus more on real-world problems and practical challenges.

While these may be the four common themes we identified, in reality it will take all of us to create a more secure future.

Read the original article here.

Blog Post: The Congruence Model for Security

Institute for Advanced Security — Tue, 14 May 2013 14:25:00 GMT

This post was written by Javed Shah for http://expert-tech.blogspot.com. Javed Shah is a Practice Director for Security at Prolifics with more than 12 years experience in identity and access management architectures. He has broad exposure developing identity and access management solutions, and system software components that deliver reliable data security, web enablement and user lifecycle management services to customers. Before joining Prolifics, Javed founded and ran a professional services company in India for 6 years. Spanning over a decade, Javed has led identity management projects to successful exits at Nestle, University of California San Francisco, Kaiser Permanente, ABM Industries, BRE Properties, UPS, Tampa General Hospital and E*TRADE Bank. He was also the leader of the ITIM Level 3 defect resolution and analysis team in India where he was responsible for handling all customer defects for North America and Asia. Javed holds a Bachelor’s degree in Computer Science, a Certificate in Implementing and Managing an Enterprise Architecture using the Zachman Framework and the CISSP certification. He is also currently pursuing an MBA from the Haas School of Business, University of California Berkeley.

From management literature (Tushman & O'Reilly), the congruence-based problem solving is a method to quickly and accurately identify the root cause of performance or opportunity gaps. In the context of security architecture, the congruence model can be applied to creating comprehensive security assessments for an organization. The model emphasizes analysis of the relationships among four core components of an organization (shown in the graphic below) also called the building blocks whose alignment relationships are the focus of congruent security architecture techniques. The goal is to leverage the relationships and interactions between those core components to reveal the underlying security posture of an organization.

Each congruence relation is important in forming organizational diagnoses that help us understand the current state of security in the enterprise, and the causes of the vulnerabilities. Analyzing these relations tends to define the political map and how the players tend to navigate it. It helps identify organizational behaviors that are helpful, neutral or detrimental to the security architecture initiative.

Analyzing the following three alignments using an appropriate "congruence questionnaire" is crucial to determining the security posture of the enterprise.

The Task and People Congruence Relation:

Do people have the required competencies to perform the critical tasks that ensure safety of data and process?
To what extent do the skills, abilities and motives of today’s human resources fit with security planning, architecture formulation and implementation requirements?

Identification goals: task-human resource inconsistencies that inhibit the ability to execute on security strategy.

The Task and Formal Organization Relation:

Do the formal linking mechanisms between units facilitate security task integration, security team building and agility from a product delivery perspective?
Is there a company wide vision for security and a strategy for addressing regulations, audit and security breaches?

Identification goals: task-structure inconsistencies that inhibit necessary integration among SBUs, needed to deliver a comprehensive security solution.

The Task and Culture Relation:

Does the existing culture energize the accomplishment of critical tasks?
Does the informal communication network and informal distribution of power help get the work done?
Is there a reluctance to take action? Is there reliance on being told what to do? Identification goals: culture-task inconsistencies that drag performance down and inhibit consensus on security goals.

This due-diligence analysis can help identify the need for managers and their teams to realign the formal structures, people processes and cultural aspects of their organization with the critical tasks necessary to achieve the overall security vision. Managers and their teams should learn from this process, and even re-initiate the process iteratively within their own SBUs if necessary.

You can read the original post here.

Blog Post: Cybersecurity Education: The struggle to develop the future workforce

David Jarvis — Mon, 13 May 2013 12:30:00 GMT

This blog was originally posted on IBM.com.

Sometimes time and space conspire to create an opportunity that you weren't expecting. That was the case for me last week. Near where I live, the University of Rhode Island (URI) hosted their third Cybersecurity Symposium on education and workforce development. Speakers included the entire Rhode Island Congressional delegation, the director of the U.S. Defense Intelligence Agency, the CIO for the U.S. Department of Defense and a number of industry practitioners, including IBM’s VP for Cyber Security Innovation Marisa Viveros. Marisa was the co-author of the paper that we recently published on leading practices for cybersecurity education.

The symposium was open to the public and students, had over 400 attendees, and flew at a fairly high level. There were some excellent takeaways and parallels to IBM’s recent research with respect to cybersecurity skills and education. The Congressional delegation, which included Sen. Whitehouse, Sen. Reed, Rep. Langevin and Rep. Cicilline, each emphasized different areas of the cybersecurity challenge. This included improving public awareness, the national security implications of the rapidly changing cyber threat, the difficulties with law enforcement, and the need to protect our privacy, civil rights and liberties.

Lieutenant General Flynn of the U.S. Defense Intelligence Agency (and URI alum) was a very engaging speaker and talked about the “invisible war” that is currently being waged in cyberspace. He highlighted the profound transition U.S. security is currently going through – caused by population, economic and technology shifts – which require new ways of thinking. To fight this invisible war, he said that for every person currently working in cybersecurity today, we need a staggering twenty-eight more. He also repeatedly talked about the generational issues involved in cybersecurity and that real rules and discipline have yet to emerge on the international stage. He advocated something akin to the “law of the sea”, but for the cyber domain.

The business and industry panel included speakers from Google, IBM, Dell SecureWorks, CVS and Fidelity Investments and was much more open and conversational. They all brought their perspectives – whether providing information security or managing it for their organizations. There was a lot of discussion about how to break into the field of cybersecurity, what skills to have, what courses to take, and career paths. Stephan Somogyi, from Google, talked about the need to educate everyone on digital hygiene and focusing education on the basics of computer science. He said that you have to have a passion for security, it is a calling. If you have that, you can come from any field. Jeff Shilling, from Dell, talked about the incredible need for security technicians, those with hands-on skills. He has enough security managers, what he needs are those that can do the work (he agreed with Lt. Gen. Flynn’s assessment).

A lot of the themes from the day echoed what we recommended through our research. Local and national collaboration was evident with the diversity of speakers and the support from the entire university, the Congressional delegation, the military and industry. The importance of awareness was highlighted over and over. URI is working on innovative ways to provide hands-on experience for students through a low-cost Open Cyber Challenge Platform they are developing. The need for improving non-technical cybersecurity academic programs for business and policy leaders was highlighted in a new study from the Pell Center for International Relations and Public Policy.

This was a very valuable event, and I hope that it continues on an annual basis. Even though it was to raise local awareness and promote URI and its computer science program, it could stand to have increased global participation in the next iteration – which was one of our key findings.

Read the original post here.

Blog Post: Don't Get Me Started: FUD

ChrisP — Fri, 03 May 2013 12:00:00 GMT

Presentations about the information security industry can be motivating or they can be boring, but one emotion they should not elicit is fear. We do not need one more talking head lecturing us through a stern look about the dire state of security.

They start with statistics meant to scare us:

"90% of organizations we polled have suffered a system breach in the last year."
“$21 billion worth of electronic health information was stolen in the last three years.”
"50% of organizations say they have no formal incident response plan.”

Now statistics are fine, but only when placed in context, which means talking about what’s working as well as what’s not. That’s not usually the arc of the dialog. It continues as the ersatz persuader piles on qualitative statements, like “we’re losing the battle to hackers”, or "APTs are unstoppable".

Fear is good for controlling people and selling snake oil. Which is the next step in the pitch: buy my product or service and I’ll take away your pain. Just as with traveling medicine shows, a single product will not solve the problems of the world. So stop insulting us, elixir peddlers; you’d do better to have an honest conversation without the hyperbole.

That’s not to say we shouldn't discuss the dangers of doing business in the information age. A healthy exchange of experiences helps us all to assimilate the threats and formulate a strategy to detect, defend, and respond. Anyone in this industry who’s progressed beyond the crawling stage understands that information security is complicated and requires a program to effectively stand against the varied challenges like APTs, DDoS, malicious and accidental insider actions, BYOD, and cloud.

So I implore you, Mr. and Ms. presenter: please look over your decks and ask yourself whether you’re giving a balanced view of the threatscape and how you fit into the security ecosystem, or are you just trying to scare us into buying your product? And for those of you on the other side of the podium or conference table, practice your critical thinking skills and don’t get led by emotions. Chipmunks squeak and scurry randomly with their tails in the air at every vaguely threatening sound, often into the path of an oncoming car. Don’t end up an orange and black striped road pancake.

File: April 2013 IAS EMEA Community Newsletter

Martin Borrett — Wed, 01 May 2013 05:00:00 GMT

April 2013 Newsletter

Last week in London we saw one of the biggest European Information Security exhibitions of the year. With some 350 exhibitors, Infosecurity attracts some 12,000 attendees each year over its 3 days. What struck me again was the scale and also the diversity of both vendors and attendees. It brought me back to one of the challenges that I hear all the time from clients, the need to take a holistic approach across all security domains and to really think about security with a proactive and secure by design. IBM had a significant presence at the show and it was great to see all 8 of our workshops packed out and in a couple of cases sadly turning people away. The ability to share expertise, improve integration, and as a result achieve greater Security Intelligence is something that clearly resonates.

Martin Borrett

Director of the IBM Institute for Advanced Security Europe

User Group Meeting

European IBM Security User Group Meeting in Copenhagen

This follows the success of our previous meetings in Amsterdam, Brussels, Rome, Paris, Montpellier, Barcelona, London, Stockholm, Berlin, Dublin and Venice. As in previous years we will be inviting our existing customers from all across Europe to attend. The meeting will take place over two days on the 29th and 30th May 2013 (Wednesday and Thursday) in Copenhagen, Denmark. We would like to invite you and other representatives from your company to attend this event.

Register for the Event

IBM Pulse Comes to You

Pulse Comes to You 2013: Nordic Spring Event

May 28th - 29th, 2013

Participate in the major Nordic spring event and learn how to increase the pulse of your business. Pulse Comes to You 2013 is an inspiring forum, where you will be experienced with highly topical business challenges and gain new insight into IBM's intelligent IT solutions. At the event, you will also get to meet our local and international experts.

Register for the Event

Upcoming Community Webcast

Webcast: How New NFC and EMV Technologies will Affect PCI Compliance Approaches

May 29, 2013, 4 PM (BST)

New payment methods like EMV and NFC are

on the horizon for most retailers and their payment environment. These new payment methods are appealing to retailers as they have the promise of an additional layer of security from the threat and liability of a data breach and eliminates the fraud associated with traditional magnetic stripe skimming. But as these new technologies become reality in the payment environment, what will it mean for PCI compliance?

Register Now

Latest Resources

IBM X-Force 2012 Webcast Replay Now Available

The webcast replay and slides from the webcast IBM X-Force Declares 2012 "The Year of the Equal Opportunity Exploit" are now available to view in the Institute for Advanced Security community resource library:

View the Webcast Replay

View the Webcast Presentation Slides

Get the IBM X-Force 2012 Annual Trend and Risk Report

Whitepaper: A collaborative approach for cybersecurity education

By David Jarvis

Improving protection through global connections

In a world of increasing information security threats, academic initiatives focused on cybersecurity are proliferating—yet, there is still the danger of falling short in addressing the long-term threat. To avoid becoming too focused on near-term issues, programs must be more collaborative across their own institutions, with industry and government and among the global academic community.

Download the whitepaper

Whitepaper: Defending the Mobile Banking Experience

By Vijay Dheap and Glen Gooding

the adoption of mobile is taking place in a relatively short time span banking institutions will now also have to focuson securing not only devices, but also the data.

Download the whitepaper

Thank you for subscribing to the IBM Institute for Advanced Security Community newsletter. If you are not yet a member...

Join the Community Today!

Connect with the Institute

	Join the Community
	Community Blog
	Follow Us On Twitter

Join our LinkedIn Group

Latest Blog Posts

Near Field Communication (NFC): Mobile Payment Confidence?

Cybersecurity Education: Improving Protection through Global Connections

Security in the Clouds: Part 2

Featured Video

Mobility is Here: You Need to Manage and Secure It

Forum Post: RE: Defending the Mobile Banking Experience

Vijay Dheap — Tue, 30 Apr 2013 20:18:00 GMT

One of the things to recognize is that sometimes the security information that you’re getting can actually be used beyond security. The context of a user can include what type of customer they are and how often they engage. Now, that type of contextual information can be utilized to do cross-sell, up-sell, and even provide value-added services increased. It’s not just about security value, but also business potential.

Blog Post: Audio Blog: Race to Protect the Nation's Power

Danny Taylor — Tue, 30 Apr 2013 16:00:00 GMT

A race to protect the nation's power grids from cyber attacks is underway. And now utilities have a tool to help them protect their systems from would be cyber threats. It's called the Electricity Subsector Cybersecurity Maturity Model -- or ESC2M2 -- and was developed by the Department of Energy to manage dynamic threats and understand grid cybersecurity.

Hear the audio here .

Blog Post: Near Field Communication (NFC): Mobile Payment Confidence?

Tue, 30 Apr 2013 14:00:00 GMT

NFC or Near Field Communication is a standard that defines the exchange of data between two devices in close proximity. For NFC enabled smartphones, that means consumers can replace their credit and debit cards with an electronic wallet. Besides payment transactions, the technology has a wide variety of applications that it’s suitable for:

Access: Electronic identity & Physical Access control
Transactions: Store Transportation passes, Electronic Payments
Information: Store Personal information, View Product information, Receive discounts, Swap Media

How vulnerable is the technology?

NFC is inherently secure for mobile payment since transactions can only take place within roughly 4 cms, making it uncomfortably close for an attacker to ‘skim’ information. And since the NFC chip has to be queried by a reader, any encrypted credit card information stored on your smartphone can only be accessible when it’s activated at an NFC POS terminal or similar device. A strong password protected phone will add an extra layer of protection to prevent unwanted access of a stolen device to further protect sensitive credit card or other personal data.

But wait, if you have six months of free time to debunk these NFC factoids, you may discover otherwise. That’s just what someone did with a few NFC enabled smartphones to test out the security of the technology. At a 2012 BlackHat conference, a researcher presented his findings on how he painstakingly hacked the devices to take advantage of a variety of exploits. With the appropriate know-how, NFC can be manipulated to; launch a browser to link to a malicious website, download malware, upload personal info, make unwanted calls or even send SMS messages. Pretty impressive huh? And what about the concept of card skimming? Imagine an NFC tag discretely placed at a point-of-sale terminal to quietly collect credit card information with some NFC skimming technology. Ouch!

Fortunately, the slow adoption of NFC technology is being impacted by a few big barriers (lack of industry coordination / standardization, lack of infrastructure to support NFC) that will give smartphone providers some extra time to address these technology vulnerabilities (let’s hope that’s the case).

While retailers may be feeling consumer pressure to deploy NFC payments and other applications, a mis-step with the technology can have a huge impact not only on its adoption but also on the erosion of customer satisfaction, loyalty and retention. A bigger ouch!

Check out my webcast, How New NFC and EMV Technologies will Affect PCI Compliance Approaches, on May 29th, 2013 for more details.

Sources:

http://arstechnica.com/security/2012/07/android-nokia-smartphone-hack/

File: April 2013 APAC Community Newsletter

ggooding_3591 — Tue, 30 Apr 2013 05:00:00 GMT

April 2013 Newsletter

As I have been engaging with clients this past month, I have been touting the concept of “security as an enabler”. In fact, this has been one of my catch phrases for a number of years now. Building security controls into your enterprise applications from day one and providing a secure IT framework to build upon gives you a strategic platform to grow your secure IT infrastructure.

The next innovative push here is around the Security/Big Data integration, harnessing the power of business based analytics in conjunction with security intelligence, read more about that here. If you build in the power of the data analysis in this environment, your secure infrastructure will be better suited to grow your business at the speed your executives expect.

Until next month...

Glen Gooding

Director of IBM Institute for Advanced Security, Asia Pacific

LATEST RESOURCES

IBM X-Force 2012 Webcast Replay Now Available

View the Webcast Replay

View the Webcast Presentation Slides

Get the IBM X-Force 2012 Annual Trend and Risk Report

Whitepaper: A collaborative approach for cybersecurity education

By David Jarvis

Improving protection through global connections

Download the whitepaper

Whitepaper: Defending the Mobile Banking Experience

By Vijay Dheap and Glen Gooding

With a prediction of more than 22 billion connected devices being in use by 2020, the banking industry is facing many new challenges with the proliferation of mobile devices being increasingly used for banking transactions. Over time banking has evolved from brick and mortar to ATMs to online banking over the Internet. As the adoption of mobile is taking place in a relatively short time span banking institutions will now also have to focus on securing not only devices, but also the data.

Download the whitepaper

Thank you for subscribing to the IBM Institute for Advanced Security Community newsletter. If you are not yet a member...

Join the Community Today!

Connect with the Institute

	Join the Community
	Community Blog
	Follow Us On Twitter

Join our LinkedIn Group

Latest Blog Posts

Cybersecurity Education: Improving Protectection through Global Connections

Security in the Clouds: Part 2

The Healthcare Industry Needs to Implement Tighter Controls and Policies, According to the IBM X-Force 2012 Annual Trend and Risk Report

Featured Video

Mobility is Here: You Need to Manage and Secure It

Upcoming Asia Pacific Events

RSA Conference Asia Pacific 2013

Blog Post: Cybersecurity Education: Improving Protection through Global Connections

David Jarvis — Mon, 29 Apr 2013 20:35:00 GMT

This blog was originally posted on IBM.com.

In a world of increasing and varying information security threats, academic initiatives focused on cybersecurity are proliferating - yet, there is still the danger of falling short in addressing the long-term threat. To avoid becoming too focused on near-term issues, programs must be more collaborative across their own institutions, with industry, government, and among the global academic community. Only by working in concert can we meet today’s demand while educating the next generation to create a more secure future.

There have been a lot of recent reports, blog posts and news articles discussing the cybersecurity skills gap. It has been an ongoing issue for a while, and will continue into the future. We wanted to tackle this problem, not from the demand side, but from the supply side. So, the IBM Center for Applied Insights and IBM’s Cyber Security Innovation team selected 15 academic programs in 6 different countries from the over 200 institutions we monitor and work with. We conducted interviews with faculty members, department chairs and others. This week, we released a synthesis of those interviews in our latest security insights paper,“Cybersecurity education for the next generation: Advancing a collaborative approach” .

Through our interviews it was confirmed that cybersecurity is top of mind for students, educators, industry and government. Industry and government are currently facing a significant skills gap and this is causing the programs we interviewed see extremely high demand for their students, both undergraduate and graduate.

But, not all is rosy with the increased demand and attention. Programs are expected to provide more of everything – courses, graduates, opportunities, research – which has caused programs to face a number of organizational and technology challenges. Stained programs are addressing these challenges in different ways, taking different approaches to cybersecurity education, but still sharing similar common principles.

The trends, challenges, issues and differing perspectives cannot be fully addressed by each academic program on its own; cybersecurity is a global problem and should have global solutions. A set of leading practices promoting a longer-term and more collaborative approach is needed. We identified three general areas that the leading programs we talked to excelled at, all dealing with collaboration and connection.

1. Collaborate within your own institution – Cybersecurity programs should embed security practices and principles in computer science and engineering courses and take a holistic technical approach. They should work with other disciplines and schools in the university (e.g., business, law, ethics, medicine, policy). They should offer diverse education options for students and professionals (graduate, undergraduate, professional development, etc.).

2. Co-evolve with industry and government – Academic programs should have deep ties with industry and government – partnering and collaborating on research, curriculum development, and opportunities for students. A hands-on, practical, approach is also extremely important. Laboratory work, projects, special-interest groups, and internships should all be cultivated.

3. Connect across the global academic community – A number of the programs we talked with discussed the need for building a “science of security” to anticipate security problems and a cross-discipline lingua franca among scientists, engineers and policy makers. Fundamental concepts and common vocabulary can only be developed with participation of the entire global cybersecurity community.

To read more about leading cybersecurity education practices, case studies, and IBM’s recommendations, download ourreport . The paper is part of our ongoing security insights series which includes the 2012 IBM CISO Assessment and theSecurity Essentials for CIOs series.

Read the original article on IBM.com here.

File: Whitepaper: Cybersecurity Education for the Next Generation

David Jarvis — Mon, 29 Apr 2013 20:29:00 GMT

In a world of increasing information security threats, academic initiatives focused on cybersecurity are proliferating – yet, there is still the danger of falling short in addressing the long-term threat. To avoid becoming too focused on near-term issues, academic programs must be more collaborative across their own institutions, with industry, government and among the global academic community. Only by working in concert can we meet today’s demand while educating the next generation to create a more secure future.

File: Whitepaper: Defending the Mobile Banking Experience

ggooding_3591 — Mon, 29 Apr 2013 20:20:00 GMT

Over time banking has evolved from brick and mortar to ATMs to online banking over the Internet. As the adoption of mobile is taking place in a relatively short time span banking institutions will now also have to focus on securing not only devices, but also the data.

This paper is based on the webcast presentation: Defending the Mobile Banking Experience, part of the Expert Webinar Series by the IBM Institute for Advanced Security.

File: April 2013 Community Newsletter

Institute for Advanced Security — Mon, 29 Apr 2013 05:00:00 GMT

April 2013 Newsletter

Latest Resources for Security Leaders

Report: A collaborative approach for cybersecurity education

By David Jarvis

Improving protection through global connections

Download the report

Upcoming Community Webcast

Webcast: How New NFC and EMV Technologies will Affect PCI Compliance Approaches

May 29, 2013, 11 AM (EST)

New payment methods like EMV and NFC are

Register Now

IBM X-Force Declares 2012 "The Year of the Equal Opportunity Exploit"

View the Webcast Replay

View the Webcast Presentation Slides

Get the IBM X-Force 2012 Annual Trend and Risk Report

Defending the Mobile Banking Experience

By Vijay Dheap and Glen Gooding

With a prediction of more than 22 billion connected devices being inuse by 2020, the banking industry is facing many new challenges with the proliferation of mobile devices being increasingly used for banking transactions. Over time banking has evolved from brick and mortar to ATMs to online banking over the Internet. As the adoption of mobile is taking place in a relatively short time span banking institutions will now also have to focuson securing not only devices, but also the data.

Download the whitepaper

View the Webcast Replay

Thank you for subscribing to the IBM Institute for Advanced Security Community newsletter. If you are not yet a member...

Join the Community Today!

Connect with the Institute

	Join the Community
	Community Blog
	Follow Us On Twitter
	Join our LinkedIn Group

Latest Blog Posts

Near Field Communication (NFC): Mobile Payment Confidence?

Cybersecurity Education: Improving Protection through Global Connections

Security in the Clouds: Part 2

Featured Video

Mobility is Here: You Need to Manage and Secure It

Upcoming Security Events

Regional CISO Summit sponsored by IBM

Gartner Security & Risk Management 2013

Black Hat 2013 USA

April 2013 Newsletter

Latest Resources for Security Leaders

Report: A collaborative approach for cybersecurity education

By David Jarvis

Improving protection through global connections

Download the report

Upcoming Community Webcast

Webcast: How New NFC and EMV Technologies will Affect PCI Compliance Approaches

May 29, 2013, 11 AM (EST)

New payment methods like EMV and NFC are

Register Now

IBM X-Force Declares 2012 "The Year of the Equal Opportunity Exploit"

View the Webcast Replay

View the Webcast Presentation Slides

Get the IBM X-Force 2012 Annual Trend and Risk Report

Defending the Mobile Banking Experience

By Vijay Dheap and Glen Gooding

With a prediction of more than 22 billion connected devices being inuse by 2020, the banking industry is facing many new challenges with the proliferation of mobile devices being increasingly used for banking transactions. Over time banking has evolved from brick and mortar to ATMs to online banking over the Internet. As the adoption of mobile is taking place in a relatively short time span banking institutions will now also have to focuson securing not only devices, but also the data.

Download the whitepaper

View the Webcast Replay

Thank you for subscribing to the IBM Institute for Advanced Security Community newsletter. If you are not yet a member...

Join the Community Today!

Connect with the Institute

	Join the Community
	Community Blog
	Follow Us On Twitter
	Join our LinkedIn Group

Latest Blog Posts

Near Field Communication (NFC): Mobile Payment Confidence?

Cybersecurity Education: Improving Protection through Global Connections

Security in the Clouds: Part 2

Featured Video

Mobility is Here: You Need to Manage and Secure It

Upcoming Security Events

Regional CISO Summit sponsored by IBM

Gartner Security & Risk Management 2013

Black Hat 2013 USA

This message was sent to dtaylor@baptie.com from:

Sarah Moraes | 1221 S. Clarkson Street Suite 410 | Denver, CO 80210

Unsubscribe | Forward To a Friend

Blog Post: Security in the Clouds: Part 2

Institute for Advanced Security — Thu, 25 Apr 2013 12:00:00 GMT

This post by Jeff Crume originally written for Wired.com. Jeff Crume is an IBM Distinguished Engineer, Master Inventor and author of “Inside Internet Security: What Hackers Don’t Want You To Know."

In the previous post we discussed some of the fundamental challenges of securing a public cloud environment, which is analogous to “your data on my hard drive.” This computing model introduces some tremendous opportunities to do more with less by taking advantage of the economies of scale of a cloud provider. Additionally, it can free your organization to focus on core competencies rather than being distracted by the details of managing the underlying infrastructure. But just how public should your public cloud be? How much visibility and control can you afford to give up? How much have you already given up that you don’t know about?

Public cloud, public data?

Storing your data on my hard drive when my hard drive just happens to be shared by all sorts of other organizations and users of every make and model imaginable means that particular diligence must be given to ensuring that only authenticated users have access to only those resources they are authorized to access. We’ve already touched on what this means in terms of the data you know has been relocated to the cloud but what about all that you don’t know about?

How can you know about what you don’t know? Rather than ponder the existential implications let’s just say that because public clouds are so easy to use and so pervasively deployed and so cheap to access, they are sprouting up like weeds. Chances are that at least some of your data already exists in public cloud even if your organization hasn’t decided to make the leap. iCloud, Dropbox, Evernote, SugarSync, SkyDrive, Google Drive, … the list goes on and on. All offer free (or reasonably priced) public cloud storage which can be accessed via the web or an app on your laptop, tablet or smartphone. All could potentially house confidential data that your users either were careless with or didn’t know was being copied, for instance, as part of a backup/recovery solution.

As the saying goes, “if you aren’t paying for it, you are the product not the customer.” In other words, there really is no free lunch here. The business model for the “free” cloud service that your users are leveraging may involve the cloud provider scanning the content it has been entrusted with in order to provide targeted advertising or lead generation.

This can be good or bad, of course. If you don’t have kids you might not care much about ads for diapers but an offer to save on the latest gear to feed the hobby you are passionate about might be appreciated. On the other hand, if you are expecting but have only told a few close family members at this, then the sudden appearance of those same diaper ads might seem a little creepy.

Aside from the personal privacy angle, what might be going on with sensitive corporate data that is being hosted by one of these services as well? Who or what else might have access? Can data from one user accidentally spill over to another or be accessed by an attacker who has found a way to circumvent the security controls? Could a sudden uptick in demand for another organization’s data (e.g. holiday buying season) cause a undue burden on the cloud provider’s infrastructure that impacts your user’s ability to access key services? Shared infrastructure equals not only shared costs, which is good, but also shared risk, which can be good or bad depending on how well that risk is managed.

These are great services with compelling value propositions for end users and organizations alike but if you aren’t conscious about implementation, they could end up leaking sensitive information like a sieve. If your company is going to use these (and your users surely will), make sure that sensitive data is encrypted before sending it out into the ether. While the provider might say that the data is encrypted, encryption is only as strong as the security around the passwords. Without such deliberate precautions, your free public cloud could become a very expensive nightmare.

From in-house to outsource (or out house?)

Conceptually, shifting to a public cloud infrastructure is nothing new. It’s just the latest variation on the theme of outsourcing. As we have learned from some of the early adopters of this trend, there are right ways and wrong ways to this approach. We’ve all heard the horror stories of failed implementations along with the trade press profiles of smiling CIOs who became heroes by figuring out how to swim with the sharks and achieve previously unrealized levels of efficiency.

So which will it be when it comes to security in a public cloud environment? Will it be better or worse? As any good engineer will tell you – it depends. If your organization is currently struggling to keep up with the demands of security auditors, expertise is dwindling and too much time is being spent by senior technical leaders on day-to-day firefighting instead of more strategic architecture and planning, then you might actually see security improve by letting a team of specialists who have learned through previous implementation experience what works and, equally important, what doesn’t.

If, however, your provider is focused only on cost reduction and lining up more customers they will inevitably have to cut corners somewhere and you can bet security will be one of them. It’s the nature of the beast because when it’s working properly, no one sees it. When it fails, though, nothing could be more visible. If the priorities of the provider aren’t properly aligned, they may be willing to take risks with your resources that you would not approve of. Throw in the potential for lesser visibility and control which can accompany the new computing paradigm if you don’t insist otherwise, and this could lead to devastating results.

So, better or worse? As the EPA says, “your mileage may vary.”

In conclusion

Public clouds offer a compelling value proposition. If they didn’t, there wouldn’t be so much buzz surrounding them. If your organization hasn’t looked into them, they probably should, even if the answer turns out to be “no.” As you consider what you might do in this space (or if you need a sanity check regarding what you’ve already done), IBM offers some guidance on security considerations for cloud environments that might be worth a look.

For a high level view try “Cloud Security: Who Can You Trust?”

For a more technical discussion there’s an IBM Redpaper entitled “Cloud Security Guidance: IBM Recommendations for the Implementation of Cloud Security” can be found at http://www.redbooks.ibm.com/abstracts/redp4614.html.

Read the original article here.

Wiki: Canadian Security User Group - Wiki

Anonymous — Thu, 25 Apr 2013 01:19:00 GMT

Wiki: Italy – Security Group - Wiki

Anonymous — Thu, 25 Apr 2013 01:08:00 GMT

Wiki: German – Security Systems User Group - Wiki

Anonymous — Thu, 25 Apr 2013 00:53:00 GMT

Page: Tivoli Security Groups

Anonymous — Wed, 24 Apr 2013 20:20:00 GMT

Global / Virtual Groups

Asia Pacific

Europe, The Middle East and Africa

Latin America

Tivoli Security Users Group Brasil

North America