Blog

How Employees React to Security Policies

First, security professionals should understand that people’s resources are limited. Moreover, people tend to struggle with making effective decisions when they are tired. To test the validity of this argument, psychologists designed an experiment in which they divided participants into two groups. The first group was asked to memorise a two-digit...

Disney Confirms Data Breach of Playdom Forums' Servers

Disney Consumer Products and Interactive Media has confirmed a data breach that affected some users of its Playdom forums. A spokesperson for the business segment of the Walt Disney Company explains in a statement that security teams detected the incident back in July: "On July 12, 2016, we became aware that an unauthorized party gained access to...

Reviving the Forgotten Principle of Responsible Disclosure

In today’s vulnerability market, vendors want to squeeze every ounce of publicity out of their security researchers. As a result, responsible disclosure often falls by the wayside. The same is true of independent researchers in search of their 15 minutes of fame. A fatal flaw in a major product is akin to Kennedy’s dream of landing a man on the moon...

Why A Ransomware Event Is Not A Data Breach

Think of a word that sparks an emotion in you. It could be as simple as “shoes,” which makes my wife smile every time, or it could be a dark and foreboding word. Certain words trigger an emotional—sometimes visceral—response. For me, one of those words is “breach.” In a recent post about the Department of Health and Human Services’ (HHS)...

Identifying Cyber Risks: The Important Role of Senior Management

It is becoming more and more evident that cybersecurity is one of the focal points regarding security risks in the twenty-first century for all organisations. It is understandable that almost every organisation which has access to any kind of computing devices will be at risk and will probably experience harmful cyber incidents. Hackers, whether...

No Silver Bullet In Security Awareness

There is no silver bullet in security awareness. What I mean by that is there is not a right or wrong way to teach people about cyber security. Just like any other type of education, you must surround yourself with it. You cannot expect to show a once-a-year "death by PowerPoint" presentation and have your staff become cyber experts. This is...

BSidesLV 2016: Mobile App Attack

Mobile devices are rapidly becoming the primary need of any user. Ease of use, portability, user-friendly GUI, robust computing, a wide variety of applications... all of these features make a mobile device much more compelling than a normal computer. However, mobile phones are becoming more of a security concern, and organizations need to consider...

6 Tips to Avoid Scams and Cyber Attacks At the 2016 Olympics

With the 2016 Olympic Games opening on August 5, hundreds of thousands of tourists will soon be traveling to Rio de Janeiro, Brazil. Although major international events like the Summer Olympics boost tourism and economic transactions, they also present lucrative opportunities for cybercriminals. Rio visitors and Olympic travelers alike have been...

CUI – Protect It or Lose the Business

I’m working with a couple of organizations faced with NIST 800-171 compliance. The first is a small manufacturing company doing business with a prime contractor. The second is a tribal business unit with federal contracts. Both must be compliant by December 2017 or risk losing their federal business. From what I can tell, neither organization was...

TiaraCon: Supporting Women in Security

TiaraCon started with a group of women having lunch in the food court at Def Con last year. It was an oasis in the midst of testosterone. We bonded over shared experiences, both good and bad, of being women in a field that is unquestionably male-dominated. We really enjoyed the opportunity to come together, since many of us are “the only woman” in...

Hacker Mindset: SANS NetWars & Tools of the Trade

In my ongoing blog series “Hacker Mindset,” I’ll explore an attacker's assumptions, methods and theory, including how information security professionals can apply this knowledge to increase cyber-vigilance on the systems and networks they steward. In this article, I share my thoughts on NetWars – a live interactive Capture the Flag training exercise...

The Emerging Threats Posed by Augmented Reality Gaming

There is a deeper, hidden world all around us, but most of the population remains oblivious to it. An alien technology called exotic matter has broken through a dimensional barrier and leaks into our world through millions of pinprick-sized holes. This exotic matter subtly influences human creativity. Centered around the locations where this matter...

DEF CON 24: Brainwashing Embedded Systems

Come get your hands dirty with embedded device hacks during my DEF CON 24 workshop. Brainwashing Embedded Systems will be held in Las Vegas Ballroom 3 on Saturday, August 6, from 10AM - 2PM. This workshop is a condensed version of the full-day training offered at the 2016 AusCERT and SecTor conferences. During the workshop, you will learn about the...

Challenges in Securing Unrestricted (Open) DNS Resolvers

Working for a security services vendor provides me the opportunity to work with a variety of cool tools in our quest to develop new and innovative security services. The most recent project I was deeply involved in is the development of a DNS security service called SecureSurf. The foundational goal of the design of this service was to provide a...

3 Principles and Challenges of Endpoint Discovery

Digital attackers are constantly looking for ways to infiltrate organizations' IT environments. One of the easiest modes of entry is for an actor to exploit a weakness in an endpoint, a network node which according to Dark Reading remains "the most attractive and soft target for cyber criminals and cyber espionage actors to get inside." Under...

Finding the Balance Between Security and Productivity

The majority of employees within an organisation are hired to execute specific jobs, such as marketing, managing projects, manufacturing goods and overseeing financial investments. Their main – sometimes only – priority is to efficiently complete their core business activity, so information security is usually only a secondary consideration....