InfoSecurity Professional INSIGHTS Newsletter Archive

InfoSecurity Professional INSIGHTS is our bi-monthly e-newsletter, associated with our members-only digital publication, InfoSecurity Professional. Like the magazine, it delivers timely, compelling content written with the professional development of infosecurity practitioners in mind. You can view the current monthly newsletter here.

  • 2020 INSIGHTS

    December INSIGHTS

    How to Stay Ahead of Adversarial Machine Learning

    By Shawna McAlearney

    As artificial intelligence technologies become more prevalent in business, so too do the potential security risks of machine learning (ML), in which machines access data and learn from their own experience rather than being programmed. One of the biggest security concerns involves adversarial machine learning in which an attacker uses bad, or deceptive, input to exploit the way artificial intelligence algorithms work and cause a malfunction in a machine learning model. Read More


    October INSIGHTS

    Election Hacking: It’s Real and It’s Happening as You Read This

    By Shawna McAlearney

    The U.S. presidential election is just about a month away, and all eyes remain on voting security: from state-sponsored efforts to influence voters, to exploitable vulnerabilities that could cast doubt on election outcomes, to a pandemic preventing in-person voting in the interest of public safety. Read More


    August INSIGHTS

    Panacea or Placebo? Business Interruption Insurance (and Vulnerable VPNs) in the Wake of COVID-19

    By Shawna McAlearney

    Disaster recovery and business continuity spending rarely is an easy sell to a C-suite always seeking quick quantification of ROI. It tends to be one of the less glamorous expenses of a risk management plan that you hope you will never use. After all, who wants to go through a major fire or flood? And what about a pandemic? If you carry business insurance, will it be the magic pill for COVID-19 business losses? Read More


    June INSIGHTS

    The Real Threat to the Threat Intelligence Community

    By Thomas McNeela, CISSP

    If you’re an information security professional, you’ve likely at some point had to weigh the pros and cons of establishing a threat intelligence program at your organization. In my opinion, such a program can be valuable — if you know how to operationalize it. However, some of the common poor practices in the threat intelligence community today hinder the overall benefits that can be gained from participating in it. The following are some of the top grievances and how to address them. Read More


    April INSIGHTS

    Building a Cybersecurity Team: 5 Keys to Proper Vetting

    By Jason McDowell, CISSP

    Companies from all industries are looking for qualified cybersecurity professionals to fill the skills gap in their current workforce. Demand is high, and many companies are willing to pay top dollar to those who possess the skills they need. With this high-demand, high-paying environment, what could go wrong? Read More


    February INSIGHTS

    Turning Users into Cyber Heroes

    By Jorge Mario Ochoa, CISSP

    A few years ago, P&G launched a marketing campaign for Colgate toothpaste in which it presented images of couples where male models all had stained teeth. So focused were viewers on the stains that few noticed other oddities in the photos, such as a man missing an ear, a woman with six fingers and another with an extra arm. To them, the stains were more obvious (and shocking) than some serious abnormalities (See below).

    In another example of quiet deception, after the business platform LinkedIn was infiltrated and its database leaked, users received emails about the breach with instructions to change their login credentials. Some of those emails were not legitimate, but users didn’t stop to look for discrepancies in the message or headers. Instead, they blindly filled out false forms that often included the same credentials they used for corporate access at work. That’s how cyber criminals were able to easily break into more networks and compromise additional databases once they’d cracked LinkedIn’s user database. Read More


  • 2019 INSIGHTS

    December INSIGHTS

    What (ISC)² Members Expect to be the Biggest Security Issues in 2020

    By Shawna McAlearney

    Folks, we’ve got a problem … lots of problems, actually.

    During the 2019 (ISC)² Security Congress in Orlando, we asked dozens of attendees, speakers and vendors what their top security concern would be during the first half of 2020. We got plenty of responses, from election security and data sprawl to IoT and the cybersecurity workforce shortage—and many, many more. Read More


    October INSIGHTS

    Resilient Preparations to Ease the Pain of Ransomware

    By Shawna McAlearney

    Because of the business his own company conducts—antivirus, password management, endpoint security and vulnerability scanning—F-Secure’s Mikko Hypponen believes his interpretation of the Geneva Conventions makes even F-Secure “a legitimate target for bombing in time of war.”

    What constitutes an act of war? Is responding to a cyberattack with military action disproportionate, or does it depend on what was attacked and its outcome? A country heavily dependent on its technology may suffer disproportionately from a cyberattack compared to one that is not. A power grid disruption may constitute a significant, long-term problem far out of scope from the underlying attack. Or the desired outcome may be to disable an opponent for quite some time. A guiding principle of warfare balanced with international humanitarian laws mandates that attacks be proportional in response. Read More


    August INSIGHTS

    Resilient Preparations to Ease the Pain of Ransomware

    By Matt Gillespie

    Ransomware no longer captures the headlines that it did when WannaCry suddenly spanned the globe two years ago, but the category’s reign of disruption continues.

    Verizon’s 2019 Data Breach Investigations Report finds that ransomware is the second most prevalent type of malware. Dave Hylender, a senior risk analyst with Verizon, describes ransomware in 2019 as “prevalent and ubiquitous. It’s quite lucrative for the attacker; it’s high yield and low risk, and I don’t expect it to be going away soon.” Read More


    June INSIGHTS

    From Nursing to Cybersecurity: Marylyn Harris Keeps Protecting Patients

    By Pat Rarus

    For many years, Marylyn Harris, a former U.S. Army psychiatric nurse, disabled war veteran and founder of the nation’s first Women Veterans Business Center in Houston, thought networking meant meeting other professionals and exchanging business cards at special events. Now that she is transitioning to a new career in IT security, however, the word “networking” takes on a whole new meaning. Read More


    April INSIGHTS

    Look Before You Leap: What to Know Before Diving into Machine Learning

    By Deborah Johnson

    IDC anticipates a $57.6 billion worldwide investment in cognitive and artificial intelligence (AI) by 2021, which means there’s a good chance your company is considering, if not already buying or building, AI and machine learning (ML) solutions. And not just to improve business processes; companies are also considering adding AI and ML solutions to security operations centers. Read More


    February INSIGHTS

    ‘Building’ a Case for Stronger IoT-Related Cybersecurity

    By Chip Jarnagin and Douglas Humphrey

    In an April 2018 presentation to the Wall Street Journal CEO Council Conference, Nicole Eagan, the CEO of Darktrace, reported that hackers had breached the automated thermostat of a casino aquarium and through it exfiltrated the casino’s high-roller database.

    While characterizing this story as one of the greatest fishing (sic) attacks ever elicits peals of laughter, it takes on considerable significance when one looks at the cybersecurity Wild West that is the Internet of Things (IoT). According to a study by Aruba Networks involving more than 3,000 companies, 84 percent of them had experienced some type of IoT breach. While some cybersecurity teams see IoT security as a current issue because of their organizations’ industry (e.g., the medical and high-technology fields have been early adopters), most mistakenly believe it will not affect them anytime soon. Read More


  • 2018 INSIGHTS

    December INSIGHTS

    A ROSE is a Rose…Or, a Fresh Way to Launch Phishing Attacks

    By Shawna McAlearney

    The next generation of phishing attacks is very complex, involving a number of fake personas across a range of social media platforms to entice your employees to circumvent your organization’s security. Are you ready?

    Increasing awareness of social engineering and phishing attacks has limited their effectiveness as easy attack vectors. In response, attackers have upped the ante. The method, dubbed ROSE (remote online social engineering), was discovered by Matt Wixey, a cybersecurity research lead at PwC U.K. It uses progressively more sophisticated and longer-term efforts, including self-referencing synthetic networks, multiple credible false personas and highly targeted and detailed reconnaissance. Read More


    October INSIGHTS

    Positive vs. Negative Security Models: A Different Way to Look at Endpoint Security

    By Rene Kolga, CISSP

    When we think about cybersecurity, inevitably we end up talking about fighting the “badness” — malicious hackers, malware, cybercriminal syndicates and malevolent nation-state actors. Whether with signatures, heuristics or machine learning models, we attempt to identify and block that “badness.” Today that approach is unable to achieve anywhere close to 100 percent efficacy, largely because the amount of “badness” is practically infinite. Read More


    August INSIGHTS

    The True Cost of Certificate Authority Trials: Can You Trust Them?

    By Rodrigo Calvo, CISSP

    Recently, some colleagues and I were able to verify a phishing attack that used a valid TLS certificate and a powerful name (Microsoft) as a cover. The chosen attack vector was Office 365 (aka O365) and the goal was to gain users’ credentials by sending a targeted campaign to specific user groups. Read More


    June INSIGHTS

    Four Reasons Healthcare Remains a Huge Target

    By Lee Kim, JD, CISSP, CIPP/US, FHIMSS

    Online scammers are increasingly targeting the healthcare industry, as revealed in the 2018 HIMSS Cybersecurity Survey. Phishing in particular is a predominant concern for healthcare stakeholders, as it can be a very effective means for eliciting information and/or delivering a malicious payload. Read More


    April INSIGHTS

    A Security Framework that Anyone – and Everyone – Can Follow

    By Shahin Kamruzzaman

    In a business start-up, the entrepreneur usually is a one-person band, taking on all kinds of work including IT. As the business grows and becomes increasingly dependent on IT infrastructure, the entrepreneur may not be able or willing to handle the challenges of IT security, vulnerability, risk management framework and privacy law. To provide the new business owner guidance on security needs, I’ve created a simple approach to basic IT security. Read More


    February INSIGHTS

    6 Proven Steps to [Re]Gain Control of Vulnerability Management

    By William Nana Fabu, CISSP

    It’s time to move vulnerability management to the front of the line. Of the many data breaches that have made news headlines in recent years, 44 percent were successful due to the presence of non-remediated vulnerabilities. Today, from board members to customers, everyone wants to know how vulnerable the company is. Read More
