Security products like firewalls and virus scanners are now outdated. They are redundant and no longer give satisfactory protection against unknown threats and the thousands of mutations and variations of spyware and viruses. To remedy this situation, new technologies and applications require nothing less than an entirely new paradigm built on a more robust infrastructure.
Let us now consider some of the biggest information security challenges that organizations face today and what the plausible solutions might be.
Confidentiality and privacy is the biggest challenge. Ensuring that only the intended recipients can access and read information lacks a well-rounded protection system; hackers are stealing login credentials and using them to access sensitive information and applications.
Second, integrity of data or information is another big challenge: original information or material can easily be altered and tampered with.
Third is authentication. There is a great deal of uncertainty about the source; knowing whether information shared or sent by the stated sender is authentic and reliable is a big challenge.
Lastly, there is availability: assuring that crucial information can be accessed or retrieved at all times and from all places is quite challenging.
However, these challenges do have resolutions. What companies need to do is find a single cybersecurity solution that effectively meets all of their requirements, such as one that integrates cryptographic segmentation with role-based access control.
3i Infotech is a titleholder when it comes to information security. The company knows that networks today are extremely interdependent and interconnected, and that what they need is effective, operative security to prevent any sort of unwanted intrusion.
To keep up with today’s network needs and requirements, 3i Infotech provides end-to-end security solutions to organizations. The company believes that the security of systems and networks should always keep pace with business activities. The security services of 3i Infotech are extremely advanced, with processes and technologies that provide secure access to business applications.
Moreover, 3i’s unique system integration team provides a layered security approach that addresses the infrastructure as a whole. In combination, these ensure no breach of information during any transaction or operation of the business applications.
So there you have it: information security, what it means, its challenges and its solutions.
The European Commission (“Commission”), the European Parliament (“Parliament”) and the Council of the European Union reached an agreement earlier this month regarding changes to the Proposal for a Regulation on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology Cybersecurity Certification (the “Cybersecurity Act”). The agreement empowers the EU Cybersecurity Agency (known as the European Union Agency for Network and Information Security, or “ENISA”) and introduces an EU-wide cybersecurity certification for services and devices.
The Cybersecurity Act was introduced in a wide-ranging set of cybersecurity measures adopted by the Commission on September 13, 2017, and proposed as a priority of the Digital Single Market Strategy. The objective of these measures was to deal with cyber-attacks and build strong cybersecurity in the EU.
More powers for ENISA
The Cybersecurity Act reinforces ENISA’s centrality to better support Member States facing cybersecurity threats or attacks. The Cybersecurity Act grants more powers to and new tasks for ENISA, including:
ENISA will also be recognized as an independent center of expertise that will promote awareness to citizens and businesses and that will assist the EU institutions and Member States in the development and implementation of policies.
Cybersecurity certification framework
The Cybersecurity Act also introduces an EU-wide cybersecurity certification framework to ensure that the products and services sold in the EU comply with EU cybersecurity standards. This is a great step forward, as it is the first internal market law that enhances the security of connected products, the Internet of Things and critical infrastructure by implementing a single certificate.
The hope is that consumers will benefit from this new regulation as manufacturers provide detailed information on cybersecurity for certified products and services including guidance on installation, the period for security support and information for security updates. The Cybersecurity Act, in this view, will increase consumers’ trust in products and services they choose to use as they will have warranties that these products and services are cyber secure.
Similarly, companies will also benefit from the Cybersecurity Act, as they will save significant costs on certification. A one-stop-shop cybersecurity certification means that companies, and especially Small and Medium-sized Enterprises (SMEs), will not need to apply for certificates in different countries; one certificate will be valid throughout the EU. Certification will no longer be perceived as a market-entry barrier for companies but as a competitive advantage. In addition, companies may certify their own products for a minimum level of cybersecurity.
To make future initiatives clearer and more transparent for industry, the Parliament requested that a Union rolling work program be a component of the cybersecurity certification framework’s governance, and involved in setting the strategic priorities on future certification requirements.
The Parliament’s Committee on Industry, Research and Energy and the Council of the European Union must still formally approve the proposed agreement. If approved, it will then be published in the EU Official Journal. The Cybersecurity Act will enter into force twenty days following that publication.
Five years on from a breach that shook cybersecurity
In December 2013 news broke that Target suffered a breach that forced consumers and the cybersecurity community to question the security practices of retailers
In the twenty years since the start of my career in InfoSec, there have been a handful of security incidents that really stick out in my mind; seismic events after which the landscape seemed permanently altered. Five years ago, we experienced one of these instances when the Target breach was announced.
In light of this momentous anniversary, I decided to talk with my colleagues and fellow WeLiveSecurity experts about what they thought characterized the differences in the security landscape before and after this attack.
A breach hits close to home
While the loss of 40 million payment card credentials and 70 million customer records seems “charmingly” small compared to more recent breaches, it was one of the first security events that hit a wide swath of people. Target was in the top five of the National Retail Federation (NRF) Top 100 Retailers list at the time (it’s down to #8 currently), and the breach was announced at the height of the holiday shopping season.
The combination of time and place was a perfect storm, reaching a significant percentage of the United States population. The odds are very good that if you lived in the US in 2013, even if you yourself were not affected, you probably know plenty of people who were. And with breaches occurring both at Target and Home Depot (currently #5 in the NRF Top 100 Retailers list) within several months of each other, the effects of each were amplified.
As Aryeh Goretsky stated: “With Target and Home Depot, consumers began (I think) to see that these weren’t intangible things that did not affect them, but rather concrete examples of ‘this happened to a place I do business with’ vs. something nebulous/opaque/invisible to consumers like a payment processor. If Target is what legitimized data breaches in consumers’ minds, maybe Home Depot was the one that galvanized them into thinking that this was going to be a repeating event.”
Chip card adoption
Another point raised by Aryeh was that “probably the biggest change is that this is what got payment processors moving towards chip & PIN in the United States.”
Stephen Cobb concurred and added that “one reason the Target breach had such an impact was timing – it happened right before Congress went home for the holidays and constituents were really angry about it. I talked to several members of Congress and their staffers in the following February and it was a very hot topic with them.”
While the use of EMV cards would not have decreased the number of records lost in the Target breach, there was a major push in the days afterwards to “do something” to decrease payment card fraud. Within months of the Target breach and within weeks of the Home Depot breach, President Obama had signed an executive order that was intended to hasten the adoption of chip card technology.
In the two years prior to these breaches, Visa and MasterCard had both announced their plans to compel banks and retail vendors to switch to offering and accepting payment cards that had embedded microchips. The conversion had been progressing slowly and quite reluctantly, but as banks suddenly had significant motivation to update the payment cards of their members, their pace picked up considerably. Many smaller retailers and gas stations are still dragging their feet in accepting EMV cards, even three years after the initial October 2015 liability switch.
Stephen also noted that “the US did not universally embrace chip and PIN, going for chip and signature in many cases. Target itself introduced a branded MasterCard a few years ago and it always requires a PIN”. In fact, all the major credit card companies only just announced this year that they’re moving towards the more secure standard of requiring a PIN.
Supply chain risk
The attackers gained access to Target’s Point of Sale (PoS) machines by stealing the credentials of an HVAC supplier who had been accessing Target’s network through an external vendor portal. While this detail of the breach has been discussed extensively within the security practitioner community in the last few years, it took some time even to permeate experts’ awareness.
David Harley recalled “I guess (or hope) that people in general and certainly the InfoSec community became more aware that it’s not just the security of the companies that you do business with that you should worry about: it’s also the security of other companies that they do business with. A company you consider trustworthy is one thing, but who do they trust? We take it for granted that we live in an interconnected world, but don’t necessarily realize just how extensive those interconnections really are.”
Stephen added, “I don’t remember anyone shouting ‘supply chain risk’ in the immediate aftermath of the Target breach, but I think it is fair to say that the Target breach marked the beginning of a broader awareness of this threat vector.”
In the years after the breach, there has been a greater understanding of the need for more robust authentication options that would have made stolen credentials less useful, and for network segmentation that would have stopped the attacker from pivoting from a less-sensitive area to one with more valuable information.
Because Target is such a popular retailer, and its breach was announced shortly before attacks on other popular retailers, the overwhelming sense was that breaches are not something that happens only to smaller shops. Attacks happen to bigger companies who should have significant defenses, as well as to smaller businesses that may not have specific security expertise. No organization of any size can afford to ignore vulnerabilities on their networks or devices, and the measures put in place to deal with fraud and data breaches affect customers as well.
Cameron Camp stated that “consumers learned to tolerate bank anti-fraud measures that, while not perfect, slow the velocity of money leaking from your account and may give you some modicum of remedy. Large breaches set the stage for banks learning how to deal with threats like this in a more manageable manner. Now that there are more data and therefore experience, they can better know how to respond.”
Stephen noticed this shift as well: “Several surveys indicate that something like 15% to 20% of consumers avoid online shopping and banking these days due to security and privacy fears, and I think that the Target breach was one of the key factors kicking off that trend (another being the Snowden revelations). Anecdotally I see some percentage of people taking one or more steps to limit their payment card exposure, like setting up transaction notifications, but I’m not sure what that percentage is.”
While acquiring sufficient budget and personnel for cybersecurity groups will always be problematic, there was a subtle shift in most executives’ perspective that eventually led to increased spending. The initial forecast for increases in security spending in 2014 was quite rosy, though it seemed that for some, this increase failed to materialize right away. Nevertheless, the increases did eventually come, as executives felt the continued pressure from customers to protect their data.
As Stephen said, “I think it was a much needed wakeup call to get deeply serious about security. Just going through the motions, like buying security products and getting your security tested, was not going to cut it: you need to architect for security, skill up for security, and train for security. If the C-suite is not making security a priority for all departments and all employees, you are at higher risk than your competitors that do prioritize security.”
Cameron echoed this sentiment: “Target came to understand that it’s not enough to just have fire-and-forget, very expensive tech to detect ‘bad things’; that correct configuration and tuning are of the essence.”
In the day-to-day struggles of securing data and devices, it can be easy to forget that there are areas in which we have indeed made progress. By looking back at major milestones, we can see how much has changed in a few years’ time. While we still have a long way to go, we can reconsider the past to strengthen our resolve to make bigger strides towards a more secure future.
As organizations continue to increase the amount of data that they store on the web, the risks increase for similar cyber-attacks trying to compromise sensitive information. To combat this, organizations have specific roles for information security analysts.
Information security analysts are responsible for overseeing security measures to protect the computer systems and networks of an organization. They are also typically tasked with creating a disaster recovery plan for their organization, in case of emergencies. As the number and complexity of cyberattacks increases, the scope of an information security analyst will expand as well.
Information security analysts typically need a bachelor’s degree in a related science field, such as:
- Computer science,
- Information assurance,
- Programming, or
Some employers prefer applicants with a graduate degree, so a master’s in cybersecurity, computer science, or even an MBA can make a candidate more attractive and command a higher salary.
There are also several professional certifications available to information security analysts. Most professionals in information security attain the Certified Information Systems Security Professional (CISSP) certification.
In 2016, information security analysts held 100,000 jobs. According to the Bureau of Labor Statistics (BLS), the industries that employ the largest percentage of information security analysts are:
- Computer Systems Design – 28%
- Finance and Insurance – 19%
- Management of Companies and Enterprises – 9%
- Information – 8%
- Administrative and Support Services – 6%
Information security analysts need to be proficient in a wide range of highly technical skills. Technical skills required to be a successful information security analyst include:
- IDS/IPS, penetration and vulnerability testing
- DLP, anti-virus and anti-malware
- TCP/IP, computer networking, routing, and switching
- Firewall and intrusion detection/prevention
- Network protocols and packet analysis tools
- C, C++, C#, Java, or PHP programming languages
- Cloud computing
- SaaS models
- Security Information and Event Management (SIEM)
The responsibilities of an information security analyst can vary across organizations and industries. Generally accepted duties and responsibilities of an information security analyst include:
- Monitoring the organization’s networks for security breaches and investigating violations when they occur
- Installing and updating software, such as firewalls and encryption programs, to protect sensitive information
- Preparing reports documenting breaches and the extent of the damage caused by the breaches
- Conducting tests that simulate an attack to look for any vulnerabilities in their systems
- Staying up to date with the latest news and developments in information security
- Creating security standards and best practices to keep the organization safe
- Consulting with management or senior IT staff to recommend security enhancements
- Providing technical support to users of your product or service
Career Outlook & Job Demand
The median annual wage for an information security analyst is $92,600. The BLS has further broken down the median annual wages for information security analysts by the top industries:
- Finance and Insurance – $94,050
- Computer Systems Design – $93,490
- Information – $92,940
- Administrative and Support Services – $92,890
- Management of Companies and Enterprises – $87,510
The demand for information security analysts is projected to experience an extremely high growth rate. Employment is projected to grow 28 percent from 2016 to 2026 for information security analysts. The industry that is projected to experience the highest growth of information security analyst employment is computer systems design. The number of information security analysts in that industry is projected to grow by 56 percent.
This high rate of growth can be attributed to the increased frequency of cyber-attacks. Most industries are increasing their online presence and need to keep pace with the increase in cyber-attacks. For example, the healthcare industry is rapidly expanding the use of electronic medical records. As more medical records are stored online, there will be more cyber criminals attempting to compromise that information.
It is safe to say that all IT and information security pros have had frightening IT challenges from time to time. Whether transitioning to the cloud or remedying false-positive alerts, IT engineers are often asked to think on their feet and adapt to change quickly.
Although the industry as a whole has come a long way, there are still some incredible stories lurking in the shadows of IT past.
Just in time for Halloween, industry experts have weighed in, sharing their IT nightmare stories (and lessons learned), as well as offering their analysis around DevSecOps (development of security operations).
For the record: The purpose and intent of DevSecOps is to build on the mindset that “everyone is responsible for security” with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.
Automating Core Security Functions
DevSecOps strives to automate core security tasks by embedding security controls and processes into the DevOps workflow. DevSecOps originally focused primarily on automating code security and testing, but now it also encompasses more operations-centric controls.
So enjoy this special Halloween eWEEK Data Points article.
Data Point No. 1: From George Gerchow, CSO, Sumo Logic:
What used to give you nightmares in the IT/information security world that doesn’t anymore? “Infrastructure issues. Throughout my career, whenever I would get a call for an outage, it was always due to some infrastructure or networking issue (misconfigurations of a router, etc.), which is really hard to troubleshoot. Now, as more businesses move to the public cloud, the issues are more focused on applications and data, things that are core to the business.”
So, is DevSecOps a “trick” or a “treat”? “It’s a treat. I am finding that whether it’s a buzzword or not, DevSecOps is leading to more automation in the security space, which I haven’t seen before. Working more tightly coupled with other departments within an organization is great. It may be a trendy term, but we’re reaping the benefits and I imagine other organizations are, too.”
Data Point No. 2: From Frederico Hakamine, CISSP, CCSP, Workforce Identity, APIs and Protocols, Okta:
What used to give you nightmares in the IT/information security world that doesn’t anymore? “Pop-ups, toolbars and browser plugins, and just thinking about it gives me chills. In my first job, I was in charge of managing the IT infrastructure in a small college, so you can imagine how hard it was. I’m so glad the browsers of today have vastly improved and this is a problem of the past.”
Is DevSecOps a “trick” or a “treat” or both? And why? “Definitely both. I really love how DevSecOps automates and delivers security throughout the dev lifecycle and how it removes friction between security and developers. My caveats are around the blind spots. Some people implement DevSecOps only on code, call it a day, and ignore other items such as the user login and the runtime environment. On top of that, some people also forget to keep their DevSecOps automation/scripts up-to-date. Just make sure you cover the blind spots and DevSecOps will be a treat.”
Data Point No. 3: From Ben Newton, Director, Operations Marketing, Sumo Logic:
What used to give you nightmares in the IT/information security world that doesn’t anymore? “In a past life, I once had a security guy take down all of our production servers because he was running a personal instance of VMWare connected directly to our servers in the data center. I haven’t seen a server in the flesh in 10+ years. So, no longer worried about that one.”
Is DevSecOps a “trick” or a “treat”? “One would hope for it to be a treat, but like many IT trends, it is just a trick if used as an excuse to re-label outdated security practices. Much like that costume with the fake muscles that is great for a 4-year-old on Halloween, but super creepy on an adult.”
Data Point No. 4: From Jeremy Proffitt, Staff Site Reliability Engineer, LendingTree:
What used to give you nightmares in the IT/information security world that doesn’t anymore? “Seeing those flickers that geeks recognize, whether slow load times, missing information or just old fashioned errors, without direction or focus–we found ourselves lost in a sea of intertwined systems. Those horrific moments of thinking something might be wrong have progressed to checking our alerts and being able to see in almost real time, the performance and errors in our systems.”
Is DevSecOps a “trick” or a “treat” or both? And why? “It’s important to remember the trick to DevOps is to treat them only with facts, the hard evidence. A query link showing the issue makes understanding issues satisfyingly sweet.”
Data Point No. 5: From Ken Tidwell, VP of Security Engineering, Sumo Logic:
What used to give you nightmares in the IT/information security world that doesn’t anymore? “Scalability used to be a nightmare that haunted every information security process. The ascendance of cloud deployment with microservice architectures and on-demand lateral scaling has largely banished that nightmare.”
Is DevSecOps a “trick” or a “treat”? “DevSecOps is a treat. It provides the hard candy shell that protects all of your valuable intellectual property and processes. But remember that tricksters are out there. Mind your threat and intrusion indicators, and don’t just count on the invulnerability that a good DevSecOps process works toward.”