NIST Site Search
Search NIST.GOV
Custom Search
[Official NIST.GOV TIME]
Product Research

Advertise on this site
Newsfeeds
Network World Security
  • 48% off Kidde Carbon Monoxide Alarm with Display and 10 Year Battery - Deal Alert
    DealPost Team

    Carbon Monoxide is odorless, tasteless and invisible, and it accounts for over 72,000 cases of poisoning each year. Kidde calls their C3010D model "worry free" because its sensor and sealed battery provide 10 years of uninterrupted CO detection, and a digital display that updates every 15 seconds. The unit will chirp when its reaching the ends of its life, so you don't have to wonder. The Kidde C3010D alarm is currently discounted down to just $27.93. See this deal now on Amazon.

    To read this article in full or to leave a comment, please click here



    click to view

  • How to speed up IoT deployment: Give each device an identity
    Jack Gold

    Most enterprises are in the process of evaluating how the Internet of Things (IoT) will affect their organization, especially how devices targeted at the Enterprise of Things (EoT) will be deployed.

    Indeed, companies that deploy “things” need to worry about security, manageability, longevity/availability and robustness — unlike consumers who generally don’t concern themselves with such things. I recently discussed what I see as a real lack of focus on IoT security from a device perspective. What I’d like to discuss now is the need make it easier to deploy and manage devices, especially those focused on enterprise deployments. This can be relatively easily accomplished by creating a unique unalterable identity for each device.

    To read this article in full or to leave a comment, please click here



    click to view

  • What is a firewall?
    Brandon Butler

    Network-based firewalls have become almost ubiquitous across US enterprises for their proven defense against an ever-increasing array of threats.

    A recent study by network testing firm NSS Labs found that up to 80% of US large businesses run a next-generation firewall. Research firm IDC estimates the firewall and related unified threat management market was a $7.6 billion industry in 2015 and expected to reach $12.7 billion by 2020.

    What is a firewall?

    Firewalls act as a perimeter defense tool that monitor traffic and either allow it or block it. Over the years functionality of firewalls has increased, and now most firewalls can not only block a set of known threats and enforce advanced access control list policies, but they can also deeply inspect individual packets of traffic and test packets to determine if they’re safe. Most firewalls are deployed as network hardware that processes traffic and software that allow end users to configure and manage the system. Increasingly, software-only versions of firewalls are being deployed in highly virtualized environments to enforce policies on segmented networks or in the IaaS public cloud.

    To read this article in full or to leave a comment, please click here



    click to view

  • IDG Contributor Network: How smart cities can protect against IoT security threats
    Gary Eastwood

    Smart cities, which were once confined to the realms of science fiction books, are rapidly becoming a reality all around the globe. Unfortunately, like all revolutionizing innovations, smart cities are developing their own unique challenges alongside of their perks. So what are industry insiders and tomorrow’s city planners doing to face these challenges?

    The security issues facing smart cities are unlike anything ever before seen, and solutions to these problems haven’t yet sprung up en masse, meaning many different interest groups have proposed their own respective plans. By combing through some of today’s proposed solutions, we can identify some of the leading trends that will come to dominate the future of smart city security.

    To read this article in full or to leave a comment, please click here



    click to view

  • 7 free tools every network needs
    Paul Venezia

    In the real estate world, the mantra is location, location, location. In the network and server administration world, the mantra is visibility, visibility, visibility. If you don't know what your network and servers are doing at every second of the day, you're flying blind. Sooner or later, you're going to meet with disaster.

    Fortunately, many good tools, both commercial and open source, are available to shine much-needed light into your environment. Because good and free always beat good and costly, I've compiled a list of my favorite open source tools that prove their worth day in and day out in networks of any size. From network and server monitoring to trending, graphing, and even switch and router configuration backups, these utilities will see you through.

    To read this article in full or to leave a comment, please click here



    click to view

  • Gravityscan, keeping WordPress sites safe
    Mark Gibbs

    If your website, in common with roughly 25% of all websites, is running WordPress then it's pretty much certain that it's being constantly attacked. WordPress is to hackers what raw meat is to jackals because unless sites are assiduously maintained, they quickly become vulnerable to a huge number of exploits.

    The root cause of this vulnerability is WordPress' ecosystem of complex core software augmented by thousands of third party developers whose themes and plugins are often buggy and not quickly (or often, never) updated to fend off known security problems. Add to that many site owners being slow to update their core WordPress installation and you have an enormous and easily discovered collection of irresistible hacking targets.

    To read this article in full or to leave a comment, please click here



    click to view

  • Network monitoring tools: Features users love and hate
    IT Central Station

    Managing the health of the corporate network will directly affect the productivity of every user of that network. So network administrators need a robust network monitoring tool that helps them manage the network, identify problems before they cause downtime, and quickly resolve issues when something goes wrong.

    Five of the top network monitoring products on the market, according to users in the IT Central Station community, are CA Unified Infrastructure Management, SevOne, Microsoft System Center Operations Manager (SCOM), SolarWinds Network Performance Monitor (NPM), and CA Spectrum.

    To read this article in full or to leave a comment, please click here

    (Insider Story)

    click to view

  • Book Review: Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems
    Sandra Henry-Stocker

    The overall equation is pretty simple: If you want to understand network traffic, you really should install Wireshark. And, if you really want to use Wireshark effectively, you should consider this book. Already in its third edition, Practical Packet Analysis both explains how Wireshark works and provides expert guidance on how you can use the tool to solve real-world network problems.

    Yes, there are other packet analyzers, but Wireshark is one of the best, works on Windows, Mac, and Linux, and is free and open source. And, yes, there are other books, but this one focuses both on understanding the tool and using it to address the kind of problems that you're likely to encounter.

    To read this article in full or to leave a comment, please click here



    click to view

  • Fight firewall sprawl with AlgoSec, Tufin, Skybox suites
    John Breeden II

    New and innovative security tools seem to be emerging all the time, but the frontline defense for just about every network in operation today remains the trusty firewall. They aren’t perfect, but if configured correctly and working as intended, firewalls can do a solid job of blocking threats from entering a network, while restricting unauthorized traffic from leaving.

    The problem network administrators face is that as their networks grow, so do the number of firewalls. Large enterprises can find themselves with hundreds or thousands, a mix of old, new and next-gen models, probably from multiple vendors -- sometimes accidentally working against each other. For admins trying to configure firewall rules, the task can quickly become unmanageable.

    To read this article in full or to leave a comment, please click here

    (Insider Story)

    click to view

  • Review: Canary Flex security camera lives up to its name
    Keith Shaw

    Canary’s initial foray into the networked home security camera space was very impressive – my colleague David Newman touted its high security settings in the wake of revelations about the general insecurity of these types of devices. The Canary camera was also somewhat large – a cylindrical tower that took up some significant space on your desk, cabinet or shelf.

    The latest camera the company sent me is the Canary Flex, a much smaller unit meant to be more flexible (hence the name) in terms of placement, but also in power options. Like the Arlo Pro camera, the Canary Flex is powered by an internal battery (it’s charged via USB cable and power adapter). This means you can move the Flex to a location inside or outside your home where there’s no power outlet. The Flex comes with wall mounting screws and a 360-degree magnetic stand so you can position the camera in different spots. Additional accessories, such as a plant mount or twist mount (pictured below), offer even more location choices.

    To read this article in full or to leave a comment, please click here



    click to view

  • Zix wins 5-vendor email encryption shootout
    David Strom

    Email encryption products have made major strides since we last looked at them nearly two years ago. They have gotten easier to use and deploy, thanks to a combination of user interface and encryption key management improvements, and are at the point where encryption can almost be called effortless on the part of the end user.

    Our biggest criticism in 2015 was that the products couldn’t cover multiple use cases, such as when a user switches from reading emails on their smartphone to moving to a webmailer to composing messages on their Outlook desktop client. Fortunately, the products are all doing a better job handling multi-modal email.

    To read this article in full or to leave a comment, please click here

    (Insider Story)

    click to view

  • Review: vArmour flips security on its head
    John Breeden II

    Almost every cybersecurity program these days does some sort of scanning, sandboxing or traffic examination to look for anomalies that might indicate the presence of malware. We’ve even reviewed dedicated threat-hunting tools that ferret out malware that’s already active inside a network.

    However, what if there were a different way to approach security? Instead of searching for behaviors that might indicate a threat, what if you could define everything that is allowed within a network? If every process, application and workflow needed to conduct business could be defined, then by default everything outside of those definitions could be flagged as illegal. At the very least, critical programs could be identified and all interactions with them could be tightly defined and monitored. It’s a different way of looking at security, called segmentation.

    To read this article in full or to leave a comment, please click here

    (Insider Story)

    click to view

  • 5 open source security tools too good to ignore
    Fahmida Y. Rashid

    Open source is a wonderful thing. A significant chunk of today’s enterprise IT and personal technology depends on open source software. But even while open source software is widely used in networking, operating systems, and virtualization, enterprise security platforms still tend to be proprietary and vendor-locked. Fortunately, that’s changing. 

    If you haven’t been looking to open source to help address your security needs, it’s a shame—you’re missing out on a growing number of freely available tools for protecting your networks, hosts, and data. The best part is, many of these tools come from active projects backed by well-known sources you can trust, such as leading security companies and major cloud operators. And many have been tested in the biggest and most challenging environments you can imagine. 

    To read this article in full or to leave a comment, please click here



    click to view

  • What is blockchain? Get up to speed with this video primer

    Get up to speed quickly on the potential use cases for blockchain technology, in industries such as healthcare, with Esmond Kane, deputy CISO at Partners Healthcare.

    click to view

  • 4 old malware threats still haunting business today

    From Conficker to Zeus, these four malware threats continue to impact enterprises today. Watch this short video to learn where they're still lurking.

    click to view

  • Learn the ins and outs of Europe's General Data Protection Regulation (GDPR)

    Look ahead to Europe's rollout of the the General Data Protection Regulation in May 2018, and its expected impact on data handling, with expert insights from Gary Southwell, vice president and general manager, products division, at CSPI.

    click to view

  • How to speed up IoT deployment: Give each device an identity
    Jack Gold

    Most enterprises are in the process of evaluating how the Internet of Things (IoT) will affect their organization, especially how devices targeted at the Enterprise of Things (EoT) will be deployed.

    Indeed, companies that deploy “things” need to worry about security, manageability, longevity/availability and robustness — unlike consumers who generally don’t concern themselves with such things. I recently discussed what I see as a real lack of focus on IoT security from a device perspective. What I’d like to discuss now is the need make it easier to deploy and manage devices, especially those focused on enterprise deployments. This can be relatively easily accomplished by creating a unique unalterable identity for each device.

    To read this article in full or to leave a comment, please click here



    click to view

  • What is a firewall?
    Brandon Butler

    Network-based firewalls have become almost ubiquitous across US enterprises for their proven defense against an ever-increasing array of threats.

    A recent study by network testing firm NSS Labs found that up to 80% of US large businesses run a next-generation firewall. Research firm IDC estimates the firewall and related unified threat management market was a $7.6 billion industry in 2015 and expected to reach $12.7 billion by 2020.

    What is a firewall?

    Firewalls act as a perimeter defense tool that monitor traffic and either allow it or block it. Over the years functionality of firewalls has increased, and now most firewalls can not only block a set of known threats and enforce advanced access control list policies, but they can also deeply inspect individual packets of traffic and test packets to determine if they’re safe. Most firewalls are deployed as network hardware that processes traffic and software that allow end users to configure and manage the system. Increasingly, software-only versions of firewalls are being deployed in highly virtualized environments to enforce policies on segmented networks or in the IaaS public cloud.

    To read this article in full or to leave a comment, please click here



    click to view

  • IDG Contributor Network: How smart cities can protect against IoT security threats
    Gary Eastwood

    Smart cities, which were once confined to the realms of science fiction books, are rapidly becoming a reality all around the globe. Unfortunately, like all revolutionizing innovations, smart cities are developing their own unique challenges alongside of their perks. So what are industry insiders and tomorrow’s city planners doing to face these challenges?

    The security issues facing smart cities are unlike anything ever before seen, and solutions to these problems haven’t yet sprung up en masse, meaning many different interest groups have proposed their own respective plans. By combing through some of today’s proposed solutions, we can identify some of the leading trends that will come to dominate the future of smart city security.

    To read this article in full or to leave a comment, please click here



    click to view

  • Oracle leverages machine learning to manage, secure enterprise systems
    Andy Patrizio

    Oracle is not the first company that comes to mind when you think of enterprise security, but the company announced at its recent OpenWorld conference new products with artificial intelligence (AI) and machine learning capabilities to quickly identify security threats.

    The company introduced two new sets of integrated suites called Oracle Identity Security Operations Center (SOC) and Oracle Management Cloud. It claims they will help enterprises forecast, reduce, detect and resolve cybersecurity threats in minutes rather than days and assist remediation of application and infrastructure performance issues.

    It makes sense for Oracle to jump into this field even if it is full of established players like Symantec, Sophos, Tripwire and far more. Since Oracle’s databases are often a target of hacker attacks, who better to secure an Oracle database than Oracle? 

    To read this article in full or to leave a comment, please click here



    click to view

  • IoT can learn from smartphone security
    Jack Gold

    The massive growth of Internet of Things (IoT) devices over the next one to three years should give us pause. As companies rush to get to market first, are we seeing a “dumbing down” of basic device principals that we have been working with for years, particularly enhanced security and privacy. With so many distinct applications, device scope and diversity represent a unique security challenge that so far has not been met.

    I estimate that 85 percent or more of current IoT devices deployed in the real world do not have adequate security installed, and it’s likely that the vast majority of those will never be upgraded (or are not even capable of being upgraded). That means not only do current devices being installed pose a risk, but over the next one to two years, the vast majority of devices that will be deployed also pose a risk.

    To read this article in full or to leave a comment, please click here



    click to view

  • Time to rethink how much customer data you store
    Bryan Lunduke

    Does the company you work for (or own) retain data on customers? Odds are pretty high that it does, at least in some form (often fairly extensively). It's often attractive to do so for both marketing and functionality purposes.

    But here's the thing, storing that data is probably a bad business decision. One that could cost your business a huge amount of money and, even worse, potential loss of trust by your most valuable customers.

    Storage costs 

    Just from the IT infrastructure point of view: As your business grows and the amount of data you store on each customer slowly expands (it always does), your cost for storing that data also grows. Rather quickly. Even if your data center is already well equipped, this is a not-insignificant recurring expense (failing drives, energy costs, other equipment needs, etc.).

    To read this article in full or to leave a comment, please click here



    click to view

  • Tech Talk: The Equifax data breach, a new Apple Watch and the A.I. revolution

    With the Equifax breach still making waves, the new Apple Watch now on wrists and A.I. seemingly everywhere, our panel digs into what's happening in the IT world.

    click to view

  • Nextcloud’s file storage solution gets a security boost
    Bryan Lunduke

    Nextcloud today released a preview of Nextcloud 13, its online file storage solution for enterprise and individual users.

    What makes this release so interesting? End-to-end file encryption.

    When we’re talking about the needs of big businesses, keeping files secure is absolutely critical. There has been no shortage of data breaches and hacks in recent months – reliable encryption and security is absolutely vital to reducing those problems. 

    + Also on Network World: 4 ways to simplify data management +

    From Jos Poortvliet, member of the Nextcloud, team:

    To read this article in full or to leave a comment, please click here



    click to view

  • Microsoft launches data security technology for Windows Server, Azure
    Andy Patrizio

    Data is at its greatest risk of being compromised when it is being used, when moving from a secure database around the servers or apps in memory. So, Microsoft is launching a new technology for Windows Server and Azure that protects the data while it’s being processed. 

    Microsoft claims the service, called Azure confidential computing, makes it the first public cloud provider to offer encryption of data while in use. Encrypting data while it is being manipulated is pretty CPU-intensive, and there is no word on the performance impact of this service. 

    “Despite advanced cybersecurity controls and mitigations, some customers are reluctant to move their most sensitive data to the cloud for fear of attacks against their data when it is in use,” Mark Russinovich, Microsoft Azure CTO, wrote in a company blog post. “With confidential computing, they can move the data to Azure knowing that it is safe not only at rest, but also in use from [various] threats.” 

    To read this article in full or to leave a comment, please click here



    click to view

  • Aruba rolls out security fabric designed for IoT and the digital era
    Zeus Kerravala

    Aruba, a Hewlett Packard Enterprise Company, is best known for its outstanding business-grade Wi-Fi products. What’s less well known about Aruba is that it has always had excellent security products. In fact, I’ve often described the company as a security vendor dressed up as a Wi-Fi vendor, as Aruba and security have gone hand in hand like the New England Patriots and winning. 

    However, Aruba’s security positioning has always been tactical rather than strategic because its products were used for specific purposes, such as end point protection or wireless security. That shifted this week at APAC Atmosphere in Macau when the company introduced its 360 Security Fabric, which enables it to provide end-to-end security to address the needs of a world that is becoming increasingly digitized. 

    To read this article in full or to leave a comment, please click here



    click to view

  • 5 Ways to Secure Wi-Fi Networks
    Eric Geier

    Wi-Fi is one entry-point hackers can use to get into your network without setting foot inside your building because wireless is much more open to eavesdroppers than wired networks, which means you have to be more diligent about security.

    But there’s a lot more to Wi-Fi security than just setting a simple password. Investing time in learning about and applying enhanced security measures can go a long way toward better protecting your network. Here are six tips to betters secure your Wi-Fi network.

    Use an inconspicuous network name (SSID)

    The service set identifier (SSID) is one of the most basic Wi-Fi network settings. Though it doesn’t seem like the network name could compromise security, it certainly can. Using a too common of a SSID, like “wireless” or the vendor’s default name, can make it easier for someone to crack the personal mode of WPA or WPA2 security. This is because the encryption algorithm incorporates the SSID, and password cracking dictionaries used by hackers are preloaded with common and default SSIDs. Using one of those just makes the hacker’s job easier.

    To read this article in full or to leave a comment, please click here



    click to view

  • Today’s property rules don’t work in our IoT world
    Dave Michels

    Property and ownership are among the most basic concepts of a modern society. Our ability to clarify who owns what separates us from savages because property and ownership help us maintain our independence and identity.

    The rules of property and ownership have evolved over centuries. There are clear transfer procedures for all types of property, including real estate, cars and even books. The problem is these age-old concepts are not holding up in our connected and digital world.

    owned Cambridge University Press

    “Property ownership as we know it is under attack and fading fast,” writes Joshua Fairfield in his book Owned: Property, Privacy, and the New Digital Serfdom. “The Internet of Things and digital property ownership systems are being built on the old feudal model.”

    To read this article in full or to leave a comment, please click here



    click to view

  • 5 reasons why device makers cannot secure the IoT platform
    Steven Max Patterson

    If Akamai, Cisco and Google’s post-platform security and privacy machine learning security systems protecting the web and mobile platforms are indicative of the future, IoT device makers will only be part of a larger security ecosystem. That’s because they will not have the data to train the AI machine learning models.  

    As a result, IoT post-platform security and privacy will become a layer on top of IoT device security. These five factors are why that will happen.

    1. Product developers underestimated IoT security

    In their race to market, product developers building for new platforms will underestimate the security and privacy features that should be built into their products. In some cases, this will be an act of commission, but most will be an act of omission because it is difficult to anticipate the vulnerabilities until the products reach the market at scale. Windows and mobile devices experienced something similar. They have been hardened, but earlier in their evolution they were an easy target for cyber criminals.

    To read this article in full or to leave a comment, please click here



    click to view

  • How network automation can speed deployments and improve security
    Ann Bednarz

    Five years ago, IT was decentralized at the University of New Mexico. “Every school or college had their own IT, and in most cases they were completely under-resourced – a one-person shop having to do phones, apps, email, desktop, servers, storage, disaster recovery, all of that,” said Brian Pietrewicz, deputy CIO at University of New Mexico.

    The university transitioned to a self-service model that enables each of its more than 100 departments to deploy infrastructure and application services itself and have them managed by the now-centralized IT team.

    Adopting VMware’s vCloud Automation Center enabled departments to consume cloud resources, but also give the management team the ability to curtail that consumption if necessary.

    To read this article in full or to leave a comment, please click here



    click to view

  • VMware adds whitelist security to the hypervisor
    Andy Patrizio

    Overlooked in the hoopla around the VMworld conference was an announcement of the availability of AppDefense, a new product that lets companies restrict the types of operations applications are allowed to run on virtualized servers. 

    AppDefense works with the VMware hypervisor and can also connect to third-party provisioning, configuration management and workflow automation platforms. It can send out alerts, quarantine apps, shut them down and even restore a VM from an image. All of this is based on AppDefense catching unusual behavior, such as trying to modify the kernel or communicate with an unrecognized remote server. 

    VMware already has some security features built into its NSX and VSAN products, but those are around networking and storage. AppDefense secures the core virtual machines in vSphere itself. It does this by using behavior-based whitelisting, which is not easy to do on desktops because they run a lot of apps. But on a server, especially a virtual server, it’s a much easier proposition. In some cases, virtual servers run only one or two apps, so shutting out everything else is simple.

    To read this article in full or to leave a comment, please click here



    click to view

  • Fixing, upgrading and patching IoT devices can be a real nightmare
    Fredric Paul

    Ensuring cybersecurity for computers and mobile phones is a huge, complex business. The ever-widening scope and unbelievable variety of threats makes keeping these devices safe from cyber criminals and malware a full-time challenge for companies, governments and individuals around the world.

    But at least the vast majority of those devices are easily accessible, safe in the pockets or sitting on the desktops of the very people who want to protect them. The Internet of Things (IoT) devices that need protection, on the other hand, could be almost anywhere: sitting in a remote desert, buried deep in coal mine, built into a giant truck. Or, even implanted inside the human body.

    To read this article in full or to leave a comment, please click here



    click to view

  • Ransomware: What you need to know now | Salted Hash Ep 1, Pt 4

    Reporters Fahmida Rashid and Steve Ragan talk about the latest ransomware threats, the holes in IT security and the burdens on enterprises.

    click to view

  • U.S. Cyber Command gains status | Salted Hash Ep 1, Pt 2

    Reporters Steve Ragan and Fahmida Rashid discuss the implications of the U.S. Cyber Command's recent elevation in status, putting it on the same level as the military’s other functional combatant commands.

    click to view

  • Salted Hash: Kaspersky Lab, U.S. Cyber Command, Hollywood hacking and ransomware

    Reporters Steve Ragan and Fahmida Rashid unpack the hottest topics in the security realm: Kaspersky Lab's Russia connection, the new status for the U.S. Cyber Command, Hollywood's hacking woes and ransomware.

    click to view

  • Hollywood's hacking woes | Salted Hash Ep 1, Pt 3

    Reporters Fahmida Rashid and Steve Ragan talk about hacks of Sony and more recently, HBO, and what lessons enterprises can learn from the entertainment industry's mistakes.

    click to view

  • Kaspersky Lab and the Russia connection | Salted Hash Ep 1, Pt 1

    Reporters Fahmida Rashid and Steve Ragan talk about antivirus vendor Kaspersky Lab, a Russian-based company that various U.S. agencies have flagged as untrustworthy. Should you use it?

    click to view

  • Tech Talk: Pricey iPhones, intent-based networks, GPS spoofing and smartwatches

    Our panel looks at whether smartwatch makers blew it by not focusing on the enterprise, why intent-based networking is the next big thing, whether GPS spoofing is real, and how high is too high when it comes to iPhone prices.

    click to view

  • Juniper to buy advanced threat protection security startup Cyphort
    Brandon Butler

    Juniper today announced intentions to acquire Cyphort, a Santa Clara-based startup that offers an advanced threat detection, analytics and mitigation platform. Juniper says it will integrate Cyphort’s technology with its Sky Advanced Threat Protection (ATP) product line.

    +MORE AT NETWORK WORLD: DEEP-DIVE REVIEW: How Cyphort makes advanced threat protection easier than ever +

    Cyphort’s software platform detects advanced threats, evasion techniques and zero-day vulnerabilities using a combination of behavioral analytics, machine-learning and long-data security analysis, the company says. The platform can work across virtual infrastructure, cloud environments and edge devices. In addition to identifying threats, Cyphort creates real-time timelines of incidents and can integrate with network tools to update security postures.

    To read this article in full or to leave a comment, please click here



    click to view

  • 30 ways to improve IoT privacy
    Steven Max Patterson

    Much work still must be done before the industrial and municipal Internet of Things (IoT) becomes widely adopted outside of the circle of innovators. One field, privacy, well understood by the public and private sector in the context of the cloud, PCs and mobile, is in the early stage of adaptation for the IoT.

    The sheer volume of data that will be collected and the new more granular architecture of the IoT present new privacy concerns that need to be resolved on an equal scale as the platform’s forecasted growth.

    A demonstration of this new aspect of privacy and compliance is the Privacy Guidelines for Internet of Things: Cheat Sheet, Technical Report (pdf) by Charith Perera, researcher at the Newcastle University in the U.K. The nine-page report details 30 points about implementing strong privacy protections. This report is summarized below.

    To read this article in full or to leave a comment, please click here



    click to view

  • Hot products at VMworld 2017
    Ann Bednarz
    VMworld 2017
    intro VMworld

    Image by Thinkstock/VMware

    VMworld 2017 is underway in Las Vegas, where IT pros are converging to learn about the latest in enterprise cloud, virtualization, security, and software-defined data center technologies. Here are some of the product highlights on display at the show.

    To read this article in full or to leave a comment, please click here



    click to view

  • This Mirai malware vaccine could protect insecure IoT devices
    Steven Max Patterson

    The hazard of unsophisticated and poorly secured Internet of Things (IoT) devices came to the front last year with the Mirai DDoS attack that involved nearly a million bots. Many of these devices remain a threat.

    Researchers have posed an original solution to the problem: Use the vulnerability of these devices to inject a white worm that secures the devices. It is an epidemiological approach that creates immunity with a vaccine by exposing the immune system to a weakened form of the disease.

    + Also on Network World: How to improve IoT security +

    These devices are still a threat because some cannot be fixed because they have hard-coded back doors. Other insecure devices have software or firmware vulnerabilities that cannot be fixed because product designers did not include a software updates mechanism.

    To read this article in full or to leave a comment, please click here



    click to view

  • This Linux tool could improve the security of IoT devices
    Steven Max Patterson

    The first rule of building a secure and feature-rich ecosystem is software management — push and pull software updates and software discovery through an app store mechanism from a trusted source.

    In the go-to-market IoT race, though, that often doesn’t happen. Many Internet of Things (IoT) product developers have ignored the traumatic early history of Microsoft Windows, Android and web platforms, and expoits of IoT devices — because software updates have not been designed in — are regularly reported.

    + Also on Network World: How to improve IoT security +

    Those earlier platforms have been hardened, updates have been automated, and the app discovery and installation have been made trustworthy. IoT developers need to follow their lead. 

    To read this article in full or to leave a comment, please click here



    click to view

  • 5 Ways to Secure Wi-Fi Networks
    Eric Geier

    Wi-Fi is one entry-point hackers can use to get into your network without setting foot inside your building because wireless is much more open to eavesdroppers than wired networks, which means you have to be more diligent about security.

    But there’s a lot more to Wi-Fi security than just setting a simple password. Investing time in learning about and applying enhanced security measures can go a long way toward better protecting your network. Here are six tips to betters secure your Wi-Fi network.

    Use an inconspicuous network name (SSID)

    The service set identifier (SSID) is one of the most basic Wi-Fi network settings. Though it doesn’t seem like the network name could compromise security, it certainly can. Using a too common of a SSID, like “wireless” or the vendor’s default name, can make it easier for someone to crack the personal mode of WPA or WPA2 security. This is because the encryption algorithm incorporates the SSID, and password cracking dictionaries used by hackers are preloaded with common and default SSIDs. Using one of those just makes the hacker’s job easier.

    To read this article in full or to leave a comment, please click here



    click to view

  • 30 ways to improve IoT privacy
    Steven Max Patterson

    Much work still must be done before the industrial and municipal Internet of Things (IoT) becomes widely adopted outside of the circle of innovators. One field, privacy, well understood by the public and private sector in the context of the cloud, PCs and mobile, is in the early stage of adaptation for the IoT.

    The sheer volume of data that will be collected and the new more granular architecture of the IoT present new privacy concerns that need to be resolved on an equal scale as the platform’s forecasted growth.

    A demonstration of this new aspect of privacy and compliance is the Privacy Guidelines for Internet of Things: Cheat Sheet, Technical Report (pdf) by Charith Perera, researcher at the Newcastle University in the U.K. The nine-page report details 30 points about implementing strong privacy protections. This report is summarized below.

    To read this article in full or to leave a comment, please click here



    click to view

  • Unix: How random is random?
    Sandra Henry-Stocker

    On Unix systems, random numbers are generated in a number of ways and random data can serve many purposes. From simple commands to fairly complex processes, the question “How random is random?” is worth asking.

    EZ random numbers

    If all you need is a casual list of random numbers, the RANDOM variable is an easy choice. Type "echo $RANDOM" and you'll get a number between 0 and 32,767 (the largest number that two bytes can hold).

    $ echo $RANDOM
    29366

    Of course, this process is actually providing a "pseudo-random" number. As anyone who thinks about random numbers very often might tell you, numbers generated by a program have a limitation. Programs follow carefully crafted steps, and those steps aren’t even close to being truly random. You can increase the randomness of RANDOM's value by seeding it (i.e., setting the variable to some initial value). Some just use the current process ID (via $$) for that. Note that for any particular starting point, the subsequent values that $RANDOM provides are quite predictable.

    To read this article in full or to leave a comment, please click here



    click to view

  • The complexity of password complexity
    Sandra Henry-Stocker

    Deploying password quality checking on your Debian-base Linux servers can help to ensure that your users assign reasonable passwords on their accounts, but the settings themselves can be a bit misleading. For example, setting a minimum password length of 12 characters does not mean that your users' passwords will all have twelve or more characters. Let's stroll down Complexity Boulevard and see how the settings work and examine some settings worth considering.

    First, if you haven't done this already, install the password quality checking library with this command:

    apt-get -y install libpam-pwquality

    The files that contain most of the settings we're going to look at will be:

    To read this article in full or to leave a comment, please click here



    click to view

  • 8 ways to manage an internet or security crisis
    Jennifer Lonoff Schiff

    Your business is hit with a ransomware attack. Or your ecommerce site crashes. Your legacy system stops working. Or maybe your latest software release has a major bug. These are just some of the problems that ecommerce, technology and other companies experience at one time or another.

    The issue is not if a problem – or crisis – occurs, but how your company handles it when it does. Manage the problem poorly, you risk losing customers, or worse. Handle a crisis promptly and professionally, you can fend off a public relations disaster and might even gain new customers.

    So what steps can businesses take to mitigate and effectively manage an IT-related crisis? Here are eight suggestions.

    To read this article in full or to leave a comment, please click here



    click to view

  • Incident response is like tracking down a perpetrator
    Ryan Francis
    What is incident response?
    1 incident response police tape crime death

    Image by Thinkstock

    Incident response is like investigating a real burglary. You look for evidence of the intruder at the crime scene, find his targets and his getaway car, and repair any holes. Discover any cuts in your chain link fence. Take a few steps back for more perspective. Find the intruder’s targets. What assets are near the compromised fence? Investigate in both directions to find the intruder's target and getaway car. Fix the fence. Resolve any issues and patch vulnerabilities.

    To read this article in full or to leave a comment, please click here



    click to view

  • 6 things you need to know about IoT security
    Ryan Francis
    Security, trust and data integrity
    IoT security

    Image by Thinkstock

    The emergence of IoT is altering our personal technology security paradigm and is a game-changer in customer/business interaction, in part due to the wide scope of available data and sheer number of devices collecting this data. McKinsey & Company estimates the IoT ecosystem will generate $6 trillion in value by 2025. Successful IoT offerings rely on the perception of benefit they can deliver to businesses and consumers while creating a proportionate foundation of security, trust, and data integrity. There are important ways that IoT technology can reduce data security risk while improving customer experience in a connected world.

    To read this article in full or to leave a comment, please click here



    click to view

  • Pitfalls of identity access management
    Ryan Francis
    Tracking
    identity access management

    Image by Thinkstock

    It is easy to overlook identity access management as static infrastructure in the background, and that's the chief problem: Too few organizations treat IAM as the crucial, secure connective tissue between businesses' multiplying employees, contractors, apps, business partners and service providers. Aaron Perry, president at Focal Point Data Risk, runs through some of IAM’s pitfalls.

    To read this article in full or to leave a comment, please click here



    click to view

  • How to strike ransomware out
    Ryan Francis
    Swing and a miss
    ransomware

    Image by Victor Grigas

    Most businesses are ill prepared to handle a ransomware attack. In fact, according to a new study released by Carbonite, 68 percent of survey respondents believe their company is “very vulnerable” or “vulnerable” to a ransomware attack. Respondents stated that if their company didn’t pay ransom, it was because they had a full and accurate backup. Without backup, they have no other way to get their most valuable asset back.

    To read this article in full or to leave a comment, please click here



    click to view

| Date published: Tue, 24 Oct 2017 01:41:09 -0700
Back to newsfeed list
Translate to: {GOOGLETRANS}
Google Ads




Headlines

»CVE-2010-2232
In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker ...
»CVE-2010-3659
Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4 ...
»CVE-2011-1935
pcap-linux.c in libpcap 1.1.1 before commit ea9432fabdf4b33cbc76d9437200e028f1c47c93 when snaplen is ...
»CVE-2011-2683
reseed seeds random numbers from an insecure HTTP request to random.org during installation, which m ...
»CVE-2011-2684
foo2zjs before 20110722dfsg-3ubuntu1 as packaged in Ubuntu, 20110722dfsg-1 as packaged in Debian uns ...
»CVE-2011-4333
Multiple cross-site scripting (XSS) vulnerabilities in LabWiki 1.1 and earlier allow remote attacker ...
»CVE-2011-4334
edit.php in LabWiki 1.1 and earlier does not properly verify uploaded user files, which allows remot ...
»CVE-2012-4379
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP h ...
»CVE-2012-4380
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking e ...
»CVE-2012-4382
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, whi ...
»CVE-2012-4567
Multiple cross-site scripting (XSS) vulnerabilities in LetoDMS (formerly MyDMS) before 3.3.8 allow r ...
»CVE-2012-4568
Multiple cross-site request forgery (CSRF) vulnerabilities in LetoDMS (formerly MyDMS) before 3.3.8 ...
»CVE-2012-4569
Multiple cross-site scripting (XSS) vulnerabilities in out/out.UsrMgr.php in LetoDMS (formerly MyDMS ...
»CVE-2012-4570
SQL injection vulnerability in LetoDMS_Core/Core/inc.ClassDMS.php in LetoDMS (formerly MyDMS) before ...
»CVE-2012-6707
WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for ...


Date published: 2017-10-24T05:00:08Z
Details

»Cisco Releases Security Updates
Original release date: October 18, 2017 Cisco has released updates to address vulnerabilities ...
»Google Releases Security Updates for Chrome
Original release date: October 18, 2017 Google has released Chrome version 62.0.3202.62 for W ...
»Oracle Releases Security Bulletin
Original release date: October 17, 2017 Oracle has released its Critical Patch Update for Oct ...
»IC3 Issues Alert on DDoS Attacks
Original release date: October 17, 2017 The Internet Crime Complaint Center (IC3) has issued ...
»IC3 Issues Alert on IoT Devices
Original release date: October 17, 2017 In conjunction with National Cyber Security Awareness ...
»Today’s Predictions for Tomorrow’s Internet
Original release date: October 17, 2017 October is National Cybersecurity Awareness Month, an ...
»Adobe Releases Security Updates
Original release date: October 16, 2017 Adobe has released security updates to address a vuln ...
»CERT/CC Reports WPA2 Vulnerabilities
Original release date: October 16, 2017 CERT Coordination Center (CERT/CC) has released infor ...
»Mozilla Releases Security Update
Original release date: October 11, 2017 Mozilla has released a security update to address mul ...
»Microsoft Releases October 2017 Security Updates
Original release date: October 10, 2017 Microsoft has released updates to address vulnerabili ...


Date published: not known
Details

»Gábor Szappanos wins fourth Péter Szőr Award
At the VB2017 gala dinner, the fourth Péter Szőr Award was presente ...
»VB2017 paper: Walking in your enemy's shadow: when fourth-party collection becomes attribution hell
We publish the VB2017 paper and video by Kaspersky Lab researchers ...
»Didn't come to VB2017? Tell us why!
Virus Bulletin is a company - and a conference - with a mission: to ...
»Montreal will host VB2018
Last week, we announced the full details of VB2018, which will take ...
»VB2017 preview: Beyond lexical and PDNS (guest blog)
In a special guest blog post, VB2017 Silver sponsor Cisco Umbrella ...
»Avast to present technical details of CCleaner hack at VB2017
The recently discovered malicious CCleaner version has become one o ...
»VB2017 preview: Walking in your enemy's shadow: when fourth-party collection becomes attribution hell
We preview the VB2017 paper by Kaspersky Lab researchers Juan André ...
»VB2017 preview: Offensive malware analysis: dissecting OSX/FruitFly.B via a custom C&C server
We preview Patrick Wardle's VB2017 paper, in which the Synack resea ...
»VB2017 - information for press
More than 50 security industry experts will present conference pape ...


Date published: not known
Details
Main Menu
· Home
Current Security News
 
US-CERT Current Activity

» Cisco Releases Security Updates
[18 Oct 2017 02:07pm]

» Google Releases Security Updates for Chrome
[18 Oct 2017 08:08am]

» Oracle Releases Security Bulletin
[17 Oct 2017 06:40pm]

» IC3 Issues Alert on DDoS Attacks
[17 Oct 2017 06:39pm]

» IC3 Issues Alert on IoT Devices
[17 Oct 2017 04:56pm]

» Today’s Predictions for Tomorrow’s Internet
[17 Oct 2017 05:24am]

» Adobe Releases Security Updates
[16 Oct 2017 01:33pm]

» CERT/CC Reports WPA2 Vulnerabilities
[16 Oct 2017 07:20am]

» Mozilla Releases Security Update
[11 Oct 2017 08:25am]

» Microsoft Releases October 2017 Security Updates
[10 Oct 2017 01:37pm]

***
US-CERT Alerts

» TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
[20 Oct 2017 04:50pm]

» TA17-181A: Petya Ransomware
[30 Jun 2017 11:41pm]

» TA17-164A: HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
[13 Jun 2017 09:45am]

» TA17-163A: CrashOverride Malware
[12 Jun 2017 03:44pm]

» TA17-156A: Reducing the Risk of SNMP Abuse
[05 Jun 2017 06:11pm]

» TA17-132A: Indicators Associated With WannaCry Ransomware
[12 May 2017 07:36pm]

» TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors
[27 Apr 2017 04:50pm]

» TA17-075A: HTTPS Interception Weakens TLS Security
[16 Mar 2017 06:40am]

» TA16-336A: Avalanche (crimeware-as-a-service infrastructure)
[30 Nov 2016 10:00pm]

» TA16-288A: Heightened DDoS Threat Posed by Mirai and Other Botnets
[14 Oct 2016 05:59pm]

***
Computerworld Security

» Now THAT'S what we call security!
[23 Oct 2017 04:00am]

» Anatomy of a spambot
[19 Oct 2017 04:00am]

» What is blockchain? Get up to speed with this video primer
[18 Oct 2017 11:00pm]

» 48% off Kidde Carbon Monoxide Alarm with Display and 10 Year Battery - Deal Alert
[18 Oct 2017 07:32am]

» 4 old malware threats still haunting business today
[17 Oct 2017 10:00pm]

» Excel, Access, external DB driver errors linked to this month’s patches
[17 Oct 2017 09:08am]

» Amazon wants to deliver groceries to your car trunk — not a good idea
[17 Oct 2017 04:00am]

» Microsoft shuts down Krack with sneaky Windows update
[16 Oct 2017 02:44pm]

» Don’t be the fool in the cloud
[16 Oct 2017 08:23am]

» Learn the ins and outs of Europe's General Data Protection Regulation (GDPR)
[15 Oct 2017 11:00pm]

» FinTech builds on blockchain for international mobile payments
[15 Oct 2017 10:07pm]

» Microsoft's anti-malware sniffing service powers Edge to top spot in browser blocking tests
[14 Oct 2017 01:58pm]

» Early reports of myriad Microsoft Patch Tuesday problems
[11 Oct 2017 05:28am]

» Another banner Patch Tuesday, with a Word zero-day and several bugs
[10 Oct 2017 02:28pm]

» In iOS 11, toggling Wi-Fi and Bluetooth 'off' doesn’t work. Here’s why.
[10 Oct 2017 01:54pm]

***
Microsoft Security Advisories

» 4038556 - Guidance for securing applications that host the WebBrowser Control - Version: 1.0
[08 Aug 2017 11:00am]

» 4033453 - Vulnerability in Azure AD Connect Could Allow Elevation of Privilege - Version: 1.0
[27 Jun 2017 11:00am]

» 4025685 - Guidance related to June 2017 security update release - Version: 1.0
[13 Jun 2017 11:00am]

» 4022345 - Identifying and correcting failure of Windows Update client to receive updates - Version: 1.3
[12 May 2017 11:00am]

» 4022344 - Security Update for Microsoft Malware Protection Engine - Version: 1.2
[12 May 2017 11:00am]

» 4021279 - Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege - Version: 1.1
[10 May 2017 11:00am]

» 4010323 - Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11 - Version: 1.0
[09 May 2017 11:00am]

» 3123479 - SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 2.0
[14 Mar 2017 11:00am]

» 4010983 - Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service - Version: 1.0
[27 Jan 2017 11:00am]

» 3214296 - Vulnerabilities in Identity Model Extensions Token Signing Verification Could Allow Elevation of Privilege - Version: 1.0
[10 Jan 2017 11:00am]

» 3181759 - Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of Privilege - Version: 1.0
[13 Sep 2016 11:00am]

» 3174644 - Updated Support for Diffie-Hellman Key Exchange - Version: 1.0
[13 Sep 2016 11:00am]

» 3179528 - Update for Kernel Mode Blacklist - Version: 1.0
[09 Aug 2016 11:00am]

» 2880823 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 2.0
[18 May 2016 11:00am]

» 3155527 - Update to Cipher Suites for FalseStart - Version: 1.0
[10 May 2016 11:00am]

***
Security Latest

» Russian Spies Rush to Exploit the Latest Flash Zero Day and More Security News This Week
[21 Oct 2017 06:00am]

» The Reaper Botnet Could Be Worse Than the Internet-Shaking Mirai Ever Was
[20 Oct 2017 03:45pm]

» Equifax Deserves the Corporate Death Penalty
[20 Oct 2017 06:00am]

» Cryptojacking Lets Strangers Mine Cryptocurrency With Your Browser
[20 Oct 2017 05:00am]

» It Takes Just $1,000 to Track Someone's Location With Mobile Ads
[18 Oct 2017 05:00am]

» Why the Krack Wi-Fi Mess Will Take Decades to Clean Up
[17 Oct 2017 01:39pm]

» The Flawed System Behind the Krack Wi-Fi Meltdown
[17 Oct 2017 10:55am]

» Google's 'Advanced Protection' Locks Down Accounts Like Never Before
[17 Oct 2017 05:00am]

» KRACK Vulnerability Makes Wi-Fi Hacking Possible, Leaving Millions of Devices Exposed
[16 Oct 2017 09:03am]

» Trump Decertifying the Iran Deal Could Have Unseen Cyberattack Consequences
[15 Oct 2017 05:00am]

» An Equifax Goof, an iOS Phish, and More Security News This Week
[14 Oct 2017 06:00am]

» How Power Grid Hacks Work, and When You Should Panic
[13 Oct 2017 10:00am]

» How To Fix the Broken Social Security Number Sytem
[13 Oct 2017 05:00am]

» Kaspersky's Alleged Russia Ties Highlight the Risks of Antivirus
[11 Oct 2017 03:01pm]

» 'Crypto Anchors' Might Stop the Next Equifax-Style Megabreach
[11 Oct 2017 10:45am]

***
Network World Security

» 48% off Kidde Carbon Monoxide Alarm with Display and 10 Year Battery - Deal Alert
[18 Oct 2017 07:32am]

» How to speed up IoT deployment: Give each device an identity
[12 Oct 2017 03:30am]

» What is a firewall?
[11 Oct 2017 02:16pm]

» IDG Contributor Network: How smart cities can protect against IoT security threats
[11 Oct 2017 05:00am]

» 7 free tools every network needs
[15 Aug 2017 01:52pm]

» Gravityscan, keeping WordPress sites safe
[24 May 2017 02:34pm]

» Network monitoring tools: Features users love and hate
[01 May 2017 04:51am]

» Book Review: Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems
[27 Apr 2017 12:45pm]

» Fight firewall sprawl with AlgoSec, Tufin, Skybox suites
[10 Apr 2017 04:32am]

» Review: Canary Flex security camera lives up to its name
[24 Mar 2017 07:01am]

» Zix wins 5-vendor email encryption shootout
[13 Mar 2017 04:00am]

» Review: vArmour flips security on its head
[06 Mar 2017 03:50am]

» 5 open source security tools too good to ignore
[21 Feb 2017 07:12am]

» What is blockchain? Get up to speed with this video primer
[18 Oct 2017 11:00pm]

» 4 old malware threats still haunting business today
[17 Oct 2017 10:00pm]

***


More IT Security
News Feeds
More Sponsors

Advertise on this site
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf
Welcome
Username:

Password:




Remember me

[ ]

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.
{THEMEDISCLAIMER}