
InfoSecurity Professional INSIGHTS Newsletter Archive

InfoSecurity Professional INSIGHTS is our bi-monthly e-newsletter, associated with our members-only digital publication, InfoSecurity Professional. Like the magazine, it delivers timely, compelling content written with the professional development of information security practitioners in mind. You can view the current newsletter here.


    April INSIGHTS

    It’s Time to Secure Your Software Supply Chain, Whether It’s Open or Not

    By Joe Fay

    If it’s a surprise to you that April is the U.S. Cybersecurity and Infrastructure Security Agency (CISA) National Supply Chain Integrity Month, it might be an even bigger surprise that this is the event’s sixth year.

    This year’s theme is “Supply Chain Risk Management (SCRM) – The Recipe for Resilience”, and the agency is pushing government and industry to “work together to shift from a reactive to a proactive approach for supply chain risk management.”

    For good reason. Sonatype’s most recent State of the Software Supply Chain report showed that 1.2 billion vulnerable dependencies are downloaded every month, while the number of “malicious, next-generation attacks” grew 633% year on year.

    February INSIGHTS

    Are Mobile Devices Secure Enough for Zero Trust?

    By John E. Dunn

    In the history of computing platforms, it’s hard to think of a more chaotic security situation than that unleashed upon consumers and businesses in the years after Android’s introduction in 2008.

    Things have improved dramatically in recent times after overdue reforms by Google. Nonetheless, the sense that mobile devices remain an opaque risk still lingers. But how far should organizations probe into the security state of more recent mobile devices, and should this go as far as pen testing? They don’t, after all, pen test most other devices.


    December INSIGHTS

    7 Tips for Coping with Imposter Syndrome

    By Infosecurity Professional Staff

    Larry Whiteside Jr. is a veteran CISO, CSO, CTO, former U.S. Air Force officer and a cybersecurity thought leader. He's offered advice to Fortune 500 companies and runs a nonprofit association to increase the number of minorities and women in the cybersecurity career field.

    Despite such accomplishments, Whiteside suffered from Imposter Syndrome until developing techniques to overcome the self-doubt that can self-sabotage a career and impact how others interact with us.

    "We've all felt this, but the important thing is to acknowledge it and have a dialogue," Whiteside told an audience at (ISC)² Security Congress.

    October INSIGHTS

    5 Things Cybersecurity Leaders Should Heed in the Age of Millennials

    By Anthony Lim, CSSLP

    Millennials and older members of Gen Z will by 2025 make up the majority of the global workforce. They are challenging traditional processes and deploying new technologies for work, home, play, communications, transactions and social activities. As such, it’s essential to understand the millennials’ impact on every industry, and in particular, ours.

    Millennials’ immersion in the latest technologies is the force behind accelerating digital transformations (DX) of economic and social relationships. DX-driven businesses such as Amazon, Netflix and PayPal have not just been successful; they have rendered many non-digital legacy competitors obsolete.

    August INSIGHTS

    Resilience Engineering: What It Is and Why You Need It

    By David Geer

    In his famous 2011 Wall Street Journal article, Marc Andreessen, co-creator of the first web browser, Mosaic, wrote, “Software is eating the world.” Digital transformation has since fueled software’s appetite, converting manual processes to automation, counting on code to do the heavy lifting rather than hardware alone.

    Criminal actors excel at orchestrating failure conditions in software, driving systems to a state of insecurity, breaking applications and exfiltrating precious data such as intellectual property and customer databases.

    Resilience engineering welcomes the insights and experiences of cybersecurity professionals to fortify software against the hammering of modern cyberattacks.


    The Cybersecurity End Game Isn’t Just About Protection. It’s About Profits

    By Sandip Dholakia, CISSP, CCSP

    Though staying secure is a cybersecurity professional’s priority, it isn’t the only one. Staying in business is just as important, no matter your title.

    To be the best cybersecurity practitioner, you must embrace both the IT and business sides of an organization. More than your career depends on it.

    April INSIGHTS

    Lessons Learned from Implementing PCI DSS

    By Kumar Setty, CISSP, HCISPP

    Most experienced security professionals encounter or are required to assess PCI DSS (Payment Card Industry Data Security Standard) compliance based on 12-point criteria.

    Any business that transmits, stores, handles or accepts credit card data — regardless of size or processing volume — must comply with PCI DSS. That includes hospitals, restaurants, retail outlets, and any other organization using e-commerce and accepting or handling credit and debit card information for payment.

    The ultimate penalty for noncompliance: Payment card brands terminate the merchant relationship with the organization, cutting off what for many is now their consumers’ primary payment method. Other penalties include fines until the deficiencies are remediated.

    Yet issues remain. I know because I’ve experienced them, and now wish to share what I’ve learned so others avoid them.

    February INSIGHTS

    Multi-Factor Authentication: Who’s to Blame if It Doesn’t Work as Intended?

    By Ian Rifkin, CISSP

    While multi-factor authentication (MFA) usage has increased during the pandemic, its adoption could be higher, given its benefits. So why aren’t more users incorporating this stronger method of authentication? And who is really to blame when they don’t?

    Multi-factor authentication requires multiple factors as part of the authentication process. Authentication without MFA (e.g., password-based authentication) only uses one factor, while MFA uses two or more: something you know (e.g., password), something you have (e.g., a phone or security key), and/or something you are (e.g., biometrics). Security professionals agree that MFA significantly increases account security. Failure to adopt MFA makes it easier for hackers to compromise accounts.


    December INSIGHTS

    Experts Say to Expect More Job Attrition in 2022

    By Deborah Johnson

    The confluence of a long-standing global shortage of cybersecurity professionals and the ongoing impact of the current pandemic will continue to present cybersecurity hiring challenges in the coming year. Some of these challenges (which could also be seen as “opportunities”) are highlighted in the November/December 2021 issue of InfoSecurity Professional magazine. They include the continuation of the remote workforce, the potential of salary creep and the need for upskilling current staff.

    October INSIGHTS

    It’s not the drivers. It’s the road.

    A plea for secure-by-default infrastructure software

    By Richard Paul Hudson, CISSP

    If a combination of road markings were consistently shown to confuse drivers, leading to avoidable accidents, the appropriate response would be to change them and repaint the road, rather than try to teach people to compensate for the poor markings. Yet in the world of application security, where the insecure default behavior of infrastructure software repeatedly causes developers to build vulnerabilities into their applications, the focus remains on education and increasing developer awareness rather than on fixing the road markings — in this case the broken tools.

    August INSIGHTS

    Demystifying CMMC: How It Can Help Counter Current Cyberattacks

    By Adam Kohnke, CISSP

    The publicly available Cybersecurity Maturity Model Certification (CMMC) is getting a lot of attention these days, both within and outside the public sector. Developed by the U.S. Department of Defense in response to escalating cyberattacks aimed at the defense industrial base and DoD supply chain, CMMC has broader appeal for any organization determining the maturity of its IT security controls. But what, exactly, does it do to improve an organization’s cybersecurity posture?


    7 Ways to Enhance Your Business Reputation Through Security

    By Duncan Greaves

    Your business reputation is key to building communities, establishing partnerships, and persuading others to choose your solutions. That reputation, whether you operate as a “solopreneur” or employee, is an external evaluation based on such criteria as direct experience, communications, branding, and/or established thought leadership. Information security professionals too often leave business reputations up to other departments or employees. However, they play no small role in how that organization’s reputation is shaped and evolves.

    April INSIGHTS

    Can There Be Trustworthy Software Supply Chains?

    By Matt Gillespie

    Supply chain security depends on its weakest link, a problematic reality for software because so many links are hidden from view.

    When the software vendor acts as the root of trust for its customers, verifying product authenticity is more or less equated to verifying safety. But that system of belief breaks down if the vendor itself is compromised, as when SolarWinds’ trusted components proved untrustworthy after a cyberattack in early 2020.

    February INSIGHTS

    Panel: Understanding the Extensive Ransomware Threat

    By Paul South

    Spencer Wilcox remembers the first time he heard a respected security expert talk of “it’s not if, it’s when” in terms of ransomware attacks.

    “I remember thinking at the time, ‘Well, that seems defeatist,’” Wilcox, chief security officer and executive director of technology at PNIM Resources, said. “Of course, like everybody else in the industry, I matured to finally get to a point where I can accept disaster. This [though] is a level of disaster I don’t think any of us are prepared to accept. So, as a result, we’ve got to figure out better ways to prevent ransomware. And more importantly, we have to have great ways to recover.”


    December INSIGHTS

    How to Stay Ahead of Adversarial Machine Learning

    By Shawna McAlearney

    As artificial intelligence technologies become more prevalent in business, so too do the potential security risks of machine learning (ML), in which machines access data and learn from their own experience rather than being programmed. One of the biggest security concerns involves adversarial machine learning in which an attacker uses bad, or deceptive, input to exploit the way artificial intelligence algorithms work and cause a malfunction in a machine learning model.

    October INSIGHTS

    Election Hacking: It’s Real and It’s Happening as You Read This

    By Shawna McAlearney

    The U.S. presidential election is just about a month away, and all eyes remain on voting security: from state-sponsored efforts to influence voters, to exploitable vulnerabilities that could cast doubt on election outcomes, to a pandemic preventing in-person voting in the interest of public safety.

    August INSIGHTS

    Panacea or Placebo? Business Interruption Insurance (and Vulnerable VPNs) in the Wake of COVID-19

    By Shawna McAlearney

    Disaster recovery and business continuity spending is rarely an easy sell to a C-suite always seeking quick quantification of ROI. It tends to be one of the less glamorous expenses of a risk management plan that you hope you will never use. After all, who wants to go through a major fire or flood? And what about a pandemic? If you carry business insurance, will it be the magic pill for COVID-19 business losses?


    The Real Threat to the Threat Intelligence Community

    By Thomas McNeela, CISSP

    If you’re an information security professional, you’ve likely at some point had to weigh the pros and cons of establishing a threat intelligence program at your organization. In my opinion, such a program can be valuable — if you know how to operationalize it. However, some of the common poor practices in the threat intelligence community today hinder the overall benefits that can be gained from participating in it. The following are some of the top grievances and how to address them.

    April INSIGHTS

    Building a Cybersecurity Team: 5 Keys to Proper Vetting

    By Jason McDowell, CISSP

    Companies from all industries are looking for qualified cybersecurity professionals to fill the skills gap in their current workforce. Demand is high, and many companies are willing to pay top dollar to those who possess the skills they need. With this high-demand, high-paying environment, what could go wrong?

    February INSIGHTS

    Turning Users into Cyber Heroes

    By Jorge Mario Ochoa, CISSP

    A few years ago, P&G launched a marketing campaign for Colgate toothpaste in which it presented images of couples where male models all had stained teeth. So focused were viewers on the stains that few noticed other oddities in the photos, such as a man missing an ear, a woman with six fingers and another with an extra arm. To them, the stains were more obvious (and shocking) than some serious abnormalities (See below).


    In another example of quiet deception, after the business platform LinkedIn was infiltrated and its database leaked, users received emails about the breach with instructions to change their login credentials. Some of those emails were not legitimate, but users didn’t stop to look for discrepancies in the message or headers. Instead, they blindly filled out false forms that often included the same credentials they used for corporate access at work. That’s how cyber criminals were able to easily break into more networks and compromise additional databases once they’d cracked LinkedIn’s user database.