Will 2016 Be a Better Year for Cyber Security?

2015 was a big challenge for cyber security. There were a lot of fireworks, with high-profile targets and attackers making headlines. So now we can ask: will 2016 be a better year for cyber security? What are we, both end users and the security industry, going to do to make 2016 a better year? Our 2016 predictions made bold claims about what will happen in the next 12 months. We can simply wait for these to happen, or we can prepare ourselves before they do. We just have to remember that cyber security is as much about prevention as it is about limiting the effects of attacks, so we need to do our part in the process. One thing is certain: the security industry will deal with ransomware, and a lot of it. People ask whether paying the ransom is a good or bad idea. If...
Encryption Works – Don’t Break It!

Every now and then, an ill-informed politician will stand before a microphone and say something along the lines of: encryption is helping the bad guys (terrorists, child pornographers, or some other similarly acceptable target), because law enforcement can’t see what the bad guys are doing when they use sophisticated tools that rely on encryption. Said politician will then urge tech companies to “work with us” to help catch these bad guys. This constant demand for encryption backdoors no longer surprises me. It comes from a misunderstanding of what encryption is: it is not some magic piece of code that can do whatever the programmer wants it to do. It is a tool defined by mathematics; in short, it can only do what the math allows it...
Defending Critical Systems: Does It Have To Be “Smart”?

Everywhere I go, it seems that “critical” systems are being attacked. Earlier this year people were talking about whether planes could be hacked. We’ve talked about whether smart grids can be hacked, too. Just a week or so ago, LOT Polish Airlines was almost completely grounded by a distributed denial-of-service (DDoS) attack. In many cases, these critical systems turn out to have been built on off-the-shelf open-source software. Almost a decade ago, I said that open-source software was safer. While that has turned out to be mostly true, more recent issues like Heartbleed and Shellshock have shown that open-source software has its own problems, too. Non-technical people may ask: “Why did nobody spot these problems earlier? Are we software developers...
The Internet of Things: Whose Data Is It Anyway?

Everywhere you look, it seems that everything is becoming “smart”. On my wrist, I frequently wear a smart watch that monitors how many steps I take, what my heart rate is, and so on. At home, a smart thermostat can be controlled via an app, or even be programmed based on my own behavior. I can even have a camera that will either let me see who’s at the door, or let me talk to my cats while I’m in the office. All of these devices are generating one thing: data. The smartwatch is keeping track of my health data. The thermostat is keeping track of what’s going on inside my home. The cameras are keeping track of what they see and when they are turned on. A lot of this data is passed on to the providers of these services, who frequently say those services are “free”. This may...
Defending Your Organization From Insider Attacks

If you’ve read enough crime novels or seen enough action movies, the plot is all too familiar: an insider, acting to correct some slight or insult he or she received years ago, turns against an organization and inflicts significant damage. Sometimes the insider is on the side of the good guys, sometimes the bad guys. This makes perfect sense. An insider knows exactly how an organization does things, what it considers valuable, and how it will respond to an attack. Who would be better placed to carry out an attack than an insider? However, that assumes an “insider threat” is deliberate. Fortunately, most people are not out to destroy the organization they belong to. Most people want the group they are part of to succeed and do well. Unless you’re in an...
Vulnerabilities for Sale

2014 showed that vulnerabilities can be found in any application: both Heartbleed and Shellshock caught system administrators off guard by revealing that open-source server software could have severe vulnerabilities as well. The reality is that making software free of vulnerabilities is difficult and expensive, if not completely impossible. For every thousand lines of code, you can expect to find 15 to 50 errors of some kind. Maybe you can get that error rate down for truly critical applications like space exploration, but that adds time and money to the cost of software development. Despite those costs, developers need to do a better job of creating secure products. Changes in how software vulnerabilities are found and disclosed mean that the...