New DoD Compliance Regimens Two major compliance regimens, DFARS and NISPOM, ratchet up this month for all DoD contractors and sub-contractors. Many defense contractors are SMBs. These regulations break new ground in terms of the level of cyber security investment and the types and levels of protection expected of contractors. Different compliance regimens, in particular
I just read the article, "U.S. says cybersecurity skills shortage is a myth". To me, this just doesn't seem to mesh with the countless other articles on the skills gap. It definitely doesn't apply to SMBs, in light of my previous post, which asked the question, "What's a small defender to do?" without skilled expertise. That
Do SMB staffing needs count? There's been no shortage of articles about the shortage of IT security expertise. This issue didn't appear overnight. It started to get real attention after a Cisco report estimated one million unfilled positions globally back in 2014. Current estimates cite a figure of 200+k vacancies in the U.S.A. alone.
Finally! Taking the Insider Threat (Semi-) seriously. Security Simplified Summary Compliance regimens continue to drive security spending, but they amount to more of the expected cost of being in business, and of doing business with DoD, which may be a burden to SMBs. New compliance regimens, NISPOM Conforming Change 2 and Executive Order 13587 for Federal government
One thing that the recent Presidential campaigns and debates have accomplished is to intensify the spotlight on the cyber security issue. While neither candidate receives a strong report card on their understanding of this issue, at least they seem to know that it is an issue. So when Donald Trump calls for "crippling attack cyberwar capabilities",
Prevention: you keep using that word... This past week the infosec industry and others took notice of two disturbing events. The first was the huge Yahoo breach, in which 500 million (or possibly more) data records were stolen. The second was a huge DDoS attack on Brian Krebs, a leading investigative reporter of cyber
Back Story Part 2 - Victory! Part 1 took the accepted view that "the Red Team always wins!" and considered some circumstances in which the Red Team may not win, which appears to be a rare occurrence. I also posed the question: if a constrained, limited Red Team always wins, won't unconstrained adversaries always win also?
Calculated Impact of Langsec Design Flaws on Detection Success Part 3 explained why current WAF design flaws limit their ability to detect Web application attacks, using the Chomsky Language Hierarchy and Formal Language Theory. Langsec tells us that current WAF designs based on signatures will miss attacks. Mathematically speaking, all signature-based technologies such as scanning, WAF, IDS/IPS and
Formal Language Theory and Chomsky Language Hierarchy Part 2 presented how Langsec gives us an understanding of the design limitations of current WAFs, and of all signature-based detection, such as AV. In Langsec, decidability matters: in order to have proper attack detection, and therefore security, one needs decidability. The notion of context in language recognition is