Most people find stories like the Uber snooping lawsuit unsettling. Even if you have heard nothing beyond the accusation that Uber used its "God View" tool, as described in a recent series of Forbes articles, the important point is this: Uber collected customer and employee information and used it in a manner well outside reasonable use under California privacy legislation.
“Exhibit A contains customer data collected by Defendant and constitutes Defendant’s confidential, proprietary, and private information about its users — the very existence, content, and form of which are of extreme competitive sensitivity to Defendant in that they demonstrate what data Defendant considers important enough to capture, how that data is stored and organized, and could, individually or in the aggregate, provide Defendant’s competitors with insights into how Defendant views, analyzes and executes certain aspects of its business,” Uber wrote in a court filing.
- Details
- Category: Risk Management & Analytics
The Hackers – Time Magazine person of the year runner-up, and what it means for the rest of us
This last week, Time announced its Person of the Year, and as expected, President-elect Donald Trump got the nod. More interesting was the selection of "The Hackers" as number three. In fact, cybersecurity also touches Donald Trump, the Person of the Year, and Secretary Hillary Clinton, the runner-up, both knee-deep in the conversation and the controversy: Trump with his ties to Putin and the attacks against the DNC, and Clinton with her private email server. 2016 also saw terms such as ransomware, malware and IoT botnet enter water-cooler conversation, and the credit card breaches of past years were eclipsed by an order of magnitude when Yahoo admitted a breach of over 500 million email accounts. Even the Internet itself was not immune: a denial-of-service attack in October cut off connectivity to many well-known web properties.
- Details
- Written by David Ginsburg
- Category: Trending in Security
The first step in building a secure infrastructure is to understand the threats. A threat is a potential event that gains the attacker something useful: money, bragging rights, or simply the fun of damaging a business's reputation. Threat risk modelling is an essential exercise for categorizing threats and deciding on strategies to mitigate them. One such threat assessment model is STRIDE.
STRIDE is an acronym for six threat categories as outlined below:
- Spoofing identity – An attacker could pose as an authorized user of the system
- Tampering with data – An attacker could add, modify or delete data without authorization
- Repudiation – An attacker could deny an action, or make it impossible to prove that he performed it
- Information disclosure – An attacker could gain access to privileged information
- Denial of service – An attacker could make the system unresponsive to legitimate use
- Elevation of privilege – An attacker could gain privileges beyond those granted to her
The STRIDE model forces you to think about securing your infrastructure from the attacker's perspective: for each component and each data flow, ask which of the six categories applies, and which security property (authentication, integrity, non-repudiation, confidentiality, availability, authorization) mitigates it.
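The following is an added example, not code from the original article, of applying STRIDE systematically. It assumes the STRIDE-per-element mapping used in Microsoft SDL threat modelling (external entities are exposed to S and R, processes to all six, data stores to T, R, I and D, data flows to T, I and D) and a constructed data-flow diagram for a containerised web service; the element names, trust zones and flows are made up for illustration. Flows that cross a trust boundary additionally get a Spoofing entry, because the receiving side must authenticate the sender.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added example, not from the original page. The per-element mapping and
the sample DFD below are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION = "Elevation of privilege"


# STRIDE-per-element: which categories a DFD element kind is exposed to
# (assumed mapping, as used in Microsoft SDL threat modelling).
PER_ELEMENT: Dict[str, List[Stride]] = {
    "external_entity": [Stride.SPOOFING, Stride.REPUDIATION],
    "process": list(Stride),
    "data_store": [Stride.TAMPERING, Stride.REPUDIATION,
                   Stride.INFO_DISCLOSURE, Stride.DENIAL_OF_SERVICE],
    "data_flow": [Stride.TAMPERING, Stride.INFO_DISCLOSURE,
                  Stride.DENIAL_OF_SERVICE],
}

# The security property that counters each category.
COUNTERMEASURE = {
    Stride.SPOOFING: "authentication",
    Stride.TAMPERING: "integrity",
    Stride.REPUDIATION: "non-repudiation (audit logging)",
    Stride.INFO_DISCLOSURE: "confidentiality",
    Stride.DENIAL_OF_SERVICE: "availability",
    Stride.ELEVATION: "authorization",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # key of PER_ELEMENT
    zone: str   # trust zone the element runs in


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


@dataclass(frozen=True)
class Threat:
    target: str
    category: Stride
    countermeasure: str
    note: str = ""


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Return one Threat per (element or flow, applicable STRIDE category)."""
    threats: List[Threat] = []
    for el in elements:
        if el.kind not in PER_ELEMENT:
            raise ValueError(f"unknown element kind: {el.kind}")
        for cat in PER_ELEMENT[el.kind]:
            threats.append(Threat(el.name, cat, COUNTERMEASURE[cat]))
    for fl in flows:
        crosses = fl.src.zone != fl.dst.zone
        note = f"crosses trust boundary {fl.src.zone} -> {fl.dst.zone}" if crosses else ""
        for cat in PER_ELEMENT["data_flow"]:
            threats.append(Threat(fl.name, cat, COUNTERMEASURE[cat], note))
        if crosses:
            # Across a boundary the receiver cannot trust the sender's claimed identity.
            threats.append(Threat(fl.name, Stride.SPOOFING, COUNTERMEASURE[Stride.SPOOFING],
                                  f"{fl.dst.name} must authenticate {fl.src.name}; {note}"))
    return threats


def boundary_crossings(flows: List[Flow]) -> List[str]:
    """Names of the flows that cross a trust boundary."""
    return [f.name for f in flows if f.src.zone != f.dst.zone]


# Constructed sample DFD for a containerised web service (not from the page).
USER = Element("customer browser", "external_entity", "internet")
WEB = Element("nginx container", "process", "dmz")
API = Element("api container", "process", "app")
DB = Element("postgres volume", "data_store", "data")
ELEMENTS = [USER, WEB, API, DB]
FLOWS = [
    Flow("https request", USER, WEB),
    Flow("proxied request", WEB, API),
    Flow("sql query", API, DB),
]


def threat_register(elements=ELEMENTS, flows=FLOWS) -> Dict[str, List[Threat]]:
    """Group the enumerated threats by target, the shape a threat register takes."""
    by_target: Dict[str, List[Threat]] = {}
    for t in enumerate_threats(elements, flows):
        by_target.setdefault(t.target, []).append(t)
    return by_target


if __name__ == "__main__":
    for target, ts in threat_register().items():
        print(target)
        for t in ts:
            print(f"  {t.category.value:<22} -> {t.countermeasure} {t.note}")
```

The output is a starting threat register, not a finished one: each row still needs a human to decide whether the threat is realistic for that element and what specific control (TLS between containers, a read-only volume, an audit log shipped off the host) closes it. The value of the exercise is that no element or boundary crossing is silently skipped.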
- Details
- Category: Docker Container Security
No security means you will likely have no business in the cloud
For an engineer such as myself, who works in cloud computing and is generally excited to be in the middle of nothing short of a "computing revolution", attending AWS re:Invent 2016 is akin to making an annual pilgrimage. Being among fellow travelers in the expo hall, listening to keynote addresses that set the tone for the next phase of cloud computing, and walking past the myriad booths with solutions vying with each other to push the envelope was nothing short of transformational.
- Details
- Category: Security Compliance Platform
THE ISO/IEC 27002:2013 CHALLENGE
ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls
You might think that implementing an ISO 27002 ISMS program is fairly straightforward, and even an easy sell to the business and the supporting enterprise. After all, information security is defined by the C-I-A triad (confidentiality, integrity, availability), the most well-known model for security policy development. Who can resist a tried and true C-I-A triad?
- Details
- Category: Regulatory Compliance
Cloud computing, on its own, is a benign concept, identified as having these five attributes:
- Details
- Category: Security Compliance Platform