Welcome to another edition of our Weekly Rewind – where we summarize all our posts from the last week. The top stories this week were 3) “Fukushima: Incident Response Done Right”, 2) “You Probably Already Have Most of the Security Tools You Need”, and 1) “No Clear Solutions in the Cybersecurity Hiring Crisis”. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier … you can also use this rewind post to talk about the security stories in the news that we haven’t covered.
Video of the Week – How Forced Expiration Affects Password Choice: Bruce K. Marshall delivered this great presentation discussing the history, research, and his thoughts on the “best practices” for password expiration at the Passwords 14 conference earlier this month in Las Vegas, NV. From the abstract – “Forcing users to regularly change passwords has become a standard practice for corporate networks and some web sites. But does it actually improve security or lead to more guessable passwords?” Know of good videos we should feature? Let us know in the comments below. (continued here)
Fukushima: Incident Response Done Right: One of my favorite podcasts isn’t on the topic of information security. It’s Harvard Business Review’s IdeaCast. I love the discussions with business leaders and creative thinkers, because it often provides me with a better understanding of the organizations I work for. So color me surprised when the weekly show covered the Fukushima meltdown from 2011. Most don’t realize that there are two nuclear power plants in Fukushima: Daiichi, which suffered a meltdown, and Daini, which didn’t. The lessons learned from how these two plants dealt with the aftermath of the tsunami are a master class in the importance of good leadership for incident response. (continued here)
What Exactly Are Levels 1 – 5 Data that Amazon Can Now Process?: If you have been following the news recently, you may have heard Amazon’s GovCloud just achieved provisional authorization to handle data at security impact levels 3-5. And earlier in the year, they gained approval for levels 1 and 2. News outlets are reporting that GovCloud can now process data just one step below classified information, which requires at least a level 6. (continued here)
How’d You Like to Give a Hand?: Some days the business of information security just makes me tired. The drudgery of compliance, the constant losing battle against malware, navigating the politics of organizations; I begin to wonder what it’s all for. Then I find something that makes me remember why I got into technology. (continued here)
You Probably Already Have Most of the Security Tools You Need: Tools – information security is fecund* with them, but it never seems like we have what we need. So what’s a poor security analyst supposed to do? In a recent two-part article, I discussed the built-in security functionalities of many common products in our organizations and how we can use them for security. (continued here)
No Clear Solutions in the Cybersecurity Hiring Crisis: Here’s an excellent post on the infosec worker shortage by Violet Blue the other day with comments from the likes of Richard Bejtlich, James Arlen, and Chris Hoff. It’s like the Cybersecurity Dreamteam … but even they can’t offer any clear solutions. (continued here)
New HTTP Shaming Site Motivates Security Improvements: A few weeks ago we wrote on how cleartext is dead and soon after that we came across the rise of HTTP Shaming. The site offers visitors the ability to submit websites that use HTTP when performing sensitive transactions (e.g., authenticating). Ironically, HTTP Shaming itself is hosted on Tumblr, which doesn’t seem to use HTTPS. (continued here)
Hope everyone had a wonderful week! Have a great weekend!