Showing Blog Posts: 1–10 of 12 by Wendy Nather

Wendy Nather

Retail Cyber Intelligence Sharing Center (R-CISC)

  • The Customer Threat

    by Wendy Nather on October 17, 2016

    For Cyber Security Awareness Month, we’re taking a closer look at cybercrime, and what organizations can do about it. To address cybercrime, you need both prevention and detection. That’s an obvious-sounding platitude, and it’s not as helpful as it could be, despite it being true. The biggest problem when it comes to detection is that skilled attackers will look exactly like authorized users. …

  • The Longevity Challenge in Infosec

    by Wendy Nather on October 4, 2016

    In a recent BankInfoSecurity article, U.S. Federal Chief Information Officer Tony Scott was quoted as saying one of the main factors behind the OPM breach was the tendency of Congress to “fund civilian agencies to maintain their information systems, not to modernize them.” This is endemic both in the public sector and in other organizations below the security poverty line, which I started writing…

  • Dissed by NIST

    by Wendy Nather on August 19, 2016

    In the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management—and isn’t that a mouthful, even if you’re reading silently to yourself?—the authors have come out with the following bombshell: Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider…

  • Your Security Resolutions for 2016

    by Wendy Nather on January 14, 2016

    We start the New Year with the best of intentions. We're going to join an ISAC and work out every day; consume only healthy and organic data; clean out our overstuffed Hadoop clusters and get rid of that out-of-fashion data; and measure our performance to match our goals. Oh yes, and we're going to stay within the security budget. But making lifestyle changes is hard, especially in security, where …

  • Getting Ready for the Holiday Hacking Season

    by Wendy Nather on December 7, 2015

    Here at the Retail Cyber Intelligence Sharing Center (R-CISC), we're bracing ourselves for one of the busiest times of year — not just for retailers, but for criminals. Of course, not all retailers see huge increases in sales volume right now (when's the last time you got a tire as a present?), but for many, this is a critical period. During peak shopping windows, availability is everything. If a…

  • The Case for Researcher Self-Regulation

    by Wendy Nather on October 29, 2015

    We're all familiar with the attacker versus defender dynamic, and how it plays out culturally in the security industry -- just say the word "cyber" and see who winces, for example. But it all used to stay "in the family," where red and blue team activities were confined to security professionals, either within security vendor companies or within organizations that had their own security staff. …

  • Glass Houses are Cheaper: the Case for Transparent Pentesting

    by Wendy Nather on September 16, 2015

    When you engage an external company to do vulnerability assessments and penetration testing, you have a few options on how to scope it. Here are some of them: Win/lose engagement: either they get in, or they don't. In a previous life, I bought pizza for the consultants if they got in during the annual pentest. For four years I bought pizza, and then in the fifth year my wallet finally got a break. …

  • Gossip to Grownup: How Intelligence Sharing Developed

    by Wendy Nather on August 5, 2015

    From an evolutionary standpoint, there was probably not much difference for cavemen between saying, "Watch out for that saber-toothed cat," "Don't eat those berries," and "Don't get Gerf mad; she swings a mean tree branch." It was all about sharing information about threats. And we're still working out how to do that today, based on the new types of threats to our businesses, our social standing, …

  • When Data Classification is a Mistake

    by Wendy Nather on June 29, 2015

    Classifying data is such a given that it's often one of the first things that security professionals recommend when launching a program. If you don't know the criticality of your data and where it's located, the conventional wisdom goes, then how can you assess the risk and decide how to mitigate it? And if you don't know what's most critical, then how can you prioritize your finite resources…

  • Security By Any Other Name

    by Wendy Nather on May 21, 2015

    If you went up to a pharmacist and said, “Hi, I need something to cure a case of the APTs,” what do you think she would recommend? A big issue with the security industry has to do with the way we market and describe security technology. It used to be that products were described by functionality, with point features that were well understood: firewall, anti-virus, anti-spam, web filter, log…

This document was retrieved on Sun, 23 Oct 2016 13:57:51 -0400.
© 2016 EMC Corporation. All rights reserved.