Compliance & Security
Cymbel provides a wide range of services related to automating compliance and reducing security risks. Cymbel uses a four-step process – Assessment, Policy Development, Policy Implementation, Re-assessment. The key to our approach is to gain real visibility during the Assessment process by using automated tools to collect actual operational data. [Continue Reading]
Defense-in-Depth Architecture focused on Applications, Users & Data
The five forces of change have caused Cymbel to rethink our portfolio and assemble a next-generation defense-in-depth architecture focused on applications, users, and data. In addition, many of our solutions have embraced function consolidation or… [Continue Reading]
Five Forces of Change
Changes in technology, threats, compliance requirements, the economy, and our clients’ business needs have been increasing complexity, costs, and security risks. While every organization is different, in general these five forces of change are contributing… [Continue Reading]
Mitigating Modern Malware Risks
During the last several years we have observed dramatic changes in the types of attackers, their goals, and methods.
Today's most dangerous attackers are cybercriminals and nation-states who are stealing money and intellectual property. Their primary attack vector is no longer the traditional network-based "outside-in" method of directly penetrating the enterprise by scanning for open ports and exploiting operating system vulnerabilities.
The new dominant attack vectors are at the application level. The first starts with baiting the end-user via phishing or some other social engineering technique to click on a link which takes the unsuspecting user to a malware-laden web page. The malware is downloaded to the user's personal device, steals the person's credentials, establishes a back-channel out to a controlling server, and, using the person's credentials, steals money from corporate bank accounts, credit card information, and/or intellectual property. We call this the "Inside-Out" attack vector.
The second attack vector is via the web applications you built to better serve your customers and/or suppliers. Despite the adoption of a Secure Development Life Cycle, there are still vulnerabilities that allow attackers to carry out SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery and other application-level attacks.
Cymbel has responded to these changes with a set of twelve best practices to mitigate these risks.
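To make the first of those application-level vulnerabilities concrete, here is an added example (not code from the original page or from Cymbel): a login query built by string formatting, beside the same query written with bound parameters. The users table, the credentials and the injection string are constructed for the example; a real application would also store password hashes rather than plaintext, which this toy deliberately omits to keep the injection point visible.

```python
import sqlite3

# Constructed sample data (not from the page): a tiny users table in an
# in-memory SQLite database standing in for a web application's backend.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The SQL Injection pattern: attacker-controlled text is spliced into the
    statement, so quotes and operators in the input become part of the query."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """The hardened form: the statement is fixed text and the values travel as
    bound parameters, so the database never parses them as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Classic tautology payload. In the vulnerable query it yields
#   WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
# which is true for every row.
INJECTION = "' OR '1'='1"


def demo():
    """Run both login functions against legitimate and injected input and
    return the usernames each one matched."""
    conn = build_db()
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_injected": login_vulnerable(conn, INJECTION, INJECTION),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
        "safe_injected": login_safe(conn, INJECTION, INJECTION),
    }


if __name__ == "__main__":
    for case, matched in demo().items():
        print(f"{case:20s} -> {matched}")
```

Running the block shows the vulnerable function "authenticating" the injection payload as every user in the table, while the parameterized version returns no match for the same input. A web application firewall (best practice 7 below) can catch the common payloads, but the parameter binding is the fix the development team owns.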
Cymbel's 12 Best Practices for Mitigating the Risks of Modern Malware
1. Application-level Positive Enforcement Model Firewall Policy
2. Firewall Management
3. Multi-layer, Application-Aware Threat Prevention
4. Remote and Mobile Worker Protection
5. Application and User Aware Log and Flow Analysis
6. Internal Network Segmentation at the Application and User Level
7. Web Application Protection
8. Encryption
9. Wireless LAN Security
10. Device Visibility, Configuration and Access Control
11. Virtualization and Cloud Security
12. Application and User Aware Full Packet Capture
For more information, see Cymbel's 12 Best Practices.
Bill Frank (Riskpundit) Twitter Feed
- Facebook sues alleged clickjacking firm, Adscend Media. Details are interesting. #infosec | Naked Security - http://t.co/NZuWDvmX about 1 day ago
- #Zscaler introduces #Zulu, a free webservice which analyzes the risk of a particular web resource. #infosec http://t.co/qE84CY6E about 2 days ago
- Video conferencing mistakes make espionage easy, say researchers. #infosec - Computerworld - http://t.co/cSNhXmpa about 2 days ago
- Apache #Shiro - Java app security framework provides authn, authz, crypto, and more. V1.2.0 released. #infosec htttp://goo.gl/RYDMn about 2 days ago
- Database Password Storage Exposes Need For Better ID Management - Dark Reading - #infosec - http://t.co/Z6ZprMDh about 2 days ago
- Final phase of Mass. data protection law (MA 201 CMR 17) kicks in March 1, 2012 #infosec Computerworld - http://t.co/ixcLEBnQ about 3 days ago
- #Symantec admits stolen source code impacts #pcAnywhere; disable if you don't absolutely need it. #infosec SCMagazine - http://t.co/DS01JLDY about 3 days ago
- #NIST issues SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing #infosec | via Informationweek - http://t.co/eWANGnGW about 3 days ago
- Nice summary of consumer risks of online banking by Michael Horowitz. - Computerworld Blogs - #infosec http://t.co/k9jwGaL5 about 6 days ago
- A real world example of the difference between #compliance and #security. #infosec - YouTube - http://t.co/nth4zVRD about 7 days ago
Recent Posts
- Wall St. Journal and NYTimes interest in Information Security
- Adopt Zero Trust to help secure the extended enterprise
- Cyber attacks a top risk says World Economic Forum
- XSS and Verizon DBIR; PCI DSS and anti-malware
- Troy Hunt: 5 website security lessons courtesy of Stratfor
- Third era of Information Security
- Gartner December 2011 Firewall Magic Quadrant Comments
- Water supply system reportedly hacked, with physical damage
- FBI says lax security at Nasdaq helped hackers
- Tor launches do-it-yourself privacy bridge in Amazon cloud
- Branden R. Williams, Business Security Specialist » Where is your Chaos Monkey?
- lcamtuf's blog: In praise of anarchy: metrics are holding you back
- Australia DSD’s Top Four Security Strategies
- Practical SIEM Deployment | SecurityWeek.Com
- Looking for Infected Systems as Part of a Security Assessment
- Controlling remote access tool usage in the enterprise
- Rethinking the balance between Prevention, Detection, and Response
- California Governor Vetoes Bill Requiring Warrant to Search Mobile Phones | Threat Level | Wired.com
- The 20 Controls That Aren't – The Falcons View
- TaoSecurity: TaoSecurity Security Effectiveness Model