As has been widely reported, Lenovo shipped consumer laptops with software on them that made them vulnerable to a so-called man-in-the-middle attack: the software intercepted inbound web data, decrypted it, inserted advertising, re-encrypted it, issued a new security certificate (signed by a pre-installed “root” certificate) and then sent it along to the browser, which accepted the data as trusted. It works with outbound data, too. Equally bad, because the makers of the malware were sloppy (and why wouldn’t they be?), they used the same certificate on many machines, used a weakly encrypted certificate and used a password that was easily guessable (not cracked, guessed). This created a ready-made entrance for other attackers to insert themselves as a person-in-the-middle and compromise every transaction.
The upshot? The user of an infected machine can have zero confidence that the websites they visit (banks, corporate sites, etc.) are real. Security experts warn that no web-based transaction from an infected machine can be deemed secure.
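The failure mode described above, a root certificate that is identical across many machines and backed by a weak key, is something a defender can look for in a fleet inventory of installed root certificates. The Python script below is an added example, not code from the original post, from Lenovo or from the adware vendor. It assumes a hypothetical inventory export with one record per host and root certificate (host name, certificate fingerprint, subject, RSA key size), and the sample records, the baseline fingerprints and the thresholds are constructed for the example. It flags roots that are not in the organisation's baseline, that use keys shorter than 2048 bits, or that turn up identically on several hosts without being in the baseline.

```python
"""Audit a fleet's installed root CA certificates for the Superfish-style
warning signs: unexpected roots, weak keys, and one root shared by many hosts.

Added example using only the standard library. The inventory format is a
hypothetical export (e.g. something an administrator could build from each
host's machine trust store); all records and fingerprints below are constructed.
"""
from collections import defaultdict

# Assumption: fingerprints of the roots the organisation expects to see.
# Values are constructed placeholders, not real certificate hashes.
BASELINE = {
    "aa11": "Example Public Root CA",
}

MIN_KEY_BITS = 2048       # assumption: anything shorter is flagged as weak
SHARED_THRESHOLD = 2      # assumption: a non-baseline root on this many hosts is flagged

# Constructed inventory: three laptops, two of which carry the same
# non-baseline 1024-bit root (the pattern the post describes).
INVENTORY = [
    {"host": "lt-001", "fingerprint": "aa11", "subject": "CN=Example Public Root CA", "key_bits": 4096},
    {"host": "lt-001", "fingerprint": "bb22", "subject": "CN=Adware Root Authority", "key_bits": 1024},
    {"host": "lt-002", "fingerprint": "aa11", "subject": "CN=Example Public Root CA", "key_bits": 4096},
    {"host": "lt-002", "fingerprint": "bb22", "subject": "CN=Adware Root Authority", "key_bits": 1024},
    {"host": "lt-003", "fingerprint": "aa11", "subject": "CN=Example Public Root CA", "key_bits": 4096},
    {"host": "lt-003", "fingerprint": "cc33", "subject": "CN=Local Dev CA", "key_bits": 2048},
]


def audit(inventory, baseline, min_key_bits=MIN_KEY_BITS, shared_threshold=SHARED_THRESHOLD):
    """Return a list of findings, one per suspicious root, sorted by fingerprint.

    Each finding carries the fingerprint, subject, the hosts it was seen on and
    the list of reasons it was flagged.
    """
    hosts_by_fp = defaultdict(set)   # fingerprint -> set of hosts carrying it
    info_by_fp = {}                  # fingerprint -> one representative record
    for rec in inventory:
        hosts_by_fp[rec["fingerprint"]].add(rec["host"])
        info_by_fp[rec["fingerprint"]] = rec

    findings = []
    for fp, hosts in hosts_by_fp.items():
        rec = info_by_fp[fp]
        reasons = []
        if fp not in baseline:
            reasons.append("not in baseline")
        if rec["key_bits"] < min_key_bits:
            reasons.append(f"weak key ({rec['key_bits']} bits)")
        # A shared root is only interesting when it is not one we deployed ourselves.
        if fp not in baseline and len(hosts) >= shared_threshold:
            reasons.append(f"identical root on {len(hosts)} hosts")
        if reasons:
            findings.append({
                "fingerprint": fp,
                "subject": rec["subject"],
                "hosts": sorted(hosts),
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["fingerprint"])


if __name__ == "__main__":
    for finding in audit(INVENTORY, BASELINE):
        print(f"{finding['fingerprint']}  {finding['subject']}")
        print(f"  hosts:   {', '.join(finding['hosts'])}")
        print(f"  reasons: {'; '.join(finding['reasons'])}")
```

On the constructed inventory the script reports the 1024-bit "Adware Root Authority" root on two hosts with all three reasons, and the single-host "Local Dev CA" root only as absent from the baseline. An inventory of this kind cannot tell you whether the private key behind a root is extractable from the shipped software, which is the guessable-password problem the post mentions; that requires examining the software itself. The key-size and host-count thresholds are assumptions to be tuned per environment.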
Continue reading “What the Lenovo Malware Debacle Means” →