An Ignoble Experiment

eBrief | Making BYOD Work: 4 Critical Strategies for Midmarket and SMB Companies

Happy Tuesday, everyone. Please patch all systems having anything to do with the Web.

Microsoft's Patch Tuesday releases this week focused on Internet Explorer, addressing 26 'critical' vulnerabilities. Included on that list is one problem that had already been disclosed publicly, and one that Microsoft said is likely being exploited.

ThreatPost's Michael Mimoso points out several other recent announcements from Microsoft indicating that IE security needs tightening up. The company is shortening the window of time for support of older versions of the browser to 18 months. IE versions 6 through 8 lack certain memory protections that have been added since, so Microsoft wants to clamp down on usage of those more vulnerable versions.

Microsoft also announced last week that IE will start blocking the usage of older ActiveX controls, including those used in outdated versions of Java.

Just to keep you on your toes, Adobe also advised patching a total of eight critical flaws in its popular Flash, Acrobat and Reader products. Security vendor Kaspersky Labs reportedly identified one vulnerability that is being actively exploited in isolated cases.

" The vulnerability allows attackers to escape the sandbox protection of Reader and Acrobat X and XI in order to execute code with elevated privileges on the Windows platform," reports Lucas Constantine of IDG News Service.

For more:
- Read ThreatPost's Patch Tuesday writeup
- And Constantine's coverage of Adobe issues

More on patching and vulnerabilities:
Heartbleed scan shows most large companies still vulnerable
Android Fake IT flaw increases BYOD risks (FierceMobileIT)
IoT stands for 'Increase of Threats' for many CIOs (FierceMobileIT)

Read more about: Patch Tuesday, Adobe
back to top

This week's sponsor is GLOBO.

Bring-your-own-device (BYOD) can be a blessing for mid-size and small businesses. But getting the real payoff requires some attention to details that may differ from those at large enterprises. This FierceMobileIT eBrief provides practical advice for making BYOD work. Download today.

2. Tennessee firm sues bank over money lost in cyberheist

By Derek C. Slater

Comment |

Does your bank have to help you prevent fraud?

That's a question at the heart of a lawsuit filed by TEC Industrial against TriSummit Bank.

As first reported by Brian Krebs, a May 2012 account takeover by Russian cybercriminals drained more than $300,000 out of TEC's accounts at TriSummit. TEC (called Tennessee Electric Company at the time) was able to reverse numerous transfers but ultimately lost $192,656 to the attack.

Krebs alerted TEC to the problem on May 10, 2012 after speaking with a money mule who indicated receiving funds from the accounts.

Now TEC seeks to recover those damages from the bank. The complaint is filed with the Sullivan County circuit court in Tennessee.

This is not the first such lawsuit filed against banks for similar reasons. Krebs notes that decisions to date 'have been weighted heavily' in favor of the banks. Computerworld's Jaikumar Vijayan provides some details of two US Court of Appeals decisions in recent months, one (from the Eighth Circuit court) favoring the bank, and the other (from the First Circuit) decided for the plaintiff, a Maine-based construction company.

For more:
- Read Krebs' analysis of the lawsuit
- See the formal complaint
- Read Computerworld's coverage

More on cybercrime and the law:
Delaware firms must destroy consumer records, new law says
Most plaintiffs dismissed in SAIC's case of unencrypted backup tapes
33 lawsuits against Target over data breach will be heard by one Minnesota judge

3. Yes, but what KIND of education do infosec pros really need?

By Derek C. Slater

Comment |

In a recent column posted by Dark Reading, Hord Tipton--head of industry association (ISC)2--says infosec pros need four things to 'close the talent gap' in the battle between security and hackers. Thing One is education.

Fair enough. However, Tipton doesn't offer a lot of specifics other than to say "continuing education and training in order to stay ahead of ever-changing security threats."

So what specific educational background might make information security professionals most successful--do they need more specific engineering and technology coursework? Or would 18th-century English Lit be more helpful?

The answer doesn't have to be one or the other, of course. And that's a key point argued by Lysa Myers in another contributed Dark Reading piece.

Myers, Security Researcher at ESET who has worked in anti-malware since 1999, has a background in visual arts and finds it makes pattern-recognition 'a quick and intuitive process' for her.

Myers says that while STEM education is (of course) extremely valuable, it may be better when supplemented with more emphasis on writing and design. These capabilities and a general strength in creative thinking can work together with more traditional computer science forms of analytical thinking to equip infosec professionals for success.

"It is my fervent hope that creativity does not get lost in the rush to churn out STEM graduates and employees," Myers writes.

For more:
- Read Tipton's column
- And Myers' piece

More on security education and training:
Abysmal communication between IT and executive teams undermines corporate security
Many firms still in the dark and ill-prepared when it comes to APT attacks
Needed: People skills for IT security pros

4. Why the Blackphone hack at DEF CON was way overhyped

By Derek C. Slater

Comment |