Letters

I am a longtime cybersecurity person. Every month when SC Magazine gets delivered, I tear out a few articles to study, pass around to friends, or scan for future reference. Most months there are a few pages that get ripped out. Last month, there were more pages ripped out than got recycled with the trash. Great information which will be very helpful in my job hunt. June was an excellent issue. Thanks for an excellent magazine.
Mark Goldstein

In response to a July 19 news story, “United States lacking adequate cyber workforce”:
 
I couldn't agree more because I'm interviewing the organizations that need more cybersecurity expertise, but they can't find it. I speak with SMEs who talk a lot about the dangers in cyberspace...but not the risk reduction answers. I'm glad that our association offers classes in cybersecurity, but we're only the tip of the iceberg. More needs to be done to encourage young people to go into science, technology, engineering and mathematics in colleges by proving to them that they will find a job after graduation. Thanks for sharing this information with so many people.
Maryann Lawlor, executive editor, SIGNAL Magazine

In response to Editor-in-Chief Illena Armstrong's editorial in the June issue, “Cautiously optimistic on cyber chief”:

The government, industry and security vendors can probably partner together on education. They'll be able to partner together on some degree of assistance. In the denouement, what will still be lacking will be prosecution of the perpetrators if and when they're identified and caught. That's still going to require global cooperation. To date, that's been lacking.

Another major question is what the federal government will do if some “arm” of a foreign government is the culprit behind the cyber emergency. Will they play hardball?
Craig Kensek

In response to “Laughing at adversity in security,” by Lysa Myers, West Coast Labs:

You write: “The truth is this: Security products have made great strides too. If you update all your pertinent software and employ layered security, it really can be reasonably safe. It is less hip than cultivating a thick veneer of indifference, but I'd say it's worth it.”

But, the truth is: Layering half-baked security solutions equals half-baked security solutions on top of one another. It's still not secure.

Here is a great example: My bank has provided me with a username and password, a challenge/response question, a one-time-password (OTP) token, and an out-of-band phone call to securely access my online bank account. Sounds strong to me. However, my anti-virus/malware software does not detect the Zeus trojan that has gotten into my PC, nor do 60 percent of the anti-malware solutions detect it. So, when I went to log in to my online bank account, I was automatically switched to a fake web page and did not know it, while a hacker somewhere was on my real login page.

The Zeus trojan is a real-time keylogger, so as I entered my username and password, so did the hacker. When I answered my question, so did the hacker. When I typed in my OTP that changes every minute, so did the hacker. Now, since the hacker logged into my account for me, the bank server automatically called my cell and I answered and entered my PIN code.

This completed the secure login process for my online bank account, which should have allowed me access, but instead it allowed the hacker into my account to steal my money. I had layered and out-of-band security, which did not protect my bank account online because these solutions were all “half-baked” security solutions that are no longer strong enough to protect the consumer, yet they are still used by more than 90 percent of the banks.
Yes, there are strong multifactor authentication (MFA) security solutions that will protect the user, but the majority of the banks are not deploying them.
Mike
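An added illustration, not part of Mike's letter or of the magazine's content, of why the relayed OTP was accepted: the bank's check depends only on the shared secret and the current minute, so whichever session submits the code inside that window passes. The second check is an assumed design, a code bound to the payee and amount the customer approved, offered as one form of the stronger MFA the letter alludes to; the secret and transaction values are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by the customer's OTP token and the bank (not a real key).
SECRET = b"demo-shared-secret-not-real"
STEP = 60  # the letter's token changes every minute


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238-style time-based code: it depends only on the secret and the minute."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def bank_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    """Bank-side check: it cannot tell who typed the code or which browser sent it."""
    return hmac.compare_digest(submitted, totp(secret, now))


def transaction_code(secret: bytes, payee: str, amount_cents: int, now: int) -> str:
    """Assumed design: the code is bound to the transaction the customer approved."""
    msg = f"{payee}|{amount_cents}|{now // STEP}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def bank_accepts_transaction(secret: bytes, payee: str, amount_cents: int,
                             submitted: str, now: int) -> bool:
    """Bank recomputes the code over the transaction it is being asked to execute."""
    expected = transaction_code(secret, payee, amount_cents, now)
    return hmac.compare_digest(submitted, expected)


def relayed_totp_outcome(now: int, delay: int) -> bool:
    """The letter's scenario: the code is captured and submitted `delay` seconds later."""
    captured = totp(SECRET, now)
    return bank_accepts_totp(SECRET, captured, now + delay)


def relayed_transaction_outcome(now: int, delay: int) -> bool:
    """Same relay, but the customer approved paying 'Landlord'; the other session asks
    for a different payee, so the bank's recomputation no longer matches."""
    captured = transaction_code(SECRET, "Landlord", 50000, now)
    return bank_accepts_transaction(SECRET, "Mule account", 50000, captured, now + delay)
```

The binding only helps if the customer sees the payee and amount the code covers on a device the compromised PC cannot alter; a code displayed by the browser itself can be mislabelled.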

In response to a June 11 News Team Blog post, “When a zero-day is less about the bug and more about the disclosure”:

If these issues are not brought to light, large software makers might not feel a need to expedite the fix.
Luisced

Hello Angela, I just wanted to drop you a short note to let you know how much I (actually we) enjoyed your “APT to attack” article [May 2010]. It was written in such a “keep-you-interested” style and easy-to-understand, informative fashion that I not only stopped everything I was doing to finish reading it, but I then immediately shared it with my associates. They have all stated that your article is a super one. A job well done Angela!

Since my copy of SC Magazine is now starting to look quite worn, I searched and found your article on the SC Magazine website. I will be referring my customers to it so they too may gain a better understanding of the APT threat.

I very much enjoyed reading your APT article and plan to watch for your future articles online. Thank you once again for a superb article.
Alex Sill, BitDefender

In response to an April 20 article on our Canadian site, “Making EHR a reality,” by James Hale:

This is a great article. While many in the United States have criticized the federal government for how it has approached the health IT movement, the detailed approach is in stark contrast to how Canada has blindly approached health IT.

The federal government has invested heavily in creating a nationwide health IT infrastructure, and the security and safety of digitized health information are a top priority, as outlined in the proposed meaningful use criteria.
Nicole


The opinions expressed in these letters are not necessarily those of SC Magazine.