Staff Articles

Lieberman Software's management and staff frequently contribute to leading IT publications to promote security best practices for the enterprise. A selection of published articles is below.

Doing More With Less in the Age of Sequester
Government Security News
Derrick Dickey

How can federal agencies maintain regulatory compliance and stay abreast of the latest security threats while operating with a reduced IT staff? And how can these agencies secure access to their most sensitive files and applications from former employees and contractors recently furloughed or laid off?

______________________________________________________________________

The SCADA Security Challenge
Help Net Security
Philip Lieberman

SCADA systems should never, ever, be connected directly to the Internet, because they are simply not resilient enough to hook up to the public network. They require the use of advanced layers of security – firewalls, privileged identity management, secure proxies – to be implemented as soon as possible for their defense.

______________________________________________________________________

How to Ensure the Control of Privileged Accounts
Info Security Magazine
Philip Lieberman and Lev Smorodinsky

This article provides an introduction to Privileged Account Management (PAM) and has been translated into Russian. It contains the following sections:

  1. Cyber attacks aim for Privileged Accounts (PA)
  2. Anatomy of the risk of Privileged Accounts: 4As (Actors, Assets, Accounts, Actions)
  3. PA Management (PAM) Maturity Model: At what level is your security?
  4. Secure your home: Do not leave the keys in the locks

______________________________________________________________________

Going Rogue
Professional Security Magazine
Philip Lieberman

Do you have a rogue employee? It seems that stories of employees ‘going rogue’ are always in the press – but how can companies stop them before they make the headlines? Do you even know if you have a rogue employee? If you’re a large multi-national organization, the laws of probability aren’t in your favor. Add to the mix a person who’s earning minimum wage, handling data that has a retail value on the black market and the temptation might, one day, just prove too much.

______________________________________________________________________

The Pros and Cons of Security Appliances
Security Daily
Derrick Dickey

That’s right, security appliances – firewalls, intrusion detection, UTMs and the like – have some little-known security issues that create some very large vulnerabilities.

______________________________________________________________________

Five Common Practices that Lead to Failed IT Compliance Audits and Security Breaches
Computerworld UK
Jane Grafton

In recent years we have witnessed more and more organisations fail to adequately secure their systems. When examining the evidence, there are common practices that have led to these failed IT compliance audits and security breaches. How many of the top five are you guilty of?

______________________________________________________________________

Low Hanging Fruit of IT Security
Professional Security Magazine
Chris Stoneff

As companies continue to struggle in today’s difficult economy, cutbacks affect all sectors of organisations. Unfortunately, IT security solutions are often not spared from the chopping block – a risky and short-sighted decision if you ask me...

______________________________________________________________________

How to Get Promoted in IT Security
Help Net Security
Philip Lieberman

It seems like hardly a day goes by without a data breach making the news — be sure that your company is not making the headlines for all the wrong reasons by doing everything within your power to protect your data.

______________________________________________________________________

Running Lights Out Management Without Putting Your Organization's Lights Out Permanently
Continuity Central
Philip Lieberman

Recent reports highlight that IPMI may have some fundamental flaws if it is not installed and managed properly, and that hackers might be able to use it to infiltrate the network even if the device is turned off.

______________________________________________________________________

Blind Belief or Ignorance
RFP Connect
Jane Grafton

While some might argue that ignorance is bliss, when an organization’s security hangs in the balance remaining clueless isn’t a viable option. In this article, Jane Grafton of Lieberman Software dispels five common security myths.

______________________________________________________________________

Guarding against emerging spear-phishing threats
Government Security News
Derrick Dickey

During my service aboard U.S. Navy nuclear submarines, fellow crew members and I traveled the world’s oceans to protect against silent threats. Today, in my role as a security software professional, I'm committed to a different type of defense -- working with software designers who are charged with protecting the networks and highly sensitive data at U.S. Government agencies. We're on the front lines, if you will, of a fight against emerging and persistent cyber threats.

______________________________________________________________________

Privileged Identity 101: Digging for God-Like Accounts
Tek-Tips Forum
Philip Lieberman

When I think about managing identities and privileges within an organization, one of my favorite analogies for the whole privileged identity lifecycle is biblical. Everything starts ‘in the beginning’ with a super user. Whether someone starts with a server or a workstation, creates on-premise solutions for their network infrastructure or builds out a cloud, they’ll always have to start out with an account with god-like power that will control all other accounts accessing that resource going forward in the future.

______________________________________________________________________

IT Security: The Scary New Hacking Trend
Data Center Journal
Philip Lieberman

Starting with Operation Aurora—the brazen 2009 cyber attacks on Google and other large enterprises—through to the recent high-profile data breach that shut down certificate authority (CA) DigiNotar and the recent breach of VeriSign, hackers have learned to exploit a frightening and frequently ignored lapse in network security to gain control of victim networks. Philip Lieberman, President and CEO of Lieberman Software, explains what you can do to mitigate the risks of falling prey to this scary new hacking trend.

______________________________________________________________________

Preventing ITIL Failure in Four Easy Steps
TechWeek
Philip Lieberman

Rather than respond to each unauthorised change, IT management can now take advantage of software that allows them to determine in advance who can change configuration settings, at what time, with the least privileges necessary – while fully documenting the stated purpose of each change. Because this category of software – called Privileged Identity Management (or PIM) – provides an authoritative record of who accessed what system or application, when, and for what purpose, it helps to create a culture of accountability within IT.

______________________________________________________________________

Avoid 'Friend or Foe' Syndrome with your IT Auditor
Infosecurity
Philip Lieberman

In a perfect world, the confidence and communication that exist between an organization and its IT security auditor might resemble the doctor–patient relationship. But when Philip Lieberman examines this critical aspect of IT security, he finds an increasingly troubled history – and makes some suggestions about how both sides can gain more from the partnership.

______________________________________________________________________

Get in Shape: Seven essentials for enterprise security success
Security Products
Philip Lieberman

In a year in which some of the biggest names in both physical and logical security have been named and shamed for security lapses and subsequent breaches, reality is bearing down hard on the IT executive. New threats and risks seem to have bombarded enterprise networks at an unrelenting pace. If your organization is one of the many without a comprehensive, multifaceted security program, now is the time to take your head out of the sand. Antivirus programs and firewalls alone no longer cut it. Hackers and malicious insiders long ago figured out that these elementary safeguards are about as effective as a suit of armor made of tissue paper.

______________________________________________________________________

The Six "Gotchas" of Disaster Recovery
Disaster Recovery Journal
Philip Lieberman

From a business perspective, much of disaster planning revolves around all-important data backup and recovery processes. Whether a disruption is the result of a cataclysmic event or a hardware malfunction, real business continuity cannot be maintained in this digital age without off-site backup. But off-site data backups are no magic solution for disaster recovery. There’s a lot more to the story.

______________________________________________________________________

Five Golden Rules for a Secure Cloud Migration
Virtual Strategy Magazine
Philip Lieberman

Survey after survey has revealed that security is the top concern voiced by prospective customers about cloud computing and its outsourced, on-demand business model. Worries over data privacy may prove to be service providers’ greatest roadblock to new business. In addition, the risks of a data breach seem certain to grow as a service provider’s infrastructure expands and its IT staff becomes more numerous and decentralized.

______________________________________________________________________

Five Tips for Not Getting Fired
British Computing Society
Jane Grafton

A colleague of mine last Christmas declared 2011 as 'The year of living dangerously for IT security officers'. He said that he could see many pitfalls looming this year for the unwary in IT security and that many would end up on the dole. 2011 has indeed unleashed a wave of unprecedented security breaches that have left many people reeling: Epsilon, Sony, WikiLeaks, PBS.org, RSA Security and HBGary Federal to mention only some of the victims.

______________________________________________________________________

Can You Trust Your Cloud Data Center Security?
Data Center Post
Philip Lieberman

The fact that so many cloud providers – large and small – have no interest in managing privileged identities and segregating duties to limit access to sensitive data and systems should give customers pause before putting their most precious data and resources in the hands of many providers.

______________________________________________________________________

Generic accounts are your SIEM blind spot
Computerworld
Philip Lieberman

Data breaches often involve the unauthorized use of highly privileged accounts, and when this happens most organizations are powerless to identify the individuals or processes responsible. The best that can be done is to change a few passwords and wait for the cycle to repeat itself. It's a Groundhog Day experience that's seen in far too many enterprises.

______________________________________________________________________

RSA SecurID Breach - Where Do We Go From Here?
InfoSecurity
Philip Lieberman

The ripples of the recent RSA SecurID compromise event go far and wide and can cause us to question some of the fundamental beliefs we have in vendors and their business models.

______________________________________________________________________

The Five Golden Rules for Success in Outsourcing
DataChain
Philip Lieberman

Outsourcing has worked well for some companies, but it can also lead to business-damaging disasters. The problem is that if outsourcers fail, you're left holding the baby without the resources to care for it. There is little margin for error in choosing an outsourcer, as Lieberman Software found in our recent survey at InfoSecurity 2011. We discovered that 77% of IT professionals surveyed said their outsourcers had made up work to earn extra money...Here are my five golden rules to ensure your outsourcing lifeboat doesn’t sink mid-stream.

______________________________________________________________________

Don't Let the Insider Threat Bring Down Your Organization
Network Centric Security
Philip Lieberman

While awareness about the insider threat has grown over the last few years, a major problem lies in the way companies respond to this information. It’s been nothing more than ineffective security theater. The attitude toward security training is a good example.

______________________________________________________________________

Learning from Sony's Mega-Mistakes
SoCalTech
Philip Lieberman

The Sony breach is a wakeup call for companies to integrate the DNA of security into their IT cultures or pay heavily for the consequences.

______________________________________________________________________

It's a Long Road to a Secure Cloud
Virtual Strategy Magazine
Philip Lieberman

When it comes to cloud computing, the security and compliance landscape is riddled with pitfalls and continues to shift...My opinion is that cloud security, particularly public cloud security, is wholly inadequate.

______________________________________________________________________

Odds Stacked Against Gaming Industry
Casino International
Philip Lieberman

When it comes to handling insider security threats, gaming industry IT professionals face challenges that set them apart from peers in other markets.

______________________________________________________________________

Are outsourcers using in-house knowledge gap as a license to print money?
Computer Weekly
Jane Grafton

If Dave had just picked up the phone and given me a call I’d have been able to tell him that manually trying to manage his privileged accounts was just a money trap and wouldn’t work. By automating the process, within a week his privileged identities could be under control and managed going forward – without a contract negotiation in sight. 

______________________________________________________________________

Security Secrets Your IT Administrators Don't Want You to Know
Info Security Magazine
Philip Lieberman

As valued members of your organization, IT administrators work every day to keep your infrastructure up and available. But in today’s rush to contain operational costs, your IT administrators could be taking more shortcuts than you’d expect. And perhaps no aspect of IT suffers more from cutting corners than security. Here are five facts about IT security that your administrators probably don't want executives and employees to know.

______________________________________________________________________

5 Reasons Why Privileged Identity Management Implementations Fail
Virtual Strategy Magazine
Philip Lieberman

As veterans of the privileged identity management (PIM) field, my colleagues and I hear some unsettling stories from organizations whose privileged identity management deployments did not provide the expected business value. We’ve also heard from organizations whose purchases led to years of expensive service engagements yet never delivered the agreed scope of work. 

______________________________________________________________________

Security is About Compliance, Not Trust
Virtual Strategy Magazine
Philip Lieberman

The word “trust” appears in the tagline for a great many security products and services. But in the business world what we often tout as trust simply boils down to an acceptance of risk and the expectation that we can transfer liability to other parties should that trust be broken. I contend that there is no place for the concept of “trust” in IT security. Examine a history of security breaches and you’ll see countless times when trustworthy past behavior fails to predict future actions.

______________________________________________________________________

How to Stop Your Staff from Using Weak Passwords
Business Computing World
Chris Stoneff

Passwords have been with us since before the age of the desktop PC, but administrators and their users need to rethink their password security policies if they are to be truly effective. 

______________________________________________________________________

Legislation a Good First Step to Cybersecurity Leadership
SC Magazine
Philip Lieberman

A year can make a big difference in technology – and in politics. A year ago, the federal government was failing badly at establishing a leadership position in cybersecurity. Interim cybersecurity czar Melissa Hathaway had resigned amid delays to appoint a full-time federal director. The politicians were thinking about anything but the defense of our nation's computing infrastructure. And the attacks kept rolling in. Fortunately, things for the good guys have improved.

______________________________________________________________________

Best Practices for Watching the Watchers
Enterprise Systems Journal
Philip Lieberman

The simple truth is that today virtually all IT staff enjoy anonymous, unaudited, 24/7 access to your data center applications, computers, and appliances through use of privileged account credentials. More IT auditors are beginning to notice that this lack of accountability has brought organizations out of compliance with key industry mandates -- SOX, PCI-DSS, HIPAA, and others. The bad guys have also taken notice, exploiting these all-powerful and often poorly secured credentials in many of the latest, headline-grabbing breaches that include the attacks on Google and other U.S. technology firms. 

______________________________________________________________________

Accountability and Transparency: Keys to Security in the Cloud
Virtual Strategy Magazine
Philip Lieberman

Safeguarding a cloud infrastructure from unmonitored access, malware and intruder attacks grows more challenging for service providers as their operations evolve. And as a cloud infrastructure grows, so too does the presence of unsecured privileged identities – those so-called super-user accounts that hold elevated permission to access sensitive data, run programs, and change configuration settings on virtually every IT component. 

______________________________________________________________________

Security Training Alone Won't Solve the Negligent Insider Threat
SC Magazine
Philip Lieberman

Today, if your organization runs a network, you're a target for attack. We may never eliminate the threat but with a sound, layered security approach we can do much to reduce its potential impact. And when it comes to mitigating the risks of negligent insiders, organizations need to move beyond basic training and look for ways to limit the damage.

______________________________________________________________________

Credit Card Data Security: Who's Responsible
Network World
Philip Lieberman

If the U.S. government were to mandate that credit card issuers be responsible for losses due to fraud that inherently stems from the use of static credit cards, the transition to Smart Card technology would be a de facto decision and this type of crime and liability would be eliminated in less than a year. Until the government mandates a change in liability and an improvement in technology, the beating of the innocent (Heartland and others) will continue. 

______________________________________________________________________

Mismanaged Privileged Accounts: A New Threat to Your Sensitive Data
Tek-Tips Forum
Chris Stoneff

With no end in sight to new vulnerabilities that appear in desktop applications, web services, operating systems and even network appliances, how can organizations safeguard their most sensitive data from attack?

______________________________________________________________________

How GRC Principles Measure Security and Accountability
Information Systems Security
Philip Lieberman

The mismanagement of privileged passwords (also known as privileged accounts and privileged identities) is only the tip of the GRC iceberg, but it is an excellent illustration of why mandated GRC exists and of the repercussions when it does not. Effectively, the privileged password problem stems from the fundamental issue that most organizations provide too much access, to too much data, on too many systems, for too long, with no accountability and no controls.

______________________________________________________________________

Understanding Shared Account Password Management
TechNet Magazine
Chris Stoneff

The issue of shared account password management must be addressed. This means you should obtain a method of reliably and regularly changing your passwords. The solution must be scalable and flexible. It must also provide secured access to the passwords, and it needs to audit every action taken by the tool as well as every action taken by every user of the tool. In addition, the passwords generated need to be unique on every system in order to avoid a break-in due to shared account information.