Encryption is a measure to enhance security because it can protect files and data. It is important, but alone, it definitely doesn't make a system secure. A system is as secure as its weakest component. If the component resides behind the encryption layer (which usually is the one where the data leaves or enters the system), then the Integrity and possibly Availability of the data is compromised, despite the fact that it is transferred encrypted. And if this happens, the compromised data is going to be transmitted encrypted, so very secure, but nevertheless compromised. Continue reading

It is no secret that the cyber criminals are where the money are. If the targets are easy to breach, it is even better since this improves the ratio effort/outcome for them. Usually, small to medium size companies are preferred targets because they fit in this category: they do have money, more than the private users, and are very easy to infiltrate. The tips below help these companies not only to survive in the cyber world, but also keep the attackers away. Continue reading

Characteristics that make a security practitioner an expert in his field: Advanced theoretical knowledge proven by international certifications Practical experience in applying security Ability to communicate with all levels, according to their level of understanding, from board level to end-user Ability to find solutions which are not in books and prioritize them Ability to view the risks beyond the obvious and act upon - be proactive and not reactive Ability to choose a solution which represents a fair trade-off between security and usability Continue reading

I've been asked a lot of times, especially when I was working for an antivirus producer, why can't we simply write a software that always protects the users. Well, there is a short answer and a long answer. Short answer: Because 100% security does not exist and because most people are hackable due to being ignorant on what security is (of course, until he/she is hacked first time, and sometimes not even after such an event). Long answer, which I massively shortened by not touching all areas and not going into details: The reason is the ignorance about everything that... Continue reading

The problem of Oracle is that they bought a technology that was stretched out to be actually “write once, run everywhere”. The Virtual Machine that provides this functionality had to be ported to all devices, and lately (in the past few years) also on mobile devices. As written in the news, even if the “run everywhere” meant initially “run on every platform” – so cross platform - this concept has been now extended to actually run on platforms used by mobile devices as well (ubiquitous computing). During the last years, Java evolved while it has been ported to the new... Continue reading

As security professionals, we are continuously facing the challenge of smaller and smaller budgets allocated to maintain and improve the IT security. That’s probably the main reason why there is always the temptation of “Free”. Many people, sometimes even professionals, think that they can achieve a good security for free. “For free” means in this context that some programs used to achieve and improve security don’t cost any money to acquire. Unfortunately, the analysis of the costs stops at the acquisition and it ignores other costs like the installation and maintenance costs. But, is it possible to cover all the... Continue reading