East of Eden

The latest in Windows 10, end user devices and services, cyber security, data center & cloud, and all things IT.

Data Center & Cloud | Cyber Security | Publications & Resources

Protect Your Security Infrastructure: Observe Proper Segregation of Duties

By: Andy Sherman
March 9th, 2016

The following excerpt has been taken from our ebook, The Ultimate Guide to Protecting Your Security Infrastructure in the Broader Data Center.

Observe Proper Segregation of Duties: System administration and security administration are not the same job, and those functions should be done by different people.

Data Center & Cloud | Cyber Security | Publications & Resources

Protect Your Security Infrastructure: Isolate Security Services

By: Andy Sherman
March 4th, 2016

The following excerpt has been taken from our ebook, The Ultimate Guide to Protecting Your Security Infrastructure in the Broader Data Center.

Isolate Security Services on a Protected Network: While the subject of proper network security design over the entire data center will be the subject of a future article, we still need to consider the special needs of security infrastructure here.

Data Center & Cloud | Cyber Security

Data Loss Prevention in 2016 and Beyond

By: Andy Sherman
December 21st, 2015

Digital Guardian asked a bunch of security experts (including me) for their predictions on where the Data Loss Prevention (DLP) market was going in 2016 and beyond.

Data Center & Cloud

SSL, Again

By: Andy Sherman
November 4th, 2014

Let's start with a story. We recently were estimating the effort to fix up a client's audit findings, when I read "update web server configurations to upgrade SSL support from SSLv2 to SSLv3." To be fair to the auditor, the findings were probably reported before the vulnerability I will describe below (POODLE) was announced. However, SSLv3 was already viewed with suspicion, and had to be disabled if a system needed to be FIPS 140-2 compliant. While not every system needs that, it's indicative that SSLv3 is disallowed from the standard. (By the way, the auditor was correct that SSLv2 needed to be disabled. In addition to its many weaknesses, SSLv2 is not compliant with either FIPS 140-2 or the PCI DSS.)

Moral: the fact that one version of a protocol is bad doesn't make the next version acceptable.

A recent announcement describes a new vulnerability in SSLv3 (CVE-2014-3566) when using ciphers operating in cipher block chaining (CBC) mode. Because of how SSLv3 handles the block structure and pads out plain text to the block size, it is possible to construct attacks that manipulate padding to disclose plain text.

Data Center & Cloud | Cyber Security

Dropbox: The Hack That Probably Wasn't

By: Andy Sherman
October 14th, 2014

There is a lot of attention on the posting of Dropbox user name and password combinations on Pastebin. The posters claim that the 400 accounts posted are just the first installment of almost 7 million that they hold. Spot checking by security researchers indicates that they are genuine (although a follow-up dump was not). Dropbox has issued a statement that their servers were not hacked:
