Speaking of Security
Speaking of Security is the RSA Blog and Podcast. It features a group of experts in identity management, encryption, privacy, policy, and enterprise security standards.
Copyright: Copyright 2005 - 2008 RSA Security Inc.
Most of us in the security trade work in a group or have a job description that contains (or in some cases, implies) the word 'information' - 'IT Security', 'Information Security', 'Office of the CIO', etc. This naming convention, while a seemingly trivial aspect of our jobs, should really be the primary driver for everything we do. Why? Because virtually everything we do has the ultimate goal of protecting some type of asset that is important to our organization, and that asset is almost always information. This basic truth can be most effectively illustrated by considering what drives the daily requirements of our work - compliance.
We keep hearing from analysts that the cost of compliance should go down each year but unfortunately our customers are telling us the exact opposite. They are continuing to get slammed by new regulations and feel compelled to implement all types of point products & solutions in order to meet immediate needs.
Data-security vendors sometimes get tall orders from customers. Not unheard of are: "I'd like a good digital signature system... with 20-bit keys" and "I want to use one-time pads for encryption... and I need to compress them." But one of the most challenging I've heard was recently offered up by colleagues in the RFID (Radio-Frequency IDentification) industry.
  Thu, 24 Jul 2008 02:00:00 +0200
The first and most important thing when trying to grow a pool of malware-infected PCs is the infection stage. The goal is to infect as many users as possible, as quickly as possible -- and remain undetected for as long as possible.

Neosploit is a brand that could be relied upon to solve that problem rather well. Designed to ease the infection stage, Neosploit is an infection kit which exploits numerous system vulnerabilities and infects PCs worldwide with any type of malware. Neosploit checks "candidate" PCs in order to find vulnerabilities, and once these are found, the PC will be infected with the malware of the criminal's choice.

However, the RSA FraudAction Research Labs recently received information indicating that we may soon see the last of this "Neosploitation".

  Thu, 24 Jul 2008 02:00:00 +0200
Over in the US, Senator Obama has recently been talking about his stance on Cyber terrorism. While there were many interesting points in his proposals, I wanted to home in on his comments regarding the protection of national infrastructure. You don't need to be a technological genius to have figured out that computers pretty much run every aspect of our daily lives these days -- transportation networks, utilities, broadcast information... you name it. It's fair to say, then, that if you could find a way of compromising those computers you could really mess up everyone's day....
  Thu, 24 Jul 2008 02:00:00 +0200
Notwithstanding the fine bloggery that goes on at this site (excluding yours truly of course), there's a bunch of splendid social computing activity going on here at RSA. There's no better example of this than the RSA enVision Intelligence Community.

The Intelligence Community is an online community of RSA enVision customers, partners, systems engineers and product managers. It's getting quite a lot of use too, with interesting new posts around feature requests, tips and tricks and product announcements appearing every day. I was just trawling through it this morning, and I thought I'd pull out a few highlights...

So, in conversations with customers of late, I've observed a steady increase in talk of plans to soon adopt ISO 27002, or active work to get the standard implemented in some fashion. This isn't necessarily surprising, particularly when you're talking with highly regulated companies or those more apt to understand information risk management, overall (e.g., those in banking, insurance and utilities, or more recently, thanks to PCI DSS, retail). Because, as I suspect most would agree (and speak up if you don't!), 27002 provides an incredibly broad and deep view into the types of security controls an organization should at least consider when building a security and information risk management program.

What has certainly come as more of a surprise, though, is...

  Mon, 21 Jul 2008 19:00:00 +0200
Click to Download/Listen (05:51)

New co-host Amanda Van Veen interviews Linda Lynch, RSA® Conference Europe Manager, about this year's Conference in October. Learn about the early bird registration special as well as other helpful travel hints and session highlights. Register today: www.rsaconference.com/2008/europe.


  Mon, 21 Jul 2008 02:00:00 +0200
A couple of weeks ago I posted on the topic of "defining compliance." One of the suggestions raised was that businesses that identify a common control framework, or combination of frameworks, may have an opportunity to significantly reduce costs and redundancies associated with their compliance program. The idea is that rather than approaching each requirement in a silo, and therefore attacking each related security requirement in isolation, it would be better to ensure that the organization is looking more horizontally at the types of security controls that must be enacted in the context of all the requirements that must be met...
  Thu, 17 Jul 2008 02:00:00 +0200
Yes folks, the PCI DSS's first major update since version 1.1 was announced in September 2006 is on the horizon. Unveiled in May by the PCI Security Standards Council, the new version, called 1.2, is due out in October. Over the past few weeks, I've received a myriad of inquiries from merchants and figured this would be a good forum to share some of them...
  Tue, 15 Jul 2008 14:30:30 +0200
So this one's been digging away at me for a while. I just think that the term "Security Information and Event Management" doesn't do the space justice. I'm not talking about the "information" vs "event" debate -- it's the "Security" part of it that I have a bit of a problem with. Log management doesn't really capture the essence of it either, as Greg Shipley pointed out in his recent Network World article, especially since we're dealing with all sorts of asset and vulnerability information too. For a start, labeling these tools solely as security tools sets expectations about what these tools are best at....
  Tue, 15 Jul 2008 02:00:00 +0200
Last Friday I spent the morning in the company of a lawyer from a top international law firm. Once we'd marvelled that the sun had finally deigned to make an appearance over the grey skies of London, our conversation turned to the rather weightier subject of data privacy. We've been doing a lot of work around using ISO 27002 as a framework best practice in developing and deploying a robust information security strategy. As part of that work, I and my "Evangelist" colleagues have taken a stab at mapping various regulations against this "gold standard" in order to help customers understand where overlaps, or indeed gaps, may occur between these various regs...
  Mon, 14 Jul 2008 02:00:00 +0200
Click to Download/Listen (11:11)

With users wanting more real-time, self-service options, many organizations have migrated their services to remote channels including the Internet or Call Centers but these services and benefits come with added risks of fraud and identity theft.  Knowledge-based authentication (KBA) offers customers the opportunity to benefit from remote interactions with stronger security as well as the added convenience of real-time authentication. Learn more in this week's podcast. In other news, we bid a fond farewell to co-host Matt Buckley.


  Tue, 08 Jul 2008 02:00:00 +0200
Virtualization is one of the most hyped technologies in Information Technology today -- and rightly so. It offers the potential to improve utilization, lower cost of ownership of computers, enhance productivity, ease compliance, increase reliability and potentially improve security. Let's explore the last claim. Without a doubt, there is an impact of virtualization on security, and in particular authentication...
  Mon, 07 Jul 2008 17:08:00 +0200
Click to Play

Art Coviello Keynote at EMC World

Art Coviello tells a cautionary tale of the future of security and its impact on business innovation at this year's EMC World. Hear how to avoid the perfect storm by integrating security into the platform and using information risk management strategies.


  Mon, 07 Jul 2008 02:00:00 +0200
I don't want to spend all my time on this blog talking about HMRC (otherwise referred to in the UK as "the taxman"), but a colleague just forwarded me a phishing email he'd received purporting to be from them, asking him to resubmit his personal details as a "new security measure". While in itself there's nothing particularly big or clever about this attack, it's interesting in that it illustrates a couple of key things. Firstly, that sometimes in order for an attack to be successful, timing is everything...
  Thu, 03 Jul 2008 21:30:00 +0200
Please join us in welcoming two more RSA Bloggers. The RSA Compliance Solutions team (which already includes Dave Howell and Brad Davenport) has been joined by Andrew Maloney and John McDonald.

Please take advantage of the comments field to get answers to your compliance-related security queries!

  Thu, 03 Jul 2008 20:00:00 +0200
As an RSA 'Evangelist' with pan-EMEA responsibilities, I obviously take a special interest in what's happening in the information security world that pertains to this region. Last week saw the publication in the UK of the long-awaited Hannigan Report -- detailing the steps that UK Government departments have taken -- and are expected to take -- to mitigate recent data leakage events which have occurred, most notably in the instance of HMRC.

It's a cracking read and one I'd recommend to all insomniacs with a penchant for such topics, but I have to say, I'm actually pretty encouraged by what I read...

  Thu, 03 Jul 2008 19:26:29 +0200
I talk to a lot of security folks about SIEM and log management, and quite often the conversation turns to event correlation. You can spot the people who've never bought a SIEM product, because they start by saying, "Well, I want to know whenever 'x' happens, and then 'y' happens soon after". Admittedly, the situation they cite is usually a real one, and granted, if you do see 'x' and 'y' happening in reasonably quick succession then, chances are, you have a problem. But it's usually not their biggest problem -- in fact, far from it. My favorite is "the guy swiping his badge in Tokyo and then logging on in New York", which I hear time and time again...
  Tue, 01 Jul 2008 02:00:00 +0200
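For readers who want to see what the "x then y soon after" rule from the post above actually looks like as detection logic, here is an added example (not code from the RSA post or from RSA enVision): a minimal sequence-correlation rule run over constructed badge and VPN log lines, using the post's own Tokyo/New York case. The log format, the field names and the user identifiers are assumptions made for this illustration.

```python
"""Added example: an 'x then y within N minutes' correlation rule over
constructed log lines. Not from the original post; format and fields assumed."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs):
# timestamp  source  user  event  location
SAMPLE_LOG = """\
2008-07-01T08:55:10Z badge  alice swipe_in  Tokyo
2008-07-01T09:02:41Z vpn    alice logon     New_York
2008-07-01T09:10:00Z badge  bob   swipe_in  New_York
2008-07-01T09:30:12Z vpn    bob   logon     New_York
2008-07-01T09:35:00Z vpn    carol logon     New_York
2008-07-01T21:00:00Z badge  alice swipe_in  Tokyo
2008-07-02T08:00:00Z vpn    alice logon     New_York
"""


def parse_events(text):
    """Parse the constructed whitespace-separated format into sorted dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, event, location = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source,
            "user": user,
            "event": event,
            "location": location.replace("_", " "),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def correlate_sequence(events, first, second, window, different_location=True):
    """Report each `second` event that follows a `first` event for the same
    user within `window`. `first`/`second` are (source, event) pairs.
    Returns (user, first_location, second_location, minutes_between)."""
    pending = defaultdict(list)  # user -> recent 'first' events still in window
    alerts = []
    for e in events:
        key = (e["source"], e["event"])
        if key == first:
            pending[e["user"]].append(e)
        elif key == second:
            for f in pending.get(e["user"], []):
                delta = e["ts"] - f["ts"]
                if delta <= window and (
                    not different_location or f["location"] != e["location"]
                ):
                    alerts.append((e["user"], f["location"], e["location"],
                                   int(delta.total_seconds() // 60)))
        # Expire 'first' events older than the window so state stays bounded.
        for user in list(pending):
            pending[user] = [f for f in pending[user] if e["ts"] - f["ts"] <= window]
            if not pending[user]:
                del pending[user]
    return alerts


def impossible_travel_alerts(text=SAMPLE_LOG, window_minutes=60):
    """Badge swipe-in followed within the window by a VPN logon from elsewhere."""
    return correlate_sequence(parse_events(text),
                              ("badge", "swipe_in"), ("vpn", "logon"),
                              timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for user, frm, to, mins in impossible_travel_alerts():
        print(f"ALERT {user}: badge at {frm}, VPN logon from {to} {mins} min later")
```

The rule fires only for alice (badge in Tokyo, VPN logon from New York seven minutes later); bob's badge and logon are in the same city and carol never badged in. Two practical caveats the post hints at: the badge system and the VPN must share a user identifier and reasonably synchronised clocks, and a badge-in without a badge-out tells you nothing about where the person is an hour later, so the window has to be short to keep false positives down.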
Many of the merchants I speak with are sharply focused on addressing specific PCI security requirements. While implementing the controls needed to meet the requirements is absolutely critical, I can't stress enough the importance of taking time to aim before firing.

It's no secret that PCI compliance is focused on securing cardholder data and infrastructure. Simply put, you can't secure what you don't manage and you can't manage what you don't know about. Before you go looking for all instances of cardholder data, you must be prepared to find more than expected.

Most merchants are aware of the cardholder data in their database(s). But what about payment applications or payment portals that temporarily store the data? Or customer service reps e-mailing credit card information to confirm or dispute an order?...

  Mon, 30 Jun 2008 02:00:00 +0200
Click to Download/Listen (07:04)

The fear of data leakage through loss, theft or careless use of USB flash drives is rising dramatically throughout the enterprise. This week we discuss the problem and potential solutions with Dror Todress, Senior Manager, Marketing, for SanDisk Corporation’s Enterprise Division, an RSA Secured Partner.


So earlier this year, again in my past life as an analyst, I spoke to a bunch of users, vendors and experts hoping to get some best practices about creating a Security Operations Center (SOC). For Forrester customers, I published my findings here.

To be honest, I originally came at this piece of research as a way to define what the place of a SIEM product in a SOC, so I diligently asked everyone I interviewed what technologies they thought were central to a security operations function. The answers I got were pretty unexpected, and normally started with the phrase "Technology? Oh that's an afterthought."

When we think of a SOC, we often have this picture of a big room, full of people in rows staring at a big screen up front, with monitors in front of them...

  Wed, 25 Jun 2008 02:00:00 +0200
Please join us in welcoming a new set of RSA Bloggers. The RSA Compliance Solutions team--including Dave Howell and Brad Davenport--will be penning a set of blog entries for "Speaking of Security" around the theme of Simplified Compliance. Please take advantage of the comments field to get answers to your compliance-related security queries!
  Wed, 25 Jun 2008 02:00:00 +0200
As part of the RSA Compliance Solutions team I meet with companies all over the world to discuss their security challenges and priorities. Inevitably I spend much of my time discussing ... you guessed it ... compliance.

It is eye-opening to see how differently our customers and partners, as well as folks within RSA, define compliance. From what I've seen, most will immediately gravitate towards the notion of meeting the stated or implied security requirements within governmental mandates, such as Sarbanes-Oxley and HIPAA. In addition, "compliance" certainly conjures up images of the PCI Data Security Standard, which isn't surprising considering how many organizations these requirements impact. What we don't tend to see initially is a broader view of compliance...

  Tue, 24 Jun 2008 02:00:00 +0200
I met with a merchant this morning to talk PCI compliance. Like many of the conversations I've had with merchants, things got a bit more interesting when the discussion focused on cardholder data protection. They joked that the new rev of the PCI Standard, version 1.2 -- due out in October -- would eliminate the data protection requirements. All joking aside, the truth is that data protection isn't going anywhere when it comes to the PCI DSS. While there are other alternatives, such as hashed indexes, truncation and...
  Mon, 23 Jun 2008 02:00:00 +0200
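The two PCI posts above make a pair of practical points: you have to find cardholder data wherever it has leaked (e-mail, payment portals, temporary stores) before you can protect it, and the protection options include truncation and hashed indexes. The following is an added example, not code from either post or from RSA: it scans free text for candidate primary account numbers, keeps only those that pass the Luhn check digit, and shows truncation and a keyed hash index side by side. The sample e-mail text and the HMAC key are constructed for the illustration.

```python
"""Added example: PAN discovery with Luhn validation, plus truncation and a
keyed hash index. Sample text and key are constructed; not from the RSA posts."""

import hashlib
import hmac
import re

# Constructed sample: a customer-service e-mail containing one real-looking
# card number, a reference number that merely looks like one, and a phone number.
SAMPLE_TEXT = """\
From: csr@example.test
Subject: order 10023 dispute
Customer confirms card 4111 1111 1111 1111 exp 09/10 for order 10023.
Reference number 1234-5678-9012-3456 (this is not a card).
Call back on 617-555-0100.
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# glued to surrounding digits or hyphens.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits):
    """Luhn check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return (raw_match, digits) for every Luhn-valid candidate in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append((m.group(0), digits))
    return found


def truncate_pan(digits):
    """Keep the first six and last four digits, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hashed_index(digits, key):
    """Keyed hash for a lookup index. An unkeyed hash of a PAN is brute-forceable
    (the BIN fixes six digits and Luhn fixes one more), so the key is a secret
    that needs the same management as an encryption key."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def redact(text):
    """Replace each discovered PAN in text with its truncated form."""
    out = text
    for raw, digits in find_pans(text):
        out = out.replace(raw, truncate_pan(digits))
    return out


if __name__ == "__main__":
    key = b"constructed-example-key"  # assumption: a real key comes from a key manager
    for raw, digits in find_pans(SAMPLE_TEXT):
        print(raw, "->", truncate_pan(digits), hashed_index(digits, key)[:16])
    print(redact(SAMPLE_TEXT))
```

Only the Visa test number survives: the hyphenated reference number is rejected by the Luhn check and the phone number is too short to match. Expect false positives from any regex-plus-Luhn scanner (roughly one in ten random 16-digit strings passes Luhn), so in practice a discovery run is a list of places to look, not a list of findings.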

Click to Download/Listen (12:39)

Both Gartner and Forrester, two of the leading independent technology and market research firms, recently evaluated data loss prevention (or DLP) vendors in their annual reports on this market. RSA's Data Loss Prevention Suite was named as a leader by both of these firms. Paul Joyal talks about these reports with Tom Corn, Vice President of Products for RSA's Data Security Group. And we continue with another giveaway for Podcast Listener Appreciation Month for all responders to our Authentication Poll! Listen to this week's podcast for the secret word!


  Thu, 19 Jun 2008 02:00:00 +0200
Morning all, Welcome to my new blog, where I'll be musing upon the weird and occasionally fascinating world of security information and event management (SIEM). Before we start, though, people might have a few questions that I'll try to answer right now.

Didn't you used to be an analyst? Yep, I used to cover the SIEM space for Forrester, as well as a bunch of data security and architecture topics. However, all good things must come to an end - I was certainly approaching the end of my shelf life in that world. It was a privilege, though, as I got to spend a huge amount of time talking to people about their security priorities and looking at how that translated into requirements for new tools and ways of doing things. Now I get to help turn these conversations and ideas into something tangible...

  Mon, 16 Jun 2008 02:00:00 +0200
Click to Download/Listen (05:48)

Last week's headline: "RSA, The Security Division of EMC, Expands Identity Assurance Portfolio with Flexible Card-Shaped Authenticator to Provide Convenient Online Security" is the topic of this week's interview with RSA's Rachael Stockton. And we continue with another giveaway for Podcast Listener Appreciation Month for all responders to our Authentication Poll! Listen to this week's podcast for the secret word!


  Mon, 09 Jun 2008 02:00:00 +0200
Click to Download/Listen (08:24)

We continue June with another giveaway for Podcast Listener Appreciation Month! Listen all month long for chances to WIN fabulous prizes... Details are in the podcast for this week's contest. In this episode, Matt Buckley interviews one of our new Speaking of Security Bloggers, Paul Stamp, formerly of Forrester Research, who is now a Senior Manager, Product Marketing, in RSA's Information and Event Management Group. Speaking of SIEM, RSA is positioned in the Leaders quadrant within Gartner's Q1 2008 Magic Quadrant for SIEM.


  Fri, 06 Jun 2008 19:22:32 +0200
So the weekend is approaching and you decide to go to the movies. If you are like me, you probably check your trusted source for movie reviews and then think twice about going if the review is less than favorable. In the IT industry, the opinions of Forrester and other lead analysts carry even greater weight in the eyes of customers than Siskel and Ebert in their heyday. So, we are very pleased indeed to see the June 2008 Forrester Wave™: Data Leak Prevention, Q2 2008 which cited RSA as a leader in the Data Loss Prevention (DLP) product category with our RSA DLP Suite. Some highlights from the report include...
  Fri, 06 Jun 2008 02:00:00 +0200
I've just returned from EMC's annual user conference, EMC World. The attendance at the PCI sessions and the related discussion between many of the 9,000 customers and partners in attendance really underscored the progress that's being made with respect to cardholder data security. One of the issues that came up in nearly every conversation I had, in some form or another, was: "What does PCI compliance really mean?" This question brings up two very important concepts....
  Mon, 02 Jun 2008 02:00:00 +0200
Click to Download/Listen (08:24)

June is Podcast Listener Appreciation Month! Listen all month long for chances to WIN fabulous prizes... Details are in the podcast for this week's contest. This episode also includes an encryption Q&A with Rich Mogull, founder of Securosis.com and formerly of Gartner. Earlier this week he presented "How Encryption and Key Management Solutions Fit into an Overall Information Risk Management Strategy" during part 1 of a 2-part RSA web seminar series on encryption. Watch the full replay here and/or sign up for next week's part 2 here.

  Thu, 29 May 2008 02:00:00 +0200
We often swallow ideas that we needn't or shouldn't. Take the onetime urging of nutritionists to substitute margarine for butter in the cause of cardiovascular health. When this advice was first circulating, most margarines contained high quantities of trans fats, concoctions that have turned out to be so harmful - to the heart, among other things - that they are now banned in restaurants in NYC. Similar dogma applies to the advice to drink eight eight-ounce glasses of water a day for overall good health. Everyone knows the advice. But no one seems to know where the 8x8 rule comes from or if it is good or bad. So what pieces of conventional wisdom in computer security are like margarine and the 8x8 water doctrine? I'd hold forth password expiration as a prime candidate.
  Mon, 26 May 2008 02:00:00 +0200
Click to Download/Listen (07:13)

Paul Joyal interviews RSA's Rachael Stockton and Phil Darringer about how the RSA SecurID software token for BlackBerry and other mobile and portable devices can be used to authenticate to network and online resources. For more information on this technology, visit www.rsa.com and/or download our solution brief, "RSA SecurID® Authentication Solutions for BlackBerry® Devices."

Today's hearing on the security of the United States' critical infrastructure was as spirited a Congressional hearing on cyber security issues as I have seen during my career, and it's clear that key Members of Congress from both political parties are running out of patience and want to see cyber vulnerabilities taken more seriously immediately, in the bulk power industry in particular. In a scathing opening statement, U.S. Representative Jim Langevin (D-RI), Chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science & Technology, said that "I think we could search far and wide and not find a more disorganized, ineffective response to an issue of national security."...
  Tue, 20 May 2008 02:00:00 +0200
Click to Play

A Framework-Based Approach to Regulatory Compliance

In Speaking of Security's 105th security podcast we talk to Dave Howell, Senior Manager Solutions Marketing, about how organizations are turning to a framework-based approach to manage ever-expanding and overlapping regulatory requirements.


The United Kingdom's Information Commissioner's Office received new authority to levy fines on organizations that "deliberately" or "recklessly" violate the U.K.'s "Data Protection Act", or DPA, of 1998. In a little noticed amendment to the Criminal Justice and Immigration Act of 2008, the 1998 DPA was updated to enable the Information Commissioner to impose serious fines on organizations. This change in the UK's data protection law was spurred by a string of high-profile breaches of personally-identifiable information in the U.K. over the last year, including the large-scale data breach at Her Majesty's Revenue and Customs agency...
  Tue, 13 May 2008 02:00:00 +0200
It was another great RSA Conference this year, with interesting workshops, great exhibitor activity, informative sessions and lots of time to network with customers, partners and fellow employees. My flight was cancelled on Sunday, so I missed the Concordia Workshop on Monday, but the Liberty Alliance Workshop was very interesting. Geisinger Health System had a very nice presentation on how they are using federation to provide improved information to health care providers to improve patient care, particularly in emergency room visits. RSA also made a number of exciting announcements...
  Mon, 12 May 2008 02:00:00 +0200
Click to Listen/Download (10:14)

Paul Joyal interviews the President of Corporate Integrity, Michael Rasmussen, about "Developing a Sustainable and Cost Effective IT Compliance Program." For the companion white paper, click here. Other RSA resources on this approach can be found at www.rsa.com/compliance.

  Mon, 05 May 2008 02:00:00 +0200
Click to Play

EMC PowerPath Encryption with RSA

Happy Cinco de Mayo and welcome to the latest Speaking of Security video podcast. Today Host Paul Joyal speaks with Colin Bailey of EMC and Katie Curtin-Mestre of RSA, The Security Division of EMC, about this new scalable solution that leverages RSA Key Manager for the Datacenter.


Kevin Bowers is a Research Scientist at RSA Laboratories. Here are his views on the controversy surrounding REAL ID. What do you think?


I'm getting married this summer and my family will be traveling to the wedding. In order to make the trip, my parents recently renewed their passports. Not because I'm getting married at an exotic destination, but because they live in Montana and have to fly to the wedding. Like several other states, Montana has refused to comply with the requirements of the REAL ID Act of 2005. The Department of Homeland Security (DHS) had threatened to prevent residents from those states from using their state-issued driver's licenses as identification at airport security, effective May 11th. As it happens, the DHS recently granted all states an extension to the May 11th deadline, allowing them additional time to become REAL ID compliant.
  Mon, 28 Apr 2008 02:00:00 +0200
Click to listen or download (6:39)

Paul Joyal interviews RSA's Paul Davilman on What is Sarbanes-Oxley & How is it Applicable to IT Security? For additional information on SOX and IT Security, read more here.

As I mentioned in a blog post in late October 2007, the IT industry and other stakeholders have been calling for the U.S. Congress to pass legislation that would help empower law enforcement to more effectively investigate and prosecute cyber criminals -- while updating penalties in U.S. criminal code so that the punishment fits the crime. It's stunning to me that the Congress has not yet sent legislation to the President for his signature to address this important issue...
  Tue, 22 Apr 2008 02:00:00 +0200
Click here to download/listen (11:23).

In a recent RSA Web Seminar, Juniper Networks' Smitha Murthy and RSA's John Masotta discussed the benefits of an SSL VPN and how best to secure its access with strong authentication. Hear a snippet in this week's podcast or check out the entire replay of the event.


  Mon, 21 Apr 2008 02:00:00 +0200
Today (the date I'm writing this entry) is my birthday. Birthdays are a time of quiet contemplation for me (and quiet desperation for my mother). As I think about the past year and the progress I've made (things are looking good for my long-term goal of spending my old age miserable and alone), I keep thinking of change and how people and things advance. The past year has shown much progress. Women have rejected me, technology products have been launched, iPhones were purchased and even the world of financial crime has not been silent. The Rock Phish group is a phishing gang believed to be based out of Russia -- and, by some accounts, is responsible for roughly 50% of phishing attacks by volume...
  Thu, 17 Apr 2008 02:00:00 +0200
I have been attending RSA Conferences since early this decade. The U.S. version of the Conference has been around since 1991 and it's grown from 50 attendees (all cryptologists) to around 17,000 participants annually from the private and public sectors including security professionals, business executives, lawyers, academics, privacy advocates, regulators, and journalists. For the first-time attendee it can be absolutely overwhelming because there are so many speakers, so many issues, so many events during the week, and if you go to the show floor, literally hundreds of organizations showing their wares.

Well, being a veteran RSA Conference attendee, I thought I was ready for another busy but ultimately manageable week despite the multiple commitments and responsibilities that I had to balance. Well, that theory was turned on its head, starting on Sunday...

  Wed, 16 Apr 2008 02:00:00 +0200
Click to Play

The Challenges of Identity Assurance with Marc Gaffan

In Speaking of Security's blockbuster 100th security podcast we talk to Marc Gaffan, Director Product Marketing, about Identity Assurance and its importance to enterprise-level security and compliance.


Yesterday at the RSA Conference Art Coviello addressed how security fears have stifled innovation at organizations large and small around the world. IDG Research reports that 80 percent of IT, security, and business executives surveyed admit that their organizations have shied away from business innovation opportunities because of information security concerns.

RSA is committed to countering this trend by starting an industry-wide conversation about smart ways to manage information risk. As we mentioned in yesterday's blog posting, we were able to pick the brains of 10 top security executives from global enterprises in a variety of industries and get THEIR suggestions. But we'd like to hear from you...

His keynote will begin at 11:30 AM. Let us know if you're going to be there and leave us your impressions.
  Tue, 08 Apr 2008 02:00:00 +0200
This morning Art Coviello, Executive Vice President, EMC Corporation and President, RSA, The Security Division of EMC, gave his yearly keynote at the RSA Conference in San Francisco. Art uses this venue each year to present a "state of the industry"--reviewing major security developments--and to share his ideas on where security is going in the coming year.

Here is a transcript of the talk: http://www.rsa.com/innovation/docs/coviellokeynote2008.pdf

It's a good read, with a lot of interesting insights...

  Mon, 31 Mar 2008 02:00:00 +0200
Click here to download/listen (11:15).

Part 2: Paul Joyal speaks with award-winning USA Today journalists, Byron Acohido and Jon Swartz. They are the co-authors of Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity, which is scheduled for an April 2008 release. Byron and Jon talk about the inspiration for their book and more in part two of this two-part interview. See Byron, Jon and Paul next week at the RSA® Conference 2008, registrations are still being accepted!


While RSA, The Security Division of EMC has evolved into a broad organization focusing on Information-Centric Security through Information Risk Management, securing Virtual Private Networks (VPNs) is still a significant portion of our business. The main use case for RSA SecurID, in its various forms, continues to be supporting the needs of the mobile workforce. As organizations mature, they are now extending beyond the VPN power user to additional (and often very large) populations ...
  Mon, 24 Mar 2008 01:00:00 +0100
Click here to download/listen (10:35).

Part 1: Paul Joyal speaks with award-winning USA Today journalists, Byron Acohido and Jon Swartz. They are the co-authors of Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity, which is scheduled for an April 2008 release. Byron and Jon talk about the inspiration for their book, the state of cybercrime, and more in part one of this two-part interview. Tune in next week for part two!


Another announcement related to the Bush Administration's Cyber Security Initiative is expected in the next day or so and it is likely that an entrepreneur from Silicon Valley will head a new interagency group that will coordinate cyber defenses across the federal government. As reported today by Brian Krebs of the Washington Post, "...Sources in the government contracting community said that the White House is expected to announce as early as today the selection of Rod A. Beckstrom as a top level adviser to be based in the Department of Homeland Security."

View Krebs' entire article.

The Bush Administration has been ratcheting up its focus on information security over the past year, but is starting to roll out its cyber security initiative...

  Mon, 17 Mar 2008 01:00:00 +0100
Click here to download/listen (04:13).

Tim Mather, Chief Security Strategist for RSA Conferences, talks about the role of the Chief Security Officer and how that role might evolve in the years to come. RSA® Conference 2008 is where you can hear more from leading information security professionals at the world's largest industry conference and expo when it comes to San Francisco, CA, April 7-11. For a free RSA Conference 2008 Expo Pass, courtesy of RSA, The Security Division of EMC, email podcast@rsa.com with your request before April 4 and we'll send you a special registration code.

  Mon, 10 Mar 2008 01:00:00 +0100
Click here to download/listen (06:01).

What's the Buzz? RSA® Conference 2008 is the world's largest information security industry conference and expo and it comes to San Francisco, CA, April 7-11. Paul Joyal talks to Sandra Toms LaPedis, Area Vice President and General Manager of RSA Conferences, about what makes this event so special and what's new for this year's attendees. AND for a free RSA Conference 2008 Expo Pass, courtesy of RSA, The Security Division of EMC, email podcast@rsa.com with your request before April 4 and we'll send you a special registration code.

  Wed, 05 Mar 2008 01:00:00 +0100
Click to Play

New Developments in Online Fraud with Joram Borenstein

In Speaking of Security's newest video podcast we talk to Joram Borenstein, Senior Product Manager, about the latest strategies of online fraudsters.

  Mon, 25 Feb 2008 01:00:00 +0100
Click here to download/listen (07:52).

RSA, The Security Division of EMC, is pleased to invite you to our first global technical user conference, hosted at EMC World 2008 in Las Vegas, May 19-22, 2008. RSA Xchange brings together a rich community of like-minded security professionals with an interest in learning from each other, partners and RSA product and engineering experts. Cathy Long joins Paul Joyal to talk about this new and unique opportunity.

  Mon, 11 Feb 2008 01:00:00 +0100
Click here to download/listen (07:54).

UPEK® Inc., a leading brand of secure biometric fingerprint solutions, recently announced a joint technology solution combining the convenience and security of biometrics in millions of existing notebook computers with the market-leading strong authentication solution from RSA. Matt Buckley talks with Brian DeGonia from UPEK about this solution.

Please note, we'll be taking a short winter break next week in honor of President's Day - but watch for our next episode on February 25.

  Tue, 05 Feb 2008 01:00:00 +0100
Click to Play

RSA Channel Strategy with Joe Gabriel

In Speaking of Security's second video podcast we talk to Joe Gabriel, Manager, Channel Marketing, about RSA's strategy for channel enablement.

  Tue, 29 Jan 2008 01:00:00 +0100
The U.S. Passport card or PASS (People Access Security Service) card, a new travel document, is slated for issue by the federal government in the spring of this year. A poor cousin to the standard passport, it's more compact and less expensive, but valid only at land and sea points of border entry into the United States, not for air travel. The PASS card emerged as part of the Western Hemisphere Travel Initiative (WHTI), which phases out drivers' licenses as border-crossing documents for the U.S.

I've heard two starkly contrasting opinions on the security of the PASS card...

  Mon, 28 Jan 2008 01:00:00 +0100
Click here to download/listen (07:55).

Speaking of Security Blogger Sean Kline talks with Paul Joyal about his top 5 intriguing ideas for authentication for 2008.

  Wed, 23 Jan 2008 01:00:00 +0100
As most know, the United States is in the midst of primary elections for presidential candidates. I live in New Hampshire, so I woke at around 5:00am a couple of Tuesdays ago eager to participate in the democratic process (I went early because I had a flight the same day to Germany...more on that later). After getting to the front of the line, the pleasant elderly volunteer proceeded to authenticate me so that I could vote. The authentication method she used was name and address. She had a three-ring binder with everyone's name printed in an easily readable large font size. The only problem was that she exposed the credential type, the name and the address for me to misuse as I pleased! Now I know that I am not the first to bring this up or write about it. Even so, it boggles my mind that after having to go to the Supreme Court the last time we went through this exercise to select our president, we would not take more care with the voting process...
  Mon, 21 Jan 2008 01:00:00 +0100
Click here to download/listen (08:52).

Matt Buckley interviews Jon Oltsik, Senior Analyst, Enterprise Strategy Group, about his paper and thoughts on an information-centric security architecture.

  Mon, 14 Jan 2008 01:00:00 +0100
Click here to listen/download (09:40).

Speaking of Security Blogger Shannon Kellogg talks with Matt Buckley about the state of information security from a Washington, D.C. point of view.

  Mon, 07 Jan 2008 01:00:00 +0100

Welcome to a new year of RSA's Speaking of Security Podcast. Today we introduce our first Video Podcast!

This week RSA Compliance Specialist, Dave Howell, offers his view on the future of the Payment Card Industry Data Security Standard and the evolution of online fraud.

  Wed, 19 Dec 2007 01:00:00 +0100
Click here to listen/download (11:15).

This is our final broadcast for 2007. This week's topic is Information Risk Management, an information-centric strategy that provides the most effective means of recognizing, assessing and mitigating the risk that information is exposed to throughout its lifecycle. Hear from a recent RSA Web Seminar conducted in collaboration with TowerGroup, on how financial institutions can leverage a sound IRM strategy. A companion white paper on the subject is also available.

An anniversary recently passed amid a heightened focus in Washington, D.C. on the status of federal information security: the Federal Information Security Management Act (FISMA) just completed its fifth year on the books as a federal law.

As the follow up to the Government Information Security Act of 2000, FISMA established an updated legal framework for federal information security, including baseline security standards for federal agencies. I remember that the information security community was excited about FISMA and its promise.

So, what's the verdict five years later? In my opinion it's a mixed bag. On one hand, FISMA has arguably increased awareness of, and focus on, federal information security...

  Tue, 18 Dec 2007 01:00:00 +0100
I was sitting with my friend R. in a bar. My friend was completely ignoring me (a rather stimulating treatise on how my failure with women is caused by millions of years of human evolution. I've entitled this thesis "Nature or nurture, culture or genes: Pick any one -- or all of the above"), and was focusing on a girl on the other side of the bar.

"She could be your daughter," I told R. He continued ignoring me, and said, "She could totally be mine..."

"Perhaps, but she won't," I said. "You're 38, you have a girlfriend and you were telling me the other day you were thinking of proposing to her."...

This blog entry is in response to this post in the Securology blog.

You raise some interesting points on which I would like to comment. First, RSA believes that there are always tradeoffs between strength of security, cost and ease of use. The key (no pun intended) is matching the right means of authentication to the right level of risk. This is why we have such a broad range of authentication types and form factors.

To some of your specific points, RSA SecurID hardware and software authenticators are both forms of multi-factor authentication. In the case of hardware authenticators, they are based on something you have (the physical authenticator) and something you know (your password or Personal Identification Number). Software authenticators work the same way depending on the form factor and can include other factors....
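The PIN-plus-tokencode check described above, as an added example that is not RSA's code: the page does not describe SecurID's own tokencode algorithm (it is proprietary), so the "something you have" factor here is the open RFC 6238 TOTP construction (HMAC-SHA1 over a 30-second counter) used as a stand-in. What it shows is the server side of a two-factor passcode: both factors are checked together in constant time, a one-step window tolerates clock drift, and a code that has already been accepted is refused on replay. The seed, PIN, step size, code length and timestamps are constructed assumptions.

```python
"""Two-factor passcode check: a memorized PIN ('something you know') followed
by a time-based tokencode from a seed held in a token ('something you have').

Added example, not RSA code. RSA SecurID's tokencode algorithm is not
described on this page; the code below uses RFC 6238 TOTP (HMAC-SHA1,
dynamic truncation) as a stand-in for the token factor.
"""
import hashlib
import hmac
import struct

TIME_STEP = 30     # seconds per tokencode (assumed; RFC 6238 default)
CODE_DIGITS = 6    # tokencode length (assumed)
DRIFT_STEPS = 1    # also accept the adjacent steps to tolerate clock drift


def time_step(unix_time: int) -> int:
    """Map a Unix timestamp to its time-step counter."""
    return unix_time // TIME_STEP


def totp_code(seed: bytes, counter: int) -> str:
    """RFC 4226/6238 code for one counter value: HMAC-SHA1 + dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class TwoFactorVerifier:
    """Server-side check of passcode = PIN + tokencode for one user."""

    def __init__(self, pin: str, seed: bytes) -> None:
        self.pin = pin          # something you know
        self.seed = seed        # something you have (shared with the token)
        self.last_counter = -1  # highest step already accepted; blocks replay

    def verify(self, passcode: str, unix_time: int) -> bool:
        """Return True only if both factors match an unused step in the window."""
        if len(passcode) != len(self.pin) + CODE_DIGITS:
            return False
        base = time_step(unix_time)
        for offset in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            counter = base + offset
            if counter <= self.last_counter:
                continue  # a code from this step (or an earlier one) was already used
            expected = self.pin + totp_code(self.seed, counter)
            # Compare the whole passcode in constant time, so a wrong PIN and a
            # wrong tokencode are rejected in the same way and the same time.
            if hmac.compare_digest(passcode.encode(), expected.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo data: a seed shared with one token, a user PIN, a timestamp.
    demo_seed = b"constructed-demo-seed"
    now = 1_200_000_000
    verifier = TwoFactorVerifier("2468", demo_seed)
    code = totp_code(demo_seed, time_step(now))
    print("first use accepted:", verifier.verify("2468" + code, now))
    print("replay accepted:   ", verifier.verify("2468" + code, now))
```

The replay guard is what makes the tokencode one-time: once a step has been consumed, any code from that step or an earlier one is refused even though it still falls inside the drift window. Without it, an attacker who shoulder-surfs or phishes one passcode has up to three steps in which to reuse it.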

  Mon, 10 Dec 2007 18:00:00 +0100

Click here to listen/download (08:39).

This week Paul Joyal speaks with Tom Corn, Vice President of Data Security Products for RSA, about Data Loss/Leakage Prevention (DLP) and RSA's approach to the issue along with how it differs from other players.

  1. Controls as part of a broader strategy
    Organizations still make decisions on how to authenticate requests (often users) based on individual applications, infrastructure deployments or regulatory requirements. This is one of the contributors to a "quilt of security doilies", to paraphrase the CTO of a top bank who I met recently. Point security solutions have proliferated throughout organizations making it very difficult and costly to manage. In 2008, organizations will increasingly adopt frameworks like Information Risk Management to assess which threats to mitigate, inventory the types of controls (including authentication) that they need and take a more holistic approach to implementing their strategy...
  Mon, 03 Dec 2007 01:00:00 +0100

Click here to listen/download (07:15).

This week, hear from Ari Juels, Speaking of Security blogger and Chief Scientist for RSA Laboratories. Ari tells us about some projects that his team is working on including "Proofs of Retrievability" and the WARP token for wireless authentication.

Not since the infamous U.S. Veterans Administration breach, when a laptop containing information on 26.5 million veterans was stolen in 2006, have we seen a breach of sensitive data like the one that occurred in the United Kingdom last week. According to news reports, two disks containing the records of 7.25 million families and around 25 million people were lost by Her Majesty's Revenue and Customs agency as they were being transferred to the UK's National Audit Office.
Earlier this month, President Bush requested $154 million in FY2008 funding for expanding cyber security initiatives at the Department of Homeland Security (DHS) and other federal agencies. The majority of the initial budget request (which would shift current government fiscal year money from other projects) will reportedly be focused on expanding DHS's "Einstein" program, which is run by the U.S. Computer Emergency Readiness Team. See this Federal Computer Week story by Jason Miller titled White House officials ask for $154 million in new cybersecurity spending for more background.
I traveled quite a bit during the month of October - which was National Cyber Security Awareness month here in the U.S. - and there was one issue that came up frequently during my various business trips to locations around the U.S. and one to London: software assurance. It's really a continuation of a theme that I have come across during the course of the last couple of years: as breaches of information security have become more and more frequent - whether perpetrated by cyber-criminals looking to make a fast buck; or by nefarious actors breaking into systems to commit espionage; or in the case of entire countries (e.g. Estonia) that have seen their critical infrastructure attacked via cyberspace - governments have become increasingly focused on product security. The issue of security within products that are integral parts of systems or networks is clearly gaining the attention of government decision makers around the world...
  Mon, 12 Nov 2007 01:00:00 +0100

Click here to listen/download (07:27).

Paul Joyal speaks with Dan Wilson, Vice President and Co-Founder of Accuvant, one of RSA's key channel partners about their business, their information-centric strategy for security, and a recent award that they received. Please note that we will be taking a short break for the U.S. Thanksgiving holiday, but will be back with another podcast for the week of December 3, 2007.

  Mon, 05 Nov 2007 01:00:00 +0100

Click here to listen/download (09:56).

Matt Buckley speaks with EMC Vice President of Technology Alliances, Chuck Hollis, about Security and Virtualization. Read more from Chuck at chucksblog.emc.com.

  Fri, 02 Nov 2007 01:00:00 +0100
In his Histories, Herodotus tells the story of Polykrates, overlord of the island of Samos. The king of Egypt counseled Polykrates to throw away some possession of great value, lest a surplus of good fortune bring him tragedy. Heeding this advice, Polykrates pitched his most prized possession, an emerald ring, into the sea. Several days later, a fisherman brought Polykrates a fish as tribute. When the fish was cut open, it was discovered to contain the fatal ring. (Polykrates was, of course, brutally murdered soon afterward.) Herodotus's story (and book) was crafted as a parable about hubris. It is also a good parable about banking--and more generally about risk...
  Mon, 29 Oct 2007 01:00:00 +0100

Click here to listen/download (08:07).

Last week's RSA Conference Europe is over but you can hear from some of last week's expert speakers, like Marika Konings, Director of European Affairs for the Cyber Security Industry Alliance, in the Conference Podcasts section of www.rsaconference.com/2007/europe. Paul gets an event recap from the Conference Manager, Linda Lynch, and we share part of an interview with Marika from the show floor in this week's podcast.

  Mon, 29 Oct 2007 01:00:00 +0100
One of the concepts that RSA and EMC are starting to focus on more is risk. For some, risk has a negative connotation, such as the chance of suffering some type of loss or damage. From a finance perspective, risk is perhaps a more neutral term in that with increased risks (there is a relationship to volatility), one expects a greater return. This has relevance in information-centric security as well...
  Mon, 22 Oct 2007 02:00:00 +0200
My friends have gotten tired of hearing me talk about how dreadful it is to be single. One of my friends S. (who has four children and a mortgage) suggested that I take over looking after his kids while *he* wakes up with a hangover next to a half-empty bottle of Jack Daniels and photos of a wild party and the younger sister of one of my work colleagues (Hi M!). Another friend, R, asked me why I don't frequent the singles bar scene. I replied that I'm looking for a sun-drenched wind-swept Ingrid Bergman kiss, a heart touching romance and a soul companion -- not some sordid meaningless fling. He sagely nodded his head and voiced his hopes that I enjoy the rest of my long life looking forward to dying alone...
  Mon, 22 Oct 2007 02:00:00 +0200

Click here to listen/download (07:07).

This week we revisit a recent RSA web seminar held in late September. Nick Selby, Security Research Director from the analyst firm, The 451 Group, shares some key tips for securing web portals, by providing the right protection and level of access to information for trusted identities. To review the entire 9/25 webcast replay, visit www.rsa.com/webseminars.

  Fri, 19 Oct 2007 02:00:00 +0200
As issues around cyber security continue to heat up in the wake of several high profile data security breaches in the public sector -- and with increasing concern about cyber vulnerabilities in our nation's critical infrastructures, the U.S. House of Representatives passed a resolution this week recognizing the importance of the issue. The resolution, H. RES. 716, was introduced by Congressman Jim Langevin (D-RI) with strong bi-partisan support. The purpose of the Resolution was for: "Expressing the sense of Congress with respect to raising awareness and enhancing the state of computer security in the United States, and supporting the goals and ideals of National Cyber Security Month."...
On October 16th, in the bowels of the U.S. Capitol Building, the Business Software Alliance organized a briefing on cyber-crime issues that was attended by congressional staff members, industry experts and media representatives. Art Coviello, President of RSA, The Security Division of EMC, delivered the industry keynote; U.S. Representative Steve Chabot (R-OH) provided remarks from a congressional perspective. Congressman Chabot is a co-sponsor of H.R. 2290, the Cyber Security and Enhancement Act of 2007, along with U.S. Representative Adam Schiff (D-CA). H.R. 2290, if passed, would include changes to law that would: criminalize malicious botnet attacks...
  Fri, 12 Oct 2007 02:00:00 +0200

Click here to listen/download (08:07).

October is National Cyber Security Awareness Month. We celebrate by speaking with James A. Lewis, Director and Senior Fellow, Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C., about cyber security in the federal government and around the world.

  Mon, 08 Oct 2007 02:00:00 +0200
Click here to listen/download (10:39).

Martin McKeay, among others, has recently blogged about the value of the CISSP (Certified Information Systems Security Professional) certification. Paul Joyal speaks with leading IT author Shon Harris about the CISSP and other certifications that IT security professionals seek to add to their credential lists and knowledge bases.

This month, I'll be posting blogs several times a week given that this is National Cyber Security Awareness Month. To kick off this year's campaign, the 2007 National Cyber Security Awareness Summit was held at the National Press Club in Washington, D.C. on October 1st.

Below, you will find a post from the Summit:

I was encouraged by the strong turnout at the inaugural National Cyber Security Awareness Summit, the 4th time that October has been recognized officially as National Cyber Security Awareness Month. You know that you are going to have a good event when the room is half full 30 minutes before start time.

I thought that Assistant Secretary Greg Garcia captured the heightened interest in the topic...

  Mon, 01 Oct 2007 02:00:00 +0200
Click here to listen/download (06:12).

RSA announces its solution for Information Risk Management for financial services organizations worldwide this week at SIBOS in Boston. Listen to Ann King, Senior Manager for Solutions Marketing, talk about this approach to following information within a financial institution throughout its lifecycle -- revealing where the risks lie to present a holistic view of risk related to information across the enterprise.

On the cyber security front, the nation's capital is abuzz this week about breaches of information systems at the U.S. Department of Homeland Security (DHS). In a Washington Post article on Monday, September 24, writers Ellen Nakashima and Brian Krebs reported that the "...FBI is investigating a major information technology firm with a $1.7 billion Department of Homeland Security contract after it allegedly failed to detect cyber break-ins traced to a Chinese-language Web site and then tried to cover up its deficiencies, according to congressional investigators."
  Mon, 24 Sep 2007 02:00:00 +0200
Click here to listen/download (10:27).

This week we welcome back two previous guests, Dave Howell and Peter Beardmore. First, we share information about the PCI DSS (Payment Card Industry Data Security Standard) from a recently commissioned survey by Forrester. And we also talk about unified credential management in the enterprise.

Finally, the cyber security issue may just be getting the attention that it deserves at the national leadership level in the United States. In an RSA Speaking of Security blog post in early July, I asked the question: Will the recent cyber attacks on Estonia be a wake up call for European and U.S. leaders? I noted in that post that the answer in Europe was apparently yes and referenced quotes in a June 30th Reuters story from European Information Society Commissioner Vivian Reding: "Estonia was a wake up call...If people do not understand the urgency now, they never will."...
  Tue, 18 Sep 2007 02:00:00 +0200
It was blasphemy at the time. At the 2007 RSA Conference in San Francisco, our President, Art Coviello, made the claim that the standalone security market was not long for this world. Some in the audience must have thought he was Looney Tunes, making a claim like that at a longtime venue dedicated to all things security. In my role driving integrated solutions of RSA technology and EMC products, I speak with security, IT, and storage professionals regularly to understand their requirements and preferences for integrating security into information infrastructure products. The single biggest common thread between them is this: security seems to be everybody's job these days. These things tie: security-baked-in and security-as-everybody's-job...
  Mon, 17 Sep 2007 02:00:00 +0200
Click here to listen/download (07:41).

Online fraud is becoming more like a traditional industry. Researchers at the RSA Anti-Fraud Command Center are hard at work as they learn more and more about how the underground world of online fraud works and how security professionals can get one step ahead. This week, Jens Hinrichsen, Senior Product Marketing Manager in RSA's Identity and Access Assurance Group, takes us deeper into this world. Learn even more on the 9/18 Web Seminar: A VIEW OF THE GROWING CRIMEWARE THREAT IN ACTION.

Customers are expressing an increased interest in having strong authentication mechanisms on a variety of client devices. Service providers, also, are interested in ensuring that end users are able to employ their mobile phones for two-factor authentication. Such organizations may also play the role of outsourcer and are concerned with the provisioning of credentials and new support models. Some of the drivers for this are longstanding, such as increased proliferation of mobile devices to remote employees, partners and consumers.

Ericsson predicts that global mobile subscriptions will reach 5.5 billion by 2012. Since people are used to carrying phones, these mobile devices become very convenient containers for the strong authentication credentials needed for secure remote access. Other drivers are more visionary...

  Mon, 10 Sep 2007 02:00:00 +0200
Click here to listen/download (09:58).

Paul Joyal talks with Bret Hartman, RSA's CTO, about the Common Security Platform, the process that integrates EMC and RSA technologies. And Matt Buckley introduces our newest Speaking of Security blogger, Manju Mude, Senior Compliance Analyst at RSA.

  Mon, 27 Aug 2007 02:00:00 +0200
Click here to listen/download (10:38).

As a follow-up to the Aug. 13 podcast, we present an excerpt from the Aug. 15 RSA web seminar: "Combining Network Access Control (NAC) with Strong Authentication." Denzil Wessels, technical marketing manager, Juniper Networks, takes us through what a NAC solution provides to an IT infrastructure. Click here for the entire replay of the webcast and/or download the accompanying slide deck. The Podcast Team will take Sept. 3 off for the U.S. Labor Day holiday but will return on Sept. 10 with a new edition.

In Greek mythology, Sisyphus was a king who was extremely crafty and dishonest, and the punishment brought down upon him by the gods was to roll a very large boulder up a hill. Each time Sisyphus attempted to do this, the boulder would escape him before he was able to reach the top, and so he had to begin the task all over again... This continued throughout eternity. This analogy has been applied to many problems over the course of history, including within the world of IT, where no matter how many resources are employed to solve a particular problem, it can be quite typical for the issue at hand to remain either largely or completely unsolved, and just as daunting as it had been before. While I don't think we have quite reached a "Sisyphean state" in data security, an RSA survey conducted by Forrester Consulting...
  Mon, 20 Aug 2007 02:00:00 +0200
Click here to listen/download (08:06).

Matt Buckley discusses the state of data security with Paul Stamp, Principal Analyst, Forrester Research. Paul is a leading expert on enterprise security technology, focusing on security architecture, and data security technologies, such as enterprise encryption.

Over the past year we have witnessed a significant increase in the number of data breach incidents due to mistakes by internal employees at many respected companies. These incidents run the gamut from missing or stolen laptops to vanishing BlackBerrys and disappearing USB drives. The typical response from companies that have suffered these sorts of breaches is: "Our policy prohibits employees from putting unencrypted sensitive company information on laptops, PDAs, and other devices." While you will get no argument from me that this is a good policy, how much of the responsibility for ensuring this policy is followed as intended should really fall on the employee's shoulders? Is it really possible to expect employees to be educated enough about such policies to always do the right thing?...

© copyright feeds2read.net 2005-2008