Speaking of Security
Speaking of Security is the RSA Blog and Podcast. It features a group of experts in identity management, encryption, privacy, policy, and enterprise security standards.
Copyright: Copyright 2005 - 2008 RSA Security Inc.
I just returned from the Payment Card Industry's 2008 Members Council Meeting in Orlando, Florida. We had a blast despite the mood being somewhat dampened as a result of the uncertainty of the global financial markets (heartfelt thanks to those wise souls who've been living outside of their means and taking undue personal and commercial financial risk...). Anyhew, I met so many interesting people from both merchants and from the card brands like Visa, MasterCard, American Express, Discover & JCB International Co., Ltd.
  Fri, 10 Oct 2008 02:00:00 +0200
I was one of the 650 attendees at the recent annual North American PCI Community Meeting. Held at the Omni Champions Gate resort in Orlando, it was great to speak with many of the merchants, banks and service providers in attendance about the challenges they are facing.
As Stewart Brand once said "Once a new technology rolls over you, if you're not part of the steamroller, you're part of the road". I think this quote describes perfectly the role in which IT departments are playing in implementing security programs, specifically those attributed to the NERC Cyber Security Standards...
  Thu, 09 Oct 2008 02:00:00 +0200

October's here, and you can't escape the coming onslaught of Halloween. Children (and quite a few adults) dressed up as vampires, ghosts, goblins and other scary creatures, going around asking people for treats and threatening them with tricks if they don't provide them. A cynical person might boil it down to a combination of scare tactics and extortion. So what does this have to do with IT security and compliance? Unfortunately, the way security and compliance professionals have traditionally gone about obtaining funds and resources for tools and projects necessary to do their jobs all too closely parallels what happens on Halloween. We frequently use scare tactics such as new threats (the trick) to get management to cough up the funding and resources (the treats) we need to accomplish what we view as our jobs...

  Thu, 09 Oct 2008 02:00:00 +0200
The Institute of Applied Network Security released a case study on the implementation of RSA enVision at the Depository Trust Clearing Corporation (DTCC). DTCC is an organization that acts as the back end for Wall Street, processing $1.8 quadrillion in securities transactions in 2007, and thus an essential component in our economy.

Last week I took a trip out to our Executive Briefing Centre in Cork, Ireland. I was there to present to senior IT folk from pretty much all of the UK’s Police Forces as part of a two-day agenda that had been lined up for them by my colleagues from many of EMC’s lines-of-business.

I guess there are few other organisations where the lines between physical and virtual security are brought so sharply into focus than in one where you are dealing – first-hand – with criminals in the way that our police officers must every day of their working lives.

During our conversations we mused on various aspects of keeping information secure in such a fluid and volatile environment...

  Tue, 07 Oct 2008 02:00:00 +0200
Art Coviello on Security for Innovation

Speaking of Security co-host, Amanda VanVeen, introduces a new video featuring RSA President, Art Coviello. Art covers new IDC research on the topic of security and business innovation. Forward-thinking security leaders are driving tighter linkages between innovation goals and security strategies.


Today RSA, The Security Division of EMC, released the latest research and insights from IDC and the Security for Business Innovation Council on the relationship – and disconnect – between security and business innovation. The IDC report centers on the fact that 80 percent of organizations worldwide confirm that security fears are indeed responsible for stifling business innovation.

IDC also found that although 80 percent of CEOs believe their security teams are being held formally accountable for their contributions to business growth and innovation, only 44 percent of security leaders believe they are being measured on their contributions to innovation. This finding points to a surprising lack of alignment between the expectations of C-level management and the priorities of security professionals...

Yet another analogy from the credit crunch shows us security folks that even if we changed jobs we probably wouldn't be able to escape our frustrations. The executive branch is currently trying to win over Congress and convince them to hand over a large sum of money, or else something really bad is going to happen. This is a situation I'm sure many security folks have found themselves in, albeit under less extreme circumstances. The people with the check books seldom know anything about what you're doing. Congress is full of politicians, not economists or experts on the banking system. They need to rely on their gut feeling to do the right thing. Same thing with your management, so it's up to you to guide them towards the right decision -- in their language...

The McCain-Palin campaign has offered a rather muted response to the Yahoo! email account breach of Gov. Palin, and so far, the grand jury has opted not to indict the hacker. Is this the end to this sordid tale? Not quite. I believe that the average citizen has been left with a myriad of questions as to the security in as basic a utility as free email.

What’s going on?

“Rubico”, as the hacker called himself, used an automated password recovery tool where he was asked fairly simple questions to identify himself as Gov. Palin [birthday, zip code, etc.]. Rubico found answers to these within 45 minutes on Google and Wikipedia! Wow! Is it really that easy to hack into email or messaging services that the common person uses globally?...

Last week I made a flying visit to NYC to appear on a panel at Interop with John Pironti of Getronics, Khalid Kark of Forrester, Jennifer Mack of the PCI Standards Council and Jim Routh of DTCC. The subject was "Security By Compliance - A Discussion of Information Risk Management's Greatest Challenge".

  Mon, 29 Sep 2008 02:00:00 +0200
Recent updates to the Fair and Accurate Credit Transactions Act (FACTA) of 2003 mandate that U.S. financial institutions and creditors must comply with the Identity Theft Red Flag provisions by November 1, 2008. Amanda Van Veen speaks with EMC's resident FACTA expert, Dennis Mayer from EMC Consulting about the upcoming deadline and what it means to those who must comply.



As reported in the Boston Globe on September 23rd, the Massachusetts Office of Consumer Affairs and Business Regulation issued regulations earlier this week that will place new requirements on businesses to safeguard personally-identifiable information (PII)...

The numbers behind Google's processing are staggering. Indexing over one trillion URLs, the Internet search giant reported in January that it processes 20 Petabytes of data per day.

Turns out a Petabyte is 1000 Terabytes. So Google processes over 20,000 Terabytes of data per day. Supporting all of this impossibly massive data crunching is a huge network of proprietary servers and custom made storage. It's the mythical Google grid.

Google conceals the exact nature of the grid; it's one of their trade secrets.

So, what if I told you Google is abandoning its mythical, proprietary, custom-made processing and storage grid, and is moving to an off-the-shelf third party processing platform?

Any boffin would have choked on this scoop.

OK, relax. Google isn't ditching its proprietary grid. But its eCrime equivalent is certainly doing exactly that.

  Mon, 22 Sep 2008 22:00:00 +0200
Paul Joyal welcomes back Linda Lynch, RSA® Conference Europe Manager, to talk about the session highlights for the upcoming conference from October 27-29. The early bird registration deadline is fast approaching on September 26. Learn more or register today: www.rsaconference.com/2008/europe.



  Mon, 22 Sep 2008 21:36:00 +0200

Identity Assurance was a hot topic at DigitalIDWorld this year, but as with many terms (such as policy or governance), it means different things to different people. According to the Liberty Alliance Project, “Identity” is “A unique name for single person” [sic] and “Assurance level” is “A degree of certainty that a claimant has presented a credential that refers to the claimant’s identity.” The Identity Assurance Expert Group (IAEG)’s goal is to “provide public and private sector organizations with a uniform means of relying on digital credentials...

  Mon, 22 Sep 2008 02:00:00 +0200

What a week it was in the financial markets! With Lehman Brothers filing for bankruptcy, and Barclays subsequently buying up some of the assets; with Merrill Lynch finding a safe harbour at Bank Of America; and then, closer to home (for me at least) the merger of two of the biggest UK retail banks, HBOS and LloydsTSB.

During this coming period, it is a reasonably safe bet that we may be in for a flurry of phishing attacks targeting the customers of these institutions using ruses like share “windfalls” and the like to tempt individuals into disclosing their credentials. However, in this blog, that’s not what I want to talk about. The implications for the employees of these organisations are, of course, also huge, and the degree of uncertainty and change that will ensue for a period of time will provide ample opportunity for the criminal fraternity to exploit....

  Tue, 16 Sep 2008 02:00:00 +0200

I’ve recently been looking at the implications of the second phase of the EU Data Retention Directive which will shortly be coming into force: as well as requiring telcos to keep call logs of who we called and when, ISPs will also now be required to keep logs of when we logged on and from where. Let’s leave the debate on whether all this logging is an invasion of our privacy or not – and whether that compromise of our personal freedom is justified in the global war on terror – for another time. For now, let’s just have a think about all that log data sitting around, waiting to be called upon...

Compliance, Compliance, Compliance.  It’s the word that’s on everybody’s lips in the security industry these days.   Companies of all shapes & sizes are spending big bucks to ensure compliance, but what are they trying to be compliant to?  Regulatory issues, legal issues, internal policies & procedures or all of the above???    Unfortunately, trying to be compliant in any of these areas brings challenges but there are some ways to make it a little easier...

Last week I was at a conference where security folks get together and vent their spleens about the problems they're facing. On day one, us vendors weren't allowed near the place, but on day two we got to pitch our products to potential buyers, and they got to shoot arrows at us. The highlight of the day for me, though, was the roundtable discussion on log management and SIEM.

Different people in the room talked about some of their experiences with log management and SIEM – some were very positive, others not so much. Either way, though, what struck me was the disparity between what people wanted to do with their SIEM products, and what they were actually managing to do...

  Mon, 15 Sep 2008 02:00:00 +0200
RSA's reseller community is part of the RSA SecurWorld program. In order to help these channel partners become better trained in our solutions and products, RSA hosts several conferences throughout the year. Listen in to find out how your reseller works hard to become your trusted advisor for IT security.



  Fri, 12 Sep 2008 02:00:00 +0200
As part of my various duties here at RSA, I get the privilege of speaking with customers on a regular basis about how they can implement an Information Risk Management strategy. One of the most frequently asked questions that follows this discussion is: “how does this process change when I start to virtualize my environment?” So in this guest blog post, I thought I’d answer this question and talk a little about RSA’s collaboration with VMware for securing their virtual infrastructure solutions.

Before we get to security implications, we should start with a basic discussion of what virtualization does to the overall information infrastructure...

Last week I did a podcast with Glenn Williamson of Canadian MSSP Cyberclix. I put forward what I thought a SOC ought to look like, and then Glenn talked about some of the things he and his team were doing with RSA enVision in his SOC.

We've had some good feedback on the event, and if anyone missed it, it's available here.

  Thu, 11 Sep 2008 02:00:00 +0200

I’ve just attended a PCI special interest group meeting for the payments community in Europe, run by one of the key trade associations in that industry over here, Vendorcom. It was an interesting session with a number of different presentations from various vendors, QSAs and a special guest, the Head of IS Governance and Security from one of the UK’s top five retailers on their path to PCI compliance...

  Tue, 09 Sep 2008 02:00:00 +0200
What's New with PCI

Speaking of Security co-host, Paul Joyal, discusses the latest developments in the Payment Card Industry data security standards with Brad Davenport, Compliance and Solutions Marketing Manager at RSA.


A commentary about the casual hack, phreaking, pretexting, and a new thing called CPNI

So, a company that I met with had a problem. This was not a ginormous problem itself, but rather it was an awakening to a new threat that had not emerged as public enemy number one before. Its employees. It so happens that this company has the best security that King Arthur could buy, but it's not being used right and someone thought it would be pretty clever to crash a database server and see what would happen. Or did they? Or was it the computer playing a practical joke? HAL, anyone?

It turns out this company handles sensitive information about its customers, and yet they don't know WHO DONE IT or WHY?...

  Mon, 08 Sep 2008 02:00:00 +0200
While in Australia last week, I had lunch with the risk and compliance manager from a large financial institution. We had a lively discussion centered on compliance (I know, most people don't find compliance that exciting, but this was the right group for this conversation!)

Early in the conversation, the topic of the PCI Data Security Standard arose. This entity is beginning to look at the Standard's implications, and, based on reactions I've seen from other customers, I expected to hear a lot of frustration and annoyance. But, I asked the question anyway: "So, are you concerned about having to deal with the PCI requirements?"...

When a small phishing gang decides to upgrade its infrastructure, it is often done in a quick and dirty fashion. The transition is almost immediate, and often buggy and unprofessional. But what happens when a gang on the scale of the Rock Phish group decides to abandon its old methods and upgrade its botnet infrastructure? It is done slowly, smoothly but most importantly -- professionally. The RSA FraudAction Research Labs recently gathered information that indicates major changes in the tactics employed by the Rock Phish gang. We have reason to believe that the gang is replacing its phishing infrastructure, and upgrading it to an advanced Fast-Flux botnet. We also believe that this new infrastructure belongs to none other than the infamous Asprox Botnet, which has recently been spreading itself using surges of SQL injection attacks...
  Wed, 03 Sep 2008 02:00:00 +0200
October is creeping up on us, and for most of us that means the beginning of the end of 2008, along with the nagging feeling that we should be doing some planning for 2009. This is the perfect opportunity to take stock of your security and compliance programs, and to develop a plan for improving things next year. If you've been following our various blogs here at RSA you probably realize by now that we espouse a security and compliance program based on three core pillars: it's information-centric, risk-driven and framework-based. Our compliance team has spoken with hundreds of customers from all over the world and in every industry segment this year, and we're finding that this approach is gaining acceptance at an ever-increasing rate. Organizations are realizing that they need to discover, manage and control their information assets in order to protect them...
  Wed, 03 Sep 2008 02:00:00 +0200
This past weekend, I left Southeast Asia after a week-long trip to Bangkok, Singapore and Manila. The week was spent in back-to-back meetings with customers and our local sales teams, and the majority of our discussions centered on PCI DSS and compliance in general. One clear takeaway: Compliance is one of THE growing areas of concern for businesses in the region.

I found the degree to which customers in the region were concerned about compliance to be a bit of a surprise. I say 'surprise' because I often hear that compliance isn't as much of an issue outside of the U.S. From what we're seeing, though, the regulatory environment in non-U.S. geos, including Southeast Asia, is becoming more complicated...

  Thu, 28 Aug 2008 11:00:00 +0200
So, several weeks ago I wrote a piece discussing the "long road to ISO 27001" adoption. A question posed to readers at the end of the piece: "How far off are we from the point at which ISO 27001 certifications in the U.S. are standard operating procedure for businesses -- the exception, rather than the rule?"

Well, the results are in! Our servers nearly crashed thanks to the influx of responses, but, fortunately, that wasn't the case. Here are the results...

  Thu, 28 Aug 2008 02:00:00 +0200
I've just returned from my summer vacation, somewhat foolishly deciding to spend it under canvas in the south-west of the UK and expecting to get good weather. If my tent had leaked as badly in the last couple of weeks as data seems to have been leaking in the UK during the same period, I'd be in need of an aqualung by now! If it were an Olympic sport, Britain would have beaten China for pole position in the medals table!

It all started with the loss of a memory stick by a UK Government contractor which contained somewhere around 120,000 records, including the details of 10,000 of our nation's most serious criminals. We then heard about a compromise at global hotel chain Best Western...

  Mon, 25 Aug 2008 02:00:00 +0200
Paul Davilman from RSA’s Compliance and Solutions team sits down with Amanda Van Veen to talk about the North American Electric Reliability Corporation (NERC) Cyber Security Standards and how these standards will impact IT security in the utility industries. Please note that due to the U.S. Labor Day holiday, we'll be back in two weeks (on September 8) with a new show.



On August 18 the PCI Security Standards Council formally announced (http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf) forthcoming changes to the Payment Card Industry's Data Security Standard (PCI DSS) as it moves from version 1.1 to version 1.2 in October 2008. The release represents the first major update since September 2006.

What's my take on the summary of changes? Most merchants will be pleased to see that these are relatively minor changes...

Information risk management, and lessons-learned in the financial industry Last week's Economist had a good article entitled "Confessions of a Risk Manager", in which a risk manager from a global bank uses 20-20 hindsight to look at "what went wrong" in the lead-up to the credit crunch and the ensuing fallout. I won't pretend to understand all the ins and outs of financial derivatives, but there were some points raised that anyone in the IT security space can identify with...
  Mon, 18 Aug 2008 02:00:00 +0200
This week, Amanda Van Veen speaks with analyst Rod Nelsestuen from the TowerGroup. Rod covers key issues affecting several financial industry segments, including emerging markets and trends, security, and risk management matters, and in this segment talks with Amanda about the evolution of business continuity planning and security’s increasing role.



Although the NERC Cyber-Security Standards (http://www.nerc.com/files/CIP-002-1.pdf) are applicable only in the US, I think there's no doubt that cyber security is fast becoming a major concern of electric utility companies worldwide. In addition, other US critical infrastructure industry segments, such as water and chemical companies are also coming under increasing federal pressure to improve their own cyber-security efforts. Still, the NERC Cyber-Security standards have been criticized for being too ambiguous, providing little in the way of guidance, as well as for leaving loopholes for utility companies to beat the rules...
  Mon, 11 Aug 2008 02:00:00 +0200
In a recent RSA Web Seminar focused on the new FACTA Identity Theft Red Flags provisions, industry analyst Ken Herbert, with Frost & Sullivan, explained what financial institutions or creditors need to know about the upcoming November 1 FACTA deadline and provided some key recommendations for complying with the regulation. In this week's podcast, we'll share some of the questions and answers from this online event. To learn more, watch the entire webcast replay.



A recent survey confirmed that internal threats continue to grow and to represent a challenge to organizations' security postures. It revealed that, in scans of 100,000 PCs and servers in many industries: 12% of infected computers had a missing or disabled anti-virus program, 10.7% had unauthorized personal storage such as USB sticks or external hard drives, 9.1% had unauthorized peer-to-peer (P2P) applications installed, 8.5% had a missing 3rd party desktop agent, 2.6% had unprotected shared folders, 2.2% had unauthorized remote control software, and 2% had missing Microsoft service packs. These results continue to resonate with the conclusions of the CSI FBI survey that reported in 2007 that internal threats have now outpaced viruses in terms of risk to organizations...
In previous lives, both as a talking head and implementation guy, I'd get some pretty in-depth questions about subtle security issues -- usually as a result of something someone had read was a "best practice". Sometimes questions were about specific configuration settings for an OS or obscure firewall ports, other times it was a question about some arcane encryption algorithm or key length. Usually, I'd respond by asking, "Is this the biggest issue you have?" Common examples include...
Europe is a hotbed of cutting-edge fashion. But why am I telling you guys this? You work in the Information Security business -- the kind of business that draws out the fashionista in all of us... And I guess that's one of the issues with what, in relative terms, is still a pretty young industry: every "season" we eagerly anticipate the new "line" from the next greatest new discovery.

That said, I do think that we're definitely starting to see signs of maturity in the market -- of the emergence of "design classics"...

  Wed, 06 Aug 2008 15:00:00 +0200
On August 5, 2008, federal law enforcement officials announced the indictment of 11 people charged with stealing and selling more than 41 million credit and debit card numbers from nine major US companies.

"This is the single largest and most complex identity theft case ever charged in this country," said US Attorney General Michael Mukasey.

According to officials, the defendants -- three from the United States, one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin -- tapped into wireless networks and installed programs that captured card numbers, passwords and account information. The stolen data was then hidden around the globe and sold for profit.

This event reflects a growing trend in cyber crime...

  Wed, 06 Aug 2008 02:00:00 +0200
The Importance of Strong Authentication for Business Continuity

New Speaking of Security co-host, Amanda Van Veen, meets with Jeff Carpenter, Senior Product Marketing Manager at RSA, to discuss how the latest release of RSA Authentication Manager supports organizations focusing on business continuity. When natural or man-made disasters hit, it's important that employees be able to quickly and easily access network resources, but it's equally important to know just who those new remote workers are.


  Thu, 31 Jul 2008 19:35:05 +0200
During a meeting with an RSA customer earlier this week, I was asked a very detailed and pointed question about my interpretation of requirement 3.4. Specifically, the customer was using encryption to render PANs unreadable and wanted to know if their algorithm was indeed classified as "strong cryptography." Really, the customer was interested in making sure this particular encryption algorithm would pass their upcoming PCI audit. While I was happy to voice my opinion, I stressed the critical importance of open and honest communication when it comes to passing an audit and successful PCI compliance in general...
I was interested to read in the papers here that the UK's Association of Private Client Investment Managers and Stockbrokers (Apcims) has raised concerns about changes to existing data security measures which are being imposed by the Financial Services Authority (FSA). The FSA is seeking to mandate strong authentication -- using secret questions (you know the kind of thing -- mother's maiden name, date of birth, name of your favourite Spice Girl, etc, etc) -- before brokers can get on with doing business with their clients by phone. This comes a few months after a city firm was hit with a £77k (~$150k) fine for failing to do just that.

Now, ordinarily, forcing mandatory extra authentication like this you'd think is a good idea, and something that should be applauded...

  Wed, 30 Jul 2008 02:00:00 +0200
The folks at NIST have just released a Performance Measurement Guide for Information Security, which is a really good guide for creating a metrics program. Luckily, I've been in enough of a procrastinatory mood to give it the once over. My take?
  Mon, 28 Jul 2008 02:00:00 +0200
A couple of weeks ago, Paul Joyal interviewed RSA’s Phil Marshall about Knowledge-based Authentication, or KBA. This week, we present a conversation on the same topic that Phil had with Tom Wills, Senior Analyst for Risk, Security & Fraud with Javelin Strategy and Research.



We keep hearing from analysts that the cost of compliance should go down each year but unfortunately our customers are telling us the exact opposite. They are continuing to get slammed by new regulations and feel compelled to implement all types of point products & solutions in order to meet immediate needs.
Most of us in the security trade work in a group or have a job description that contains (or in some cases, implies) the word 'information' - 'IT Security', 'Information Security', 'Office of the CIO', etc. This naming convention, while a seemingly trivial aspect of our jobs, should really be the primary driver for everything we do. Why? Because virtually everything we do has the ultimate goal of protecting some type of asset that is important to our organization, and that asset is almost always information. This basic truth can be most effectively illustrated by considering what drives the daily requirements of our work - compliance.
Data-security vendors sometimes get tall orders from customers. Not unheard of are: "I'd like a good digital signature system... with 20-bit keys" and "I want to use one-time pads for encryption... and I need to compress them." But one of the most challenging I've heard was recently offered up by colleagues in the RFID (Radio-Frequency IDentification) industry.
  Thu, 24 Jul 2008 02:00:00 +0200
The first and most important thing when trying to grow a pool of malware-infected PCs is the infection stage. The goal is to infect as many users as possible, as quickly as possible -- and remain undetected for as long as possible.

Neosploit is a brand that could be relied upon to solve that problem rather well. Designed to ease the infection stage, Neosploit is an infection kit which exploits numerous system vulnerabilities and infects PCs worldwide with any type of malware. Neosploit checks "candidate" PCs in order to find vulnerabilities, and once these are found, the PC will be infected with the malware of the criminal's choice.

However, the RSA FraudAction Research Labs recently received information indicating that we may soon see the last of this "Neosploitation".

  Thu, 24 Jul 2008 02:00:00 +0200
Over in the US, Senator Obama has recently been talking about his stance on Cyber terrorism. While there were many interesting points in his proposals, I wanted to home in on his comments regarding the protection of national infrastructure. You don't need to be a technological genius to have figured out that computers pretty much run every aspect of our daily lives these days -- transportation networks, utilities, broadcast information... you name it. It's fair to say, then, that if you could find a way of compromising those computers you could really mess up everyone's day....
  Thu, 24 Jul 2008 02:00:00 +0200
Notwithstanding the fine bloggery that goes on at this site (excluding yours truly of course), there's a bunch of splendid social computing activity going on here at RSA. There's no better example of this than the RSA enVision Intelligence Community.

The Intelligence Community is an online community of RSA enVision customers, partners, systems engineers and product managers. It's getting quite a lot of use too, with interesting new posts around feature requests, tips and tricks and product announcements appearing every day. I was just trawling through it this morning, and I thought I'd pull out a few highlights...

So, in conversations with customers of late, I've observed a steady increase in talk of plans to soon adopt ISO 27002, or active work to get the standard implemented in some fashion. This isn't necessarily surprising, particularly when you're talking with highly regulated companies or those more apt to understand information risk management, overall (e.g., those in banking, insurance and utilities, or more recently, thanks to PCI DSS, retail). Because, as I suspect most would agree (and speak up if you don't!), 27002 provides an incredibly broad and deep view into the types of security controls an organization should at least consider when building a security and information risk management program.

What has certainly come as more of a surprise, though, is...

  Mon, 21 Jul 2008 19:00:00 +0200
Click to Download/Listen (05:51)

New co-host Amanda Van Veen interviews Linda Lynch, RSA® Conference Europe Manager, about this year's Conference in October. Learn about the early bird registration special as well as other helpful travel hints and session highlights. Register today: www.rsaconference.com/2008/europe.

  Mon, 21 Jul 2008 02:00:00 +0200
A couple of weeks ago I posted on the topic of "defining compliance." One of the suggestions raised was that businesses that identify a common control framework, or combination of frameworks, may have an opportunity to significantly reduce costs and redundancies associated with their compliance program. The idea is that rather than approaching each requirement in a silo, and therefore attacking each related security requirement in isolation, it would be better to ensure that the organization is looking more horizontally at the types of security controls that must be enacted in the context of all the requirements that must be met...
  Thu, 17 Jul 2008 02:00:00 +0200
Yes folks, the PCI DSS's first major update since version 1.1 was announced in September 2006 is on the horizon. Unveiled in May by the PCI Security Standards Council, the new version, called 1.2, is due out in October. Over the past few weeks, I've received a myriad of inquiries from merchants and figured this would be a good forum to share some of them...
  Tue, 15 Jul 2008 14:30:30 +0200
So this one's been digging away at me for a while. I just think that the term "Security Information and Event Management" doesn't do the space justice. I'm not talking about the "information" vs "event" debate -- it's the "Security" part of it that I have a bit of a problem with. Log management doesn't really capture the essence of it either, as Greg Shipley pointed out in his recent Network World article, especially since we're dealing with all sorts of asset and vulnerability information too. For a start, labeling these tools solely as security tools sets expectations about what these tools are best at....
  Tue, 15 Jul 2008 02:00:00 +0200
Last Friday I spent the morning in the company of a lawyer from a top international law firm. Once we'd marvelled that the sun had finally deigned to make an appearance over the grey skies of London, our conversation turned to the rather weightier subject of data privacy. We've been doing a lot of work around using ISO27002 as a framework best practice in developing and deploying a robust information security strategy. As part of that work, I and my "Evangelist" colleagues have taken a stab at mapping various regulations against this "gold standard" in order to help customers understand where overlaps, or indeed gaps, may occur between these various regs...
  Mon, 14 Jul 2008 02:00:00 +0200
Click to Download/Listen (11:11)

With users wanting more real-time, self-service options, many organizations have migrated their services to remote channels including the Internet or Call Centers but these services and benefits come with added risks of fraud and identity theft.  Knowledge-based authentication (KBA) offers customers the opportunity to benefit from remote interactions with stronger security as well as the added convenience of real-time authentication. Learn more in this week's podcast. In other news, we bid a fond farewell to co-host Matt Buckley.

  Tue, 08 Jul 2008 02:00:00 +0200
Virtualization is one of the most hyped technologies in Information Technology today -- and rightly so. It offers the potential to improve utilization, lower cost of ownership of computers, enhance productivity, ease compliance, increase reliability and potentially improve security. Let's explore the last claim. Without a doubt, there is an impact of virtualization on security, and in particular authentication...
  Mon, 07 Jul 2008 17:08:00 +0200
Click to Play

Art Coviello Keynote at EMC World

Art Coviello tells a cautionary tale of the future of security and its impact on business innovation at this year's EMC World. Hear how to avoid the perfect storm by integrating security into the platform and using information risk management strategies.

  Mon, 07 Jul 2008 02:00:00 +0200
I don't want to spend all my time on this blog talking about HMRC (otherwise referred to in the UK as "the taxman"), but a colleague just forwarded me a phishing email he'd just received purporting to be from them, asking him to resubmit his personal details as a "new security measure". While in itself there's nothing particularly big or clever about this attack, it's interesting in that it illustrates a couple of key things. Firstly, that sometimes in order for an attack to be successful, timing is everything...
  Thu, 03 Jul 2008 21:30:00 +0200
Please join us in welcoming two more RSA Bloggers. The RSA Compliance Solutions team (which already includes Dave Howell and Brad Davenport) has been joined by Andrew Maloney and John McDonald.

Please take advantage of the comments field to get answers to your compliance-related security queries!

  Thu, 03 Jul 2008 20:00:00 +0200
As an RSA 'Evangelist' with pan-EMEA responsibilities, I obviously take a special interest in what's happening in the information security world that pertains to this region. Last week saw the publication in the UK of the long-awaited Hannigan Report -- detailing the steps that UK Government departments have taken -- and are expected to take -- to mitigate recent data leakage events which have occurred, most notably in the instance of HMRC.

It's a cracking read and one I'd recommend to all insomniacs with a penchant for such topics, but I have to say, I'm actually pretty encouraged by what I read...

  Thu, 03 Jul 2008 19:26:29 +0200
I talk to a lot of security folks about SIEM and log management, and quite often the conversation turns to event correlation. You can spot the people who've never bought a SIEM product, because they start by saying, "Well, I want to know whenever 'x' happens, and then 'y' happens soon after". Admittedly, the situation they cite is usually a real one, and granted, if you do see 'x' and 'y' happening in reasonably quick succession then, chances are, you have a problem. But it's usually not their biggest problem -- in fact, far from it. My favorite is "the guy swiping his badge in Tokyo and then logging on in New York", which I hear time and time again...
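The "x then y soon after" rule the post describes, run over a few constructed log lines, as an added example that is not part of the original post and not the logic of any RSA product. The pipe-separated log format, the field names, the two-hour window and the sample events are all assumptions made for the illustration; a real SIEM would normalize badge and logon records from different sources before a rule like this could see them side by side.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in an assumed "timestamp|source|user|site" form.
# Bob badges in Tokyo and logs on from New York 25 minutes later (should fire);
# Alice stays in Tokyo; Carol's logon is hours later, outside the window.
SAMPLE_LOG = """\
2008-07-03T08:55:00|badge|alice|Tokyo
2008-07-03T09:02:00|logon|alice|Tokyo
2008-07-03T09:10:00|badge|bob|Tokyo
2008-07-03T09:35:00|logon|bob|New York
2008-07-03T11:00:00|badge|carol|New York
2008-07-03T17:30:00|logon|carol|Tokyo
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str  # e.g. "badge" or "logon"
    user: str
    site: str


def parse_events(text):
    """Parse the assumed log format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, source, user, site = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), source, user, site))
    return sorted(events, key=lambda e: e.ts)


def correlate(events, first, second, window, match):
    """Generic sequence rule: a `first` event followed, for the same user and
    within `window`, by a `second` event for which match(x, y) holds.

    Returns the list of (x, y) pairs that fire the rule. Events must be in
    time order; `pending` holds each user's recent `first` events and is
    pruned as `second` events arrive, so memory stays bounded by the window.
    """
    pending = defaultdict(list)
    hits = []
    for ev in events:
        if ev.source == first:
            pending[ev.user].append(ev)
        elif ev.source == second:
            recent = [x for x in pending[ev.user] if ev.ts - x.ts <= window]
            pending[ev.user] = recent
            for x in recent:
                if match(x, ev):
                    hits.append((x, ev))
    return hits


def impossible_travel(events, window=timedelta(hours=2)):
    """The post's example: badge swipe at one site, logon at another soon after."""
    return correlate(events, "badge", "logon", window,
                     lambda x, y: x.site != y.site)


if __name__ == "__main__":
    for badge, logon in impossible_travel(parse_events(SAMPLE_LOG)):
        print(f"{logon.user}: badged {badge.site} {badge.ts:%H:%M}, "
              f"logged on {logon.site} {logon.ts:%H:%M}")
```

Note how little the rule catches once the window is enforced: only Bob fires, while Carol's Tokyo logon six and a half hours after her New York badge swipe does not. That bounded window is exactly what keeps a naive "x then y" rule from drowning an analyst, and it is also why such a rule misses anything slower than the window.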
  Tue, 01 Jul 2008 02:00:00 +0200
Many of the merchants I speak with are sharply focused on addressing specific PCI security requirements. While implementing the controls needed to meet the requirements is absolutely critical, I can't stress enough the importance of taking time to aim before firing.

It's no secret that PCI compliance is focused on securing cardholder data and infrastructure. Simply put, you can't secure what you don't manage and you can't manage what you don't know about. Before you go looking for all instances of cardholder data, you must be prepared to find more than expected.

Most merchants are aware of the cardholder data in their database(s). But what about payment applications or payment portals that temporarily store the data? Or customer service reps e-mailing credit card information to confirm or dispute an order?...

  Mon, 30 Jun 2008 02:00:00 +0200
Click to Download/Listen (07:04)

The fear of data leakage through loss, theft or careless use of USB flash drives is rising dramatically throughout the enterprise. This week we discuss the problem and potential solutions with Dror Todress, Senior Manager, Marketing, for SanDisk Corporation’s Enterprise Division, an RSA Secured Partner.

So earlier this year, again in my past life as an analyst, I spoke to a bunch of users, vendors and experts hoping to get some best practices about creating a Security Operations Center (SOC). For Forrester customers, I published my findings here.

To be honest, I originally came at this piece of research as a way to define the place of a SIEM product in a SOC, so I diligently asked everyone I interviewed what technologies they thought were central to a security operations function. The answers I got were pretty unexpected, and normally started with the phrase "Technology? Oh that's an afterthought."

When we think of a SOC, we often have this picture of a big room, full of people in rows staring at a big screen up front, with monitors in front of them...

  Wed, 25 Jun 2008 02:00:00 +0200
Please join us in welcoming a new set of RSA Bloggers. The RSA Compliance Solutions team--including Dave Howell and Brad Davenport--will be penning a set of blog entries for "Speaking of Security" around the theme of Simplified Compliance. Please take advantage of the comments field to get answers to your compliance-related security queries!
  Wed, 25 Jun 2008 02:00:00 +0200
As part of the RSA Compliance Solutions team I meet with companies all over the world to discuss their security challenges and priorities. Inevitably I spend much of my time discussing ... you guessed it ... compliance.

It is eye-opening to see how differently our customers and partners, as well as folks within RSA, define compliance. From what I've seen, most will immediately gravitate towards the notion of meeting the stated or implied security requirements within governmental mandates, such as Sarbanes-Oxley and HIPAA. In addition, "compliance" certainly conjures up images of the PCI Data Security Standard, which isn't surprising considering how many organizations these requirements impact. What we don't tend to see initially is a broader view of compliance...

  Tue, 24 Jun 2008 02:00:00 +0200
I met with a merchant this morning to talk PCI compliance. Like many of the conversations I've had with merchants, things got a bit more interesting when the discussion focused on cardholder data protection. They joked that the new rev of the PCI Standard, version 1.2 -- due out in October -- would eliminate the data protection requirements. All joking aside, the truth is that data protection isn't going anywhere when it comes to the PCI DSS. While there are other alternatives, such as hashed indexes, truncation and...
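An added example, not code from the original posts or from any RSA product, serving two of the entries above: the one about finding cardholder data in places merchants don't expect (payment applications that temporarily store it, customer service reps e-mailing card numbers), and this one's mention of truncation and hashed indexes as ways of holding something other than the full PAN. The scanner below pulls Luhn-valid card-number candidates out of free text, then shows the PCI-style truncated form (first six and last four) and a keyed-hash index. The sample text, the HMAC key and the helper names are assumptions; the card numbers are the standard public test numbers, not real accounts.

```python
import hashlib
import hmac
import re

# Constructed sample text standing in for a CSR mailbox or a payment
# application's temp store. 4111... and 5500... are public test numbers;
# the 13-digit order reference and the "...1112" string both fail Luhn.
SAMPLE_TEXT = """\
From: csr@example.com
Subject: order 1234 dispute
Customer card 4111 1111 1111 1111 exp 09/10, please confirm.
Order ref 1234567890123 is not a card number.
Second card: 5500-0000-0000-0004.
Bogus digits 4111 1111 1111 1112 should not be flagged.
"""

# Candidate: an unbroken run of 13-19 digits, optionally separated by
# single spaces or dashes; lookarounds stop us matching the middle of a
# longer digit run.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits):
    """Luhn check digit validation; filters most phone/order numbers out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid candidate PANs found in text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def truncate_pan(pan):
    """Truncation: PCI DSS allows at most the first six and last four in clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_index(pan, key):
    """Keyed hash usable as a lookup index without storing the PAN.

    A plain SHA-256 of a 16-digit number is brute-forceable (the prefix is
    the issuer's BIN and the last digit is a checksum), so the key must be
    managed like any other cryptographic key.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    key = b"example-index-key-from-a-key-manager"   # assumption: supplied by a KMS
    for pan in find_pans(SAMPLE_TEXT):
        print(truncate_pan(pan), pan_index(pan, key)[:16] + "...")
```

The regex plus Luhn pairing is the usual discovery trade-off: the regex alone would flag the order reference, and Luhn alone would miss nothing but also check nothing unless something first decides which digit runs to test. Any hit still needs a human or a context rule (expiry date nearby, field name) before it is treated as cardholder data.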
  Mon, 23 Jun 2008 02:00:00 +0200

Click to Download/Listen (12:39)

Both Gartner and Forrester, two of the leading independent technology and market research firms, recently evaluated data loss prevention (or DLP) vendors in their annual reports on this market. RSA's Data Loss Prevention Suite was named as a leader by both of these firms. Paul Joyal talks about these reports with Tom Corn, Vice President of Products for RSA's Data Security Group. And we continue with another giveaway for Podcast Listener Appreciation Month for all responders to our Authentication Poll! Listen to this week's podcast for the secret word!

  Thu, 19 Jun 2008 02:00:00 +0200
Morning all, Welcome to my new blog, where I'll be musing upon the weird and occasionally fascinating world of security information and event management (SIEM). Before we start, though, people might have a few questions that I'll try to answer right now.

Didn't you used to be an analyst? Yep, I used to cover the SIEM space for Forrester, as well as a bunch of data security and architecture topics. However, all good things must come to an end - I was certainly approaching the end of my shelf life in that world. It was a privilege, though, as I got to spend a huge amount of time talking to people about their security priorities and looking at how that translated into requirements for new tools and ways of doing things. Now I get to help turn these conversations and ideas into something tangible...

  Mon, 16 Jun 2008 02:00:00 +0200
Click to Download/Listen (05:48)

Last week's headline: "RSA, The Security Division of EMC, Expands Identity Assurance Portfolio with Flexible Card-Shaped Authenticator to Provide Convenient Online Security" is the topic of this week's interview with RSA's Rachael Stockton. And we continue with another giveaway for Podcast Listener Appreciation Month for all responders to our Authentication Poll! Listen to this week's podcast for the secret word!

  Mon, 09 Jun 2008 02:00:00 +0200
Click to Download/Listen (08:24)

We continue June with another giveaway for Podcast Listener Appreciation Month! Listen all month long for chances to WIN fabulous prizes... Details are in the podcast for this week's contest. In this episode, Matt Buckley interviews one of our new Speaking of Security Bloggers, Paul Stamp, formerly of Forrester Research who is now a Senior Manager, Product Marketing, in RSA's Information and Event Management Group. Speaking of SIEM, RSA is positioned in the Leaders quadrant within Gartner's Q1 2008 Magic Quadrant for SIEM.

  Fri, 06 Jun 2008 19:22:32 +0200
So the weekend is approaching and you decide to go to the movies. If you are like me, you probably check your trusted source for movie reviews and then think twice about going if the review is less than favorable. In the IT industry, the opinions of Forrester and other lead analysts carry even greater weight in the eyes of customers than Siskel and Ebert in their heyday. So, we are very pleased indeed to see the June 2008 Forrester Wave™: Data Leak Prevention, Q2 2008 which cited RSA as a leader in the Data Loss Prevention (DLP) product category with our RSA DLP Suite. Some highlights from the report include...
  Fri, 06 Jun 2008 02:00:00 +0200
I've just returned from EMC's annual user conference, EMC World. The attendance at the PCI sessions and the related discussion between many of the 9,000 customers and partners in attendance really underscored the progress that's being made with respect to cardholder data security. One of the issues that came up in nearly every conversation I had, in some form or another, was: "What does PCI compliance really mean?" This question brings up two very important concepts....
  Mon, 02 Jun 2008 02:00:00 +0200
Click to Download/Listen (08:24)

June is Podcast Listener Appreciation Month! Listen all month long for chances to WIN fabulous prizes... Details are in the podcast for this week's contest. This episode also includes an encryption Q&A with Rich Mogull, founder of Securosis.com and formerly of Gartner. Earlier this week he presented "How Encryption and Key Management Solutions Fit into an Overall Information Risk Management Strategy" during part 1 of a 2-part RSA web seminar series on encryption. Watch the full replay here and/or sign up for next week's part 2 here.

  Thu, 29 May 2008 02:00:00 +0200
We often swallow ideas that we needn't or shouldn't. Take the onetime urging of nutritionists to substitute margarine for butter in the cause of cardiovascular health. When this advice was first circulating, most margarines contained high quantities of trans fats, concoctions that have turned out to be so harmful - to the heart, among other things - that they are now banned in restaurants in NYC. Similar dogma applies to the advice to drink eight eight-ounce glasses of water a day for overall good health. Everyone knows the advice. But no one seems to know where the 8x8 rule comes from or if it is good or bad. So what pieces of conventional wisdom in computer security are like margarine and the 8x8 water doctrine? I'd hold forth password expiration as a prime candidate.
  Mon, 26 May 2008 02:00:00 +0200
Click to Download/Listen (07:13)

Paul Joyal interviews RSA's Rachael Stockton and Phil Darringer about how the RSA SecurID software token for BlackBerry and other mobile and portable devices can be used to authenticate to network and online resources. For more information on this technology, visit www.rsa.com and/or download our solution brief, "RSA SecurID® Authentication Solutions for BlackBerry® Devices."

Today's hearing on the security of the United States' critical infrastructure was as spirited a Congressional hearing on cyber security issues as I have seen during my career, and it's clear that key Members of Congress from both political parties are running out of patience and want to see cyber vulnerabilities taken more seriously immediately, in the bulk power industry in particular. In a scathing opening statement, U.S. Representative Jim Langevin (D-RI), Chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science & Technology, said that "I think we could search far and wide and not find a more disorganized, ineffective response to an issue of national security."...
  Tue, 20 May 2008 02:00:00 +0200
Click to Play

A Framework-Based Approach to Regulatory Compliance

In Speaking of Security's 105th security podcast we talk to Dave Howell, Senior Manager Solutions Marketing, about how organizations are turning to a framework-based approach to manage ever-expanding and overlapping regulatory requirements.

The United Kingdom's Information Commissioner's Office received new authority to levy fines on organizations that "deliberately" or "recklessly" violate the U.K.'s "Data Protection Act", or DPA, of 1998. In a little noticed amendment to the Criminal Justice and Immigration Act of 2008, the 1998 DPA was updated to enable the Information Commissioner to impose serious fines on organizations. This change in the UK's data protection law was spurred by a string of high-profile breaches of personally-identifiable information in the U.K. over the last year, including the large-scale data breach at Her Majesty's Revenue and Customs agency...
  Tue, 13 May 2008 02:00:00 +0200
It was another great RSA Conference this year, with interesting workshops, great exhibitor activity, informative sessions and lots of time to network with customers, partners and fellow employees. My flight was cancelled on Sunday, so I missed the Concordia Workshop on Monday, but the Liberty Alliance Workshop was very interesting. Geisinger Health System had a very nice presentation on how they are using federation to provide improved information to health care providers to improve patient care, particularly in emergency room visits. RSA also made a number of exciting announcements...
  Mon, 12 May 2008 02:00:00 +0200
Click to Listen/Download (10:14)

Paul Joyal interviews the President of Corporate Integrity, Michael Rasmussen, about "Developing a Sustainable and Cost Effective IT Compliance Program." For the companion white paper, click here. Other RSA resources on this approach can be found at www.rsa.com/compliance.

  Mon, 05 May 2008 02:00:00 +0200
Click to Play

EMC PowerPath Encryption with RSA

Happy Cinco de Mayo and welcome to the latest Speaking of Security video podcast. Today Host Paul Joyal speaks with Colin Bailey of EMC and Katie Curtin-Mestre of RSA, The Security Division of EMC, about this new scalable solution that leverages RSA Key Manager for the Datacenter.

Kevin Bowers is a Research Scientist at RSA Laboratories. Here are his views on the controversy surrounding REAL ID. What do you think?


I'm getting married this summer and my family will be traveling to the wedding. In order to make the trip, my parents recently renewed their passports. Not because I'm getting married at an exotic destination, but because they live in Montana and have to fly to the wedding. Like several other states, Montana has refused to comply with the requirements of the REAL ID Act of 2005. The Department of Homeland Security (DHS) had threatened to prevent residents from those states from using their state-issued driver's licenses as identification at airport security, effective May 11th. As it happens, the DHS recently granted all states an extension to the May 11th deadline, allowing them additional time to become REAL ID compliant.
  Mon, 28 Apr 2008 02:00:00 +0200
Click to listen or download (6:39)

Paul Joyal interviews RSA's Paul Davilman on What is Sarbanes-Oxley & How is it Applicable to IT Security? For additional information on SOX and IT Security, read more here.

As I mentioned in a blog post in late October 2007, the IT industry and other stakeholders have been calling for the U.S. Congress to pass legislation that would help empower law enforcement to more effectively investigate and prosecute cyber criminals -- while updating penalties in U.S. criminal code so that the punishment fits the crime. It's stunning to me that the Congress has not yet sent legislation to the President for his signature to address this important issue...
  Tue, 22 Apr 2008 02:00:00 +0200
Click here to download/listen (11:23).

In a recent RSA Web Seminar, Juniper Networks' Smitha Murthy and RSA's John Masotta discussed the benefits of an SSL VPN and how best to secure its access with strong authentication. Hear a snippet in this week's podcast or check out the entire replay of the event.

  Mon, 21 Apr 2008 02:00:00 +0200
Today (the date I'm writing this entry) is my birthday. Birthdays are a time of quiet contemplation for me (and quiet desperation for my mother). As I think about the past year and the progress I've made (things are looking good for my long-term goal of spending my old age miserable and alone), I keep thinking of change and how people and things advance. The past year has shown much progress. Women have rejected me, technology products have been launched, iPhones were purchased and even the world of financial crime has not been silent. The Rock Phish group is a phishing gang believed to be based out of Russia -- and, by some accounts, is responsible for roughly 50% of phishing attacks by volume...
  Thu, 17 Apr 2008 02:00:00 +0200
I have been attending RSA Conferences since early this decade. The U.S. version of the Conference has been around since 1991 and it's grown from 50 attendees (all cryptologists) to around 17,000 participants annually from the private and public sectors including security professionals, business executives, lawyers, academics, privacy advocates, regulators, and journalists. For the first-time attendee it can be absolutely overwhelming because there are so many speakers, so many issues, so many events during the week, and if you go to the show floor, literally hundreds of organizations showing their wares.

Well, being a veteran RSA Conference attendee, I thought I was ready for another busy but ultimately manageable week despite the multiple commitments and responsibilities that I had to balance. Well, that theory was turned on its head, starting on Sunday...

  Wed, 16 Apr 2008 02:00:00 +0200
Click to Play

The Challenges of Identity Assurance with Marc Gaffan

In Speaking of Security's blockbuster 100th security podcast we talk to Marc Gaffan, Director Product Marketing, about Identity Assurance and its importance to enterprise-level security and compliance.

Yesterday at the RSA Conference Art Coviello addressed how security fears have stifled innovation at organizations large and small around the world. IDG Research reports that 80 percent of IT, security, and business executives surveyed admit that their organizations have shied away from business innovation opportunities because of information security concerns.

RSA is committed to countering this trend by starting an industry-wide conversation about smart ways to manage information risk. As we mentioned in yesterday's blog posting, we were able to pick the brains of 10 top security executives from global enterprises in a variety of industries and get THEIR suggestions. But we'd like to hear from you...

His keynote will begin at 11:30 AM. Let us know if you're going to be there and leave us your impressions.
  Tue, 08 Apr 2008 02:00:00 +0200
This morning Art Coviello, Executive Vice President, EMC Corporation and President, RSA, The Security Division of EMC, gave his yearly keynote at the RSA Conference in San Francisco. Art uses this venue each year to present a "state of the industry"--reviewing major security developments--and to share his ideas on where security is going in the coming year.

Here is a transcript of the talk: http://www.rsa.com/innovation/docs/coviellokeynote2008.pdf

It's a good read, with a lot of interesting insights...

  Mon, 31 Mar 2008 02:00:00 +0200
Click here to download/listen (11:15).

Part 2: Paul Joyal speaks with award-winning USA Today journalists, Byron Acohido and Jon Swartz. They are the co-authors of Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity, which is scheduled for an April 2008 release. Byron and Jon talk about the inspiration for their book and more in part two of this two-part interview. See Byron, Jon and Paul next week at the RSA® Conference 2008; registrations are still being accepted!

While RSA, The Security Division of EMC has evolved into a broad organization focusing on Information-Centric Security through Information Risk Management, securing Virtual Private Networks (VPNs) is still a significant portion of our business. The main use case for RSA SecurID, in its various forms, continues to be supporting the needs of the mobile workforce. As organizations mature, they are now extending beyond the VPN power user to additional (and often very large) populations ...
  Mon, 24 Mar 2008 01:00:00 +0100
Click here to download/listen (10:35).

Part 1: Paul Joyal speaks with award-winning USA Today journalists, Byron Acohido and Jon Swartz. They are the co-authors of Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity, which is scheduled for an April 2008 release. Byron and Jon talk about the inspiration for their book, the state of cybercrime, and more in part one of this two-part interview. Tune in next week for part two!

