
RSA Security Blog: A Blog for Security Professiona

The RSA Security Blog, Speaking of Security, features a group of experts, each of whom has knowledge and interest in different areas of the industry: research, developer solutions, engineering and government policy. A Security Blog for anyone seriou

Articles

Planning for a new year
2008-09-03 02:00:00
October is creeping up on us, and for most of us that means the beginning of the end of 2008, along with the nagging feeling that we should be doing some planning for 2009. This is the perfect opportunity to take stock of your security and compliance programs, and to develop a plan for improving things next year. If you've been following our various blogs here at RSA you probably realize by now that we espouse a security and compliance program based on three core pillars: it's information-centric, risk-driven and framework-based. Our compliance team has spoken with hundreds of customers from all over the world and in every industry segment this year, and we're finding that this approach is gaining acceptance at an ever-increasing rate. Organizations are realizing that they need to discover, manage and control their information assets in order to protect them...
More About: New Year, Planning, Year
Southeast Asia: Perspectives on Compliance
2008-09-03 02:00:00
This past weekend, I left Southeast Asia after a week-long trip to Bangkok, Singapore and Manila. The week was spent in back-to-back meetings with customers and our local sales teams, and the majority of our discussions centered on PCI DSS and compliance in general. One clear takeaway: Compliance is one of THE growing areas of concern for businesses in the region. I found the degree to which customers in the region were concerned about compliance to be a bit of a surprise. I say 'surprise' because I often hear that compliance isn't as much of an issue outside of the U.S. From what we're seeing, though, the regulatory environment in non-U.S. geos, including Southeast Asia, is becoming more complicated...
More About: Perspectives
ISO 27001 Adoption Poll Results are In
2008-08-28 11:00:00
So, several weeks ago I wrote a piece discussing the "long road to ISO 27001" adoption. A question posed to readers at the end of the piece: "How far off are we from the point at which ISO 27001 certifications in the U.S. are standard operating procedure for businesses -- the exception, rather than the rule?" Well, the results are in! Our servers nearly crashed thanks to the influx of responses, but, fortunately, that wasn't the case. Here are the results...
More About: Adoption, Results, Poll
If there were gold medals for Data Leakage...
2008-08-28 02:00:00
I've just returned from my summer vacation, somewhat foolishly deciding to spend it under canvas in the south-west of the UK and expecting to get good weather. If my tent had leaked as badly in the last couple of weeks as data seems to have been leaking in the UK during the same period, I'd be in need of an aqualung by now! If it were an Olympic sport, Britain would have beaten China for pole position in the medals table! It all started with the loss of a memory stick by a UK Government contractor which contained somewhere around 120,000 records, including the details of 10,000 of our nation's most serious criminals. We then heard about a compromise at global hotel chain Best Western...
More About: Gold, Data
Speaking of Security Podcast #119
2008-08-25 02:00:00
(06:46) Paul Davilman from RSA’s Compliance and Solutions team sits down with Amanda Van Veen to talk about the North American Electric Reliability Corporation (NERC) Cyber Security Standards and how these standards will impact IT security in the utility industries. Please note that due to the U.S. Labor Day holiday, we'll be back in two weeks (on September 8) with a new show.
More About: Podcast, Speaking
PCI Compliance: Reaction to the Summary of Changes
2008-08-19 02:00:00
On August 18 the PCI Security Standards Council formally announced (http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf) forthcoming changes to the Payment Card Industry's Data Security Standard (PCI DSS) as it moves from version 1.1 to version 1.2 in October 2008. The release represents the first major update since September 2006. What's my take on the summary of changes? Most merchants will be pleased to see that these are relatively minor changes...
More About: Compliance, Summary, Reaction
Information risk management, and lessons-learned in the financial industry
2008-08-19 02:00:00
Last week's Economist had a good article entitled "Confessions of a Risk Manager", in which a risk manager from a global bank uses 20-20 hindsight to look at "what went wrong" in the lead-up to the credit crunch and the ensuing fallout. I won't pretend to understand all the ins and outs of financial derivatives, but there were some points raised that anyone in the IT security space can identify with...
More About: Information, Industry, Management, Risk Management, Financial
Speaking of Security Podcast #118
2008-08-18 02:00:00
(11:27) This week, Amanda Van Veen speaks with analyst Rod Nelsestuen from the TowerGroup. Rod covers key issues affecting several financial industry segments, including emerging markets and trends, security, and risk management matters, and in this segment talks with Amanda about the evolution of business continuity planning and security’s increasing role.
More About: Security, Podcast, Speaking
Addressing NERC Cyber Security Standards Using a Frameworks-Based Approach
2008-08-13 02:00:00
Although the NERC Cyber-Security Standards (http://www.nerc.com/files/CIP-002-1.pdf) are applicable only in the US, I think there's no doubt that cyber security is fast becoming a major concern of electric utility companies worldwide. In addition, other US critical infrastructure industry segments, such as water and chemical companies, are also coming under increasing federal pressure to improve their own cyber-security efforts. Still, the NERC Cyber-Security standards have been criticized for being too ambiguous, providing little in the way of guidance, as well as for leaving loopholes for utility companies to beat the rules...
More About: Frameworks
Speaking of Security Podcast #117
2008-08-11 02:00:00
(07:47) In a recent RSA Web Seminar focused on the new FACTA Identity Red Flags provisions, industry analyst Ken Herbert of Frost & Sullivan explained what financial institutions or creditors need to know about the upcoming November 1 FACTA deadline and provided some key recommendations for complying with the regulation. In this week's podcast, we'll share some of the questions and answers from this online event. To learn more, watch the entire webcast replay.
More About: Security, Podcast, Speaking
Proactive Education: Remedying the 'Strain' of Compliance
2008-08-08 02:00:00
A recent survey confirmed that internal threats continue to grow and to represent a challenge to organizations' security postures. It revealed that, in scans of 100,000 PCs and servers in many industries: 12% of infected computers had a missing or disabled anti-virus program, 10.7% had unauthorized personal storage such as USB sticks or external hard drives, 9.1% had unauthorized peer-to-peer (P2P) applications installed, 8.5% had a missing 3rd party desktop agent, 2.6% had unprotected shared folders, 2.2% had unauthorized remote control software, and 2% had missing Microsoft service packs. These results continue to resonate with the conclusions of the CSI FBI survey that reported in 2007 that internal threats have now outpaced viruses in terms of risk to organizations...
More About: Education, Strain, Proactive, Compliance
What's Hot and What's Not in Europe This Year...
2008-08-07 02:00:00
Europe is a hotbed of cutting-edge fashion. But why am I telling you guys this? You work in the Information Security business -- the kind of business that draws out the fashionista in all of us... And I guess that's one of the issues with what, in relative terms, is still a pretty young industry: every "season" we eagerly anticipate the new "line" from the next greatest new discovery. That said, I do think that we're definitely starting to see signs of maturity in the market -- of the emergence of "design classics"...
More About: Europe, Year
Get in the habit of asking: "Is this your biggest issue?"
2008-08-07 02:00:00
In previous lives, both as a talking head and implementation guy, I'd get some pretty in-depth questions about subtle security issues -- usually as a result of something someone had read was a "best practice". Sometimes questions were about specific configuration settings for an OS or obscure firewall ports, other times it was a question about some arcane encryption algorithm or key length. Usually, I'd respond by asking, "Is this the biggest issue you have?" Common examples include...
More About: Issue, Habit
PCI Compliance: Book 'Em!
2008-08-06 15:00:00
On August 5, 2008, federal law enforcement officials announced the indictment of 11 people charged with stealing and selling more than 41 million credit and debit card numbers from nine major US companies. "This is the single largest and most complex identity theft case ever charged in this country," said US Attorney General Michael Mukasey. According to officials, the defendants -- three from the United States, one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin -- tapped into wireless networks and installed programs that captured card numbers, passwords and account information. The stolen data was then hidden around the globe and sold for profit. This event reflects a growing trend in cyber crime...
More About: Book, Compliance
Speaking of Security Podcast #116
2008-08-06 02:00:00
The Importance of Strong Authentication for Business Continuity. New Speaking of Security co-host Amanda Van Veen meets with Jeff Carpenter, Senior Product Marketing Manager at RSA, to discuss how the latest release of RSA Authentication Manager supports organizations focusing on business continuity. When natural or man-made disasters hit, it's important that employees be able to quickly and easily access network resources, but it's equally important to know just who those new remote workers are.
More About: Podcast
PCI Compliance? Let's Talk!
2008-07-31 19:35:00
During a meeting with an RSA customer earlier this week, I was asked a very detailed and pointed question about my interpretation of requirement 3.4. Specifically, the customer was using encryption to render PANs unreadable and wanted to know if their algorithm was indeed classified as "strong cryptography." Really, the customer was interested in making sure this particular encryption algorithm would pass their upcoming PCI audit. While I was happy to voice my opinion, I stressed the critical importance of open and honest communication when it comes to passing an audit and successful PCI compliance in general...
More About: Talk, Compliance
"Off the Peg" Authentication can lead to an ill-fitting suit
2008-07-31 02:00:00
I was interested to read in the papers here that the UK's Association of Private Client Investment Managers and Stockbrokers (Apcims) has raised concerns about changes to existing data security measures which are being imposed by the Financial Services Authority (FSA). The FSA is seeking to mandate strong authentication -- using secret questions (you know the kind of thing -- mother's maiden name, date of birth, name of your favourite Spice Girl, etc, etc) -- before brokers can get on with doing business with their clients by phone. This comes a few months after a city firm was hit with a £77k (~$150k) fine for failing to do just that. Now, ordinarily, forcing mandatory extra authentication like this you'd think is a good idea, and something that should be applauded...
More About: Authentication, Lead, Suit
At last: security metrics for the masses
2008-07-30 02:00:00
The folks at NIST have just released a Performance Measurement Guide for Information Security, which is a really good guide for creating a metrics program. Luckily, I've been in enough of a procrastinatory mood to give it the once over. My take?
More About: Metrics
Speaking of Security Podcast #115
2008-07-28 02:00:00
(10:36) A couple of weeks ago, Paul Joyal interviewed RSA’s Phil Marshall about Knowledge-based Authentication, or KBA. This week, we present a conversation on the same topic that Phil had with Tom Wills, Senior Analyst for Risk, Security & Fraud with Javelin Strategy and Research.
More About: Podcast, Speaking
The Latest from RSA Labs: The Keys to RFID Privacy
2008-07-25 02:00:00
Data-security vendors sometimes get tall orders from customers. Not unheard of are: "I'd like a good digital signature system... with 20-bit keys" and "I want to use one-time pads for encryption... and I need to compress them." But one of the most challenging I've heard was recently offered up by colleagues in the RFID (Radio-Frequency IDentification) industry.
More About: Privacy, Labs, Keys
Addressing Cost Issues in the Ever-Changing World of Compliance
2008-07-25 02:00:00
We keep hearing from analysts that the cost of compliance should go down each year but unfortunately our customers are telling us the exact opposite. They are continuing to get slammed by new regulations and feel compelled to implement all types of point products & solutions in order to meet immediate needs.
More About: World, Issues, Cost, Changing, Compliance
In Security & Compliance, it's all about the 'I'
2008-07-25 02:00:00
Most of us in the security trade work in a group or have a job description that contains (or in some cases, implies) the word 'information' - 'IT Security', 'Information Security', 'Office of the CIO', etc. This naming convention, while a seemingly trivial aspect of our jobs, should really be the primary driver for everything we do. Why? Because virtually everything we do has the ultimate goal of protecting some type of asset that is important to our organization, and that asset is almost always information. This basic truth can be most effectively illustrated by considering what drives the daily requirements of our work - compliance.
More About: Compliance
We're Web 2.0 Crazy Here At RSA
2008-07-24 02:00:00
Notwithstanding the fine bloggery that goes on at this site (excluding yours truly of course), there's a bunch of splendid social computing activity going on here at RSA. There's no better example of this than the RSA enVision Intelligence Community. The Intelligence Community is an online community of RSA enVision customers, partners, systems engineers and product managers. It's getting quite a lot of use too, with interesting new posts around feature requests, tips and tricks and product announcements appearing every day. I was just trawling through it this morning, and I thought I'd pull out a few highlights...
More About: Crazy
The End of Neosploit?
2008-07-24 02:00:00
The first and most important thing when trying to grow a pool of malware-infected PCs is the infection stage. The goal is to infect as many users as possible, as quickly as possible -- and remain undetected for as long as possible. Neosploit is a brand that could be relied upon to solve that problem rather well. Designed to ease the infection stage, Neosploit is an infection kit which exploits numerous system vulnerabilities and infects PCs worldwide with any type of malware. Neosploit checks "candidate" PCs in order to find vulnerabilities, and once these are found, the PC will be infected with the malware of the criminal's choice. However, the RSA FraudAction Research Labs recently received information indicating that we may soon see the last of this "Neosploitation".
Is More Regulation Always the Way to Go?
2008-07-24 02:00:00
Over in the US, Senator Obama has recently been talking about his stance on Cyber terrorism. While there were many interesting points in his proposals, I wanted to home in on his comments regarding the protection of national infrastructure. You don't need to be a technological genius to have figured out that computers pretty much run every aspect of our daily lives these days -- transportation networks, utilities, broadcast information... you name it. It's fair to say, then, that if you could find a way of compromising those computers you could really mess up everyone's day....
More About: Regulation
The Long Road Towards an ISO 27001 "Tipping Point" (and a true Reader's Pol
2008-07-22 02:00:00
So, in conversations with customers of late, I've observed a steady increase in talk of plans to soon adopt ISO 27002, or active work to get the standard implemented in some fashion. This isn't necessarily surprising, particularly when you're talking with highly regulated companies or those more apt to understand information risk management, overall (e.g., those in banking, insurance and utilities, or more recently, thanks to PCI DSS, retail). Because, as I suspect most would agree (and speak up if you don't!), 27002 provides an incredibly broad and deep view into the types of security controls an organization should at least consider when building a security and information risk management program. What has certainly come as more of a surprise, though, is...
More About: Tipping Point, True, Long, Point, Road
Speaking of Security Podcast #114
2008-07-21 19:00:00
(05:51) New co-host Amanda Van Veen interviews Linda Lynch, RSA® Conference Europe Manager, about this year's Conference in October. Learn about the early bird registration special as well as other helpful travel hints and session highlights. Register today: www.rsaconference.com/2008/europe.
More About: Security, Podcast, Speaking
Reader Poll: Do you think ISO?
2008-07-21 02:00:00
A couple of weeks ago I posted on the topic of "defining compliance." One of the suggestions raised was that businesses that identify a common control framework, or combination of frameworks, may have an opportunity to significantly reduce costs and redundancies associated with their compliance program. The idea is that rather than approaching each requirement in a silo, and therefore attacking each related security requirement in isolation, it would be better to ensure that the organization is looking more horizontally at the types of security controls that must be enacted in the context of all the requirements that must be met...
More About: Reader, Poll
A new version?
2008-07-17 02:00:00
Yes folks, the PCI DSS's first major update since version 1.1 was announced in September 2006 is on the horizon. Unveiled in May by the PCI Security Standards Council, the new version, called 1.2, is due out in October. Over the past few weeks, I've received a myriad of inquiries from merchants and figured this would be a good forum to share some of them...
More About: Version
SIEM - anyone got a better name?
2008-07-15 14:30:00
So this one's been digging away at me for a while. I just think that the term "Security Information and Event Management" doesn't do the space justice. I'm not talking about the "information" vs "event" debate -- it's the "Security" part of it that I have a bit of a problem with. Log management doesn't really capture the essence of it either, as Greg Shipley pointed out in his recent Network World article, especially since we're dealing with all sorts of asset and vulnerability information too. For a start, labeling these tools solely as security tools sets expectations about what these tools are best at....


© Blog Toplist 2008