
RSA Security Blog: A Blog for Security Professiona

The RSA Security Blog, Speaking of Security, features a group of experts, each of whom has knowledge and interest in different areas of the industry: research, developer solutions, engineering and government policy. A Security Blog for anyone seriou

Articles

The 5 'P's of Security and Compliance
2008-10-24 02:00:00
I have the good fortune to be able to talk to a lot of different customers about their security and compliance efforts, and in the process I learn a lot about what works and what doesn't. I also have the benefit of over 27 years’ experience in the IT industry, which means I've seen (and yes, made) pretty much every kind of mistake that can happen. But the one thing that always strikes me the hardest is that we keep making the most basic mistake over and over again, and, as you would expect, the results are inevitably the same. The mistake I'm referring to is ignoring the 5 'P's - Proper Planning Prevents Poor Performance...
More About: Security, Compliance
The Lingua Franca of Information Security
2008-10-24 02:00:00
Working across the EMEA region and being employed by an American-headquartered company, I’m fortunate (and occasionally unfortunate!) to encounter the many cultural differences which unite and divide us. Today for example, I’m speaking at our EMC Forum in Moscow, earlier in the week I was in Sweden, and just last week I was with customers and colleagues in the somewhat sunnier climes of Dubai. It’s interesting then to note what changes, but perhaps more importantly the many more things that stay the same as you talk information security strategy throughout the region...
More About: Security, Information, Information Security
Speaking of Security Podcast #125
2008-10-20 17:52:00
Click to Download/Listen (07:52) On Monday, October 13 RSA, The Security Division of EMC, released the results of a new insider threat survey. The survey shows that employees are well aware of the restrictions placed upon them by their corporate IT departments, yet many often work around these controls in order to get their jobs done. RSA VP, Sam Curry, digs deeper into the issue in our latest podcast.
More About: Podcast, Speaking
The High Cost of Being Wrong: Why Data Detection Matters
2008-10-20 10:00:00
Imagine you see a car stopped on some train tracks, and you hear a train coming. How do you react? Do you ignore the sound of the train, thinking it won’t hit the car? In that same vein, not having an accurate data loss prevention (DLP) solution in place within your organization is akin to standing by and watching that train wreck about to happen – all while pretending you can’t see what’s going on even though the train’s horn is blaring. In my ten years of experience in the search and categorization space, I can tell you that the risk of a DLP software policy allowing false negatives, when sensitive documents are missed by the policy and considered safe, is potentially extremely costly to a company...
More About: Data, Cost, High, Detection, Wrong
DHS Secretary Chertoff discusses cyber security, highlights supply chain se
2008-10-20 02:00:00
I had not seen the Secretary of Homeland Security, Michael Chertoff, speak on cyber security issues at a public forum since he keynoted the industry-wide RSA Conference in April 2008, so I decided to attend a forum at the U.S. Chamber of Commerce on Tuesday, October 15th where he was scheduled to keynote. Titled “Enhancing Cyber Security as Part of Enterprise Risk Management Planning” and held as part of a series of National Cyber Security Awareness Month events, Secretary Chertoff addressed the group of mostly business community attendees to highlight what he dubbed as “one of the most important initiatives that we have ever undertaken as a department or country”...
More About: Highlights, Supply Chain, Chain
Halloween Came a Little Early...
2008-10-16 02:00:00
Halloween came a little early for Rob Enderle. Is he right to be very, very afraid..? Rob Enderle recently attended an EMC conference where, among the speakers, he heard from Uri Rivner regarding the growing sophistication–and mass-production capabilities—of the online fraud industry. In his excellent piece in Dark Reading on the subject entitled “How RSA/EMC Scared Me Half to Death”, Rob admitted to being more than a little scared by what he heard. And among his fears is that, in these tight economic times, companies will not make the investments needed to ensure that they and their customers are secure against these increasingly robust threats...
More About: Early, Halloween
Infinite Diversity in Infinite Combinations
2008-10-16 02:00:00
Followers of Star Trek might have noticed the small IDIC symbol Mr. Spock wore in events requiring official Vulcan dress code. IDIC stands for “Infinite Diversity in Infinite Combinations”, a remarkable philosophy in spite of its pop origins and an enduring legacy of the late Mr. Roddenberry. Hello folks: my name is Sam. My first anniversary at RSA just passed, and it seemed like as good a time as any to plunge into the security blog-o-sphere. I sit in a unique position within RSA: in the middle of the customers, the partners, the markets and the technology. In the course of the last year, I’ve met with hundreds of people with whom we do business, with whom we do science and with whom we look to change the way the world works. And, let me tell you this: things are becoming more complex...
Uncommon Assurance With Common Criteria
2008-10-15 02:00:00
Corporations spend millions of dollars in getting their products Common Criteria-certified. It is a validation of being tested per an international security evaluation standard for meeting stated security claims. Yet, the claims made by companies are not mandated to be at rigorous security levels by the Common Criteria standard — it merely advocates thorough testing.
More About: Uncommon
Product Assurance is Top-of-Mind and SAFECode is Making Progress
2008-10-14 02:00:00
If you are working on information assurance issues and walking the halls of government buildings, you can't go anywhere these days — whether in Washington, D.C. or London, England — and not hear about the importance of "software assurance" or "product assurance". Government buyers nearly everywhere are insisting on more secure products and some level of assurance that the software or hardware that you are selling them is secure. And, of course, they should be doing that.
More About: Product, Mind, Progress
"Catch Me, Yes YOU Can": Realized Threats at the Corner Store
2008-10-10 02:00:00
I just returned from the Payment Card Industry's 2008 Members Council Meeting in Orlando, Florida. We had a blast despite the mood being somewhat dampened as a result of the uncertainty of the global financial markets (heartfelt thanks to those wise souls who've been living outside of their means and taking undue personal and commercial financial risk...). Anyhew, I met so many interesting people from both merchants and from the card brands like Visa, MasterCard, American Express, Discover & JCB International Co., Ltd.
More About: Store, Corner, Catch, Threats, The Corner
North America Recap
2008-10-10 02:00:00
I was one of the 650 attendees at the recent annual North American PCI Community Meeting. Held at the Omni Champions Gate resort in Orlando, it was great to speak with many of the merchants, banks and service providers in attendance about the challenges they are facing.
More About: North America, Recap
NERC Critical Infrastructure Protection Will Always Change with the Evoluti
2008-10-10 02:00:00
As Stewart Brand once said "Once a new technology rolls over you, if you're not part of the steamroller, you're part of the road". I think this quote describes perfectly the role in which IT departments are playing in implementing security programs, specifically those attributed to the NERC Cyber Security Standards...
More About: Change, Infrastructure, Critical
New case study on RSA enVision
2008-10-09 02:00:00
The Institute of Applied Network Security released a case study on the implementation of RSA enVision at the Depository Trust Clearing Corporation (DTCC). DTCC is an organization that acts as the back end for Wall Street, processing $1.8 quadrillion in securities transactions in 2007, and thus an essential component in our economy.
More About: Study, Case, Envision
Trick or Treat
2008-10-09 02:00:00
October's here, and you can't escape the coming onslaught of Halloween. Children (and quite a few adults) dressed up as vampires, ghosts, goblins and other scary creatures, going around asking people for treats and threatening them with tricks if they don't provide them. A cynical person might boil it down to a combination of scare tactics and extortion. So what does this have to do with IT security and compliance? Unfortunately, the way security and compliance professionals have traditionally gone about obtaining funds and resources for tools and projects necessary to do their jobs all too closely parallels what happens on Halloween. We frequently use scare tactics such as new threats (the trick) to get management to cough up the funding and resources (the treats) we need to accomplish what we view as our jobs...
More About: Trick, Treat
Speaking of Security Podcast #124
2008-10-07 02:00:00
Art Coviello on Security for Innovation. Speaking of Security co-host, Amanda VanVeen, introduces a new video featuring RSA President, Art Coviello. Art covers new IDC research on the topic of security and business innovation. Forward-thinking security leaders are driving tighter linkages between innovation goals and security strategies.
More About: Podcast
Perimeter-centric Regulations in an Information-centric World
2008-10-07 02:00:00
Last week I took a trip out to our Executive Briefing Centre in Cork, Ireland. I was there to present to senior IT folk from pretty much all of the UK’s Police Forces as part of a two-day agenda that had been lined up for them by my colleagues from many of EMC’s lines-of-business. I guess there are few other organisations where the lines between physical and virtual security are brought so sharply into focus than in one where you are dealing – first-hand – with criminals in the way that our police officers must every day of their working lives. During our conversations we mused on various aspects of keeping information secure in such a fluid and volatile environment...
More About: Information, World, Regulations
RSA Offers new Insights into Security and Innovation
2008-10-01 02:00:00
Today RSA, The Security Division of EMC, released the latest research and insights from IDC and the Security for Business Innovation Council on the relationship – and disconnect – between security and business innovation. The IDC report centers on the fact that 80 percent of organizations worldwide confirm that security fears are indeed responsible for stifling business innovation. IDC also found that although 80 percent of CEOs believe their security teams are being held formally accountable for their contributions to business growth and innovation, only 44 percent of security leaders believe they are being measured on their contributions to innovation. This finding points to a surprising lack of alignment between the expectations of C-level management and the priorities of security professionals...
More About: Offers, Insights
Be careful what hand you play, and when you play it
2008-10-01 02:00:00
Yet another analogy from the credit crunch shows us security folks that even if we changed jobs we probably wouldn't be able to escape our frustrations. The executive branch is currently trying to win over Congress and convince them to hand over a large sum of money, or else something really bad is going to happen. This is a situation I'm sure many security folks have found themselves in, albeit under less extreme circumstances. The people with the check books seldom know anything about what you're doing. Congress is full of politicians, not economists or experts on the banking system. They need to rely on their gut feeling to do the right thing. Same thing with your management, so it's up to you to guide them towards the right decision -- in their language...
More About: Play, Hand, Careful
Gov. Palin, Yahoo! Email and Security—A Call To Action?
2008-09-30 02:00:00
The McCain-Palin campaign has offered a rather muted response to the Yahoo! email account breach of Gov. Palin, and so far, the grand jury has opted not to indict the hacker. Is this the end to this sordid tale? Not quite. I believe that the average citizen has been left with a myriad of questions as to the security in as basic a utility as free email. What’s going on? “Rubico”, as the hacker called himself, used an automated password recovery tool where he was asked fairly simple questions to identify himself as Gov. Palin [birthday, zip code, etc.]. Rubico found answers to these within 45 minutes on Google and Wikipedia! Wow! Is it really that easy to hack into email or messaging services that the common person uses globally?...
More About: Security, Email, Action, Call
The Virtues and Dangers of Security and Compliance
2008-09-29 02:00:00
Last week I made a flying visit to NYC to appear on a panel at Interop with John Pironti of Getronics, Khalid Kark of Forrester, Jennifer Mack of the PCI Standards Council and Jim Routh of DTCC. The subject was "Security By Compliance - A Discussion of Information Risk Management's Greatest Challenge".
Speaking of Security Podcast #123
2008-09-29 02:00:00
Click to Download/Listen (07:03) Recent updates to the Fair and Accurate Credit Transactions Act (FACTA) of 2003 mandate that U.S. financial institutions and creditors must comply with the Identity Theft Red Flag provisions by November 1, 2008. Amanda Van Veen speaks with EMC's resident FACTA expert, Dennis Mayer from EMC Consulting about the upcoming deadline and what it means to those who must comply.
More About: Security, Podcast, Speaking
Massachusetts issues new rules for businesses to protect personally identif
2008-09-25 02:00:00
As reported in the Boston Globe on September 23rd, the Massachusetts Office of Consumer Affairs and Business Regulation issued regulations earlier this week that will place new requirements on businesses to safeguard personally-identifiable information (PII)...
More About: Issues, Rules, Businesses
Google Moves to 3rd Party Processing - The eCrime equivalent
2008-09-24 02:00:00
The numbers behind Google's processing are staggering. Indexing over one trillion URLs, the Internet search giant reported in January that it processes 20 Petabytes of data per day. Turns out a Petabyte is 1000 Terabytes. So Google processes over 20,000 Terabytes of data per day. Supporting all of this impossibly massive data crunching is a huge network of proprietary servers and custom made storage. It's the mythical Google grid. Google conceals the exact nature of the grid; it's one of their trade secrets. So, what if I told you Google is abandoning its mythical, proprietary, custom-made processing and storage grid, and is moving to an off-the-shelf third party processing platform? Any boffin would have choked on this scoop. OK, relax. Google isn't ditching its proprietary grid. But its eCrime equivalent is certainly doing exactly that.
More About: Party, Moves
Speaking of Security Podcast #122
2008-09-22 22:00:00
Click to Download/Listen (06:29) Paul Joyal welcomes back Linda Lynch, RSA® Conference Europe Manager, to talk about the session highlights for the upcoming conference from October 27-29. The early bird registration deadline is fast approaching on September 26. Learn more or register today: www.rsaconference.com/2008/europe.
More About: Security, Podcast, Speaking
The Semantics of Identity Assurance
2008-09-22 21:36:00
Identity Assurance was a hot topic at DigitalIDWorld this year, but as with many terms (such as policy or governance), it means different things to different people. According to the Liberty Alliance Project, “Identity” is “A unique name for single person” [sic] and “Assurance level” is “A degree of certainty that a claimant has presented a credential that refers to the claimant’s identity.” The Identity Assurance Expert Group (IAEG)’s goal is to “provide public and private sector organizations with a uniform means of relying on digital credentials...
More About: Identity
Bank Employees become Phish Bait?
2008-09-22 02:00:00
What a week it was in the financial markets! With Lehman Brothers filing for bankruptcy, and Barclays subsequently buying up some of the assets; with Merrill Lynch finding a safe harbour at Bank Of America; and then, closer to home (for me at least) the merger of two of the biggest UK retail banks, HBOS and LloydsTSB. During this coming period, it is a reasonably safe bet that we may be in for a flurry of phishing attacks targeting the customers of these institutions using ruses like share “windfalls” and the like to tempt individuals into disclosing their credentials. However, in this blog, that’s not what I want to talk about. The implications for the employees of these organisations are, of course, also huge, and the degree of uncertainty and change that will ensue for a period of time will provide ample opportunity for the criminal fraternity to exploit....
More About: Employees, Phish
The Buzzword Bandwagon: Lessons learned from a user conference
2008-09-16 02:00:00
Last week I was at a conference where security folks get together and vent their spleens about the problems they're facing. On day one, us vendors weren't allowed near the place, but on day two we got to pitch our products to potential buyers, and they got to shoot arrows at us. The highlight of the day for me, though, was the roundtable discussion on log management and SIEM. Different people in the room talked about some of their experiences with log management and SIEM – some were very positive, others not so much. Either way, though, what struck me was the disparity between what people wanted to do with their SIEM products, and what they were actually managing to do...
More About: User, Buzzword, Lessons, Conference, Learned
Breaking Down the Walls of Compliance Challenges
2008-09-16 02:00:00
Compliance, Compliance, Compliance. It’s the word that’s on everybody’s lips in the security industry these days. Companies of all shapes & sizes are spending big bucks to ensure compliance, but what are they trying to be compliant to? Regulatory issues, legal issues, internal policies & procedures or all of the above??? Unfortunately, trying to be compliant in any of these areas brings challenges but there are some ways to make it a little easier...
More About: Breaking, Compliance, Walls
A World Becoming "Data Retentive"
2008-09-16 02:00:00
I’ve recently been looking at the implications of the second phase of the EU Data Retention Directive which will shortly be coming into force: as well as requiring telcos to keep call logs of who we called and when, ISPs will also now be required to keep logs of when we logged on and from where. Let’s leave the debate on whether all this logging is an invasion of our privacy or not – and whether that compromise of our personal freedom is justified in the global war on terror – for another time. For now, let’s just have a think about all that log data sitting around, waiting to be called upon...
More About: World
Speaking of Security Podcast #121
2008-09-15 02:00:00
Click to Download/Listen (05:48) RSA's reseller community is part of the RSA SecurWorld program. In order to help these channel partners become better trained in our solutions and products, RSA hosts several conferences throughout the year. Listen in to find out how your reseller works hard to become your trusted advisor for IT security.
More About: Security, Podcast, Speaking