
RSA Security Blog: A Blog for Security Professiona

The RSA Security Blog, Speaking of Security, features a group of experts, each of whom has knowledge and interest in different areas of the industry: research, developer solutions, engineering and government policy. A Security Blog for anyone seriou

Articles

Security and Virtualization
2008-09-12 02:00:00
As part of my various duties here at RSA, I get the privilege of speaking with customers on a regular basis about how they can implement an Information Risk Management strategy. One of the most frequently asked questions that follow this discussion is: “how does this process change when I start to virtualize my environment?” So in this guest blog post, I thought I’d answer this question and talk a little about RSA’s collaboration with VMware for securing their virtual infrastructure solutions. Before we get to security implications, we should start with a basic discussion of what virtualization does to the overall information infrastructure...
More About: Security, Virtualization
RSA enVision and the Security Operations Center
2008-09-11 02:00:00
Last week I did a podcast with Glenn Williamson of Canadian MSSP Cyberclix. I put forward what I thought a SOC ought to look like, and then Glenn talked about some of the things he and his team were doing with RSA enVision in his SOC. We've had some good feedback on the event, and if anyone missed it, it's available here.
More About: Security, Center, Envision
PCI vs. SEPA - Friend or Foe?
2008-09-11 02:00:00
I’ve just attended a PCI special interest group meeting for the payments community in Europe, run by one of the key trade associations in that industry over here, Vendorcom. It was an interesting session with a number of different presentations from various vendors, QSAs and a special guest, the Head of IS Governance and Security from one of the UK’s top five retailers on their path to PCI compliance...
More About: Friend, Friend or Foe
Speaking of Security Podcast #120
2008-09-09 02:00:00
What's New with PCI. Speaking of Security co-host Paul Joyal discusses the latest developments in the Payment Card Industry data security standards with Brad Davenport, Compliance and Solutions Marketing Manager at RSA.
More About: Podcast
When there's something strange in the neighborhood, who you gonna call?
2008-09-08 16:00:00
A commentary about the casual hack, phreaking, pretexting, and a new thing called CPNI. So, a company that I met with had a problem. This was not a ginormous problem itself, but rather it was an awakening to a new threat that had not emerged as public enemy number one before. Its employees. It so happens that this company has the best security that King Arthur could buy, but it's not being used right and someone thought it would be pretty clever to crash a database server and see what would happen. Or did they? Or was it the computer playing a practical joke? HAL, anyone? It turns out this company handles sensitive information about its customers, and yet they don't know WHO DONE IT or WHY?...
More About: Strange, Call, Neighborhood, Gonna
PCI Doesn't Scare one FSI
2008-09-08 02:00:00
While in Australia last week, I had lunch with the risk and compliance manager from a large financial institution. We had a lively discussion centered on compliance (I know, most people don't find compliance that exciting, but this was the right group for this conversation!) Early in the conversation, the topic of the PCI Data Security Standard arose. This entity is beginning to look at the Standard's implications, and, based on reactions I've seen from other customers, I expected to hear a lot of frustration and annoyance. But, I asked the question anyway: "So, are you concerned about having to deal with the PCI requirements?"...
What's Going on Between Asprox and Rock Phish?
2008-09-04 02:00:00
When a small phishing gang decides to upgrade its infrastructure, it is often done in a quick and dirty fashion. The transition is almost immediate, and often buggy and unprofessional. But what happens when a gang on the scale of the Rock Phish group decides to abandon its old methods and upgrade its botnet infrastructure? It is done slowly, smoothly but most importantly -- professionally. The RSA FraudAction Research Labs recently gathered information that indicates major changes in the tactics employed by the Rock Phish gang. We have reason to believe that the gang is replacing its phishing infrastructure, and upgrading it to an advanced Fast-Flux botnet. We also believe that this new infrastructure belongs to none other than the infamous Asprox Botnet, which has recently been spreading itself using surges of SQL injection attacks...
Planning for a new year
2008-09-03 02:00:00
October is creeping up on us, and for most of us that means the beginning of the end of 2008, along with the nagging feeling that we should be doing some planning for 2009. This is the perfect opportunity to take stock of your security and compliance programs, and to develop a plan for improving things next year. If you've been following our various blogs here at RSA you probably realize by now that we espouse a security and compliance program based on three core pillars: it's information-centric, risk-driven and framework-based. Our compliance team has spoken with hundreds of customers from all over the world and in every industry segment this year, and we're finding that this approach is gaining acceptance at an ever-increasing rate. Organizations are realizing that they need to discover, manage and control their information assets in order to protect them...
More About: New Year, Planning, Year
Southeast Asia: Perspectives on Compliance
2008-09-03 02:00:00
This past weekend, I left Southeast Asia after a week-long trip to Bangkok, Singapore and Manila. The week was spent in back-to-back meetings with customers and our local sales teams, and the majority of our discussions centered on PCI DSS and compliance in general. One clear takeaway: Compliance is one of THE growing areas of concern for businesses in the region. I found the degree to which customers in the region were concerned about compliance to be a bit of a surprise. I say 'surprise' because I often hear that compliance isn't as much of an issue outside of the U.S. From what we're seeing, though, the regulatory environment in non-U.S. geos, including Southeast Asia, is becoming more complicated...
More About: Perspectives
ISO 27001 Adoption Poll Results are In
2008-08-28 11:00:00
So, several weeks ago I wrote a piece discussing the "long road to ISO 27001" adoption. A question posed to readers at the end of the piece: "How far off are we from the point at which ISO 27001 certifications in the U.S. are standard operating procedure for businesses -- the exception, rather than the rule?" Well, the results are in! Our servers nearly crashed thanks to the influx of responses, but, fortunately, that wasn't the case. Here are the results...
More About: Adoption, Results, Poll
If there were gold medals for Data Leakage...
2008-08-28 02:00:00
I've just returned from my summer vacation, somewhat foolishly deciding to spend it under canvas in the south-west of the UK and expecting to get good weather. If my tent had leaked as badly in the last couple of weeks as data seems to have been leaking in the UK during the same period, I'd be in need of an aqualung by now! If it were an Olympic sport, Britain would have beaten China for pole position in the medals table! It all started with the loss of a memory stick by a UK Government contractor which contained somewhere around 120,000 records, including the details of 10,000 of our nation's most serious criminals. We then heard about a compromise at global hotel chain Best Western...
More About: Gold, Data
Speaking of Security Podcast #119
2008-08-25 02:00:00
Download/Listen (06:46). Paul Davilman from RSA’s Compliance and Solutions team sits down with Amanda Van Veen to talk about the North American Electric Reliability Corporation (NERC) Cyber Security Standards and how these standards will impact IT security in the utility industries. Please note that due to the U.S. Labor Day holiday, we'll be back in two weeks (on September 8) with a new show.
More About: Podcast, Speaking
Information risk management, and lessons-learned in the financial industry
2008-08-19 02:00:00
Last week's Economist had a good article entitled "Confessions of a Risk Manager", in which a risk manager from a global bank uses 20-20 hindsight to look at "what went wrong" in the lead-up to the credit crunch and the ensuing fallout. I won't pretend to understand all the ins and outs of financial derivatives, but there were some points raised that anyone in the IT security space can identify with...
More About: Information, Industry, Management, Risk Management, Financial
PCI Compliance: Reaction to the Summary of Changes
2008-08-19 02:00:00
On August 18 the PCI Security Standards Council formally announced (http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf) forthcoming changes to the Payment Card Industry's Data Security Standard (PCI DSS) as it moves from version 1.1 to version 1.2 in October 2008. The release represents the first major update since September 2006. What's my take on the summary of changes? Most merchants will be pleased to see that these are relatively minor changes...
More About: Compliance, Summary, Reaction
Speaking of Security Podcast #118
2008-08-18 02:00:00
Download/Listen (11:27). This week, Amanda Van Veen speaks with analyst Rod Nelsestuen from the TowerGroup. Rod covers key issues affecting several financial industry segments, including emerging markets and trends, security, and risk management matters; in this segment, he talks with Amanda about the evolution of business continuity planning and security’s increasing role.
More About: Security, Podcast, Speaking
Addressing NERC Cyber Security Standards Using a Frameworks-Based Approach
2008-08-13 02:00:00
Although the NERC Cyber-Security Standards (http://www.nerc.com/files/CIP-002-1.pdf) are applicable only in the US, I think there's no doubt that cyber security is fast becoming a major concern of electric utility companies worldwide. In addition, other US critical infrastructure industry segments, such as water and chemical companies, are also coming under increasing federal pressure to improve their own cyber-security efforts. Still, the NERC Cyber-Security standards have been criticized for being too ambiguous, providing little in the way of guidance, as well as for leaving loopholes for utility companies to beat the rules...
More About: Frameworks
Speaking of Security Podcast #117
2008-08-11 02:00:00
Download/Listen (07:47). In a recent RSA Web Seminar focused on the new FACTA Identity Red Flags provisions, industry analyst Ken Herbert of Frost & Sullivan explained what financial institutions or creditors need to know about the upcoming November 1 FACTA deadline and provided some key recommendations for complying with the regulation. In this week's podcast, we'll share some of the questions and answers from this online event. To learn more, watch the entire webcast replay.
More About: Security, Podcast, Speaking
Proactive Education: Remedying the 'Strain' of Compliance
2008-08-08 02:00:00
A recent survey confirmed that internal threats continue to grow and to represent a challenge to organizations' security postures. It revealed that, in scans of 100,000 PCs and servers in many industries: 12% of infected computers had a missing or disabled anti-virus program, 10.7% had unauthorized personal storage such as USB sticks or external hard drives, 9.1% had unauthorized peer-to-peer (P2P) applications installed, 8.5% had a missing 3rd party desktop agent, 2.6% had unprotected shared folders, 2.2% had unauthorized remote control software, and 2% had missing Microsoft service packs. These results continue to resonate with the conclusions of the CSI FBI survey that reported in 2007 that internal threats have now outpaced viruses in terms of risk to organizations...
More About: Education, Strain, Proactive, Compliance
What's Hot and What's Not in Europe This Year...
2008-08-07 02:00:00
Europe is a hotbed of cutting-edge fashion. But why am I telling you guys this? You work in the Information Security business -- the kind of business that draws out the fashionista in all of us... And I guess that's one of the issues with what, in relative terms, is still a pretty young industry: every "season" we eagerly anticipate the new "line" from the next greatest new discovery. That said, I do think that we're definitely starting to see signs of maturity in the market -- of the emergence of "design classics"...
More About: Europe, Year
Get in the habit of asking: "Is this your biggest issue?"
2008-08-07 02:00:00
In previous lives, both as a talking head and implementation guy, I'd get some pretty in-depth questions about subtle security issues -- usually as a result of something someone had read was a "best practice". Sometimes questions were about specific configuration settings for an OS or obscure firewall ports, other times it was a question about some arcane encryption algorithm or key length. Usually, I'd respond by asking, "Is this the biggest issue you have?" Common examples include...
More About: Issue, Habit
PCI Compliance: Book 'Em!
2008-08-06 15:00:00
On August 5, 2008, federal law enforcement officials announced the indictment of 11 people charged with stealing and selling more than 41 million credit and debit card numbers from nine major US companies. "This is the single largest and most complex identity theft case ever charged in this country," said US Attorney General Michael Mukasey. According to officials, the defendants -- three from the United States, one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin -- tapped into wireless networks and installed programs that captured card numbers, passwords and account information. The stolen data was then hidden around the globe and sold for profit. This event reflects a growing trend in cyber crime...
More About: Book, Compliance
Speaking of Security Podcast #116
2008-08-06 02:00:00
The Importance of Strong Authentication for Business Continuity. New Speaking of Security co-host Amanda VanVeen meets with Jeff Carpenter, Senior Product Marketing Manager at RSA, to discuss how the latest release of RSA Authentication Manager supports organizations focusing on business continuity. When natural or man-made disasters hit, it's important that employees be able to quickly and easily access network resources, but it's equally important to know just who those new remote workers are.
More About: Podcast
PCI Compliance? Let's Talk!
2008-07-31 19:35:00
During a meeting with an RSA customer earlier this week, I was asked a very detailed and pointed question about my interpretation of requirement 3.4. Specifically, the customer was using encryption to render PANs unreadable and wanted to know if their algorithm was indeed classified as "strong cryptography." Really, the customer was interested in making sure this particular encryption algorithm would pass their upcoming PCI audit. While I was happy to voice my opinion, I stressed the critical importance of open and honest communication when it comes to passing an audit and successful PCI compliance in general...
More About: Talk, Compliance
"Off the Peg" Authentication can lead to an ill-fitting suit
2008-07-31 02:00:00
I was interested to read in the papers here that the UK's Association of Private Client Investment Managers and Stockbrokers (Apcims) has raised concerns about changes to existing data security measures which are being imposed by the Financial Services Authority (FSA). The FSA is seeking to mandate strong authentication -- using secret questions (you know the kind of thing -- mother's maiden name, date of birth, name of your favourite Spice Girl, etc, etc) -- before brokers can get on with doing business with their clients by phone. This comes a few months after a city firm was hit with a £77k (~$150k) fine for failing to do just that. Now, ordinarily, forcing mandatory extra authentication like this you'd think is a good idea, and something that should be applauded...
More About: Authentication, Lead, Suit
At last: security metrics for the masses
2008-07-30 02:00:00
The folks at NIST have just released a Performance Measurement Guide for Information Security, which is a really good guide for creating a metrics program. Luckily, I've been in enough of a procrastinatory mood to give it the once over. My take?
More About: Metrics
Speaking of Security Podcast #115
2008-07-28 02:00:00
Download/Listen (10:36). A couple of weeks ago, Paul Joyal interviewed RSA’s Phil Marshall about Knowledge-based Authentication, or KBA. This week, we present a conversation on the same topic that Phil had with Tom Wills, Senior Analyst for Risk, Security & Fraud with Javelin Strategy and Research.
More About: Podcast, Speaking
The Latest from RSA Labs: The Keys to RFID Privacy
2008-07-25 02:00:00
Data-security vendors sometimes get tall orders from customers. Not unheard of are: "I'd like a good digital signature system... with 20-bit keys" and "I want to use one-time pads for encryption... and I need to compress them." But one of the most challenging I've heard was recently offered up by colleagues in the RFID (Radio-Frequency IDentification) industry.
More About: Privacy, Labs, Keys
Addressing Cost Issues in the Ever-Changing World of Compliance
2008-07-25 02:00:00
We keep hearing from analysts that the cost of compliance should go down each year but unfortunately our customers are telling us the exact opposite. They are continuing to get slammed by new regulations and feel compelled to implement all types of point products & solutions in order to meet immediate needs.
More About: World, Issues, Cost, Changing, Compliance
In Security & Compliance, it's all about the 'I'
2008-07-25 02:00:00
Most of us in the security trade work in a group or have a job description that contains (or in some cases, implies) the word 'information' - 'IT Security', 'Information Security', 'Office of the CIO', etc. This naming convention, while a seemingly trivial aspect of our jobs, should really be the primary driver for everything we do. Why? Because virtually everything we do has the ultimate goal of protecting some type of asset that is important to our organization, and that asset is almost always information. This basic truth can be most effectively illustrated by considering what drives the daily requirements of our work - compliance.
More About: Compliance
Is More Regulation Always the Way to Go?
2008-07-24 02:00:00
Over in the US, Senator Obama has recently been talking about his stance on cyber terrorism. While there were many interesting points in his proposals, I wanted to home in on his comments regarding the protection of national infrastructure. You don't need to be a technological genius to have figured out that computers pretty much run every aspect of our daily lives these days -- transportation networks, utilities, broadcast information... you name it. It's fair to say, then, that if you could find a way of compromising those computers you could really mess up everyone's day...
More About: Regulation
© Blog Toplist 2009