Blog Details for "RSA Security Blog: A Blog for Security Professiona"
The RSA Security Blog, Speaking of Security, features a group of experts, each of whom has knowledge and interest in different areas of the industry: research, developer solutions, engineering and government policy. A Security Blog for anyone seriou
Articles
Should Employees Carry So Much of the Heavy Burden of Security?
2007-08-15 02:00:00 Over the past year we have witnessed a significant increase in the number of data breach incidents due to mistakes by internal employees at many respected companies. These incidents run the gamut from missing or stolen laptops to vanishing BlackBerrys and disappearing USB drives. The typical response from companies that have suffered these sorts of breaches is: "Our policy prohibits employees from putting unencrypted sensitive company information on laptops, PDAs, and other devices." While you will get no argument from me that this is a good policy, how much of the responsibility for ensuring this policy is followed as intended should really fall on the employee's shoulders? Is it really possible to expect employees to be educated enough about such policies to always do the right thing?...
Speaking of Security Podcast #72
2007-08-13 19:00:00 (Running time: 09:24.) Last week RSA, The Security Division of EMC, announced its intent to acquire Tablus Inc., a leading provider of data loss prevention solutions based in San Mateo, California. This acquisition should significantly expand RSA's Data Security Strategy, adding key technologies to help discover, classify and protect sensitive information. Tom Corn, Vice President of Products for RSA's Data Security Group, tells us more. And the RSA Web Seminar Series presents "Combining Network Access Control (NAC) and Strong Authentication" with technology partner Juniper Networks. Listen to a preview of what you could learn during this event on August 15 or on the replay.
The Return on Investment for Securing Information
2007-08-13 02:00:00 There have been quite a few blogs written about the Return on Investment (ROI) of security. Amrit Williams has several links in his recent discussion of the topic. This reminds me of some work that I did with BearingPoint on the ROI of a Services-Oriented Architecture (SOA), a similarly challenging area in which to quantify value. The framework we used for justification involved underlying business initiatives, traditional ROI metrics and overall strategic drivers. The difficulty in quantifying a business initiative, like extending services through new distribution channels via federation, may be relatively low. Quantifying traditional ROI metrics, on the other hand, may range in difficulty. The value of risk reduction may be more amorphous...
Summer School on Trusted Infrastructure
2007-08-07 06:00:00 One of many examples of the broader research opportunity RSA now has as part of EMC (as I described in my podcast on my new role) is this month's 1st Asia-Pacific Summer School on Trusted Infrastructure Technologies, which will be held in Guangdong, China. Dr. Wenbo Mao, who recently joined EMC to lead our new research center in Beijing, and his team have put together an excellent international program. Just as significant is the emphasis they've placed on providing sponsorships so that top students can attend...
Speaking of Security Podcast #71
2007-08-06 06:00:00 (Running time: 06:06.) Listen to how Bank of the West, the second largest bank based in California, has met the FFIEC guidance for providing multi-factor authentication to help further protect bank customers, their funds and personal information when banking online. The combination of deploying behind-the-scenes protection as well as visible site-to-user authentication is designed to provide strong security that involves bank customers in a user-friendly way, reassures them and boosts their confidence online, while not hindering their banking experience. Paul Joyal talks to CIO Donald Duggan about this initiative.
Speaking of Security Podcast #70
2007-07-30 06:00:00 (Running time: 10:15.) October's RSA Conference Europe promises to be bigger and better than ever! In this podcast we talk with two of the conference's movers and shakers from RSA's U.K. headquarters. And we also welcome our newest Speaking of Security Blogger, Sean Kline, and learn some of his thoughts for the RSA blog and what security topics he plans to tackle.
New Blogs on RSA Conference site
2007-07-27 06:00:00 Take a moment to review the new blog available over at RSA Conference. Recently hired Tim M. Mather, Chief Security Strategist, RSA Conference, offers his insights into the business of security, including mergers and acquisitions. TechDirt, a well-respected technology blog, is posing an interesting question: "Will Security Software Mergers and Acquisition Continue?" To me, the simple answer is 'yes'.
Speaking of Security Podcast #69
2007-07-24 06:00:00 (Running time: 10:55.) Speaking of Security Blogger, Shannon Kellogg, interviews Hord Tipton, former CIO of the U.S. Department of Interior. Hord shares a bit about how he led the reorganization and development of the Department's IT infrastructure across eight major bureaus and how his focus moved more and more toward information security initiatives.
Phish and Foul
2007-07-20 06:00:00 "Phishing," as you probably know, is a form of online con game. Users are lured by e-mail messages to legitimate-seeming but criminal sites (typically falsified versions of their real banking sites) and encouraged to enter password information. Having harvested this information, the operators of the criminal sites use it to break into victims' accounts. (As the term suggests, most "phishing" e-mail goes wide of the mark, arriving as spam unconnected with the recipient's bank. A phishing expedition, though, can be profitable with only a few successes.) The remedies offered by the security community are numerous. Most prevalent are various types of red flags...
Out of the Box
2007-07-19 06:00:00 I went on a date the other night. She was a "set-up" from a new acquaintance at the office who did not know me well enough not to set me up on dates. So here I am sitting across from this blonde beauty, in a tapas bar, and she is gorgeous: her soft golden tresses frame a pale heart-shaped face and her curves are paralleled only by the desperately bored look in her glazed ice-blue eyes, through her drooping eye-lids. Now I'm as socially astute as anyone who has ever written network device drivers...
Managing Security Event Information
2007-07-16 12:21:00 Recently EMCer Chuck Hollis addressed the challenges of managing and mining event data from network devices. "A while ago, I opined that IMSPs (information management service providers) might be hampered by corporate information security mandates. At the time, I had started to meet customers who wouldn't consider using a service provider for backup, archiving, etc. simply because they (or their security officer) couldn't get over the idea of sending their important information to a third party for safekeeping. Since then, the tide seems to have turned. I see more and more customers who are actively pursuing strategies to move more and more of the information management burden to specialized service providers. I guess they're getting more comfortable with the security provisions of these offerings..."
Speaking of Security Podcast #68
2007-07-16 11:00:00 (Running time: 11:01.) The Speaking of Security Podcast is back and offers an in-depth interview with Senior Product Marketing Manager, Jens Hinrichsen, regarding the evolution of phishing attacks. Big upticks of spear phishing and "man-in-the-middle" attacks. Also discusses the difference between Phishing and Crimeware/Malware. For more, check out the monthly RSA Online Fraud Intelligence Report.
Convergence of Access and Information Policies
2007-07-10 06:00:00 It has been a year since EMC announced its acquisition of RSA and it is very interesting to observe how our worldview has evolved. While we were not the first to report the deterioration of perimeters as a means to protect information, the industry still appears to operate in a very segmented fashion. I spoke at the Network Applications Consortium Spring Conference and there was great industry participation and discussion around Enterprise Authorization Management. The model that most people described at the conference still segments authentication from authorization and does not tend to talk about policy on the information itself...
Will the recent cyber attacks on Estonia be a wake up call for European and
2007-07-02 06:00:00 Will the recent cyber attacks on Estonia be a wake up call for European and U.S. leaders? According to a Reuters story on Friday, June 30th, the answer is apparently yes – at least on the other side of the Atlantic Ocean. What about the U.S.?
Speaking of Security Podcast #67
2007-06-25 06:00:00 (Running time: 08:35.) We end our listener appreciation month with a discussion with Michael Farnum, a Security Engineer with Accuvant and prolific security blogger: An Information Security Place and for Computerworld. He talks about how performing a security assessment is like a trip to the dentist, about how educational organizations deal with security, and what he thinks are the hot issues in security for the second half of 2007. Please note that your Speaking of Security podcast team will be on hiatus for the next two weeks. Tune in on July 16 for our next edition. In the meantime, tell us what you think by taking our short survey.
REAL ID continues to have 'real' challenges
2007-06-18 06:00:00 I have been meaning to write something about "REAL ID" for a while now, so will attempt to provide an update on what's happening with this initiative and some additional food for thought. What is REAL ID you say? Well, for those of you who haven't managed to hear about this identity card mandate, it started with the 9/11 Commission's recommendations (Recommendation #14 in fact) and became a matter of law in 2005 as the "REAL ID Act." The authors of the 9/11 recommendation and the subsequent legislation all were ostensibly aiming for the same thing: preventing the use of a fraudulent driver's license by terrorists through the development of safeguards that would help prevent tampering and use of such a document for false identification -- and that would also enable more effective and trustworthy authentication of individuals for purposes such as boarding a plane...
Speaking of Security Podcast #66
2007-06-18 02:00:00 (Running time: 12:19.) RSA's annual Wireless Survey Results are in: "Wireless security highest in London; but one-fifth of business networks remain unsecured in all surveyed cities". Learn more from RSA Product Marketing Manager, John Masotta. And we share an excerpt from one of our popular past podcasts: an interview with "The Security Career Guy," Mike Murray. We also invite listeners to complete a short survey as part of Speaking of Security Podcast Listener Appreciation Month for a chance to win a $100 American Express Gift Card (Official Contest Rules).



