RSA Security Blog: A Blog for Security Professionals

The RSA Security Blog, Speaking of Security, features a group of experts, each of whom has knowledge and interest in different areas of the industry: research, developer solutions, engineering and government policy. A Security Blog for anyone seriou

Articles
RSA Offers new Insights into Security and Innovation
2008-10-01 02:00:00 Today RSA, The Security Division of EMC, released the latest research and insights from IDC and the Security for Business Innovation Council on the relationship – and disconnect – between security and business innovation. The IDC report centers on the fact that 80 percent of organizations worldwide confirm that security fears are indeed responsible for stifling business innovation. IDC also found that although 80 percent of CEOs believe their security teams are being held formally accountable for their contributions to business growth and innovation, only 44 percent of security leaders believe they are being measured on their contributions to innovation. This finding points to a surprising lack of alignment between the expectations of C-level management and the priorities of security professionals...
Be careful what hand you play, and when you play it
2008-10-01 02:00:00 Yet another analogy from the credit crunch shows us security folks that even if we changed jobs we probably wouldn't be able to escape our frustrations. The executive branch is currently trying to win over Congress and convince them to hand over a large sum of money, or else something really bad is going to happen. This is a situation I'm sure many security folks have found themselves in, albeit under less extreme circumstances. The people with the check books seldom know anything about what you're doing. Congress is full of politicians, not economists or experts on the banking system. They need to rely on their gut feeling to do the right thing. Same thing with your management, so it's up to you to guide them towards the right decision -- in their language...
Gov. Palin, Yahoo! Email and Security—A Call To Action?
2008-09-30 02:00:00 The McCain-Palin campaign has offered a rather muted response to the Yahoo! email account breach of Gov. Palin, and so far, the grand jury has opted not to indict the hacker. Is this the end to this sordid tale? Not quite. I believe that the average citizen has been left with a myriad of questions as to the security in as basic a utility as free email. What’s going on? “Rubico”, as the hacker called himself, used an automated password recovery tool where he was asked fairly simple questions to identify himself as Gov. Palin [birthday, zip code, etc.]. Rubico found answers to these within 45 minutes on Google and Wikipedia! Wow! Is it really that easy to hack into email or messaging services that the common person uses globally?...
The Virtues and Dangers of Security and Compliance
2008-09-29 02:00:00 Last week I made a flying visit to NYC to appear on a panel at Interop with John Pironti of Getronics, Khalid Kark of Forrester, Jennifer Mack of the PCI Standards Council and Jim Routh of DTCC. The subject was "Security By Compliance - A Discussion of Information Risk Management's Greatest Challenge".
Speaking of Security Podcast #123
2008-09-29 02:00:00 Click to Download/Listen (07:03) Recent updates to the Fair and Accurate Credit Transactions Act (FACTA) of 2003 mandate that U.S. financial institutions and creditors must comply with the Identity Theft Red Flag provisions by November 1, 2008. Amanda Van Veen speaks with EMC's resident FACTA expert, Dennis Mayer from EMC Consulting about the upcoming deadline and what it means to those who must comply.
Massachusetts issues new rules for businesses to protect personally identif
2008-09-25 02:00:00 As reported in the Boston Globe on September 23rd, the Massachusetts Office of Consumer Affairs and Business Regulation issued regulations earlier this week that will place new requirements on businesses to safeguard personally-identifiable information (PII)...
Google Moves to 3rd Party Processing - The eCrime equivalent
2008-09-24 02:00:00 The numbers behind Google's processing are staggering. Indexing over one trillion URLs, the Internet search giant reported in January that it processes 20 Petabytes of data per day. Turns out a Petabyte is 1000 Terabytes. So Google processes over 20,000 Terabytes of data per day. Supporting all of this impossibly massive data crunching is a huge network of proprietary servers and custom made storage. It's the mythical Google grid. Google conceals the exact nature of the grid; it's one of their trade secrets. So, what if I told you Google is abandoning its mythical, proprietary, custom-made processing and storage grid, and is moving to an off-the-shelf third party processing platform? Any boffin would have choked on this scoop. OK, relax. Google isn't ditching its proprietary grid. But its eCrime equivalent is certainly doing exactly that.
Speaking of Security Podcast #122
2008-09-22 22:00:00 Click to Download/Listen (06:29) Paul Joyal welcomes back Linda Lynch, RSA® Conference Europe Manager, to talk about the session highlights for the upcoming conference from October 27-29. The early bird registration deadline is fast approaching on September 26. Learn more or register today: www.rsaconference.com/2008/europe.
The Semantics of Identity Assurance
2008-09-22 21:36:00 Identity Assurance was a hot topic at DigitalIDWorld this year, but as with many terms (such as policy or governance), it means different things to different people. According to the Liberty Alliance Project, “Identity” is “A unique name for single person” [sic] and “Assurance level” is “A degree of certainty that a claimant has presented a credential that refers to the claimant’s identity.” The Identity Assurance Expert Group (IAEG)’s goal is to “provide public and private sector organizations with a uniform means of relying on digital credentials...
Bank Employees become Phish Bait?
2008-09-22 02:00:00 What a week it was in the financial markets! With Lehman Brothers filing for bankruptcy, and Barclays subsequently buying up some of the assets; with Merrill Lynch finding a safe harbour at Bank Of America; and then, closer to home (for me at least) the merger of two of the biggest UK retail banks, HBOS and LloydsTSB. During this coming period, it is a reasonably safe bet that we may be in for a flurry of phishing attacks targeting the customers of these institutions using ruses like share “windfalls” and the like to tempt individuals into disclosing their credentials. However, in this blog, that’s not what I want to talk about. The implications for the employees of these organisations are, of course, also huge, and the degree of uncertainty and change that will ensue for a period of time will provide ample opportunity for the criminal fraternity to exploit...
The Buzzword Bandwagon: Lessons learned from a user conference
2008-09-16 02:00:00 Last week I was at a conference where security folks get together and vent their spleens about the problems they're facing. On day one, us vendors weren't allowed near the place, but on day two we got to pitch our products to potential buyers, and they got to shoot arrows at us. The highlight of the day for me, though, was the roundtable discussion on log management and SIEM. Different people in the room talked about some of their experiences with log management and SIEM – some were very positive, others not so much. Either way, though, what struck me was the disparity between what people wanted to do with their SIEM products, and what they were actually managing to do...
A World Becoming "Data Retentive"
2008-09-16 02:00:00 I’ve recently been looking at the implications of the second phase of the EU Data Retention Directive which will shortly be coming into force: as well as requiring telcos to keep call logs of who we called and when, ISPs will also now be required to keep logs of when we logged on and from where. Let’s leave the debate on whether all this logging is an invasion of our privacy or not – and whether that compromise of our personal freedom is justified in the global war on terror – for another time. For now, let’s just have a think about all that log data sitting around, waiting to be called upon...
Breaking Down the Walls of Compliance Challenges
2008-09-16 02:00:00 Compliance, Compliance, Compliance. It’s the word that’s on everybody’s lips in the security industry these days. Companies of all shapes & sizes are spending big bucks to ensure compliance, but what are they trying to be compliant to? Regulatory issues, legal issues, internal policies & procedures or all of the above??? Unfortunately, trying to be compliant in any of these areas brings challenges but there are some ways to make it a little easier...
Speaking of Security Podcast #121
2008-09-15 02:00:00 Click to Download/Listen (05:48) RSA's reseller community is part of the RSA SecurWorld program. In order to help these channel partners become better trained in our solutions and products, RSA hosts several conferences throughout the year. Listen in to find out how your reseller works hard to become your trusted advisor for IT security.
Security and Virtualization
2008-09-12 02:00:00 As part of my various duties here at RSA, I get the privilege of speaking with customers on a regular basis about how they can implement an Information Risk Management strategy. One of the most frequently asked questions that follow this discussion is: “how does this process change when I start to virtualize my environment?” So in this guest blog post, I thought I’d answer this question and talk a little about RSA’s collaboration with VMware for securing their virtual infrastructure solutions. Before we get to security implications, we should start with a basic discussion of what virtualization does to the overall information infrastructure...
RSA enVision and the Security Operations Center
2008-09-11 02:00:00 Last week I did a podcast with Glenn Williamson of Canadian MSSP Cyberclix. I put forward what I thought a SOC ought to look like, and then Glenn talked about some of the things he and his team were doing with RSA enVision in his SOC. We've had some good feedback on the event, and if anyone missed it, it's available here.
PCI vs. SEPA - Friend or Foe?
2008-09-11 02:00:00 I’ve just attended a PCI special interest group meeting for the payments community in Europe, run by one of the key trade associations in that industry over here, Vendorcom. It was an interesting session with a number of different presentations from various vendors, QSAs and a special guest, the Head of IS Governance and Security from one of the UK’s top five retailers on their path to PCI compliance...
Speaking of Security Podcast #120
2008-09-09 02:00:00 What's New with PCI. Speaking of Security co-host, Paul Joyal, discusses the latest developments in the Payment Card Industry data security standards with Brad Davenport, Compliance and Solutions Marketing Manager at RSA.
When there's something strange in the neighborhood, who you gonna call?
2008-09-08 16:00:00 A commentary about the casual hack, phreaking, pretexting, and a new thing called CPNI. So, a company that I met with had a problem. This was not a ginormous problem itself, but rather it was an awakening to a new threat that had not emerged as public enemy number one before. Its employees. It so happens that this company has the best security that King Arthur could buy, but it's not being used right and someone thought it would be pretty clever to crash a database server and see what would happen. Or did they? Or was it the computer playing a practical joke? HAL, anyone? It turns out this company handles sensitive information about its customers, and yet they don't know WHO DONE IT or WHY?...
PCI Doesn't Scare one FSI
2008-09-08 02:00:00 While in Australia last week, I had lunch with the risk and compliance manager from a large financial institution. We had a lively discussion centered on compliance (I know, most people don't find compliance that exciting, but this was the right group for this conversation!) Early in the conversation, the topic of the PCI Data Security Standard arose. This entity is beginning to look at the Standard's implications, and, based on reactions I've seen from other customers, I expected to hear a lot of frustration and annoyance. But, I asked the question anyway: "So, are you concerned about having to deal with the PCI requirements?"...
What's Going on Between Asprox and Rock Phish?
2008-09-04 02:00:00 When a small phishing gang decides to upgrade its infrastructure, it is often done in a quick and dirty fashion. The transition is almost immediate, and often buggy and unprofessional. But what happens when a gang on the scale of the Rock Phish group decides to abandon its old methods and upgrade its botnet infrastructure? It is done slowly, smoothly but most importantly -- professionally. The RSA FraudAction Research Labs recently gathered information that indicates major changes in the tactics employed by the Rock Phish gang. We have reason to believe that the gang is replacing its phishing infrastructure, and upgrading it to an advanced Fast-Flux botnet. We also believe that this new infrastructure belongs to none other than the infamous Asprox Botnet, which has recently been spreading itself using surges of SQL injection attacks...
Southeast Asia: Perspectives on Compliance
2008-09-03 02:00:00 This past weekend, I left Southeast Asia after a week-long trip to Bangkok, Singapore and Manila. The week was spent in back-to-back meetings with customers and our local sales teams, and the majority of our discussions centered on PCI DSS and compliance in general. One clear takeaway: Compliance is one of THE growing areas of concern for businesses in the region. I found the degree to which customers in the region were concerned about compliance to be a bit of a surprise. I say 'surprise' because I often hear that compliance isn't as much of an issue outside of the U.S. From what we're seeing, though, the regulatory environment in non-U.S. geos, including Southeast Asia, is becoming more complicated...
Planning for a new year
2008-09-03 02:00:00 October is creeping up on us, and for most of us that means the beginning of the end of 2008, along with the nagging feeling that we should be doing some planning for 2009. This is the perfect opportunity to take stock of your security and compliance programs, and to develop a plan for improving things next year. If you've been following our various blogs here at RSA you probably realize by now that we espouse a security and compliance program based on three core pillars: it's information-centric, risk-driven and framework-based. Our compliance team has spoken with hundreds of customers from all over the world and in every industry segment this year, and we're finding that this approach is gaining acceptance at an ever-increasing rate. Organizations are realizing that they need to discover, manage and control their information assets in order to protect them...
ISO 27001 Adoption Poll Results are In
2008-08-28 11:00:00 So, several weeks ago I wrote a piece discussing the "long road to ISO 27001" adoption. A question posed to readers at the end of the piece: "How far off are we from the point at which ISO 27001 certifications in the U.S. are standard operating procedure for businesses -- the exception, rather than the rule?" Well, the results are in! Our servers nearly crashed thanks to the influx of responses, but, fortunately, that wasn't the case. Here are the results...
If there were gold medals for Data Leakage...
2008-08-28 02:00:00 I've just returned from my summer vacation, somewhat foolishly deciding to spend it under canvas in the south-west of the UK and expecting to get good weather. If my tent had leaked as badly in the last couple of weeks as data seems to have been leaking in the UK during the same period, I'd be in need of an aqualung by now! If it were an Olympic sport, Britain would have beaten China for pole position in the medals table! It all started with the loss of a memory stick by a UK Government contractor which contained somewhere around 120,000 records, including the details of 10,000 of our nation's most serious criminals. We then heard about a compromise at global hotel chain Best Western...
Speaking of Security Podcast #119
2008-08-25 02:00:00 Click to Download/Listen (06:46) Paul Davilman from RSA’s Compliance and Solutions team sits down with Amanda Van Veen to talk about the North American Electric Reliability Corporation (NERC) Cyber Security Standards and how these standards will impact IT security in the utility industries. Please note that due to the U.S. Labor Day holiday, we'll be back in two weeks (on September 8) with a new show.
Information risk management, and lessons-learned in the financial industry
2008-08-19 02:00:00 Last week's Economist had a good article entitled "Confessions of a Risk Manager", in which a risk manager from a global bank uses 20-20 hindsight to look at "what went wrong" in the lead-up to the credit crunch and the ensuing fallout. I won't pretend to understand all the ins and outs of financial derivatives, but there were some points raised that anyone in the IT security space can identify with...
PCI Compliance: Reaction to the Summary of Changes
2008-08-19 02:00:00 On August 18 the PCI Security Standards Council formally announced (http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf) forthcoming changes to the Payment Card Industry's Data Security Standard (PCI DSS) as it moves from version 1.1 to version 1.2 in October 2008. The release represents the first major update since September 2006. What's my take on the summary of changes? Most merchants will be pleased to see that these are relatively minor changes...
Speaking of Security Podcast #118
2008-08-18 02:00:00 Click to Download/Listen (11:27) This week, Amanda Van Veen speaks with analyst Rod Nelsestuen from the TowerGroup. Rod covers key issues affecting several financial industry segments including emerging markets and trends, security, and risk management matters and in this segment, talks with Amanda about the evolution of business continuity planning and security’s increasing role.
Addressing NERC Cyber Security Standards Using a Frameworks-Based Approach
2008-08-13 02:00:00 Although the NERC Cyber-Security Standards (http://www.nerc.com/files/CIP-002-1.pdf) are applicable only in the US, I think there's no doubt that cyber security is fast becoming a major concern of electric utility companies worldwide. In addition, other US critical infrastructure industry segments, such as water and chemical companies are also coming under increasing federal pressure to improve their own cyber-security efforts. Still, the NERC Cyber-Security standards have been criticized for being too ambiguous, providing little in the way of guidance, as well as for leaving loopholes for utility companies to beat the rules...