With data-mining firms harvesting personal information from online activity, privacy advocates, if not yet consumers, are alarmed, reports James Hale.
Aaron Swartz's death inspired Rep. Zoe Lofgren to want to reform the federal anti-hacking law, but some security pros worry this would sterilize a potent enforcement weapon, reports Dan Kaplan.
Are there ways to catch sophisticated malware that hides in trusted processes and services? Deb Radcliff finds out.
Health providers have pressing reasons to now embrace security, says INTEGRIS Health's John Delano. Karen Epper Hoffman reports.
There are steps security pros can take to achieve greater peace of mind with cloud implementations, reports Alan Earls.
The ever-increasing use of personal devices has tested enterprise defenses, so plans must be created to meet the challenge, reports James Hale.
Industrial control systems remain troublingly vulnerable to both internal error and outside intruders, reports Danielle Walker.
With almost daily advanced attacks, organizations of all sizes must be at the ready, according to respondents to this year's "Guarding Against a Data Breach" survey. Illena Armstrong reports.
John South joined Heartland Payment Systems when it still was reeling from a devastating breach...and it's the best career decision he's ever made. Dan Kaplan reports.
Our program profiling the winners and finalists of the 2013 SC Awards U.S., held Feb. 26 in San Francisco.
Despite the ubiquity of the Trusted Platform Module, holdups exist and adoption remains slow. Among them are issues with interoperability, considering Apple, Google and Microsoft all use different standards.
Results from our sixth-annual data breach survey are out next month, but here's a sampling of what's to come from our study of budgets, hiring practices, security solutions and more.
PayPal's Andy Steingruebl knows security is not an insular task. By looking outside of its own walls, the company has taken the fight to the enemy, and helped everyone else in the process.
The United States has established itself as a major force in a new era of combat, but what repercussions do state-sponsored actions in cyber space have on all of us?
Rodney Dangerfield couldn't get any respect, and neither can CISOs, who still struggle for recognition within the C-suite. But ignore them at your own risk, says Deven Bhatt, CISO for WEX.
Compliance brings with it the stigma of cost, complexity and confusion, but viewing it from a risk point-of-view may help make it more tolerable.
Cloud computing still is trying to overcome the trust and reliability issues that has made it a questionable proposition for many organizations.
For those organizations at risk to a nation-state attack, preparation should come with the expectation of compromise, as well as knowledge that the damage can be mitigated.
A group of prominent security professionals forecast the most significant industry shifts in 2013. Greg Masters compiles the responses.
The threats to enterprise networks continued to grow this year, but the tech grab bag is also getting more potent, reports Alan Earls.
The old notions of defense-in-depth are being challenged, and architectures tend to have what appear to be single points of failure or compromise.
For the last several years, security experts have been stressing the vulnerability of industrial control systems. Now, with attacks like Stuxnet proof of the risk, the big question is: How will industry respond?
The intrusion prevention system is a mainstay of any organization's perimeter-focused security infrastructure, but its days may be numbered as a standalone technology. Yet, its purpose lives on.
External adversaries, such as nation-state attackers or criminals after credit card data, may get all the attention, but insiders pose a signfiicant threat. Can the non-malicious ones be taught to act securely?
Most organizations cite trust issues as their primary reason for deciding against outsourcing their computing resources and data assets. So just what are cloud providers doing to ensure protection?
No a business' size, employees are yearning to connect their personal devices to the corporate network. But fear not: Solutions and best practices are starting to emerge to manage the risk attached with this craze.
With users flocking toward mobile platforms, fraudsters will join as well. But businesses have a bigger problem: What to do about employees wanting to use their devices to connect to the corporate network.
Sanjeev Sah has been CISO of UNC-Charlotte for just over a year, and he's already well versed on the unique circumstances that make securing colleges unlike any other vertical.
Web browsers have become today's de facto operating system -- the single place where end-users spend most of their time. As such, they're ground zero for attacks. Technology, though, is coming to the rescue.
The ability to marry physical and logical security controls is maturing, which means companies can find efficiency wins, while in the process lowering their risk profile.
Applications provide the path to an organization's coveted assets. And even if they're not public-facing, they still can be a ripe target. We talk to Marcus Prendergast, CSO of ITG, for this month's cover story.
When the history of the cyber arms race is written, the first chapter surely will be devoted to Stuxnet. But now that these sophisticated strikes have started, there are plenty of questions to answer.
With breaches grabbing headlines and cash funneling toward infosec budgets, the role of the security executive is shifting from tech and compliance wonk to savvy businessperson.
Businesses may no longer be able to turn away employees who want to bring their smartphones and tablets to work, and connect to the corporate network. But is that actually a good thing?
Security metrics remain elusive for many organizations, but key performance indicators, or KPIs, are achievable measurements that can help guide business planning and strategy.
Many view information sharing as an elusive quest, hampered by various roadblocks. But Georgia Tech researchers want to tear down these hurdles with a new threat intelligence system known as Titan.
Many organizations are focusing their security efforts on deterring the external attack -- often at the expense of catching the insider threat. This could be a costly oversight, especially with the rise of BYOD.
The loss of personally identifiable information (PII) by an organization can lead to customer loss, reputational harm, and fines, but before this data can be properly guarded, it must be located.
Firewalls have been an enterprise security mainstay for years. But with a majority of attacks now being launched against the web application layer of the stack, the technology must evolve.
In 1854, an English physician was one of the first to use an epidemiological method to ID disease risk. Ben Sapiro of the Dominion of General Insurance Co. wants his peers to do the same with security.
Sites such as Facebook and Twitter contain seemingly infinite amounts of personal data, so it's no wonder criminals have turned their focus there. But social media providers and end-users can protect themselves.
The only way to gain the upper hand on today's advanced adversaries is by being proactive -- even aggressive, a tactic that can take many forms, says Joel Yonts, CISO of an automotive supply company.
Health care traditionally, compared with other industries, has lagged in terms of cyber defense, but with attackers now specifically targeting these organizations for patient data, inaction is no longer an option.
For a while, only traditional PCs were connected to the public internet. But with most devices now gaining networked capabilities, it's only a matter of time before your television can contract a virus.
The decision to move to the cloud has always been wrought with anxiety over entrusting one's data to a third-party. Learning which questions to ask of a provider can help mitigate that concern.
Certifications have long validated security skills, says W. Hord Tipton of (ISC)2. But as the profession evolves and more educational opportunities pop up, how valuable do they remain?
At a recent SC Magazine Roundtable, gov't security pros bemoaned the difficulty in obtaining resources. But instead of crying over spilled milk, they traded ideas for mitigating risk in a down economy.
The FBI-led takedown of Hong Kong-based P2P site MegaUpload -- and the arrests in New Zealand of its leaders -- was a big win for law enforcement. But pursuing suspects across borders can be tricky.
Much of the breach conversation over the past year has been devoted to so-called hacktivists. But nation-state adversaries, bent on looting organizations of intellectual property, are another breed entirely.
With data proliferating at astonishing rates, organizations are tearing into it, hoping to derive new business value, which, according to Zions CSO Preston Wood, includes better security decision making.
The threat posed by politically motivated attackers, known as hacker activists, or hacktivists, is far-reaching, yet authorities are finding it difficult to take down a structurally decentralized movement.
More-than-decade-old bugs still plague web applications, and the challenge is only growing for programs migrating to the cloud. But new frameworks and heightened awareness can mitigate the threat.
Stephen Scarf was a history major and an English minor in college. He then negotiated a diverse career path to reach his current role as global CISO of Experian. But, he wouldn't change a thing.
Criminals are finding social media websites like Facebook, which contain a vast array of personal assets, to be a treasure trove of information that they can use to launch further attacks.
Turf wars remain a major roadblock to embracing the merger of physical and logical security. But Honolulu CIO Gordon Bruce believes the right time for such a project is now.
Organizations are working overtime to design ways to control, via policy and technology, employees' penchant for sharing private information across social networking and mobile devices.
Data security measures have a long, storied history of meeting their demise on Capitol Hill. But two proposals have the bipartisan support that give them at least a shot at passage in 2012.
Security conversations are as audible as ever, yet budgets remain largely flat. However, an expected influx of compliance audits may serve as the driver for more dollars. We polled 488 pros for their thoughts.
Sometimes a little bit of competition is what it takes to get students on the path to careers in security. Software engineer Alex Levinson, who won the U.S. Cyber Challenge, was one of those people.
Stealthy, targeted attacks are real -- as evidenced by operations such as Shady RAT and Stuxnet -- and there isn't a one-size-fits-all remedy to deal with them.
Then-candidate Barack Obama masterfully leveraged the web in a way never before done by a presidential candidate, but he also witnessed the online medium's underbelly.
While the financial services industry traditionally has been quicker to embrace cybersecurity than other verticals, the challenges it faces, like meeting compliance and deterring fraud, never let up.
Guesses for what a new year will bring often are wrong, but that doesn't mean we can't try, right? A group of some of our most trusted sources break out the DeLorean and set it to "2012."
This year-end special section focuses on people who represent the highest degree of professionalism in security, individuals who stand out for their technical skills, managerial prowess, insight and advocacy.
Is it an ISP's responsibility to combat botnets, asks SC Magazine Executive Editor Dan Kaplan.
Age-old vulnerabilities, like SQL injection and cross-site scripting, remain prevalent in applications. And that trend will continue, unless there is a fundamental shift in how programs are developed and secured.
Data protection traditionally has lagged at health care organizations when compared to other industry verticals, and emerging technology like mobile devices and cloud computing doesn't make the challenge any easier.
Recognizing their code bases contain weaknesses and are prime targets for attackers, software companies such as Facebook are beginning to view the research community as more friend than foe.
No longer with the option of saying "no" to its employees, organizations are finding that solutions and techniques exist for managing and securing the mobile devices workers wish to connect to the corporate network.
Implementing proper security practices protects against today's and tomorrow's risks, says Vicki Ames, former information system security officer at a federal medical research agency .
Subject matter experts (SME) are the hot property at many leading consultancy firms.
The goal is to change the perception that security people usually say "no."
A roundup of personnel announcements, launches, partnerships and merger and acquisition activity.
The foundational assurance of the internet is in doubt these days, following attacks against certificate authorities Comodo and DigiNotar.
Morto recently rose to fame as the first worm to leverage the Microsoft RDP protocol to propagate.
A roundup of what's making news in IT security.
As agencies are forced to do more with less, government security pros at a recent SC Magazine Roundtable discussion said they are being challenged to fight emerging threats and secure new technologies.
The work being done by Kathleen Styles at the U.S. Department of Education is emblematic of a growing surge of privacy-led initiatives within the public and private sector. But many other firms are still falling short.
Increased compliance and improved data-protection methods have helped ward off a major credit card breach this year. Yet plenty of holes at the merchant level still remain for a class as dedicated as criminals.
The "bring your own device" revolution means that skilled malware writers are going to pay more and more attention to pushing their wares on mobile endpoints. How should businesses respond?
A roundup of cybercriminal activity across the globe.
PCI rules have evolved to keep up with new technologies, and adoption rates are growing, says Visa's Eduardo Perez.
This month's personnel announcements, launches and merger and acquisition activity.
Advancing companies' awareness of cyber risks and effective, enterprise-wide approaches to managing these risks.
Spam levels dropped last year by nearly a third, but owing to new strategies spammers are making more money than ever before.
Two security experts duke it out over whether organizations should invest in user awareness training.
FBI nabs PayPal hackers, report from Black Hat, announcements from Facebook and Cloud Security Alliance, plus more
Stuxnet demonstrated that even isolated physical networks could be hacked.
Suddenly, corporations can no longer ignore next-generation smartphones and tablets.
The time is ripe for open dialogue around teaching trust, says RSA Conference's Hugh Thompson.
The perimeter is a distant memory of what it once was, considering the influx of third-party workers combined with new technologies, such as cloud and mobile. But it still needs safeguarding.
A sound approach to identification and authentication is an elementary building block to security policy within most any organization, but management of these disciplines face fresh challenges.
Today's flurry of cybercrimes rely on an array of motivations, techniques and technologies, making the job of an investigator to track down the offender that much more difficult.
Following a major breach this year, Lockheed Martin CISO Chandra McMahon explains how a quick and calculated reaction helped stave off a disaster. What are the tricks of the trade when it comes to IR?
Transparency after a breach does more than save face.
Cybercriminal activity across the globe, plus a roundup of security-related news.
We need to do a far better job of demonstrating that the infrastructure and services we are putting into the cloud are superior to what we have today.
Forensics enables organizations to investigate and better understand a breach, but it also can extract insight that can be used to prevent future compromises.
