Information sharing is vital, and it always will be, says Stephen Orfei, general manager at PCI SSC.
Companies benefit by communicating with each other about the attacks they've incurred, reports Jesse Staniforth.
Risk is with us, whether physical or online, says Doug Johnson, American Bankers Association. James Hale reports.
Lancope has appointed Tom Cross as director of security research, Wells Fargo & Co. has named Rich Baich CISO, and other personnel announcements and corporate happenings.
The Cybersecurity Act of 2012 was defeated in the Senate, FinFisher spyware analyzed, nation-state-created espionage malware Gauss, and other breaking security news.
A round-up of new launches, mergers and acquisitions, personnel moves and other company news.
At a recent SC Magazine Roundtable, gov't security pros bemoaned the difficulty in obtaining resources. But instead of crying over spilled milk, they traded ideas for mitigating risk in a down economy.
There are a whole host of things driving budget, resources and tweaks to security/risk management programs.
Stephen Scarf was a history major and an English minor in college. He then negotiated a diverse career path to reach his current role as global CISO of Experian. But, he wouldn't change a thing.
While the financial services industry traditionally has been quicker to embrace cybersecurity than other verticals, the challenges it faces, like meeting compliance and deterring fraud, never let up.
As agencies are forced to do more with less, government security pros at a recent SC Magazine Roundtable discussion said they are being challenged to fight emerging threats and secure new technologies.
A need for risk managers with specific skills in business continuity planning and disaster recovery.
Ashwin Altekar, security risk manager at Heartland Payment Systems, says he must first understand the level of risk that technologies create for customers, and then implement controls that manage that risk so it is invisible to customers.
Development teams often ignore application security requirements in order to meet their hard-pressed deadlines and requirements, says Fares Alraie, software security specialist at the Royal Bank of Canada.
SC Magazine has recognized Scott Sysol of CUNA Mutual Group as CSO of the Year for his work around data privacy, risk reduction, enterprise-wide IT controls and tapeless backup.
Still facing budgetary pressures, security execs must apply unique thinking to security spend, which might mean studying metrics, making friends and passing compliance on the cheap.
A monthly Q&A with an IT security professional.
The financial crisis will have a lasting impact, but some organizations have found ways of doing more with less.
Gary Warner of the University of Alabama at Birmingham wants to pursue small-time cybercriminals through a new partnership teaming university researchers and local and state authorities.
Security is not compliance, and compliance is not security.
As more regulators scrutinize the business practices of financial services companies, IT security pros must advance their data processes and safeguards, reports Illena Armstrong.
During an SC Magazine Financial Services Roundtable, leading information security pros discussed how they are refining IT security tactics, and more, reports Illena Armstrong.
When it comes to protecting financial info, IT security professionals can never rest on their laurels, reports Jean Thilmany.
And so we reach the end of this year's batch of innovators. But, as we look at this subcategory, we find that it wraps the whole shebang into a neat package, defining what needs to be done to secure the enterprise (and prove it) and why.
All of us old-timers remember LanDesk from its days as part of Intel. It always was a solid suite of products. Now that it is part of Avocent, its promise as a hybrid of network and security policy management is being realized. The notion of managing the desktop and evolving that into security policy management makes a lot of sense.
The views of the visionary I spoke with from this veteran anti-malware company took the conversation in directions I had not expected. He started out by asking, "Why, if I have done everything I can to secure my enterprise, is my data still being compromised?"
I don't recall the first time I heard the term "extrusion prevention system." It was, I think, an effort on the part of some marketer to tie the notion of preventing data from unauthorized exit (extrusion) from the enterprise to the notion of unauthorized entry (intrusion). Very clever.
No matter how much things change, they stay the same. As I have pointed out, there have been massive changes in security drivers over the past 12 months. The changes have generated a new set of challenges, but, even though our encryption innovator has done a first-rate job of addressing them over the past year, the new issues are generating a sort of déjà vu picture of the encryption market.
The big question I had for Tumbleweed was, "What is email security?" Over the past two years, as we have passed products through SC Labs, I have noticed that the vendor public relations folks who we talk to seem to have a hard time differentiating between the many aspects of threats associated with email.
Wireless, is it? Everything is going wireless - well almost everything. That, in itself, poses a challenge for a wireless security company, such as this innovator. It also offers big opportunities and AirMagnet has identified and addressed them.
If you thought the UTM market was crowded, take a look at the intrusion prevention systems (IPS) market. We bluntly asked our innovator in this product space why they thought that they were innovators in such a commoditized market. The answer was immediate and unambiguous: "When a product category becomes mainstream, there are big opportunities, but you must innovate to take advantage of them."
Sometimes a different approach is needed. The notion of the UTM was developed from the need to consolidate point solutions. There are a lot of problems, of course. They cost more to buy and manage, they use more power and they need a sophisticated staff to manage them.
Sometimes you run across a company that just deserves to be selected as an innovator. You look them over and wonder why you didn't pick up on them before. Mandiant is one of those companies. There is a reason, of course. Mandiant started as a services company providing forensics, litigation support and incident response. So if you were in the product purchasing mood, you would not have run across these folks.
ArcSight gets a lot of play among security experts in the security event management (SEM)/security information manager (SIM) game.
How do you differentiate a product that keeps getting mixed up with a commoditized market, but really doesn't belong there? What differentiators do you look for that can keep you from being included in a herd where you don't belong?
I just love these folks. Take the best open source pen testing tool you can think of, put it on steroids, give it a user interface that makes it simple and fast to pen test in a production environment without losing the granularity of manual testing if you need it, and you have Core Impact. Well, almost. Every year I say that I am going to find a better tool, and I actually do comb the market -- unsuccessfully.
When your price starts at $50,000 and you are unique in your marketplace, you'd better have a good product. For Mu Dynamics, that is just where the story starts. When I first met the Mu folks, they were Mu Security. A new name later, they still are the innovators they were a couple of years ago. My conversation with a Mu visionary was an eye-opener.
This Swedish company will, I predict, set the benchmark here in the United States for how access to applications should be controlled. AppGate has helped shape the direction of network infrastructure security in Europe for some years, and now this innovator is bringing its unique thoughts to the States.
What sets these guys apart from the multifactor herd? In a word, vision. From the start, TriCipher has had the vision of evolving into a full identity management provider. That is a pretty heady ambition for a developer of multifactor authentication tools. So how does this innovator plan to make the trip from providing a piece of the puzzle to offering the whole thing, already assembled, framed and hung on the wall?
Start with the recognition that identity management is just too hard to do, create a solution for that problem and then morph it into a successful service and you have the recipe for a real innovator.
Here is another vendor that we see a lot of in our labs. Passlogix knows who it is and concentrates on doing what it does as well as it can be done. And what they do is credential management.
Bradford Networks is no stranger to these pages. An innovator from last year, Bradford has been reviewed a number of times over the years, always doing well. This year we asked them how well their crystal ball last year worked as 2008 unfolded.
A bank replaced its anti-virus when it found it could more effectively guard its systems with anti-malware, reports Greg Masters.
The inaugural SC World Congress takes place December 9-10 in New York City's Javits Convention Center.
Sidney Gellineau, CIO, NYC Transit, embraces the original vision of NAC - to vet unmanaged guest devices, reports Dan Kaplan.
Integrating the networking and IT security staffs delivers operational benefits, but comes with challenges, reports Jim Carr.
Financial institutions should be prepared to deal with security incidents involving physical facilities, network infrastructures, systems, applications, and most importantly, data, says Inno Eroraha, president of NetSecurity Corporation.
Global companies face a significant cultural and legal challenge when dealing with security across international borders, says James Ritchie, former principal auditor, Integralis.
As long as there has been credit granting there have been customers committing first party fraud, says Jasbir Anand, Actimize, Inc.
A growing number of organizations in the retail and financial services industries are recognizing the benefits of implementing and adhering to the Payment Card Industry Data Security Standard (PCI DSS).
Not long ago, audits were a sporadic occurrence for an IT department. While most regulatory mandates included sections that addressed IT controls, these sections were not the initial focus of auditors, so they were largely ignored. In today's security environment, it no longer makes sense to think of each of these audits as a one-off event.
Business process outsourcing (BPO) is a common practice these days, but the benefits of BPO also come with an increase in risk. This requires a new way of looking at data security, as an "inside-out" threat environment: from the data core out, and as a problem of insiders that needs to be monitored. Here is a primer for dealing with the security challenges posed by BPO.
Tools to encrypt sensitive data have been with us at least since the reign of Julius Caesar, who used a simple letter-shifting code to communicate with his generals. Encryption now is on the front lines of the war on data theft, tipping the battle in favor of the "good guys."
High-profile data breaches and compliance incidents - such as the recent rogue trading scandal at Societe Generale in France - have given a second meaning to ROI: "Risk of Insiders."
Learning applications that add a layer of multi-dimensional intelligence to DLP can identify what high-business-impact data is, who is using it, who should get it, and how it should go to them.
Data-theft attacks against web applications have expanded in scope—from attempts to extract credit card information from e-commerce sites to scraping entire libraries of valuable information from subscription-based sites.
John Penrod, CISO of The Weather Channel, discusses how the IT pro can manage business risk.
As the experience of one insurance broker proves, securing mobile devices requires a two-pronged approach.
Contracted third parties and other insiders create a bevy of risks for companies looking to secure data.
Some retailers are slow to embrace the new objectives required by the payment card industry.
Attacks on the firmware that sits within computers and enterprise networks are closer than you think.
Are multifactor solutions enough to protect today's financial customers?
Information security pros are increasingly confronted by cybercriminals trawling their corporate networks for customers' private data. More than 80 percent of the respondents to the SC Magazine/MXI Security survey say guarding against data breaches is the focus of current security initiatives, reports SC Magazine Editor-In-Chief Illena Armstrong.
A recent survey of 100 IT managers and CIOs from the financial services, health care, retail, manufacturing and government business sectors shows that despite a torrent of bad press on data-security breaches involving FTP (file-transfer protocol), its use is prevalent and growing.
Welcome to the first Group Test reviews of 2008. Appropriately, we start this year with two important groups: identity management and multifactor authentication products.
On the hunt for more innovative solutions to holistically safeguard organizations' growing networks, Peter Stephenson pinpoints the product categories and solutions you might consider next year.
The end of yet another year sees in this final 2007 edition of SC Magazine our annual roundup of top thinkers, interesting happenings, business developments and criminal acts.
The top cybersecurity events of the year.
We handed out crystal balls to several analysts, consultants, professors and CSOs and asked them to answer questions about next year.
This is a very special issue to me and the team at SC Labs because it is based on a year of seeing the good and the not so good. We actually saw almost no bad products, so it was a pretty good year overall. It is special for you because it helps answer the question, "If we are going to buy security tools in the next 12 to 18 months, what should we be looking at?"
Preston Wood is one CISO on top of the integration of enterprise security and networking operations, says Jim Carr.
Nominations are now open for the 2008 SC Magazine Awards, so cast your ballot in any of 20 Reader Trust categories.
Access control is the order of the day for this issue. All of our reviews focus on aspects of access control and management. This, of course, is a key aspect of enforcing the security of the enterprise. We address the topic with two First Looks and two Group Test reviews.
The reality of the security market has brought new demands for any business dealing with large financial institutions. No matter how large or small, or whether public or private, if a partner is handling bank information they'll be subject to the same measure of security as their customers.
In this special section, we look at how the IT security industry works to protect banks and financial institutions and keeps up with the rise of online transactions.
What began as a frantic effort to meet federally mandated personal authentication guidelines for online banking has morphed into a drive to boost the bottom line for a large number of financial services companies.
Recent headlines illustrate that data breaches continue to occur across all industries. The Privacy Rights Clearinghouse reports that more than 155 million records including sensitive information have been involved in security breaches to date.
Banks and financial institutions are targets not only because, in the words of bank-robber Willy Sutton, that's where the money is, but because they are also depositories of vast amounts of data, worth perhaps even more than gold to interested parties.
Like many businesses, Depository Trust and Clearing Corporation (DTCC) depends on its application developers to drive value for its organization. As the primary clearing agency in the United States responsible for clearing and settling securities transactions for a wide range of exchanges — including equities, corporate and municipal bonds, and government and mortgage-backed securities — DTCC handles approximately $5.5 trillion in transactions a day through its systems. These transactions are primarily routed through hundreds of applications built in-house.
Harry hack: A hacker named Gabriel claimed to have breached the networks of the UK's Bloomsbury Publishing, uncovering the ending of Harry Potter and the Deathly Hallows prior to its release. Experts contended that the claim, posted on hacker websites, was likely a sham, saying that if it were accurate, more evidence would have been offered.
Here is an update from the IT security industry's boardrooms.
By blood-and-guts standards, Cary, N.C. is as safe a suburb as there is in the nation. The 121,000-person bedroom community regularly ranks near the statistical bottom of all the major crime categories, including murders, aggravated assaults and robberies.
Just a week after taking home the Rookie Security Company of the Year prize at the 2007 SC Magazine Awards Gala, The 41st Parameter landed an unexpected meeting with an industry heavyweight. Ori Eisen, founder and chief innovation officer at the Scottsdale, Ariz.-based anti-fraud firm, says executives from Oracle who attended the annual awards ceremony were impressed with The 41st Parameter and wanted to learn more about the company after seeing it win.
Campus exploit: Hackers exploited an unpatched flaw and a disabled firewall to infiltrate a server at the University of Colorado, Boulder, compromising the personal information of nearly 45,000 students. Attackers exploited a flaw in Symantec's Norton AntiVirus to launch a worm into the server of the College of Arts and Sciences Academic Advising Center, making off with student info.
Here are the latest happenings from the boardrooms of the IT security world.
How do you explain your job to non-technical people? I'd say that I'm the person where the "buck stops here." My semi-official role is to be risk mitigator of a network that contains sensitive information. In that role I try to also influence my industry and peers to do a better job. In the past, I've been chair of the Technology Committee of the California CPA Society, and used my time to educate fellow certified public accountants on the risk of running systems with full administrative rights. I set up the website threatcode.com to help educate fellow technical CPAs and assist in getting vendors to change their ways.
Never mind the Fourth of July, New Year's Eve or even his birthday. The occasion George Dolicker celebrated most merrily last year was International Computer Security Day. After all, the 19-year-old annual event marked the day that Dolicker, chief information security officer of computer maker Lenovo, unveiled the company's first home-grown information security program, complete with a comprehensive user education component.
Fed breach law: A federal ID theft task force backed a breach notification law on government use of personal information. The President's Identity Task Force, co-chaired by Federal Trade Commission Chairwoman Deborah Platt Majoras and Attorney General Alberto Gonzales, urged lawmakers to educate customers, as well as back a federal ID-theft law.
If you felt the floor shake after the feds helped indict the owners of e-gold on money laundering charges, it might be attributable to an underground fraudster community in panic mode.
Recently, there has been a lot of focus in the financial, security and merchant world on a few high-profile breaches of data security. The TJX breach alone has evolved to become the largest data breach ever, affecting 46 million credit card holders, and multiple brands in different geographic regions. There are a lot of lessons to be learned.
The Internet Security Alliance, a nonprofit forum for information sharing, has appointed Larry Clinton president. Since 2002, Clinton had served as deputy executive director and COO of the alliance. Prior to joining the group, he was vice president at the U.S. Telecom Association.
A vulnerability on the website of former New York City Mayor Rudy Giuliani could have allowed SQL injection attacks and expose confidential information. Meanwhile, the MySpace page of U.S. Sen. John McCain, R-Ariz., was altered by Mike Davidson, who was upset the campaign had used his design templates and imagery without permission.
Here is a roundup of the latest IT security news included in April's SC Magazine:
The heyday of massive salaries, extravagant raises and unrestrained bonuses that this industry experienced at the start of the 21st century has long since passed by the information security professional.
As Oracle's Wynn White strolled the floor during this year's RSA Conference, he noticed something odd: No longer was he only surrounded by techies, researchers, product salespeople and security pros.
Here are the latest corporate happenings in the IT security industry:
Here are the latest happenings in IT security's boardrooms.
Another buy: Symantec announced its intention to acquire enterprise management software provider Altiris in an $830 million deal. The purchase, intended to better Symantec's standing in the endpoint-management market, came as Symantec representatives said that endpoint security and management markets were converging.
Send your comments, praise or criticisms to scfeedbackUS@haymarketmedia.com. We reserve the right to edit letters.
When the University of California, Los Angeles (UCLA) recently announced that hackers had compromised a database of more than 800,000 people associated with the university, perhaps one of the most shocking aspects of the event was how long the bad guys had gone undetected. The hackers accessed information for over a year before security personnel at UCLA suspected any malfeasance.