Devaluing data: Payment card data

Information sharing is vital, and it always will be, says Stephen Orfei, general manager at PCI SSC.

Talk therapy: Information sharing

Companies benefit by communicating with each other about the attacks they've incurred, reports Jesse Staniforth.

Bank on it: Attacks on financial institutions

Risk is with us, whether physical or online, says Doug Johnson, American Bankers Association. James Hale reports.


Company News: Lancope's new director of security research and more hires

Lancope has appointed Tom Cross as director of security research, Wells Fargo & Co. has named Rich Baich CISO, and other personnel announcements and corporate happenings.

News briefs: Breaking security news from the Cybersecurity Act to Gauss

The Cybersecurity Act of 2012 was defeated in the Senate, FinFisher spyware analyzed, nation-state-created espionage malware Gauss, and other breaking security news.

Univ. of Washington students win collegiate cyber contest

A round-up of new launches, mergers and acquisitions, personnel moves and other company news.

Tightening the fed's belt: Government Roundtable

At a recent SC Magazine Roundtable, gov't security pros bemoaned the difficulty in obtaining resources. But instead of crying over spilled milk, they traded ideas for mitigating risk in a down economy.

Evolutionary conundrums...

There are a whole host of things driving budget, resources and tweaks to security/risk management programs.

CSO of the Year: Stephen Scharf

Stephen Scharf was a history major and an English minor in college. He then negotiated a diverse career path to reach his current role as global CISO of Experian. But he wouldn't change a thing.

Paying dividends: Financial Services Roundtable

While the financial services industry traditionally has been quicker to embrace cybersecurity than other verticals, the challenges it faces, like meeting compliance and deterring fraud, never let up.

Cutting the red tape: SC Roundtable

As agencies are forced to do more with less, government security pros at a recent SC Magazine Roundtable discussion said they are being challenged to fight emerging threats and secure new technologies.

A need for risk managers with specific skills in business continuity planning and disaster recovery.

Ashwin Altekar security risk manager, Heartland Payment Systems

Ashwin Altekar, security risk manager at Heartland Payment Systems, says he must first understand the level of risk that technologies create for customers, and then implement controls that manage that risk so it is invisible to customers.

Me and my job: Fares Alraie of Royal Bank of Canada

Development teams often ignore application security requirements in order to meet all their hard-pressed deadlines and requirements, says Fares Alraie, software security specialist at the Royal Bank of Canada.

SC Magazine's CSO of the Year

SC Magazine has recognized Scott Sysol of CUNA Mutual Group as CSO of the Year for his work around data privacy, risk reduction, enterprise-wide IT controls and tapeless backup.

Ensuring efficiency: Budget issues

Still facing budgetary pressures, security execs must apply unique thinking to security spend, which might mean studying metrics, making friends and passing compliance on the cheap.

Me and My Job: Steven Jones, Synovus Financial Corp.

A monthly Q&A with an IT security professional.

IT security budget issues: Fiscal reality

The financial crisis will have a lasting impact, but some organizations have found ways of doing more with less.

Law enforcement of cybercrime: Bringing justice

Gary Warner of the University of Alabama at Birmingham wants to pursue small-time cybercriminals through a new partnership teaming university researchers and local and state authorities.

Reducing compliance workloads

Security is not compliance, and compliance is not security.

Financial vertical: An economic dissection

As more regulators scrutinize the business practices of financial services companies, IT security pros must advance their data processes and safeguards, reports Illena Armstrong.

SC Magazine Financial Roundtable: Across the board

During an SC Magazine Financial Services Roundtable, leading information security pros discussed how they are refining IT security tactics, and more, reports Illena Armstrong.


In the vault

When it comes to protecting financial info, IT security professionals can never rest on their laurels, reports Jean Thilmany.

IT-GRC: Agiliance

And so we reach the end of this year's batch of innovators. But, as we look at this subcategory, we find that it wraps the whole shebang into a neat package, defining what needs to be done to secure the enterprise (and prove it) and why.

Policy management: LanDesk (Avocent)

All of us old-timers remember LanDesk from its days as part of Intel. It always was a solid suite of products. Now that it is part of Avocent, its promise as a hybrid of network and security policy management is being realized. The notion of managing the desktop and evolving that into security policy management makes a lot of sense.

Content management: Finjan

The views of the visionary I spoke with from this veteran anti-malware company took the conversation in directions I had not expected. He started out by asking, "Why, if I have done everything I can to secure my enterprise, is my data still being compromised?"

Data leakage/extrusion prevention: Trend Micro

I don't recall the first time I heard the term "extrusion prevention system." It was, I think, an effort on the part of some marketer to tie the notion of preventing data from unauthorized exit (extrusion) from the enterprise to the notion of unauthorized entry (intrusion). Very clever.

Encryption: PGP

No matter how much things change, they stay the same. As I have pointed out, there have been massive changes in security drivers over the past 12 months. The changes have generated a new set of challenges, but, even though our encryption innovator has done a first-rate job of addressing them over the past year, the new issues are generating a sort of déjà vu picture of the encryption market.

Email security: Tumbleweed Communications (Axway)

The big question I had for Tumbleweed was, "What is email security?" Over the past two years, as we have passed products through SC Labs, I have noticed that the vendor public relations folks who we talk to seem to have a hard time differentiating between the many aspects of threats associated with email.

Wireless Security: AirMagnet

Wireless, is it? Everything is going wireless - well almost everything. That, in itself, poses a challenge for a wireless security company, such as this innovator. It also offers big opportunities and AirMagnet has identified and addressed them.

IPS: Top Layer Security

If you thought the UTM market was crowded, take a look at the intrusion prevention systems (IPS) market. We bluntly asked our innovator in this product space why they thought that they were innovators in such a commoditized market. The answer was immediate and unambiguous: "When a product category becomes mainstream, there are big opportunities, but you must innovate to take advantage of them."

UTM: Global DataGuard

Sometimes a different approach is needed. The notion of the UTM was developed from the need to consolidate point solutions. There are a lot of problems, of course. They cost more to buy and manage, they use more power and they need a sophisticated staff to manage them.

Forensic tools: Mandiant

Sometimes you run across a company that just deserves to be selected as an innovator. You look them over and wonder why you didn't pick up on them before. Mandiant is one of those companies. There is a reason, of course. Mandiant started as a services company providing forensics, litigation support and incident response. So if you were in the product purchasing mood, you would not have run across these folks.

SIEM: ArcSight

ArcSight gets a lot of play among security experts in the security event management (SEM)/security information manager (SIM) game.

Threat analysis: NitroSecurity

How do you differentiate a product that keeps getting mixed up with a commoditized market, but really doesn't belong there? What differentiators do you look for that can keep you from being included in a herd where you don't belong?

Penetration testing: Core Security

I just love these folks. Take the best open source pen testing tool you can think of, put it on steroids, give it a user interface that makes it simple and fast to pen test in a production environment without losing the granularity of manual testing if you need it, and you have Core Impact. Well, almost. Every year I say that I am going to find a better tool, and I actually do comb the market -- unsuccessfully.

Vulnerability analysis: Mu Dynamics

When your price starts at $50,000 and you are unique in your marketplace, you'd better have a good product. For Mu Dynamics, that is just where the story starts. When I first met the Mu folks, they were Mu Security. A new name later, they still are the innovators they were a couple of years ago. My conversation with a Mu visionary was an eye-opener.

Access management: AppGate Network Security

This Swedish company will, I predict, set the benchmark here in the United States for how access to applications should be controlled. AppGate has helped shape the direction of network infrastructure security in Europe for some years, and now this innovator is bringing its unique thoughts to the States.

Multifactor authentication: TriCipher

What sets these guys apart from the multifactor herd? In a word, vision. From the start, TriCipher has had the vision of evolving into a full identity management provider. That is a pretty heady ambition for a developer of multifactor authentication tools. So how does this innovator plan to make the trip from providing a piece of the puzzle to offering the whole thing, already assembled, framed and hung on the wall?

Identity management: Fischer International

Start with the recognition that identity management is just too hard to do, create a solution for that problem and then morph it into a successful service and you have the recipe for a real innovator.

Credential management: Passlogix

Here is another vendor that we see a lot of in our labs. Passlogix knows who it is and concentrates on doing what it does as well as it can be done. And what they do is credential management.

NAC: Bradford Networks

Bradford Networks is no stranger to these pages. An innovator from last year, Bradford has been reviewed a number of times over the years, always doing well. This year we asked them how well their crystal ball last year worked as 2008 unfolded.

Bank on it: An end to anti-virus

A bank replaced its anti-virus when it found it could more effectively guard its systems with anti-malware, reports Greg Masters.

Into the breach

The inaugural SC World Congress takes place December 9-10 in New York City's Javits Convention Center.

The new perimeter

Sidney Gellineau, CIO, NYC Transit, embraces the original vision of NAC - to vet unmanaged guest devices, reports Dan Kaplan.

A more secure union

Integrating the networking and IT security staffs delivers operational benefits, but comes with challenges, reports Jim Carr.

Responding to a financial security breach

Financial institutions should be prepared to deal with security incidents involving physical facilities, network infrastructures, systems, applications, and most importantly, data, says Inno Eroraha, president of NetSecurity Corporation.


Global security challenges

Global companies face a significant cultural and legal challenge when dealing with security across international borders, says James Ritchie, former principal auditor, Integralis.


First party fraud

As long as there has been credit granting there have been customers committing first party fraud, says Jasbir Anand, Actimize, Inc.

Easing PCI Compliance

A growing number of organizations in the retail and financial services industries are recognizing the benefits of implementing and adhering to the Payment Card Industry Data Security Standard (PCI DSS).

Changing a mindset: Audits are no longer one-off events

Not long ago, audits were a sporadic occurrence for an IT department. While most regulatory mandates included sections that addressed IT controls, these sections were not the initial focus of auditors, so they were largely ignored. In today's security environment, it no longer makes sense to think of each of these audits as a one-off event.

Data Security and Outsourcing: Oxymoron?

Business process outsourcing (BPO) is a common practice these days, but the benefits of BPO also come with an increase in risk. This requires a new way of looking at data security — as an "inside-out" threat environment - that is, from the data core out and as a problem of insiders that needs to be monitored. Here is a primer for dealing with the security challenges posed by BPO.

Encryption: Why now?

Tools to encrypt sensitive data have been with us at least since the reign of Julius Caesar, who used a simple letter-shifting code to communicate with his generals. Encryption now is on the front lines of the war on data theft, tipping the battle in favor of the "good guys."

New meaning for ROI: "Risk of Insiders"

High-profile data breaches and compliance incidents - such as the recent rogue trading scandal at Societe Generale in France - have given a second meaning to ROI: "Risk of Insiders."


Learning applications: Revolutionizing data loss prevention

Learning applications that add a layer of multi-dimensional intelligence to DLP can identify what high-business-impact data is, who is using it, who should get it, and how it should go to them.

Scraping: Data theft is scaling up

Data-theft attacks against web applications have expanded in scope—from attempts to extract credit card information from e-commerce sites to scraping entire libraries of valuable information from subscription-based sites.

Vulnerability management: weathering the storm

John Penrod, CISO of The Weather Channel, discusses how the IT pro can manage business risk.

Portable device security: mobile madness

As the experience of one insurance broker proves, securing mobile devices requires a two-pronged approach.


Data theft: the in crowd

Contracted third parties and other insiders create a bevy of risks for companies looking to secure data.

Compliance: PCI's growing pains

Some retailers are slow to embrace the new objectives required by the payment card industry.

Firmware: hacking the chip

Attacks on the firmware that sits within computers and enterprise networks are closer than you think.

Two-factor authentication: ask the right questions

Are multifactor solutions enough to protect today's financial customers?


Survey 2008: Guarding against a data breach

Information security pros are increasingly confronted by cybercriminals trawling their corporate networks for customers' private data. More than 80 percent of the respondents to the SC Magazine/MXI Security survey say guarding against data breaches is the focus of current security initiatives, reports SC Magazine Editor-In-Chief Illena Armstrong.


Survey: 80 percent of financial security chiefs rely on FTP transfers despite data breaches

A recent survey of 100 IT managers and CIOs from the financial services, health care, retail, manufacturing and government business sectors shows that despite a torrent of bad press on data-security breaches involving FTP (file-transfer protocol), its use is prevalent and growing.

Product section: Managing access - first line of enterprise defense

Welcome to the first Group Test reviews of 2008. Appropriately, we start this year with two important groups: identity management and multifactor authentication products.


Look ahead: Search for pioneers

On the hunt for more innovative solutions to holistically safeguard organizations' growing networks, Peter Stephenson pinpoints the product categories and solutions you might consider next year.


IT Security Reboot 2007

The end of yet another year sees in this final 2007 edition of SC Magazine our annual roundup of top thinkers, interesting happenings, business developments and criminal acts.

Roundup 2007: The year's top fives

The top cybersecurity events of the year.

Roundup 2007: Gazing into the crystal ball

We handed out crystal balls to several analysts, consultants, professors and CSOs and asked them to answer questions about next year.

Product section: Our 2007 industry innovators

This is a very special issue to me and the team at SC Labs because it is based on a year of seeing the good and the not so good. We actually saw almost no bad products, so it was a pretty good year overall. It is special for you because it helps answer the question, "If we are going to buy security tools in the next 12 to 18 months, what should we be looking at?"

In the driver's seat: the integration of enterprise security and networking operations

Preston Wood is one CISO on top of the integration of enterprise security and networking operations, says Jim Carr.

The polls are open - cast your ballot for the 2008 SC Magazine Awards

Nominations are now open for the 2008 SC Magazine Awards, so cast your ballot in any of 20 Reader Trust categories.

Product section: Meeting the challenge of managing access

Access control is the order of the day for this issue. All of our reviews focus on aspects of access control and management. This, of course, is a key aspect of enforcing the security of the enterprise. We address the topic with two First Looks and two Group Test reviews.


Debt Exchange improves security with scanning service

The reality of the security market has brought new demands for any business dealing with large financial institutions. No matter how large or small, or whether public or private, if a partner is handling bank information they'll be subject to the same measure of security as their customers.


Special section: IT security and the financial vertical

In this special section, we look at how the IT security industry works to protect banks and financial institutions and keeps up with the rise of online transactions.


FFIEC guidelines mandate financial services security upgrades

What began as a frantic effort to meet federally mandated personal authentication guidelines for online banking has morphed into a drive to boost the bottom line for a large number of financial services companies.


The financial vertical: Five ways to protect data and IP

Recent headlines illustrate that data breaches continue to occur across all industries. The Privacy Rights Clearinghouse reports that more than 155 million records including sensitive information have been involved in security breaches to date.


The financial vertical: How institutions protect data - from unaware employees and outsiders

Banks and financial institutions are targets not only because, in the words of bank-robber Willie Sutton, that's where the money is, but because they are also depositories of vast amounts of data, worth perhaps even more than gold to interested parties.


Robust web application security builds trust for DTCC

Like many businesses, Depository Trust and Clearing Corporation (DTCC) depends on its application developers to drive value for its organization. As the primary clearing agency in the United States responsible for clearing and settling securities transactions for a wide range of exchanges — including equities, corporate and municipal bonds, and government and mortgage-backed securities — DTCC handles approximately $5.5 trillion in transactions a day through its systems. These transactions are primarily routed through hundreds of applications built in-house.


News briefs

Harry hack: A hacker named Gabriel claimed to have breached the networks of the UK's Bloomsbury Publishing, uncovering the ending of Harry Potter and the Deathly Hallows prior to its release. Experts contended that the claim, posted on hacker websites, was likely a sham, saying that if it were accurate, more evidence would have been offered.


Company news

Here is an update from the IT security industry's boardrooms.


Law and order: A national computer forensic center takes shape

By blood-and-guts standards, Cary, N.C. is as safe a suburb as there is in the nation. The 121,000-person bedroom community regularly ranks near the statistical bottom of all the major crime categories, including murders, aggravated assaults and robberies.


The SC Magazine Awards - be great in 08

Just a week after taking home the Rookie Security Company of the Year prize at the 2007 SC Magazine Awards Gala, The 41st Parameter landed an unexpected meeting with an industry heavyweight. Ori Eisen, founder and chief innovation officer at the Scottsdale, Ariz.-based anti-fraud firm, says executives from Oracle who attended the annual awards ceremony were impressed with The 41st Parameter and wanted to learn more about the company after seeing it win.


News briefs

Campus exploit: Hackers exploited an unpatched flaw and a disabled firewall to infiltrate a server at the University of Colorado, Boulder, compromising the personal information of nearly 45,000 students. Attackers exploited a flaw in Symantec's Norton AntiVirus to launch a worm into the server of the College of Arts and Sciences Academic Advising Center, making off with student info.


Company news

Here are the latest happenings from the boardrooms of the IT security world.


Me and my job

How do you explain your job to non-technical people? I'd say that I'm the person where the "buck stops here." My semi-official role is to be risk mitigator of a network that contains sensitive information. In that role I try to also influence my industry and peers to do a better job. In the past, I've been chair of the Technology Committee of the California CPA Society, and used my time to educate fellow certified public accountants on the risk of running systems with full administrative rights. I set up the website threatcode.com to help educate fellow technical CPAs and assist in getting vendors to change their ways.


Educating the masses for IT security

Never mind the Fourth of July, New Year's Eve or even his birthday. The occasion George Dolicker celebrated most merrily last year was International Computer Security Day. After all, the 19-year-old annual event marked the day that Dolicker, chief information security officer of computer maker Lenovo, unveiled the company's first home-grown information security program, complete with a comprehensive user education component.


News briefs

Fed breach law: A federal ID theft task force backed a breach notification law on government use of personal information. The President's Identity Task Force, co-chaired by Federal Trade Commission Chairwoman Deborah Platt Majoras and Attorney General Alberto Gonzales, urged lawmakers to educate customers, as well as back a federal ID-theft law.


The cost of e-gold falling

If you felt the floor shake after the feds helped indict the owners of e-gold on money laundering charges, it might be attributable to an underground fraudster community in panic mode.


Strengthen the PCI Data Security Standard

Recently, there has been a lot of focus in the financial, security and merchant world on a few high-profile breaches of data security. The TJX breach alone has evolved to become the largest data breach ever, affecting 46 million credit card holders, and multiple brands in different geographic regions. There are a lot of lessons to be learned.


Company news

The Internet Security Alliance, a nonprofit forum for information sharing, has appointed Larry Clinton president. Since 2002, Clinton had served as deputy executive director and COO of the alliance. Prior to joining the group, he was vice president at the U.S. Telecom Association.


News briefs

A vulnerability on the website of former New York City Mayor Rudy Giuliani could have allowed SQL injection attacks and exposed confidential information. Meanwhile, the MySpace page of U.S. Sen. John McCain, R-Ariz., was altered by Mike Davidson, who was upset the campaign had used his design templates and imagery without permission.


News briefs

Here is a roundup of the latest IT security news included in April's SC Magazine:


Money matters: SC Magazine/EC-Council Salary Survey 2007

The heyday of massive salaries, extravagant raises and unrestrained bonuses that this industry experienced at the start of the 21st century has long since passed by the information security professional.


Cooperation among departments key to organizational security

As Oracle's Wynn White strolled the floor during this year's RSA Conference, he noticed something odd: No longer was he only surrounded by techies, researchers, product salespeople and security pros.


Company news

Here are the latest corporate happenings in the IT security industry:


Company news

Here are the latest happenings in IT security's boardrooms.


News briefs

Another buy: Symantec announced its intention to acquire enterprise management software provider Altiris in an $830 million deal. The purchase, intended to better Symantec's standing in the endpoint-management market, came as Symantec representatives said that endpoint security and management markets were converging.


Got something to say?

Send your comments, praise or criticisms to scfeedbackUS@haymarketmedia.com. We reserve the right to edit letters.


Organizations turn to new techniques to fight financially motivated attacks

When the University of California, Los Angeles (UCLA) recently announced that hackers had compromised a database of more than 800,000 people associated with the university, perhaps one of the most shocking aspects of the event was how long the bad guys had gone undetected. The hackers accessed information for over a year before security personnel at UCLA suspected any malfeasance.
