While the financial services industry traditionally has been quicker to embrace cybersecurity than other verticals, the challenges it faces, like meeting compliance and deterring fraud, never let up.
As agencies are forced to do more with less, government security pros at a recent SC Magazine Roundtable discussion said they are being challenged to fight emerging threats and secure new technologies.
Ashwin Altekar, security risk manager at Heartland Payment Systems, says he must first understand the level of risk that technologies create for customers, and then implement controls that manage that risk so it is invisible to customers.
Development teams often ignore application security requirements in order to meet all their hard-pressed deadlines and requirements, says Fares Alraie, software security specialist at the Royal Bank of Canada.
A monthly Q&A with an IT security professional.
Gary Warner of the University of Alabama at Birmingham wants to pursue small-time cybercriminals through a new partnership teaming university researchers and local and state authorities.
Security is not compliance, and compliance is not security.
As more regulators scrutinize the business practices of financial services companies, IT security pros must advance their data processes and safeguards, reports Illena Armstrong.
During an SC Magazine Financial Services Roundtable, leading information security pros discussed how they are refining IT security tactics, and more, reports Illena Armstrong.
When it comes to protecting financial info, IT security professionals can never rest on their laurels, reports Jean Thilmany.
And so we reach the end of this year's batch of innovators. But, as we look at this subcategory, we find that it wraps the whole shebang into a neat package, defining what needs to be done to secure the enterprise (and prove it) and why.
All of us old-timers remember LanDesk from its days as part of Intel. It always was a solid suite of products. Now that it is part of Avocent, its promise as a hybrid of network and security policy management is being realized. The notion of managing the desktop and evolving that into security policy management makes a lot of sense.
The views of the visionary I spoke with from this veteran anti-malware company took the conversation in directions I had not expected. He started out by asking, "Why, if I have done everything I can to secure my enterprise, is my data still being compromised?"
I don't recall the first time I heard the term "extrusion prevention system." It was, I think, an effort on the part of some marketer to tie the notion of preventing data from unauthorized exit (extrusion) from the enterprise to the notion of unauthorized entry (intrusion). Very clever.
No matter how much things change, they stay the same. As I have pointed out, there have been massive changes in security drivers over the past 12 months. The changes have generated a new set of challenges, but, even though our encryption innovator has done a first-rate job of addressing them over the past year, the new issues are generating a sort of déjà vu picture of the encryption market.
The big question I had for Tumbleweed was, "What is email security?" Over the past two years, as we have passed products through SC Labs, I have noticed that the vendor public relations folks who we talk to seem to have a hard time differentiating between the many aspects of threats associated with email.
Wireless, is it? Everything is going wireless - well almost everything. That, in itself, poses a challenge for a wireless security company, such as this innovator. It also offers big opportunities and AirMagnet has identified and addressed them.
If you thought the UTM market was crowded, take a look at the intrusion prevention systems (IPS) market. We bluntly asked our innovator in this product space why they thought that they were innovators in such a commoditized market. The answer was immediate and unambiguous: "When a product category becomes mainstream, there are big opportunities, but you must innovate to take advantage of them."
Sometimes a different approach is needed. The notion of the UTM was developed from the need to consolidate point solutions. There are a lot of problems, of course. They cost more to buy and manage, they use more power and they need a sophisticated staff to manage them.
Sometimes you run across a company that just deserves to be selected as an innovator. You look them over and wonder why you didn't pick up on them before. Mandiant is one of those companies. There is a reason, of course. Mandiant started as a services company providing forensics, litigation support and incident response. So if you were in the product purchasing mood, you would not have run across these folks.
ArcSight gets a lot of play among security experts in the security event management (SEM)/security information manager (SIM) game.
How do you differentiate a product that keeps getting mixed up with a commoditized market, but really doesn't belong there? What differentiators do you look for that can keep you from being included in a herd where you don't belong?
I just love these folks. Take the best open source pen testing tool you can think of, put it on steroids, give it a user interface that makes it simple and fast to pen test in a production environment without losing the granularity of manual testing if you need it, and you have Core Impact. Well, almost. Every year I say that I am going to find a better tool, and I actually do comb the market -- unsuccessfully.
When your price starts at $50,000 and you are unique in your marketplace, you'd better have a good product. For Mu Dynamics, that is just where the story starts. When I first met the Mu folks, they were Mu Security. A new name later, they still are the innovators they were a couple of years ago. My conversation with a Mu visionary was an eye-opener.
This Swedish company will, I predict, set the benchmark here in the United States for how access to applications should be controlled. AppGate has helped shape the direction of network infrastructure security in Europe for some years, and now this innovator is bringing its unique thoughts to the States.
What sets these guys apart from the multifactor herd? In a word, vision. From the start, TriCipher has had the vision of evolving into a full identity management provider. That is a pretty heady ambition for a developer of multifactor authentication tools. So how does this innovator plan to make the trip from providing a piece of the puzzle to offering the whole thing, already assembled, framed and hung on the wall?
Start with the recognition that identity management is just too hard to do, create a solution for that problem and then morph it into a successful service and you have the recipe for a real innovator.
Here is another vendor that we see a lot of in our labs. Passlogix knows who it is and concentrates on doing what it does as well as it can be done. And what they do is credential management.
Bradford Networks is no stranger to these pages. An innovator from last year, Bradford has been reviewed a number of times over the years, always doing well. This year we asked them how well their crystal ball last year worked as 2008 unfolded.
A bank replaced its anti-virus when it found it could more effectively guard its systems with anti-malware, reports Greg Masters.
The inaugural SC World Congress takes place December 9-10 in New York City's Javits Convention Center.
Integrating the networking and IT security staffs delivers operational benefits, but comes with challenges, reports Jim Carr.
Financial institutions should be prepared to deal with security incidents involving physical facilities, network infrastructures, systems, applications, and most importantly, data, says Inno Eroraha, president of NetSecurity Corporation.
Global companies face a significant cultural and legal challenge when dealing with security across international borders, says James Ritchie, former principal auditor, Integralis.
As long as there has been credit granting there have been customers committing first party fraud, says Jasbir Anand, Actimize, Inc.
A growing number of organizations in the retail and financial services industries are recognizing the benefits of implementing and adhering to the Payment Card Industry Data Security Standard (PCI DSS).
Not long ago, audits were a sporadic occurrence for an IT department. While most regulatory mandates included sections that addressed IT controls, these sections were not the initial focus of auditors, so they were largely ignored. In today's security environment, it no longer makes sense to think of each of these audits as a one-off event.
Business process outsourcing (BPO) is a common practice these days, but the benefits of BPO also come with an increase in risk. This requires a new way of looking at data security - as an "inside-out" threat environment - that is, from the data core out and as a problem of insiders that needs to be monitored. Here is a primer for dealing with the security challenges posed by BPO.
Tools to encrypt sensitive data have been with us at least since the reign of Julius Caesar, who used a simple letter-shifting code to communicate with his generals. Encryption now is on the front lines of the war on data theft, tipping the battle in favor of the "good guys."
High-profile data breaches and compliance incidents - such as the recent rogue trading scandal at Societe Generale in France - have given a second meaning to ROI: "Risk of Insiders."
Learning applications that add a layer of multi-dimensional intelligence to DLP can identify what high-business-impact data is, who is using it, who should get it, and how it should go to them.
Data-theft attacks against web applications have expanded in scope—from attempts to extract credit card information from e-commerce sites to scraping entire libraries of valuable information from subscription-based sites.
John Penrod, CISO of The Weather Channel, discusses how the IT pro can manage business risk.
As the experience of one insurance broker proves, securing mobile devices requires a two-pronged approach.
Contracted third parties and other insiders create a bevy of risks for companies looking to secure data.
Some retailers are slow to embrace the new objectives required by the payment card industry.
Attacks on the firmware that sits within computers and enterprise networks are closer than you think.
Are multifactor solutions enough to protect today's financial customers?
Information security pros are increasingly confronted by cybercriminals trawling their corporate networks for customers' private data. More than 80 percent of the respondents to the SC Magazine/MXI Security survey say guarding against data breaches is the focus of current security initiatives, reports SC Magazine Editor-In-Chief Illena Armstrong.
A recent survey of 100 IT managers and CIOs from the financial services, health care, retail, manufacturing and government business sectors shows that despite a torrent of bad press on data-security breaches involving FTP (file-transfer protocol), its use is prevalent and growing.
Welcome to the first Group Test reviews of 2008. Appropriately, we start this year with two important groups: identity management and multifactor authentication products.
On the hunt for more innovative solutions to holistically safeguard organizations' growing networks, Peter Stephenson pinpoints the product categories and solutions you might consider next year.
The end of yet another year sees in this final 2007 edition of SC Magazine our annual roundup of top thinkers, interesting happenings, business developments and criminal acts.
The top cybersecurity events of the year.
We handed out crystal balls to several analysts, consultants, professors and CSOs and asked them to answer questions about next year.
This is a very special issue to me and the team at SC Labs because it is based on a year of seeing the good and the not so good. We actually saw almost no bad products, so it was a pretty good year overall. It is special for you because it helps answer the question, "If we are going to buy security tools in the next 12 to 18 months, what should we be looking at?"
Preston Wood is one CISO on top of the integration of enterprise security and networking operations, says Jim Carr.
Nominations are now open for the 2008 SC Magazine Awards, so cast your ballot in any of 20 Reader Trust categories.
Access control is the order of the day for this issue. All of our reviews focus on aspects of access control and management. This, of course, is a key aspect of enforcing the security of the enterprise. We address the topic with two First Looks and two Group Test reviews.
The reality of the security market has brought new demands for any business dealing with large financial institutions. No matter how large or small, or whether public or private, if a partner is handling bank information they'll be subject to the same measure of security as their customers.
In this special section, we look at how the IT security industry works to protect banks and financial institutions and keeps up with the rise of online transactions.
What began as a frantic effort to meet federally mandated personal authentication guidelines for online banking has morphed into a drive to boost the bottom line for a large number of financial services companies.
Recent headlines illustrate that data breaches continue to occur across all industries. The Privacy Rights Clearinghouse reports that more than 155 million records including sensitive information have been involved in security breaches to date.
Banks and financial institutions are targets not only because, in the words of bank robber Willie Sutton, "that's where the money is," but because they are also depositories of vast amounts of data, worth perhaps even more than gold to interested parties.
Like many businesses, Depository Trust and Clearing Corporation (DTCC) depends on its application developers to drive value for its organization. As the primary clearing agency in the United States responsible for clearing and settling securities transactions for a wide range of exchanges — including equities, corporate and municipal bonds, and government and mortgage-backed securities — DTCC handles approximately $5.5 trillion in transactions a day through its systems. These transactions are primarily routed through hundreds of applications built in-house.
Harry hack: A hacker named Gabriel claimed to have breached the networks of the UK's Bloomsbury Publishing, uncovering the ending of Harry Potter and the Deathly Hallows prior to its release. Experts contended that the claim, posted on hacker websites, was likely a sham, saying that if accurate more evidence would otherwise have been offered.
Here is an update from the IT security industry's boardrooms.
By blood-and-guts standards, Cary, N.C. is as safe a suburb as there is in the nation. The 121,000-person bedroom community regularly ranks near the statistical bottom of all the major crime categories, including murders, aggravated assaults and robberies.
Just a week after taking home the Rookie Security Company of the Year prize at the 2007 SC Magazine Awards Gala, The 41st Parameter landed an unexpected meeting with an industry heavyweight. Ori Eisen, founder and chief innovation officer at the Scottsdale, Ariz.-based anti-fraud firm, says executives from Oracle who attended the annual awards ceremony were impressed with The 41st Parameter and wanted to learn more about the company after seeing it win.
Campus exploit: Hackers exploited an unpatched flaw and a disabled firewall to infiltrate a server at the University of Colorado, Boulder, compromising the personal information of nearly 45,000 students. Attackers exploited a flaw in Symantec's Norton AntiVirus to launch a worm into the server of the College of Arts and Sciences Academic Advising Center, making off with student info.
Here are the latest happenings from the boardrooms of the IT security world.
How do you explain your job to non-technical people? I'd say that I'm the person where the "buck stops here." My semi-official role is to be risk mitigator of a network that contains sensitive information. In that role I try to also influence my industry and peers to do a better job. In the past, I've been chair of the Technology Committee of the California CPA Society, and used my time to educate fellow certified public accountants on the risk of running systems with full administrative rights. I set up the website threatcode.com to help educate fellow technical CPAs and assist in getting vendors to change their ways.
Never mind the Fourth of July, New Year's Eve or even his birthday. The occasion George Dolicker celebrated most merrily last year was International Computer Security Day. After all, the 19-year-old annual event marked the day that Dolicker, chief information security officer of computer maker Lenovo, unveiled the company's first home-grown information security program, complete with a comprehensive user education component.
Fed breach law: A federal ID theft task force backed a breach notification law on government use of personal information. The President's Identity Task Force, co-chaired by Federal Trade Commission Chairwoman Deborah Platt Majoras and Attorney General Alberto Gonzales, urged lawmakers to educate customers, as well as back a federal ID-theft law.
If you felt the floor shake after the feds helped indict the owners of e-gold on money laundering charges, it might be attributable to an underground fraudster community in panic mode.
Recently, there has been a lot of focus in the financial, security and merchant world on a few high-profile breaches of data security. The TJX breach alone has evolved to become the largest data breach ever, affecting 46 million credit card holders, and multiple brands in different geographic regions. There are a lot of lessons to be learned.
The Internet Security Alliance, a nonprofit forum for information sharing, has appointed Larry Clinton president. Since 2002, Clinton had served as deputy executive director and COO of the alliance. Prior to joining the group, he was vice president at the U.S. Telecom Association.
A vulnerability on the website of former New York City Mayor Rudy Giuliani could have allowed SQL injection attacks and expose confidential information. Meanwhile, the MySpace page of U.S. Sen. John McCain, R-Ariz., was altered by Mike Davidson, who was upset the campaign had used his design templates and imagery without permission.
Here is a roundup of the latest IT security news included in April's SC Magazine:
The heyday of massive salaries, extravagant raises and unrestrained bonuses that this industry experienced at the start of the 21st century has long since passed by the information security professional.
As Oracle's Wynn White strolled the floor during this year's RSA Conference, he noticed something odd: No longer was he only surrounded by techies, researchers, product salespeople and security pros.
Here are the latest corporate happenings in the IT security industry:
Here are the latest happenings in IT security's boardrooms.
Another buy: Symantec announced its intention to acquire enterprise management software provider Altiris in an $830 million deal. The purchase, intended to better Symantec's standing in the endpoint-management market, came as Symantec representatives said that endpoint security and management markets were converging.
Send your comments, praise or criticisms to scfeedbackUS@haymarketmedia.com. We reserve the right to edit letters.
When the University of California, Los Angeles (UCLA) recently announced that hackers had compromised a database of more than 800,000 people associated with the university, perhaps one of the most shocking aspects of the event was how long the bad guys had gone undetected. The hackers accessed information for over a year before security personnel at UCLA suspected any malfeasance.
The new Speaker of the House Nancy Pelosi represents a district not far from Silicon Valley. Freshly minted Chairman of the House Financial Services Committee Barney Frank says past legislation doesn't go far enough to protect consumer data. And Senate Majority Leader Harry Reid is himself a victim of identity theft.
HIPAA was introduced 10 years ago. In this special section, we look at the effects the controversial legislation has had on the IT security industry.
Ten years after its ratification, there's little doubt that the Health Information Portability and Accountability Act (HIPAA) has provided a strong framework for protecting patients' sensitive medical information against data security threats. What's just as certain, however, is the dramatic way in which HIPAA has changed the lives of the IT professionals in health care organizations charged with implementing the technology supporting the federal legislation.
If you think what you don't know won't hurt you, then you probably shouldn't be running a website. With literally hundreds of hidden security-related vulnerabilities showing up in web applications weekly, it's not really a matter of if but when someone finds an unknown flaw in your site and exploits it.
2006 will be recorded as the year that security breaches reached the consciousness and awareness of the mainstream consumer. Breaches are certainly not a new phenomenon, especially to security professionals. Although events in 2005 all made the headlines - such as the ChoicePoint identity theft that affected 163,000 records, the stolen laptop at the University of California, Berkeley, with more than 98,000 records, and the Boeing stolen laptop with Social Security numbers and bank account information of 161,000 people - the data breach incidents in 2006 occurred at an astounding, costly rate and gained much more media attention.
As part of SC Magazine's year-end roundup, the U.S. editorial team compiled lists of the most memorable - and sometimes most outrageous - news to cross your screen this year.
Banks usually tout putting money away for rainy days. They may encourage savvy budgeting so that times ahead can be comfortable. Insurance companies promote planning ahead, while lenders suggest ways of repaying loans in a timely fashion.
The new amendments to the Federal Rules of Civil Procedure, which took effect Dec. 1, govern the role of electronic discovery in cases of civil litigation.
Hearing news about yet another lost or stolen laptop and exposure of personal information is almost like having seen too many horror flicks. Shock has shifted to disbelief - plus numb outrage at the apparent inability of corporations and government to protect our private personal data.
Financial institutions that meet the FFIEC's year-end compliance guidance for stronger customer data and transaction protection will be wise not to declare victory. This is not Y2K and there are no permanent one-time fixes. Fraud is not going away: it morphs, and it will exist as long as customers have money that can be stolen with little risk of apprehension and prosecution.
Shake-up at McAfee: An internal McAfee probe spurred by Securities and Exchange Commission inquiries has led to a shake-up at the security giant. George Samenuk retired as chairman and CEO, while Kevin Weiss was fired. Board director Dale Fuller took over as interim president and CEO, while Charles Robel, another board member, was named chairman. A special committee's investigation determined insiders were participating in a questionable stock options practice known as backdating. News of the departures led some analysts to conclude that McAfee is ripe for acquisition. Fuller said: "All options are on the table."
Everyone knows that losing customers impacts the bottom line, whatever the cause may be. However, losing customers to security breaches and mistrust can be devastating. Consider the following research from Ponemon Institute. Nearly 58 percent of respondents to a national survey of more than 1,000 victims of personal data security breaches said a breach had decreased their sense of trust and confidence in the organization reporting the incident. More than 70 percent of respondents said that two data breaches in the same company would be sufficient grounds for them to take their business elsewhere.
The mobile, wireless world in which we now live has created a shift in the focus of venture capital investments in security technology. Today's investors tend to target technology that directly protects people and information, a marked change from a few years ago when the focus was the protection of corporate computer systems as a whole.
Should federal agencies be held to the same standards as the private sector?