Features

Bank on it: Attacks on financial institutions

Risk is with us, whether physical or online, says Doug Johnson, American Bankers Association. James Hale reports.

Features

Paying dividends: Financial Services Roundtable

While the financial services industry traditionally has been quicker to embrace cybersecurity than other verticals, the challenges it faces, like meeting compliance and deterring fraud, never let up.

Features

Cutting the red tape: SC Roundtable

As agencies are forced to do more with less, government security pros at a recent SC Magazine Roundtable discussion said they are being challenged to fight emerging threats and secure new technologies.

Features

Ashwin Altekar, security risk manager, Heartland Payment Systems

Ashwin Altekar, security risk manager at Heartland Payment Systems, says he must first understand the level of risk that technologies create for customers, and then implement controls that manage that risk so it is invisible to customers.

Features

Me and my job: Fares Alraie of Royal Bank of Canada

Development teams often ignore application security requirements in order to meet all their hard-pressed deadlines and requirements, says Fares Alraie, software security specialist at the Royal Bank of Canada.

Features

Me and My Job: Steven Jones, Synovus Financial Corp.

A monthly Q&A with an IT security professional.

Features

Law enforcement of cybercrime: Bringing justice

Gary Warner of the University of Alabama at Birmingham wants to pursue small-time cybercriminals through a new partnership teaming university researchers and local and state authorities.

Features

Reducing compliance workloads

Security is not compliance, and compliance is not security.

Features

Financial vertical: An economic dissection

As more regulators scrutinize the business practices of financial services companies, IT security pros must advance their data processes and safeguards, reports Illena Armstrong.

Features

SC Magazine Financial Roundtable: Across the board

During an SC Magazine Financial Services Roundtable, leading information security pros discussed how they are refining IT security tactics, and more, reports Illena Armstrong.

Finance

In the vault

When it comes to protecting financial info, IT security professionals can never rest on their laurels, reports Jean Thilmany.

Features

IT-GRC: Agiliance

And so we reach the end of this year's batch of innovators. But, as we look at this subcategory, we find that it wraps the whole shebang into a neat package, defining what needs to be done to secure the enterprise (and prove it) and why.

Features

Policy management: LanDesk (Avocent)

All of us old-timers remember LanDesk from its days as part of Intel. It always was a solid suite of products. Now that it is part of Avocent, its promise as a hybrid of network and security policy management is being realized. The notion of managing the desktop and evolving that into security policy management makes a lot of sense.

Features

Content management: Finjan

The views of the visionary I spoke with from this veteran anti-malware company took the conversation in directions I had not expected. He started out by asking, "Why, if I have done everything I can to secure my enterprise, is my data still being compromised?"

Features

Data leakage/extrusion prevention: Trend Micro

I don't recall the first time I heard the term "extrusion prevention system." It was, I think, an effort on the part of some marketer to tie the notion of preventing data from unauthorized exit (extrusion) from the enterprise to the notion of unauthorized entry (intrusion). Very clever.

Features

Encryption: PGP

No matter how much things change, they stay the same. As I have pointed out, there have been massive changes in security drivers over the past 12 months. The changes have generated a new set of challenges, but, even though our encryption innovator has done a first-rate job of addressing them over the past year, the new issues are generating a sort of déjà vu picture of the encryption market.

Features

Email security: Tumbleweed Communications (Axway)

The big question I had for Tumbleweed was, "What is email security?" Over the past two years, as we have passed products through SC Labs, I have noticed that the vendor public relations folks who we talk to seem to have a hard time differentiating between the many aspects of threats associated with email.

Features

Wireless Security: AirMagnet

Wireless, is it? Everything is going wireless - well almost everything. That, in itself, poses a challenge for a wireless security company, such as this innovator. It also offers big opportunities and AirMagnet has identified and addressed them.

Features

IPS: Top Layer Security

If you thought the UTM market was crowded, take a look at the intrusion prevention systems (IPS) market. We bluntly asked our innovator in this product space why they thought that they were innovators in such a commoditized market. The answer was immediate and unambiguous: "When a product category becomes mainstream, there are big opportunities, but you must innovate to take advantage of them."

Features

UTM: Global DataGuard

Sometimes a different approach is needed. The notion of the UTM was developed from the need to consolidate point solutions. There are a lot of problems, of course. They cost more to buy and manage, they use more power and they need a sophisticated staff to manage them.

Features

Forensic tools: Mandiant

Sometimes you run across a company that just deserves to be selected as an innovator. You look them over and wonder why you didn't pick up on them before. Mandiant is one of those companies. There is a reason, of course. Mandiant started as a services company providing forensics, litigation support and incident response. So if you were in the product purchasing mood, you would not have run across these folks.

Features

SIEM: ArcSight

ArcSight gets a lot of play among security experts in the security event management (SEM)/security information manager (SIM) game.

Features

Threat analysis: NitroSecurity

How do you differentiate a product that keeps getting mixed up with a commoditized market, but really doesn't belong there? What differentiators do you look for that can keep you from being included in a herd where you don't belong?

Features

Penetration testing: Core Security

I just love these folks. Take the best open source pen testing tool you can think of, put it on steroids, give it a user interface that makes it simple and fast to pen test in a production environment without losing the granularity of manual testing if you need it, and you have Core Impact. Well, almost. Every year I say that I am going to find a better tool, and I actually do comb the market -- unsuccessfully.

Features

Vulnerability analysis: Mu Dynamics

When your price starts at $50,000 and you are unique in your marketplace, you'd better have a good product. For Mu Dynamics, that is just where the story starts. When I first met the Mu folks, they were Mu Security. A new name later, they still are the innovators they were a couple of years ago. My conversation with a Mu visionary was an eye-opener.

Features

Access management: AppGate Network Security

This Swedish company will, I predict, set the benchmark here in the United States for how access to applications should be controlled. AppGate has helped shape the direction of network infrastructure security in Europe for some years, and now this innovator is bringing its unique thoughts to the States.

Features

Multifactor authentication: TriCipher

What sets these guys apart from the multifactor herd? In a word, vision. From the start, TriCipher has had the vision of evolving into a full identity management provider. That is a pretty heady ambition for a developer of multifactor authentication tools. So how does this innovator plan to make the trip from providing a piece of the puzzle to offering the whole thing, already assembled, framed and hung on the wall?

Features

Identity management: Fischer International

Start with the recognition that identity management is just too hard to do, create a solution for that problem and then morph it into a successful service and you have the recipe for a real innovator.

Features

Credential management: Passlogix

Here is another vendor that we see a lot of in our labs. Passlogix knows who it is and concentrates on doing what it does as well as it can be done. And what they do is credential management.

Features

NAC: Bradford Networks

Bradford Networks is no stranger to these pages. An innovator from last year, Bradford has been reviewed a number of times over the years, always doing well. This year we asked them how well their crystal ball last year worked as 2008 unfolded.

Features

Bank on it: An end to anti-virus

A bank replaced its anti-virus when it found it could more effectively guard its systems with anti-malware, reports Greg Masters.

Features

Into the breach

The inaugural SC World Congress takes place December 9-10 in New York City's Javits Convention Center.

Features

A more secure union

Integrating the networking and IT security staffs delivers operational benefits, but comes with challenges, reports Jim Carr.

Finance

Responding to a financial security breach

Financial institutions should be prepared to deal with security incidents involving physical facilities, network infrastructures, systems, applications, and most importantly, data, says Inno Eroraha, president of NetSecurity Corporation.

Finance

Global security challenges

Global companies face a significant cultural and legal challenge when dealing with security across international borders, says James Ritchie, former principal auditor, Integralis.

Finance

First party fraud

As long as there has been credit granting there have been customers committing first party fraud, says Jasbir Anand, Actimize, Inc.

Finance

Easing PCI Compliance

A growing number of organizations in the retail and financial services industries are recognizing the benefits of implementing and adhering to the Payment Card Industry Data Security Standard (PCI DSS).

Features

Changing a mindset: Audits are no longer one-off events

Not long ago, audits were a sporadic occurrence for an IT department. While most regulatory mandates included sections that addressed IT controls, these sections were not the initial focus of auditors, so they were largely ignored. In today's security environment, it no longer makes sense to think of each of these audits as a one-off event.

Finance

Data Security and Outsourcing: Oxymoron?

Business process outsourcing (BPO) is a common practice these days, but the benefits of BPO also come with an increase in risk. This requires a new way of looking at data security — as an "inside-out" threat environment - that is, from the data core out and as a problem of insiders that needs to be monitored. Here is a primer for dealing with the security challenges posed by BPO.

Features

Encryption: Why now?

Tools to encrypt sensitive data have been with us at least since the reign of Julius Caesar, who used a simple letter-shifting code to communicate with his generals. Encryption now is on the front lines of the war on data theft, tipping the battle in favor of the "good guys."

Features

New meaning for ROI: "Risk of Insiders"

High-profile data breaches and compliance incidents - such as the recent rogue trading scandal at Societe Generale in France - have given a second meaning to ROI: "Risk of Insiders."

Features

Learning applications: Revolutionizing data loss prevention

Learning applications that add a layer of multi-dimensional intelligence to DLP can identify what high-business-impact data is, who is using it, who should get it, and how it should go to them.

Features

Scraping: Data theft is scaling up

Data-theft attacks against web applications have expanded in scope—from attempts to extract credit card information from e-commerce sites to scraping entire libraries of valuable information from subscription-based sites.

Features

Vulnerability management: weathering the storm

John Penrod, CISO of The Weather Channel, discusses how the IT pro can manage business risk.

Features

Portable device security: mobile madness

As the experience of one insurance broker proves, securing mobile devices requires a two-pronged approach.

Features

Data theft: the in crowd

Contracted third parties and other insiders create a bevy of risks for companies looking to secure data.

Features

Compliance: PCI's growing pains

Some retailers are slow to embrace the new objectives required by the payment card industry.

Features

Firmware: hacking the chip

Attacks on the firmware that sits within computers and enterprise networks are closer than you think.

Features

Two-factor authentication: ask the right questions

Are multifactor solutions enough to protect today's financial customers?

Features

Survey 2008: Guarding against a data breach

Information security pros are increasingly confronted by cybercriminals trawling their corporate networks for customers' private data. More than 80 percent of the respondents to the SC Magazine/MXI Security survey say guarding against data breaches is the focus of current security initiatives, reports SC Magazine Editor-In-Chief Illena Armstrong.

Features

Survey: 80 percent of financial security chiefs rely on FTP transfers despite data breaches

A recent survey of 100 IT managers and CIOs from the financial services, health care, retail, manufacturing and government business sectors shows that despite a torrent of bad press on data-security breaches involving FTP (file-transfer protocol), its use is prevalent and growing.

Features

Product section: Managing access - first line of enterprise defense

Welcome to the first Group Test reviews of 2008. Appropriately, we start this year with two important groups: identity management and multifactor authentication products.

Features

Look ahead: Search for pioneers

On the hunt for more innovative solutions to holistically safeguard organizations' growing networks, Peter Stephenson pinpoints the product categories and solutions you might consider next year.

Features

IT Security Reboot 2007

The end of yet another year sees in this final 2007 edition of SC Magazine our annual roundup of top thinkers, interesting happenings, business developments and criminal acts.

Features

Roundup 2007: The year's top fives

The top cybersecurity events of the year.

Features

Roundup 2007: Gazing into the crystal ball

We handed out crystal balls to several analysts, consultants, professors and CSOs and asked them to answer questions about next year.

2006 Awards

Product section: Our 2007 industry innovators

This is a very special issue to me and the team at SC Labs because it is based on a year of seeing the good and the not so good. We actually saw almost no bad products, so it was a pretty good year overall. It is special for you because it helps answer the question, "If we are going to buy security tools in the next 12 to 18 months, what should we be looking at?"

Features

In the driver's seat: the integration of enterprise security and networking operations

Preston Wood is one CISO on top of the integration of enterprise security and networking operations, says Jim Carr.

Features

The polls are open - cast your ballot for the 2008 SC Magazine Awards

Nominations are now open for the 2008 SC Magazine Awards, so cast your ballot in any of 20 Reader Trust categories.

Features

Product section: Meeting the challenge of managing access

Access control is the order of the day for this issue. All of our reviews focus on aspects of access control and management. This, of course, is a key aspect of enforcing the security of the enterprise. We address the topic with two First Looks and two Group Test reviews.

Features

Debt Exchange improves security with scanning service

The reality of the security market has brought new demands for any business dealing with large financial institutions. No matter how large or small, or whether public or private, if a partner is handling bank information they'll be subject to the same measure of security as their customers.

Features

Special section: IT security and the financial vertical

In this special section, we look at how the IT security industry works to protect banks and financial institutions and keeps up with the rise of online transactions.

Features

FFIEC guidelines mandate financial services security upgrades

What began as a frantic effort to meet federally mandated personal authentication guidelines for online banking has morphed into a drive to boost the bottom line for a large number of financial services companies.

Features

The financial vertical: Five ways to protect data and IP

Recent headlines illustrate that data breaches continue to occur across all industries. The Privacy Rights Clearinghouse reports that more than 155 million records including sensitive information have been involved in security breaches to date.

Features

The financial vertical: How institutions protect data - from unaware employees and outsiders

Banks and financial institutions are targets not only because, in the words of bank-robber Willy Sutton, that's where the money is, but because they are also depositories of vast amounts of data, worth perhaps even more than gold to interested parties.

Features

Robust web application security builds trust for DTCC

Like many businesses, Depository Trust and Clearing Corporation (DTCC) depends on its application developers to drive value for its organization. As the primary clearing agency in the United States responsible for clearing and settling securities transactions for a wide range of exchanges — including equities, corporate and municipal bonds, and government and mortgage-backed securities — DTCC handles approximately $5.5 trillion in transactions a day through its systems. These transactions are primarily routed through hundreds of applications built in-house.

News

News briefs

Harry hack: A hacker named Gabriel claimed to have breached the networks of the UK's Bloomsbury Publishing, uncovering the ending of Harry Potter and the Deathly Hallows prior to its release. Experts contended that the claim, posted on hacker websites, was likely a sham, saying that if accurate more evidence would otherwise have been offered.

News

Company news

Here is an update from the IT security industry's boardrooms.

Features

Law and order: A national computer forensic center takes shape

By blood-and-guts standards, Cary, N.C. is as safe a suburb as there is in the nation. The 121,000-person bedroom community regularly ranks near the statistical bottom of all the major crime categories, including murders, aggravated assaults and robberies.

Features

The SC Magazine Awards - be great in '08

Just a week after taking home the Rookie Security Company of the Year prize at the 2007 SC Magazine Awards Gala, The 41st Parameter landed an unexpected meeting with an industry heavyweight. Ori Eisen, founder and chief innovation officer at the Scottsdale, Ariz.-based anti-fraud firm, says executives from Oracle who attended the annual awards ceremony were impressed with The 41st Parameter and wanted to learn more about the company after seeing it win.

News

News briefs

Campus exploit: Hackers exploited an unpatched flaw and a disabled firewall to infiltrate a server at the University of Colorado, Boulder, compromising the personal information of nearly 45,000 students. Attackers exploited a flaw in Symantec's Norton AntiVirus to launch a worm into the server of the College of Arts and Sciences Academic Advising Center, making off with student info.

News

Company news

Here are the latest happenings from the boardrooms of the IT security world.

Opinions

Me and my job

How do you explain your job to non-technical people? I'd say that I'm the person where the "buck stops here." My semi-official role is to be risk mitigator of a network that contains sensitive information. In that role I try to also influence my industry and peers to do a better job. In the past, I've been chair of the Technology Committee of the California CPA Society, and used my time to educate fellow certified public accountants on the risk of running systems with full administrative rights. I set up the website threatcode.com to help educate fellow technical CPAs and assist in getting vendors to change their ways.

Features

Educating the masses for IT security

Never mind the Fourth of July, New Year's Eve or even his birthday. The occasion George Dolicker celebrated most merrily last year was International Computer Security Day. After all, the 19-year-old annual event marked the day that Dolicker, chief information security officer of computer maker Lenovo, unveiled the company's first home-grown information security program, complete with a comprehensive user education component.

News

News briefs

Fed breach law: A federal ID theft task force backed a breach notification law on government use of personal information. The President's Identity Task Force, co-chaired by Federal Trade Commission Chairwoman Deborah Platt Majoras and Attorney General Alberto Gonzales, urged lawmakers to educate customers, as well as back a federal ID-theft law.

News

The cost of e-gold falling

If you felt the floor shake after the feds helped indict the owners of e-gold on money laundering charges, it might be attributable to an underground fraudster community in panic mode.

Opinions

Strengthen the PCI Data Security Standard

Recently, there has been a lot of focus in the financial, security and merchant world on a few high-profile breaches of data security. The TJX breach alone has evolved to become the largest data breach ever, affecting 46 million credit card holders, and multiple brands in different geographic regions. There are a lot of lessons to be learned.

News

Company news

The Internet Security Alliance, a nonprofit forum for information sharing, has appointed Larry Clinton president. Since 2002, Clinton had served as deputy executive director and COO of the alliance. Prior to joining the group, he was vice president at the U.S. Telecom Association.

News

News briefs

A vulnerability on the website of former New York City Mayor Rudy Giuliani could have allowed SQL injection attacks and exposed confidential information. Meanwhile, the MySpace page of U.S. Sen. John McCain, R-Ariz., was altered by Mike Davidson, who was upset the campaign had used his design templates and imagery without permission.

News

News briefs

Here is a roundup of the latest IT security news included in April's SC Magazine:

Features

Money matters: SC Magazine/EC-Council Salary Survey 2007

The heyday of massive salaries, extravagant raises and unrestrained bonuses that this industry experienced at the start of the 21st century has long since passed by the information security professional.

Features

Cooperation among departments key to organizational security

As Oracle's Wynn White strolled the floor during this year's RSA Conference, he noticed something odd: No longer was he only surrounded by techies, researchers, product salespeople and security pros.

News

Company news

Here are the latest corporate happenings in the IT security industry:

News

Company news

Here are the latest happenings in IT security's boardrooms.

News

News briefs

Another buy: Symantec announced its intention to acquire enterprise management software provider Altiris in an $830 million deal. The purchase, intended to better Symantec's standing in the endpoint-management market, came as Symantec representatives said that endpoint security and management markets were converging.

Opinions

Got something to say?

Send your comments, praise or criticisms to scfeedbackUS@haymarketmedia.com. We reserve the right to edit letters.

Features

Organizations turn to new techniques to fight financially motivated attacks

When the University of California, Los Angeles (UCLA) recently announced that hackers had compromised a database of more than 800,000 people associated with the university, perhaps one of the most shocking aspects of the event was how long the bad guys had gone undetected. The hackers accessed information for over a year before security personnel at UCLA suspected any malfeasance.

Features

What does a new Democratic Congress mean for information security?

The new Speaker of the House Nancy Pelosi represents a district not far from Silicon Valley. Freshly minted Chairman of the House Financial Services Committee Barney Frank says past legislation doesn't go far enough to protect consumer data. And Senate Majority Leader Harry Reid is himself a victim of identity theft.

Features

Special report: IT security and health care

HIPAA was introduced 10 years ago. In this special section, we look at the effects the controversial legislation has had on the IT security industry.

Features

Health care: Where are the penalties for failing to comply with HIPAA?

Ten years after its ratification, there's little doubt that the Health Information Portability and Accountability Act (HIPAA) has provided a strong framework for protecting patients' sensitive medical information against data security threats. What's just as certain, however, is the dramatic way in which HIPAA has changed the lives of the IT professionals in health care organizations charged with implementing the technology supporting the federal legislation.

Features

Fast growing threats

If you think what you don't know won't hurt you, then you probably shouldn't be running a website. With literally hundreds of hidden security-related vulnerabilities showing up in web applications weekly, it's not really a matter of if but when someone finds an unknown flaw in your site and exploits it.

Features

Encryption a perfect response to the Year of the Breach

2006 will be recorded as the year that security breaches reached the consciousness and awareness of the mainstream consumer. Breaches are certainly not a new phenomenon, especially to security professionals. Although events in 2005 all made the headlines, such as the ChoicePoint identification theft that affected 163,000 records, the stolen laptop at the University of California, Berkeley, with more than 98,000 records, and the Boeing stolen laptop with Social Security numbers and bank account information of 161,000 people, the data breach incidents in 2006 occurred at an astounding, costly rate and gained much more media attention.

News

IT security reboot 2006: The year's top news

As part of SC Magazine's year-end roundup, the U.S. editorial team compiled lists of the most memorable - and sometimes most outrageous - news to cross your screen this year.

News

Roundup 2006: Taking it to the bank

Banks usually tout putting money away for rainy days. They may encourage savvy budgeting so that times ahead can be comfortable. Insurance companies promote planning ahead, while lenders suggest ways of repaying loans in a timely fashion.

News

2 minutes on... New focus on e-discovery

The new amendments to the Federal Rules of Civil Procedure, which took effect Dec. 1, govern the role of electronic discovery in cases of civil litigation.

Features

Laptop theft, data exposure the result of poor mobile security management

Hearing news about yet another lost or stolen laptop and exposure of personal information is almost like having seen too many horror flicks. Shock has shifted to disbelief - plus numb outrage at the apparent inability of corporations and government to protect our private personal data.

Features

No time for declarations of victory over compliance deadlines

Financial institutions that meet the FFIEC's year-end compliance guidance for stronger customer data and transaction protection will be wise not to declare victory. This is not Y2K and there are no permanent one-time fixes. Fraud is not going away: it morphs, and it will exist as long as customers have money that can be stolen with little risk of apprehension and prosecution.

News

News briefs

Shake-up at McAfee: An internal McAfee probe spurred by Securities and Exchange Commission inquiries has led to a shake-up at the security giant. George Samenuk retired as chairman and CEO, while Kevin Weiss was fired. Board director Dale Fuller took over as interim president and CEO, while Charles Robel, another board member, was named chairman. A special committee's investigation determined insiders were participating in a questionable stock options practice known as backdating. News of the departures led some analysts to conclude that McAfee is ripe for acquisition. Fuller said: "All options are on the table."

News

Protecting customer information

Everyone knows that losing customers impacts the bottom line, whatever the cause may be. However, losing customers to security breaches and mistrust can be devastating. Consider the following research from Ponemon Institute. Nearly 58 percent of respondents to a national survey of more than 1,000 victims of personal data security breaches said a breach had decreased their sense of trust and confidence in the organization reporting the incident. More than 70 percent of respondents said that two data breaches in the same company would be sufficient grounds for them to take their business elsewhere.

Features

Mobile security dialing up investment dollars

The mobile, wireless world in which we now live has created a shift in the focus of venture capital investments in security technology. Today's investors tend to target technology that directly protects people and information, a marked change from a few years ago when the focus was the protection of corporate computer systems as a whole.
