Higher learning

Advanced degrees in information security are popping up with increasing frequency, but are they worth the time? Cynthia Phillips at Brandeis says yes, reports Dan Kaplan.

2008 Salary and career survey: More than money

Information security pros face neither wage boons nor badlands this year, reports Illena Armstrong.

Patching a sick health care system

As older generations of non-networked health care machines get replaced with 'smarter' network-integrated versions, the proliferation of embedded operating systems will grow.

Global security challenges

Global companies face a significant cultural and legal challenge when dealing with security across international borders, says James Ritchie, former principal auditor, Integralis.

Worth the upgrade

The TJX data breach has made wireless encryption a priority for retailers and other enterprises. Frank Washkuch Jr. finds out why.

The next generation

AIG's CSO Paul DeGraaff says security professionals must gauge the risks of a younger workforce, reports Dan Kaplan.

Portable device security: mobile madness

As the experience of one insurance broker proves, securing mobile devices requires a two-pronged approach.

RFID/Bluetooth: convenient threats

IT pros need to move fast as RFID and Bluetooth threats move from the drawing board to the real world.

Firmware: hacking the chip

Attacks on the firmware that sits within computers and enterprise networks are closer than you think.

Product section: Look ma, no wires, but secure anyway

This month our reviews section is unplugged. We look at security for portable devices, as well as security for wireless systems.

Survey 2008: Guarding against a data breach

Information security pros are increasingly confronted by cybercriminals trawling their corporate networks for customers' private data. More than 80 percent of the respondents to the SC Magazine/MXI Security survey say guarding against data breaches is the focus of current security initiatives, reports SC Magazine Editor-In-Chief Illena Armstrong.

Five years and counting: A SOX data security reality check

Time sure does fly. On July 30, 2007, the Sarbanes-Oxley (SOX) Act turned five years old! And while the jury may still be out on the degree that SOX is benefiting the average investor, there's no question that if you're reading this, it's changed your life.

Product section: Our 2007 industry innovators

This is a very special issue to me and the team at SC Labs because it is based on a year of seeing the good and the not so good. We actually saw almost no bad products, so it was a pretty good year overall. It is special for you because it helps answer the question, "If we are going to buy security tools in the next 12 to 18 months, what should we be looking at?"

Roundup 2007: Gazing into the crystal ball

We handed out crystal balls to several analysts, consultants, professors and CSOs and asked them to answer questions about next year.

Roundup 2007: The year's top fives

The top cybersecurity events of the year.

IT Security Reboot 2007

The end of yet another year sees in this final 2007 edition of SC Magazine our annual roundup of top thinkers, interesting happenings, business developments and criminal acts.

Look ahead: Search for pioneers

On the hunt for more innovative solutions to holistically safeguard organizations' growing networks, Peter Stephenson pinpoints the product categories and solutions you might consider next year.

Government vertical: Meeting today's mandates

The government vertical presents special challenges to IT security vendors, but all agree it is a growing market, reports Greg Masters.

Special section: IT security and government

All levels of government face critical issues in securing their data - whether shared via the web or through email, USB sticks or IM.

Virtualization - savings not without threats

Karl Hart is one ISO who sees organizations saving big bucks by virtualizing their data centers, but risks loom, reports Dan Kaplan.

Product section: Meeting the challenge of managing access

Access control is the order of the day for this issue. All of our reviews focus on aspects of access control and management. This, of course, is a key aspect of enforcing the security of the enterprise. We address the topic with two First Looks and two Group Test reviews.

In the driver's seat: the integration of enterprise security and networking operations

Preston Wood is one CISO on top of the integration of enterprise security and networking operations, says Jim Carr.

Moving data securely requires a good tool kit

For decades we have fussed around with how we describe our profession. It started with data security, evolved to computer security, and then took off in several directions. Today most professionals are pretty well satisfied with information security.

Not the same old SOX

Depending on who you ask, the five-year old Sarbanes-Oxley Act is either a costly failure or a stroke of genius, reports Dan Kaplan.

The SIM solution

The value to Kelly Services of a newly deployed SIM tool goes beyond securing its staff and customer data, reports Jim Carr.

A holistic and proactive approach to preventing data theft

Recent high profile data breaches have underscored the need for robust information security within organizations. But with names like Pfizer, TJX and the Department of Veterans Affairs dominating headlines, smaller organizations might infer that they have nothing to fear. Nevertheless, no company — large or small — is immune to a data breach or network intrusion, and the best form of protection is a holistic and proactive approach.

Get familiar with the back door

One of the most common concerns I find when asking security managers about their legacy physical security systems is that, generally, they are not very sure of the level of assurance that exists in their systems, and if they are truly safe from vulnerability or attack. They often don't actually understand their systems' ability to withstand attacks from the data network, nor do they comprehend what risks they introduce onto the network.

Everyday information security

There is a general belief by end-users and executives that most information security incidents contain a level of extraordinary activity and usually do not occur during a typical work week. The thought is that security events against a corporation are few and far between, so the resources spent on protecting against potential incidents do not provide a good return on investment. The security industry has countered by spending significant time in showing the value of protective investments in hopes of altering the belief that security does not equate to an effective ROI.

Understand risk analysis

It appears that today, business contingency, disaster recovery and compliance are the hot phrases in information technology circles. Risk analysis, in particular, is grossly misunderstood by IT professionals. It is bandied about by executives who, through no fault of their own, do not have a clear concept of what the phrase really means. That is primarily because the calculation of risk is not something for which an IT professional has traditionally been responsible, let alone trained. Also, the derivation of risk analysis requires a different level of thinking than understanding Active Directory or voice over internet protocol (VoIP).

Company news

Here is an update from the IT security industry's boardrooms.

News briefs

Harry hack: A hacker named Gabriel claimed to have breached the networks of the UK's Bloomsbury Publishing, uncovering the ending of Harry Potter and the Deathly Hallows prior to its release. Experts contended that the claim, posted on hacker websites, was likely a sham, saying that if it were accurate, more evidence would have been offered.

Special section: IT security and the financial vertical

In this special section, we look at how the IT security industry works to protect banks and financial institutions and keeps up with the rise of online transactions.

Developers of Web 2.0 apps must build in security from the start

When notice of a widespread phishing attack against MySpace members was posted in a June Google security blog, Colin Whittaker, a Google anti-phishing team member (who posted the blog), thought it noteworthy that this phishing attack spread through MySpace itself, not email or IM links.

Me and my job

Five questions for Prabhakar Chandrasekaran, ISO of Spartanburg Regional Healthcare System.

Dangerous liaisons, new threats

Back in May, on our Michigan.gov website, we experienced a cyber sit-in. Parents were encouraged to protest possible Medicaid cuts by teaming-up with a group calling themselves the Electronic Disturbance Theater (ECD).

What to do when an employee goes bad

Short of locking every user out of the network, there aren't any definitive ways to prevent insider threats. Observation is key as the majority of fraud-related issues are discovered through anonymous tips or by accident. Our objective then is to increase the rate by which we "happen" to identify when issues are occurring. Changes surrounding an individual can be the first sign of bad activity.

News briefs

Campus exploit: Hackers exploited an unpatched flaw and a disabled firewall to infiltrate a server at the University of Colorado, Boulder, compromising the personal information of nearly 45,000 students. Attackers exploited a flaw in Symantec's Norton AntiVirus to launch a worm into the server of the College of Arts and Sciences Academic Advising Center, making off with student info.

The SC Magazine Awards - be great in 08

Just a week after taking home the Rookie Security Company of the Year prize at the 2007 SC Magazine Awards Gala, The 41st Parameter landed an unexpected meeting with an industry heavyweight. Ori Eisen, founder and chief innovation officer at the Scottsdale, Ariz.-based anti-fraud firm, says executives from Oracle who attended the annual awards ceremony were impressed with The 41st Parameter and wanted to learn more about the company after seeing it win.

The hard sell: which key performance indicators to use in reports

The skill set required for the modern IT security professional is constantly changing — the moxie of malware authors, phishers and online scam artists ensures that. Employees working to keep networks and data safe increasingly need another trait they can't learn in a certification course or training session, say consultants and analysts. The IT security pro is now expected to be a great communicator, especially when using metrics and other statistics to explain a corporate IT strategy, along with its results and shortcomings, to superiors.

Law and order: A national computer forensic center takes shape

By blood-and-guts standards, Cary, N.C. is as safe a suburb as there is in the nation. The 121,000-person bedroom community regularly ranks near the statistical bottom of all the major crime categories, including murders, aggravated assaults and robberies.

Measures, metrics and management

Why is it that two restaurateurs can take the same basic ingredients, but create dishes that invoke such opposing reactions from customers: one dish bland and so unappealing that our appetite disappears; the other tasting terrific and presented perfectly?

Secure the whole business

A natural way of achieving security is to focus on the business basics: identifying your customers; ensuring that they can do everything they need to do; managing customers' actions in a simple way; and generating reports telling you who did what.

Educating the masses for IT security

Never mind the Fourth of July, New Year's Eve or even his birthday. The occasion George Dolicker celebrated most merrily last year was International Computer Security Day. After all, the 19-year-old annual event marked the day that Dolicker, chief information security officer of computer maker Lenovo, unveiled the company's first home-grown information security program, complete with a comprehensive user education component.

Me and my job

How do you explain your job to non-technical people? I'd say that I'm the person where the "buck stops here." My semi-official role is to be risk mitigator of a network that contains sensitive information. In that role I try to also influence my industry and peers to do a better job. In the past, I've been chair of the Technology Committee of the California CPA Society, and used my time to educate fellow certified public accountants on the risk of running systems with full administrative rights. I set up the website threatcode.com to help educate fellow technical CPAs and assist in getting vendors to change their ways.

Got something to say?

Send your comments, praise or criticisms to scfeedbackus@haymarketmedia.com. We reserve the right to edit letters.

Work with other departments outside of the IT tower

During my discussions with other CISOs, the common thread among the truly successful is an ability to communicate with non-IT department heads. By seeking the views of your fellow department heads, the CISO can develop a complete information security strategy and establish security champions throughout the company. Security is the responsibility of all users in the enterprise, and by engaging the functional department heads, the CISO can begin to create a deeper awareness around security issues.

Go beyond checkbox security

There seems to be a disturbing trend growing in popularity called DROP (distributed responsibility of protection).

Me and my job

What's your favorite part of your job? All of my job for the most part; making a difference with faculty, staff and constituents is always fulfilling. I enjoy working with our BITS (Berry Information Technology Students) especially. I enjoy the way we get along as a department. And there are also the day-to-day IT challenges — where would we be without that?

IT security and education: Schools around the country find the right technology to protect networks

If you want to learn something about security, who better to talk with than an IT professional at an educational institution? After all, they deal with most, if not all, of the challenges their colleagues in enterprises face, and more — much more.

Special section: IT security and education

Barely had the first week in 2007 been kicked off when news of a hacker gaining access to a college's network, and perhaps employees' private details, came to light.

2 minutes on...secure code certifications

As the hacker community's penchant grows for exploiting easy-to-discover web application vulnerabilities, the SANS Institute is leading a charge to educate software programmers before they hit the workforce.

News briefs

Here is a roundup of the latest IT security news included in April's SC Magazine:

Avoid the rearview mirror

Is your organization protecting yesterday's infrastructure from yesterday's threats? Vulnerability evolves not only in response to external drivers like viruses, but also in response to network change. The challenge is that few IT executives have the dollars to scan and update their entire environment. This forces them to manage vulnerability in the rearview mirror.

Me and my job

Mark Adams, corporate security officer, BlueCross-BlueShield of Nebraska, answers some quick questions about his job.

SC Magazine 2007 Awards

There were no red carpets or stretch limos, but like the Oscars, the 10th annual SC Magazine Awards honored the industry's best.

CSOs on the state of the industry

With each passing day, the role of information security chief becomes increasingly complex and critical to an organization's success. Decisions these leaders make on a daily basis stretch far beyond the rows of servers and routers that dot the IT departments in today's enterprises. They impact each and every end-user, customer and partner. With the maturation of compliance regulations, the sophistication of cybercrooks and the increasing value companies place on data, the IT security and business realms are colliding. For many organizations, risk is now expressed in terms of how secure they are.

Cooperation among departments key to organizational security

As Oracle's Wynn White strolled the floor during this year's RSA Conference, he noticed something odd: No longer was he only surrounded by techies, researchers, product salespeople and security pros.

Cover story: Some enterprises benefiting from the convergence of physical and information security assets

The most mature information security programs can't always protect against theft of information if the perpetrator has access to the server room. Without the proper physical controls over the data centers and facilities which contain the information technology hardware, it is easy enough for an imposter to steal assets the old-fashioned way — with the five-finger discount.

Money matters: SC Magazine/EC-Council Salary Survey 2007

The heyday of massive salaries, extravagant raises and unrestrained bonuses that this industry experienced at the start of the 21st century has long since passed by the information security professional.

Enlist a phased, proactive roadmap

Security practitioners are constantly faced with making choices. These choices swing from enforcing a complete lockdown to placing full trust in the users.

Social networking sites a dangerous part of 'the college experience'

Social networking sites have become a great way to connect to friends at other colleges and post your ideas for the day or join groups for common interests. These sites have also become a focus of controversy.

Why organizations need software training

Organizations must invest in training their IT staff on security to help avoid security flaws and decrease risks.

Me and my job

SC Magazine asks Nikk Gilbert, IT security and telecom director, Alstom Transport, about his job.


Are digital rights management an effective method to protect intellectual property?

News briefs

Another buy: Symantec announced its intention to acquire enterprise management software provider Altiris in an $830 million deal. The purchase, intended to better Symantec's standing in the endpoint-management market, came as Symantec representatives said that the endpoint security and management markets were converging.

Product section: SC Lab takes a look at email content filtering, policy management products

The theme in the labs this month was policy, policy and more policy. Lab manager Mike Stephenson looked at email content filtering, which depends on policies for its success, while reviewer Justin Peltier evaluated policy management products. In these two areas, policy determines success, but the two views are quite different.

With mergers and acquisitions taking hold, get used to ownership changes

Not long after IBM acquired Internet Security Systems (ISS) for $1.3 billion in one of the landmark deals of 2006, McAfee did its best David versus Goliath impression to try and pluck away some of ISS's more than 26,000 customers.

Digital certificates and PKI have made a comeback

Most security veterans can remember a time not too long ago when the mere mention of digital certificates and public key infrastructure (PKI) could prompt protracted groans from skeptics familiar with long and often failed PKI test deployments.

How C-level executives can keep intellectual property out of the wrong hands

For years the US has complained that other countries are stealing trade secrets, leaving companies and their products vulnerable to knock-offs and counterfeiting. How can companies ensure that their intellectual property is safe and doesn't get into the wrong hands?

Web content filtering, identity management products trend toward maturity

This was an interesting month in the SC Lab. We looked at two different types of products: web content filtering and identity management. The results were enlightening. These two product groups show additional examples of the maturing of the security products marketplace.

IT pros, developers and end users must ally to fend off emerging Web 2.0 threats

Good luck using the internet these days at Royal Food Service, an Atlanta-based wholesale produce distribution company. Only the company's high-level executives have access to the web's full offerings.

Organizations turn to new techniques to fight financially motivated attacks

When the University of California, Los Angeles (UCLA) recently announced that hackers had compromised a database of more than 800,000 people associated with the university, perhaps one of the most shocking aspects of the event was how long the bad guys had gone undetected. The hackers accessed information for over a year before security personnel at UCLA suspected any malfeasance.

10 ways to a solid ROI

Ever since the arrival of the first anti-virus software in the mid-1980s, accountants have been battling with IT managers to control and quantify the efficiency of IT security software.

Fast growing threats

If you think what you don't know won't hurt you, then you probably shouldn't be running a website. With literally hundreds of hidden security-related vulnerabilities showing up in web applications weekly, it's not really a matter of if but when someone finds an unknown flaw in your site and exploits it.

Sweet sixteen

The way the organizers of this year's RSA Conference see it, thanks to the advent of the internet, Americans are living in the modern day Renaissance.

Hot or Not: Web application vulnerabilities

There's no doubt that web applications have become the attackers' target of choice. In September, Mitre Corp.'s Common Vulnerabilities and Exposures list - a tally of publicly disclosed vulnerabilities - ranked cross-site scripting in the number one slot. In fact, cross-site scripting attacks surpassed buffer overflow vulnerabilities. And four of the top five reported vulnerabilities proved to be within web applications.

IT security reboot 2006: The year's top news

As part of SC Magazine's year-end roundup, the U.S. editorial team compiled lists of the most memorable - and sometimes most outrageous - news to cross your screen this year.

IT security reboot 2006: Top 5 influential security thinkers

In SC Magazine's annual year-end roundup, the U.S. editorial team - with insight from our Editorial Advisory Board members - revisits the marketplace's most inspiring and influential luminaries, leading industry happenings, notorious criminal minds, and top business developments. We also take a look at how the IT security landscape is looking in major vertical markets and unearth, based on recent research, just how the CISO's role may evolve in the coming year. In short, this is our reboot of the year, its major goings-on, and the pros who sign off another year's work done.

Roundup 2006: Get smart

If lapses in U.S. government security controls don't scare you, perhaps this will: The federal government is in the throes of deploying one of the largest — if not the largest — public key infrastructure (PKI) environments known.

Roundup 2006: Do CISOs matter?

Those of us who follow the security industry understand that enterprise security has evolved over the past few years from a minor border skirmish to an all out war. In this conflict escalation, no one is more visible than the chief information security officer who acts as the general in charge of all equipment and troops. The question remains however: Do CISOs really add value or are they simply overpaid firewall administrators with no political clout or budget dollars?

It's time to reboot all our systems

In this our end-of-the-year issue we decided to move beyond our top five listing of thought leaders who helped to drive various areas of IT security forward over the last 12 months. We wanted to revisit the events, the corporate happenings and all the people playing their parts in how this year shaped up for the marketplace.

Review your information security program

The following thoughts are offered as a mental checklist, as we too often get buried in goals, objectives and processes that are narrowly scoped. And isolated technology adventures often don't integrate with our enterprise requirements.

Preempting today's cyberattacks

Despite the efforts of many technology companies to make networks and products more secure, the number of vulnerabilities found on computer systems has proliferated in the five years since September 11, 2001. According to the Computer Emergency Response Team (CERT) Coordination Center, the number of known vulnerabilities climbed from roughly 2,000 in 2001 to nearly 6,000 in 2005.

Email security techniques we wish would work, but just don't

At the height of its hype cycle, XML was supposed to solve the "interoperability problem," but in the end, only had a marginal level of success that was better than any other file format. In much the same way, many legacy spam detection techniques promised to rid us of much or all spam. Instead, they fell short of their promise and, in many cases, just did not work.

Training to nullify the insider threat

In the last decade, the security of your information on your networks has been focused on protecting the integrity of data from outsiders. Much of the effort has been based on perimeter security - from outsiders trying to break into the network.

A network security strategy for the age of terrorism

Just as bacteria evolve around the technological barriers we put in their place, so too do the tactics and strategies employed by computer attackers. When a security measure is put in place, our enemies immediately set out to exploit its weakness. When they are repelled, they adapt their tactics and strategies, regroup and come back yet again.

Hot or not: Network embedded device security threats

Hot: Expect attackers to increasingly target networked, multifunction devices, such as high-end printers, scanners and fax machines, as these devices continue to grow more sophisticated and move away from proprietary operating systems and software.

Laptop theft, data exposure the result of poor mobile security management

Hearing news about yet another lost or stolen laptop and exposure of personal information is almost like having seen too many horror flicks. Shock has shifted to disbelief - plus numb outrage at the apparent inability of corporations and government to protect our private personal data.

Industry views: Who's stealing your brand name?

It has been estimated that there are $50 billion of illegal counterfeit and gray market goods sold on the internet annually - and with the amazing growth in popularity of online auction sites and business-to-business (B2B) exchanges, all indications are that this trend is going to get worse before it gets better.


Should enterprises deploy a multi-engine anti-virus approach to combat malware?

News briefs

Shake-up at McAfee: An internal McAfee probe spurred by Securities and Exchange Commission inquiries has led to a shake-up at the security giant. George Samenuk retired as chairman and CEO, while Kevin Weiss was fired. Board member Dale Fuller took over as interim president and CEO, while Charles Robel, another board member, was named chairman. A special committee's investigation determined insiders were participating in a questionable stock options practice known as backdating. News of the departures led some analysts to conclude that McAfee is ripe for acquisition. Fuller said: "All options are on the table."

Me and my job

How do you describe your job to average people? I try to find ways to help our students, faculty and staff to do their jobs better by utilizing technology. We do this through infrastructure, support and value-added applications that allow faculty and students to be more creative and productive on a day-to-day basis.

Adapting physical forensics

Digital forensics is a fairly new field, especially when compared with traditional "physical" forensics. While there isn't a common set of protocols, many of the methods used to investigate physical crimes can be adapted to the digital domain.

Why incident post mortems?

A recent discussion in the cybercrime investigation course I teach at my university got me thinking about the use of post incident root cause analysis, often called incident post mortems. Some organizations do not find them valuable, their logic being that the job of the information security professional is protecting the network rather than chasing bad guys. Now that point of view may be arguable, but it really is not the issue. The issue is finding out what happened and why when an incident occurs.

It pays to do some homework

One of the ongoing complaints I hear regularly is that it is difficult to cost justify security spend. Preaching "FUD" (fear, uncertainty and doubt) is certainly not the way. While FUD may help you get funding one time, anyone running a business will quickly ask how much the money spent last time has reduced their risk profile — and why do they now need to spend more. We need to be able to answer those questions clearly and in business terms.

Sweet charity

When Jim Thie showed up in Americus, Ga. one day last year to interview for the chief information officer job at Habitat for Humanity International, he quickly figured out he was a long way from the corporate world.

SOX it to me

A front-page story about an enterprise being caught falsifying financial records. Hefty fines levied by government agencies. Investors leaving firms in droves. The CEO hauled off in handcuffs in front of waiting television cameras.


Like any group in the security world, managed security service providers (MSSPs) have long been affected by the process of industry consolidation. But in the last year or so, the tenor of endless mergers and acquisition activity has changed.

The human factor

International consultancy IDC recently completed the 2006 Global Information Security Workforce Study, sponsored by (ISC)2, to provide comprehensive insight into the trends and opportunities being felt by today's information security professionals. The third annual study, which polled 4,019 respondents across businesses of all sizes, touches on topics such as how organizations are viewing the importance of security, what solutions are being used to secure organizations, how much security pros are being paid, and what the future of education will focus on.

Using proper standards for organizational security

In the last couple of years, the role of the information security function in many organizations has achieved recognition as an important component of the organization's overall risk management strategy.
