Advanced degrees in information security are popping up with increasing frequency, but are they worth the time? Cynthia Phillips at Brandeis says yes, reports Dan Kaplan.
Information security pros neither face wage boons nor badlands this year, reports Illena Armstrong.
As older generations of non-networked health care machines get replaced with 'smarter' network-integrated versions, the proliferation of embedded operating systems will grow.
Global companies face a significant cultural and legal challenge when dealing with security across international borders, says James Ritchie, former principal auditor, Integralis.
The TJX data breach has made wireless encryption a priority for retailers and other enterprises. Frank Washkuch Jr. finds out why.
AIG's CSO Paul DeGraaff says security professionals must gauge the risks of a younger workforce, Dan Kaplan.reports.
As the experience of one insurance broker proves, securing mobile devices requires a two-pronged approach.
IT pros need to move fast as RFID and Bluetooth threats move from the drawing board to the real world.
Attacks on the firmware that sits within computers and enterprise networks is closer than you think.
This month our reviews section is unplugged. We look at security for portable devices, as well as security for wireless systems.
Information security pros are increasingly confronted by cybercriminals trawling their corporate networks for customers' private data. More than 80 percent of the respondants to the SC Magazine/MXI Security survey say guarding against data breaches is the focus of current security initiatives, reports SC Magazine Editor-In-Chief Illena Armstrong.
Time sure does fly. On July 30, 2007, the Sarbanes-Oxley (SOX) Act turned five years old! And while the jury may still be out on the degree that SOX is benefiting the average investor, there's no question that if you're reading this, it's changed your life.
This is a very special issue to me and the team at SC Labs because it is based on a year of seeing the good and the not so good. We actually saw almost no bad products, so it was a pretty good year overall. It is special for you because it helps answer the question, "If we are going to buy security tools in the next 12 to 18 months, what should we be looking at?"
We handed out crystal balls to several analysts, consultants, professors and CSOs and asked them to answer questions about next year.
The top cybersecurity events of the year.
The end of yet another year sees in this final 2007 edition of SC Magazine our annual roundup of top thinkers, interesting happenings, business developments and criminal acts.
On the hunt for more innovative solutions to holistically safeguard organizations' growing networks, Peter Stephenson pinpoints the product categories and solutions you might consider next year.
The government vertical presents special challenges to IT security vendors, but all agree it is a growing market, reports Greg Masters.
All levels of government face critical issues in securing their data - whether shared via the web or through email, USB sticks or IM.
Karl Hart is one ISO who sees organizations saving big bucks by virtualizing their data centers, but risks loom, reports Dan Kaplan.
Access control is the order of the day for this issue. All of our reviews focus on aspects of access control and management. This, of course, is a key aspect of enforcing the security of the enterprise. We address the topic with two First Looks and two Group Test reviews.
Preston Wood is one CISO on top of the integration of enterprise security and networking operations, says Jim Carr.
For decades we have fussed around with how we describe our profession. It started with data security, evolved to computer security, and then took off in several directions. Today most professionals are pretty well satisfied with information security.
Depending on who you ask, the five-year old Sarbanes-Oxley Act is either a costly failure or a stroke of genius, reports Dan Kaplan.
The value to Kelly Services of a newly deployed SIM tool goes beyond securing its staff and customer data, reports Jim Carr.
Recent high profile data breaches have underscored the need for robust information security within organizations. But with names like Pfizer, TJX and the Department of Veterans Affairs dominating headlines, smaller organizations might infer that they have nothing to fear. Nevertheless, no company — large or small — is immune to a data breach or network intrusion, and the best form of protection is a holistic and proactive approach.
One of the most common concerns I find when asking security managers about their legacy physical security systems is that, generally, they are not very sure of the level of assurance that exists in their systems, and if they are truly safe from vulnerability or attack. They often dont actually understand their systems ability to withstand attacks from the data network nor do they comprehend what risks they introduce onto the network.
There is a general belief by end-users and executives that most information security incidents contain a level of extraordinary activity and usually do not occur during a typical work week. The thought is that security events against a corporation are few and far between, so the resources spent on protecting against potential incidents do not provide a good return on investment. The security industry has countered by spending significant time in showing the value of protective investments in hopes of altering the belief that security does not equate to an effective ROI.
It appears that today, business contingency, disaster recovery, and compliance are the hot phrases in information technology circles. Risk analysis in particular, is grossly misunderstood by IT professionals. It is bandied about by executives who, due to no fault of their own, do not have a clear concept as to what the phrase really means. That is primarily because the calculation of risk is not something for which an IT professional has traditionally been responsible, not to mention trained. Also, the derivation of risk analysis requires a different level of thinking as opposed to understanding Active Directory or voice over internet protocol (VoIP).
Here is an update from the IT security industrys boardrooms.
Harry hack A hacker named Gabriel claimed to have breached the networks of the UKs Bloomsbury Publishing, uncovering the ending of Harry Potter and the Deathly Hallows prior to its release. Experts contended that the claim, posted on hacker websites, was likely a sham, saying that if accurate more evidence would otherwise have been offered.
In this special section, we look at how the IT security industry works to protect banks and financial institutions and keeps up with the rise of online transactions.
When notice of a widespread phishing attack against MySpace members was posted in a June Google security blog, Colin Whittaker, a Google anti-phishing team member (who posted the blog), thought it noteworthy that this phishing attack spread through MySpace itself, not email or IM links.
Five questions for Prabhakar Chandrasekaran, ISO of Spartanburg Regional Healthcare System.
Back in May, on our Michigan.gov website, we experienced a cyber sit-in. Parents were encouraged to protest possible Medicaid cuts by teaming-up with a group calling themselves the Electronic Disturbance Theater (ECD).
Short of locking every user out of the network, there aren't any definitive ways to prevent insider threats. Observation is key as the majority of fraud-related issues are discovered through anonymous tips or by accident. Our objective then is to increase the rate by which we "happen" to identify when issues are occurring. Changes surrounding an individual can be the first sign of bad activity.
Campus exploit Hackers exploited an unpatched flaw and a disabled firewall to infiltrate a server at the University of Colorado, Boulder, compromising the personal information of nearly 45,000 students. Attackers exploited a flaw in Symantecs Norton AntiVirus to launch a worm into the server of the College of Arts and Sciences Academic Advising Center, making off with student info.
Just a week after taking home the Rookie Security Company of the Year prize at the 2007 SC Magazine Awards Gala, The 41st Parameter landed an unexpected meeting with an industry heavyweight. Ori Eisen, founder and chief innovation officer at the Scottsdale, Ariz.-based anti-fraud firm, says executives from Oracle who attended the annual awards ceremony were impressed with The 41st Parameter and wanted to learn more about the company after seeing it win.
The skill set required for the modern IT security professional is constantly changing — the moxie of malware authors, phishers and online scam artists ensures that. Employees working to keep networks and data safe increasingly need another trait they cant learn in a certification course or training session, say consultants and analysts. The IT security pro is now expected to be a great communicator, especially when using metrics and other statistics to explain a corporate IT strategy — and its results and shortcomings, to superiors.
By blood-and-guts standards, Cary, N.C. is as safe a suburb as there is in the nation. The 121,000-person bedroom community regularly ranks near the statistical bottom of all the major crime categories, including murders, aggravated assaults and robberies.
Why is it that two restaurateurs can take the same basic ingredients, but create dishes that invoke such opposing reactions from customers: one dish bland and so unappealing that our appetite disappears; the other tastes terrific and is presented perfectly.
A natural way of achieving security is to focus on the business basics: identifying your customers; ensuring that they can do everything they need to do; managing customers' actions in a simple way; and generating reports telling you who did what.
Never mind the Fourth of July, New Year's Eve or even his birthday. The occasion George Dolicker celebrated most merrily last year was International Computer Security Day. After all, the 19-year-old annual event marked the day that Dolicker, chief information security officer of computer maker Lenovo, unveiled the company's first home-grown information security program, complete with a comprehensive user education component.
How do you explain your job to non-technical people?I'd say that I'm the person where the "buck stops here." My semi-official role is to be risk mitigator of a network that contains sensitive information. In that role I try to also influence my industry and peers to do a better job. In the past, I've been chair of the Technology Committee of the California CPA Society, and used my time to educate fellow certified public accountants on the risk of running systems with full administrative rights. I set up the website threatcode.com to help educate fellow technical CPAs and assist in getting vendors to change their ways.
Send your comments, praise or criticisms to firstname.lastname@example.org. We reserve the right to edit letters.
During my discussions with other CISOs, the common thread among the truly successful is an ability to communicate with non-IT department heads. By seeking the views of your fellow department heads, the CISO can develop a complete information security strategy and establish security champions throughout the company. Security is the responsibility of all users in the enterprise, and by engaging the functional department heads, the CISO can begin to create a deeper awareness around security issues.
There seems to be a disturbing trend growing in popularity called DROP (distributed responsibility of protection).
What's your favorite part of your job?All of my job for the most part; making a difference with faculty, staff and constituents is always fulfilling. I enjoy working with our BITS (Berry Information Technology Students) especially. I enjoy the way we get along as a department. And there are also the day-to-day IT challenges — where would we be without that?
If you want to learn something about security, who better to talk with than an IT professional at an educational institution? After all, they deal with most, if not all, of the challenges their colleagues in enterprises face, and more — much more.
Barely had the first week in 2007 been kicked off when news of a hacker gaining access to a college's network, and perhaps employees' private details, came to light.
As the hacker community's penchant grows for exploiting easy-to-discover web application vulnerabilities, the SANS Institute is leading a charge to educate software programmers before they hit the workforce.
Here is a roundup of the latest IT security news included in April's SC Magazine:
Is your organization protecting yesterday's infrastructure from yesterday's threats? Vulnerability evolves not only in response to external drivers like viruses, but also network change. The challenge is that few IT executives have the dollars to scan and update their entire environment. This forces them to manage vulnerability in the rearview mirror.
Mark Adams, corporate security officer, BlueCross-BlueShield of Nebraska, answers some quick questions about his job.
There were no red carpets or stretch limos, but like the Oscars, the 10th annual SC Magazine Awards honored the industry's best.
With each passing day, the role of information security chief becomes increasingly complex and critical to an organization's success. Decisions these leaders make on a daily basis stretch far beyond the rows of servers and routers that dot the IT departments in today's enterprises. They impact each and every end-user, customer and partner. With the maturation of compliance regulations, the sophistication of cybercrooks and the increasing value companies place on data, the IT security and business realms are colliding. For many organizations, risk is now expressed in terms of how secure they are.
As Oracle's Wynn White strolled the floor during this year's RSA Conference, he noticed something odd: No longer was he only surrounded by techies, researchers, product salespeople and security pros.
Cover story: Some enterprises benefiting from the convergence of physical and information security assets
The most mature information security programs cant always protect against theft of information if the perpetrator has access to the server room. Without the proper physical controls over the data centers and facilities which contain the information technology hardware, it is easy enough for an imposter to steal assets the old-fashioned way — with the five-finger discount.
The heyday of massive salaries, extravagant raises and unrestrained bonuses that this industry experienced at the start of the 21st century has long since passed by the information security professional.
Security practitioners are constantly faced with making choices. These choices swing from enforcing a complete lockdown to placing full trust in the users.
Social networking sites have become a great way to connect to friends at other colleges and post your ideas for the day or join groups for common interests. These sites have also become a focus of controversy.
Organizations must invest in training their IT staff on security to help avoid security flaws and decrease risks.
SC Magazine asks Nikk Gilbert, IT security and telecom director, Alstom Transport, about his job.
Are digital rights management an effective method to protect intellectual property?
Another buySymantec announced its intention to acquire enterprise management software provider Altiris in an $830 million deal. The purchase, intended to better Symantec's standing in the endpoint-management market, came as Symantec representatives said that endpoint security and management markets were converging.
The theme in the labs this month was policy, policy and more policy. Lab manager Mike Stephenson looked at email content filtering, which depends on policies for its success, while reviewer Justin Peltier evaluated policy management products. In these two areas, policy determines success, but the two views are quite different.
Not long after IBM acquired Internet Security Systems (ISS) for $1.3 billion in one of the landmark deals of 2006, McAfee did its best David versus Goliath impression to try and pluck away some of ISS's more than 26,000 customers.
Most security veterans can remember a time not too long ago when the mere mention of digital certificates and public key infrastructure (PKI) could prompt protracted groans from skeptics familiar with long and often failed PKI test deployments.
For years the US has complained that other countries are stealing trade secrets, leaving companies and their products vulnerable to knock-offs and counterfeiting. How can companies ensure that their intellectual property is safe and doesn't get into the wrong hands?
This was an interesting month in the SC Lab.We looked at two different types of products: web content filtering and identity management. The results were enlightening. These two product groups show additional examples of the maturing of the security products marketplace.
Good luck using the internet these days at Royal Food Service, an Atlanta-based wholesale produce distribution company. Only the company's high-level executives have access to the web's full offerings.
When the University of California, Los Angeles (UCLA) recently announced that hackers had compromised a database of more than 800,000 people associated with the university, perhaps one of the most shocking aspects of the event was how long the bad guys had gone undetected. The hackers accessed information for over a year before security personnel at UCLA suspected any malfeasance.
Ever since the arrival of the first anti-virus software in the mid-1980s, accountants have been battling with IT managers to control and quantify the efficiency of IT security software.
If you think what you don't know won't hurt you, then you probably shouldn't be running a website. With literally hundreds of hidden security-related vulnerabilities showing up in web applications weekly, it's not really a matter of if but when someone finds an unknown flaw in your site and exploits it.
The way the organizers of this year's RSA Conference see it, thanks to the advent of the internet, Americans are living in the modern day Renaissance.
There's no doubt that web applications have become the attackers' target of choice. In September, Mitre Corp.'s Common Vulnerabilities and Exposures list - a tally of publicly disclosed vulnerabilities - ranked cross-site scripting in the number one slot. In fact, cross-site scripting attacks surpassed buffer overflow vulnerabilities. And four of the top five reported vulnerabilities proved to be within web applications.
As part of SC Magazine's year-end roundup, the U.S. editorial team compiled lists of the most memorable - and sometimes most outrageous - news to cross your screen this year.
In SC Magazine's annual year-end roundup, the U.S. editorial team - with insight from our Editorial Advisory Board members - revisits the marketplace's most inspiring and influential luminaries, leading industry happenings, notorious criminal minds, and top business developments. We also take a look at how the IT security landscape is looking in major vertical markets and unearth, based on recent research, just how the CISO's roll may evolve in the coming year. In short this is our reboot of the year, its major goings-on, and the pros who sign off another year's work done.
If lapses in U.S. government security controls don't scare you, perhaps this will: The federal government is in the throes of deploying one of the largest — if not the largest — public key infrastructure (PKI) environments known.
Those of us who follow the security industry understand that enterprise security has evolved over the past few years from a minor border skirmish to an all out war. In this conflict escalation, no one is more visible than the chief information security officer who acts as the general in charge of all equipment and troops. The question remains however: Do CISOs really add value or are they simply overpaid firewall administrators with no political clout or budget dollars?
In this our end-of-the-year issue we decided to move beyond our top five listing of thought leaders who helped to drive various areas of IT security forward over the last 12 months. We wanted to revisit the events, the corporate happenings and all the people playing their parts in how this year shaped up for the marketplace.
The following thoughts are offered as a mental checklist, as we too often get buried in goals, objectives and processes that are narrowly scoped. And isolated technology adventures often don't integrate to our enterprise requirements.
Despite the efforts of many technology companies to make networks and products more secure, the number of vulnerabilities found on computer systems has proliferated in the five years since September 11, 2001. According to the Computer Emergency Response Team (CERT) Coordination Center, the number of known vulnerabilities climbed from roughly 2,000 in 2001 to nearly 6,000 in 2005.
At the height of its hype cycle, XML was supposed to solve the "interoperability problem," but in the end, only had a marginal level of success that was better than any other file format. In much the same way, many legacy spam detection techniques promised to rid us of much or all spam. Instead, they fell short of their promise and, in many cases, just did not work.
In the last decade, the security of your information on your networks has been focused on protecting the integrity of data from outsiders. Much of the effort has been based on perimeter security - from outsiders trying to break into the network.
Just as bacteria evolve around the technological barriers we put in their place, so too do the tactics and strategies employed by computer attackers. When a security measure is put in place, our enemies immediately set out to exploit its weakness. When they are repelled, they adapt their tactics and strategies, regroup and come back yet again.
Hot: Expect attackers to increasingly target networked, multifunction devices, such as high-end printers, scanners and fax machines, as these devices continue to grow more sophisticated and move away from proprietary operating systems and software.
Hearing news about yet another lost or stolen laptop and exposure of personal information is almost like having seen too many horror flicks. Shock has shifted to disbelief - plus numb outrage at the apparent inability of corporations and government to protect our private personal data.
It has been estimated that there are $50 billion of illegal counterfeit and gray market goods sold on the internet annually - and with the amazing growth in popularity of online auction sites and business-to-business (B2B) exchanges, all indications are that this trend is going to get worse before it gets better.
Should enterprises deploy a multi-engine anti-virus approach to combat malware?
Shake-up at McAfee An internal McAfee probe spurred by Securities and Exchange Commission inquiries has led to a shake-up at the security giant. George Samenuk retired as chairman and CEO, while Kevin Weiss was fired. Board of Director Dale Fuller took over as interim president and CEO, while Charles Robel, another board member, was named chairman. A special committee's investigation determined insiders were participating in a questionable stock options practice known as backdating. News of the departures led some analysts to conclude that McAfee is ripe for acquisition. Fuller said: "All options are on the table."
How do you describe your job to average people? I try to find ways to help our students, faculty and staff to do their jobs better by utilizing technology. We do this through infrastructure, support and value-added applications that allow faculty and students to be more creative and productive on a day-to-day basis.
Digital forensics is a fairly new field, especially when compared with traditional "physical" forensics. While there isn't a common set of protocols, many of the methods used to investigate physical crimes can be adapted to the digital domain.
A recent discussion in the cybercrime investigation course I teach at my university got me thinking about the use of post incident root cause analysis, often called incident post mortems. Some organizations do not find them valuable, their logic being that the job of the information security professional is protecting the network rather than chasing bad guys. Now that point of view may be arguable, but it really is not the issue. The issue is finding out what happened and why when an incident occurs.
One of the ongoing complaints I hear regularly is that it is difficult to cost justify security spend. Preaching "FUD" (fear, uncertainty and doubt) is certainly not the way. While FUD may help you get funding one time, anyone running a business will quickly ask how much the money spent last time has reduced their risk profile — and why do they now need to spend more. We need to be able to answer those questions clearly and in business terms.
When Jim Thie showed up in Americus, Ga. one day last year to interview for the chief information officer job at Habitat for Humanity International, he quickly figured out he was a long way from the corporate world.
A front-page story about an enterprise being caught falsifying financial records. Hefty fines levied by government agencies. Investors leaving firms in droves. The CEO hauled off in handcuffs in front of waiting television cameras.
Like any group in the security world, managed security service providers (MSSPs) have long been affected by the process of industry consolidation. But in the last year or so, the tenor of endless mergers and acquisition activity has changed.
International consultancy IDC recently completed the 2006 Global Information Security Workforce Study, sponsored by (ISC)2, to provide comprehensive insight into the trends and opportunities being felt by today's information security professionals. The third annual study, which polled 4,019 respondents across businesses of all sizes, touches on topics such as how organizations are viewing the importance of security, what solutions are being used to secure organizations, how much security pros are being paid, and what the future of education will focus on.
In the last couple of years, the role of the information security function in many organizations has achieved recognition as an important component of the organization's overall risk management strategy.
SC Magazine Articles
- Some U.S. Bancorp workers' W-2 info exposed in ADP data breach
- Spearphishing attack nets $495K from investment firm
- Updated: Gmail, Yahoo email credentials among millions found on the dark web
- Report: Ransomware feeds off poor endpoint security
- Organizations need formal vendor risk management programs, study
- 2.5K Twitter accounts hacked to spread links to adult content
- Study: Federal agencies still lack strong cyber hygiene practices
- Petya and Mischa - the Ransomware Twins (sort of)
- Bad guys update ransomware DMA Locker with version 4.0
- Lieu, Hurd urge colleagues to use encryption, improve cyber hygiene