
Another one bites the dust

April 15, 2008

Mapping the tragedy of the Hannaford breach in a post-mortem sense should be just as important to the grocery chain as the upgrade of the system.
 

Real-world approaches to a complex problem

April 10, 2008

Before embarking on a role management project, take time to consider your business objectives and project scope, says Jackie Gilbert, founder and VP of marketing, SailPoint.
 

Closing a tough security gap

April 10, 2008

When does seemingly harmless recreational surfing turn into something a lot more dangerous?
 

Hot or Not: Virtualization Security

April 01, 2008

What are the potential security implications of virtualization? The answer is: they are considerable.
 

Practical Role Management: Real-World Approaches to a Complex Problem

March 25, 2008

Before embarking on a role management project, take time to consider your business objectives and project scope. The road to role management is littered with stalled or failed projects. Learn to recognize common pitfalls and how best practices can pave the way to solving real business problems.
 

City IT chief's wish list: "Virtual" resources, more watchdogs, and a certificate management infrastructure

February 05, 2008

The top security administrator of a major U.S. city provides a list of the top five improvements he would like to see in public-sector IT security - including "virtualized" resources that will prevent user desktops from being converted into remote-controlled bots.
 

Getting into the swing of change

February 01, 2008

In conversations with industry contacts this past week, I heard the same thing: in many companies, information security is being absorbed into various business units.
 

Me and my job: Bert Talley

February 01, 2008

What are the occupational likes and gripes of security pro Bert Talley?
 

Security vs. privacy

February 01, 2008

Does anyone today really believe that they can keep their personal information entirely confidential? While some people have personal preferences about how much personal information they are forced to reveal, functioning within society requires some exposure.
 

Governing changing data

February 01, 2008

Smart companies are looking more intently at what it takes to better control their policies around data management, not only today, but five or even 15 years into the future.
 

How to avoid security program failures

February 01, 2008

Focusing your security program on achieving true network visibility is critical.
 

Building security into your software-development lifecycle

January 30, 2008

Security vulnerabilities often are introduced into software during the development process. What hasn't been well understood is the solution to the problem.
 

Get ahead of new web applications

January 22, 2008

Consumer peer-to-peer (p2p) internet applications are growing at a blistering pace. Evidence is everywhere: worldwide, users send more than 10 billion instant messages every day.
 

Awareness combats profit-driven attacks

January 02, 2008

Without a doubt, the malware industry is booming. Every day, computer users are bombarded with news of severe data breaches, the rapid growth of online fraud and identity theft, and spyware that compromises security.
 

Editorial: Critical data protection grows up

January 01, 2008

It seems information security is getting to the front line of business imperatives. More than ever before, executives are giving IT security and data protection initiatives the attention they've required for some time.
 

Opinion: Can we plan security strategically?

January 01, 2008

Another year and another set of new resolutions. But can we plan cybersecurity strategically? Some colleagues say no. They insist events are moving too fast.
 

Know what is the board's responsibility

January 01, 2008

Several bills are expected to be introduced in Congress soon that would have significant impact on how businesses are required to protect confidential information, as well as when and how they must notify the public in the event of a breach.
 

Protecting customers = teamwork

January 01, 2008

While estimates vary on the volume of phishing emails sent around the world everyday, there is no debating the fact that they have become a modern day scourge. At their most innocuous, phishing emails are annoying, but if criminals manage to con you into disclosing your private financial information they're downright dangerous.
 

Letters: Got something to say?

January 01, 2008

Send your comments, praise or criticisms to scfeedbackUS@haymarketmedia.com. We reserve the right to edit letters.
 

Last word: Make the FISMA grade meaningful

January 01, 2008

FISMA lays a good foundation for securing info assets, says Christopher Fountain.
 

Eight New Year's security resolutions for 2008

December 18, 2007

2008 will usher in more security issues whose challenges can only be met by an array of security solutions. Now is the time to start thinking about your 2008 New Year's security resolutions.
 

A holistic view of data-driven security

December 05, 2007

For too many enterprises, securing data is a never-ending frenzied effort to stay one step ahead of regulatory requirements, emerging threats, hack attacks, insider malfeasance...the list gets longer every day.
 

PCI compliance: Driving force to better network security

December 05, 2007

The Payment Card Industry (PCI) Data Security Standard is unique compared to other security standards, as PCI provides strong guidance as to how merchants can actually comply with its requirements.
 

Letters: Got something to say?

December 01, 2007

Send your comments, praise or criticisms to scfeedbackUS@haymarketmedia.com. We reserve the right to edit letters.
 

An academic look forward

December 01, 2007

Now, as we close the calendar year and take a break from our academics for the holidays, I find time to think about what it really means to be a student of information assurance.
 

Me and my job

December 01, 2007

Of what are you most proud? Professionally, I'm most proud of where our project is today, considering where it was four years ago. It's not an easy thing to consolidate the IT systems of three police departments, each with their own set of policies, procedures, regulations, beliefs and opinions. I'm proud of the willingness of these departments to embrace the idea and their patience and persistence in pulling it off.
 

Editorial: Catching that end-of-year moment of silence

December 01, 2007

Hurtling into our annual Reboot edition, I became conscious of the break-neck speed at which 2007 has come to its end.
 

Hot or not: VoIP attacks

November 08, 2007

As the number of VoIP-enabled phones rises, the motives increase for attackers to infiltrate these systems for fun and profit.
 

Rightsizing your compliance data gathering

November 07, 2007

Poor implementation planning and a lack of real understanding of compliance requirements doom many companies to compliance project lifecycles of unrealistic expectations, expensive implementations and disappointment in the results.
 

Social networks: To ban or not to ban?

November 07, 2007

Blocking employee access to social networking sites may seem like a sensible corporate strategy, but imposing a blanket ban could turn out to be counter-productive.
 

The end of 'fear factor' marketing nowhere in sight

November 06, 2007

The screaming headlines have been running for years. Whether they're in press releases about cybercrime exceeding international drug profits, or the billions of dollars lost to breach disclosures, or videos highlighting the meltdown of power generators due to a myriad of vulnerabilities, the anti-malware industry has long relied on fear to move its products.
 

How corporate security guys in the trenches made my DefCon visit a success

November 01, 2007

Now that DefCon 15 has passed, I'm feeling the need to have a really good reason to dredge up people's happy, but increasingly distant memories of the industry's beloved Dionysian hacker-fest held in August.
 

Merging security and privacy roles

November 01, 2007

The responsibilities of the chief security officer keep growing. Years ago, personnel in the position fulfilled a very technical role and didn't have to really interact with the suits. However, over the years the role has changed. Today the CSO is responsible for a variety of very technical programs, such as intrusion detection, as well as some very non-technical programs, such as business continuity planning (BCP).
 

Identity theft after death

November 01, 2007

Recent reports indicate that identity thieves are reaching out beyond the grave and stealing the identity of the newly departed.
 

Burying heads in the sand on data breaches

November 01, 2007

Deloitte Touche Tohmatsu's recently released security survey revealed that 37 percent of the top 100 global financial services organizations don't have a security strategy, and only 10 percent see security as important enough to involve top-line leaders.
 

Me and my job

November 01, 2007

Rick Lawhorn, principal, information security and compliance, Dataline, tells us what he likes about his job.
 

Debate

November 01, 2007

Is continuous testing of applications more vital than testing at the initial code level?
 

Presidential candidates must fight cyberattacks

November 01, 2007

When the likes of Barack Obama and Mitt Romney announced their intentions to run for president back in February, it seemed a bit too early to ponder the attributes of the many contenders hoping to lead the U.S. government. After all, none of us will cast votes in our primary elections or caucuses until early next year.
 

The past, present and future of Network Access Control

October 23, 2007

Protecting the average corporate network from attacks is incredibly complicated and expensive. By the mid-1990s, complex toolkits had been supplanted by pre-built firewall software packages and intrusion detection systems. As performance and usability requirements increased, software moved to hardware, and by 2000 the number of companies buying and deploying perimeter security skyrocketed.
 

Weighing the options for securing backup data

October 17, 2007

With the looming threats of publicly exposed personal data breaches, mishandled confidential partner information and lost intellectual property assets, an increasing number of enterprises are investigating options for securing data stored on both tape- and disk-based media.
 

Protecting IP in a world of offshoring

October 17, 2007

For years, organizations have complained that other countries are stealing their trade secrets, leaving companies and products vulnerable to knock-offs and counterfeits. How can companies ensure that their intellectual property is safe and doesn't get into the wrong hands?
 

Whitelisting - White horse or white lie?

October 03, 2007

Some people are talking about a technique called “whitelisting” as if it were the knight on a white horse that is going to save the world. It is...in the fantasy novels.
 

How is data lost?

October 03, 2007

When enterprise data met email and IM, important data began leaking out of corporations unnoticed and it spawned a new security problem called data leakage.
 

Is today's network easier to secure?

October 01, 2007

The fundamental values of security should be baked into vendor solutions, says Anton Grashion.
 

Got something to say?

October 01, 2007

Send your comments, praise or criticisms to SCfeedbackUS@haymarketmedia.com. We reserve the right to edit letters.
 

Back to basics for securing the human factor

October 01, 2007

We are becoming quite adept at dealing with technology threats and vulnerabilities. We spend a lot of time, effort and money on software, hardware and inter-related systems. These are important. I have been in this industry for over 30 years and, in addition to these things, I still go back to the basics that I learned in the beginning. People make security work and people make it break.
 

The other integrity is at risk, as well

October 01, 2007

Back on July 30, the Wall Street Journal published an article entitled, “Ten Things Your IT Department Won’t Tell You.” From getting around web filters to downloading unauthorized software, tips were provided. Thousands of blogs immediately lit up across the country both to support and denounce the article.
 

Where are all the CISOs?

October 01, 2007

(CISO). Some companies are further empowering this somewhat new role with expansive powers and responsibilities that range from incident response to IT compliance to customer data privacy. Meanwhile other companies are eliminating the role altogether.
 

Debate

October 01, 2007

Is monitoring internet usage a company's responsibility?
 

The real convergence

October 01, 2007

The Infosecurity event in NY this year again was coupled with a large physical security show. But the question is: Why?
 

The security challenges of life in the fast lane

September 25, 2007

It's now recognized as a standard. It's quickly becoming more affordable. And its adoption by enterprises and carriers is exploding. It's 10-Gigabit Ethernet — the ultra-fast, ultra-high-capacity network technology that's giving new meaning to the phrase "life in the fast lane."
 

The failure of URL filtering in an increasingly dangerous web world

September 19, 2007

The web is a big place — and thanks to the dynamic nature of Web 2.0 applications and user-contributed content it grows bigger by the minute. According to Netcraft's latest survey, there are over 127 million active websites.
 

Hot or not: AJAX vulnerabilities

September 19, 2007

AJAX is hot, and many companies are developing new or porting legacy applications to AJAX to deliver a richer, more vibrant web experience. The risk: AJAX is complex, and security pros need to be aware how the development technique can increase the attack surface of their websites.
 

Tackling the security issues of Web 2.0

September 10, 2007

Web 2.0 is one of the hottest buzzwords in the internet community, allowing a growing number of users to interact, upload and exchange content, and generally have a lot more fun. But there is a darker side to this brave new internet world, explains Yuval Ben-Itzhak, CTO at Finjan.
 

Beyond the firewall: Securing your internal network

September 05, 2007

According to the most recent CSI/FBI Computer Crime and Security Survey, 98 percent of companies have firewall defenses in place and 97 percent have anti-virus software. Yet 52 percent of companies reported some type of security breach.
 

CISO, talk to your DBA: Barriers to database security

September 05, 2007

Database breaches are on the rise. Maybe they were always there but not reported as much, or maybe they are actually increasing, but one thing is certain: Sensitive commercial and personal data is being unnecessarily exposed, stolen, bought and sold. It is damaging to businesses, costing them real dollars in breach notification and bad publicity, scaring away their customers, and jeopardizing the privacy of millions of individuals.
 

Best practices for today's CSO

September 01, 2007

By aggregating information, executives can ease regulatory burdens, says Pravin Kothari.
 

Got something to say?

September 01, 2007

Send your comments, praise or criticisms to scfeedbackUS@haymarketmedia.com. We reserve the right to edit letters.
 

How to make training an incentive for employees to stick around

September 01, 2007

A colleague was lamenting the other day that she had just lost another one of her best security engineers, someone she had been training and grooming for over two years.
 

Getting ready for a new academic year

September 01, 2007

As we in academe prepare for a school year, we look forward to our bright and shiny first-year students ready to code another set of rings around Saturn...or so they had hoped.
 

The not so secure PDA

September 01, 2007

The Gartner Group predicted that malware would be crippling PDAs by the end of 2001.
 

Me and my job

September 01, 2007

John DeBenedette describes his job for SC Magazine.
 

Weighing the options for securing back-up data

August 14, 2007

With the looming threats of publicly exposed personal data breaches, mishandled confidential partner information and lost intellectual property assets, an increasing number of enterprises are investigating options for securing data stored on both tape- and disk-based media. Since tape cartridges are most often exposed outside the physical security of the data center while in transit and in storage, they are most often the first point of attention for storage security projects.
 

LAN security and NAC checklist

August 02, 2007

Knowing who's on the LAN. Providing guest access. Limiting contractors. Controlling what users can do on the LAN. Segmenting the LAN. Documenting and auditing user activities.
 

Anatomy of a data breach from the inside out

July 18, 2007

It's a sunny day somewhere thousands of miles away from your data center. A savvy hacker sits in front of his monitor. He checks the current black market rates for U.S. Social Security and credit card numbers, then runs down his list of potential targets — a major university, a financial services company, two retail chains and an energy company.
 

Market your security competencies

July 18, 2007

Historically, IT security has been a business cost center. However, with the scope and scale of recent data breaches, including the TJ Maxx fiasco, consumers are becoming very wary of doing business with organizations that don't adequately protect personal and financial information.
 

Practice what you preach, even at a security conference

July 03, 2007

Webster defines security as "the quality or state of being free from risk of loss" and that "measures [are] taken to guard against espionage or sabotage, crime, attack or escape."
 

Visualize behavior to stop insider threats

July 02, 2007

Doing business in a connected world requires employees, partners and customers to have access to an ever increasing range of information channels. Along with the benefits this access provides, the risk of insider security threats increases. Network complexity, a dissolved perimeter, and the proliferation of alternative communications channels (instant messaging, VoIP, removable media, etc.) all make it more difficult for IT and security managers to detect, control and prevent behaviors that violate policies or create risk.
 

UTM or flexible security platform?

June 20, 2007

The unified threat management bucket is starting to show signs of age. So many products and vendors have been jammed into that bucket that you have the strange situation of hardware platform vendors sharing the same space with Frankenstein monster collections of security applications bundled into Linux platforms. It is time to rethink the actual directions that the gateway security space is taking.
 

The evolving role of the CIO

June 06, 2007

IT security has the potential to impact a business at every level. Few other business areas, if any, have the potential to damage customer relations, disrupt supplier dealings, lower employee productivity, lose revenue and even lead to the arrest of the CEO.
 

Using industry best practices for effective security training

June 04, 2007

Growing IT security threats, coupled with regulatory mandates to protect information and ensure privacy, are generating a renewed focus on security awareness training programs, which can heighten security awareness, improve application and infrastructure security, and enhance security incident handling and response. Such programs not only benefit IT security staff and application developers, but they benefit the enterprise workforce at large.
 

Go from 'visibly victimized' to 'silently competent'

May 16, 2007

When Dr. Gene Spafford and I wrote the original version of the Tripwire software program in 1992, it was to help solve the security problem of how to restore systems to a known good state after they have been compromised. But since then, my area of passion has moved from computer security to IT operations.
 

Training for quick privacy wins

May 02, 2007

A survey of privacy managers at an Open Compliance and Ethics Group (OCEG) event in January revealed that more than two-thirds are seeing moderate to material increases in external scrutiny - with almost half reporting material increases.
 

Is an IT risk management program strategic or tactical?

April 18, 2007

The duties of CIOs, CTOs and CISOs are morphing from mainly managing a vast network of IT assets to being more strategic and transformational. Until recently, the computing systems being managed have been viewed not only as an essential resource, but also as an operating cost needing to be controlled. Today technology is increasingly being recognized as a vital tool in corporate strategy.
 

Encryption is the last defense for data in a digital world

April 04, 2007

We used to live in an analog world. We played records, radio stations had static interference, we flattened out dollar bills to work in vending machines and we anguished over hanging chads. Sure, everything was converted into bits and bytes in the end, but the world we interacted with was a physical one.
 

The what, where and how of protecting IP

April 04, 2007

Intellectual property (IP) is the lifeblood of many organizations, the thing that distinguishes them from their competitors, that gives them an edge in the marketplace, and that enables them to charge a premium for their products.
 

Layered defenses thriving in a post-Service Pack 2 world

March 28, 2007

In August 2004, Microsoft released Windows XP Service Pack 2 (SP2). This marked a significant date in the network security world: the largest software provider in the world had released a version of its operating system (OS) with built-in security turned on by default. The next several weeks and months were interesting, as many dependent software applications "broke" when the security features were tightened up. But all things considered, it was a great milestone in security, and although it was a rough road, it was a long time in coming.
 

How to protect against Web 2.0 threats

March 21, 2007

Time Magazine recently bestowed its prestigious Person of the Year honor on You, recognizing the growing social importance of community and collaboration on the web. YouTube, MySpace, Wikipedia, Bebo and hundreds of other websites that rely on user-contributed content and which are broadly referred to as Web 2.0 have officially become mainstream.
 

Hot or not: Reverse code engineering

March 16, 2007

Hot: It's one of the primary methods that malicious hackers use to find new application and operating system vulnerabilities. And it's also a powerful tool that professionals use to analyze the security strength of their applications. We're talking about reverse code engineering.
 

Training for security beyond the PC and network

March 07, 2007

Threats to information security are appearing more frequently and are of greater magnitude than ever before. They can come both internally and externally and can be online or local, accidental or malicious. A company's most sensitive business information can be exposed to unauthorized use, disclosure, modification or total loss.
 

Six simple steps to managing privileged passwords

March 07, 2007

One of today's biggest IT headaches is managing privileged passwords, the super-powerful codes such as administrator on a Windows server, Root on a UNIX server, Cisco Enable on a Cisco device, as well as embedded passwords found in applications and scripts.
 

Evolution of employee monitoring stretches far beyond email

February 21, 2007

The concept of organizations keeping a watchful eye on employees during company hours is nothing new. From the introduction of the time card 120 years ago, which required employees to clock in at the beginning and end of the work day, employee monitoring has evolved from simple confirmation that individuals are present and accounted for, to more detailed insight into employee activities taking place while "on the clock."
 

Train employees - your best defense - for security awareness

February 21, 2007

With so many security threats on the horizon, it may be comforting to know the strongest security asset is already inside the company: its employees.
 

Simple steps for ensuring software license compliance

February 14, 2007

Here's a very common scenario: someone in the office buys a copy of a software program such as Adobe Photoshop and before you know it, everyone has installed it. It all seems so innocuous. The problem is, it's not legal. Your company is now out of compliance with the software program's licensing agreement and can face stiff audit-related fines (up to $150,000 per infraction according to Automation Access). What can you do to protect your organization and ensure software license compliance? Here are three simple steps to get you started.
 

Pretexting - white lies that can damage your company

February 14, 2007

In the wake of recent news at HP, pretexting has become the hot topic in the business world, and its sudden rise to fame broaches numerous questions including: What exactly is pretexting? How are companies liable for it? What are companies doing that is considered pretexting and how can they protect themselves from becoming the next HP?
 

In an age of professionalism

February 01, 2007

Like thousands of practitioners in our field, I refer to myself as an information security professional. But what does this really mean in terms of my status, professionalism and trustworthiness?
 

Me and my job

February 01, 2007

Bob Wilcox, CISO at FiServ, talks about his job - and his likes and gripes.
 

Hot or Not: Remote access breaches

January 24, 2007

Just like the detectives do on weekly television crime dramas, put yourself in the mind of the bad guy. Pretend that you're the criminal who brokers stolen personal information with organized crime syndicates overseas. Put yourself behind the eyes of the malicious hacker who plans to breach merchant networks and compromise wholesale volumes of consumer payment card information, the kind of information that can be bartered within the internet's dark underbelly.
 

Protecting your company's good name outside of the network

January 17, 2007

Over the last several years, many well-known organizations have faced the consequences of highly publicized data breaches. These breaches directly impact an organization's most valuable asset - their customers.
 

Train to prevent social media attacks

January 17, 2007

If there is one certainty in the security business, it is that security professionals and hackers are in a constant battle to protect and exploit vulnerabilities.
 

The security implications of Web 2.0

January 17, 2007

A car that has fewer options has fewer things that can break. Power steering, power locks, power seats, seat warmers and the myriad other car features provide a better experience, but they are also more items that require maintenance.
 

Match your company policies with your solutions

January 03, 2007

The headlines are scary for both CIOs and the companies they work for. "Stolen Computer Holds Information of 16,000 Driver's License Holders," "Vulnerability Auctions Killing Responsible Disclosure," "Hacking for Dollars: Is The Botnet Battle Already Lost?" "Online Brokerage Account 'Incursions' Worry SEC."
 

Consider trust and reputation risks

January 01, 2007

I recently read an excellent study about the impact of security and privacy on brand reputation and customer loyalty. I was looking for some solid analytical data to prove my strong belief that security can be a "competitive advantage or differentiator." This study, "Secure the Trust of Your Brand," published by The CMO [chief marketing officer] Council, corroborates my convictions regarding the importance of security. It is worth downloading and showing all executives (www.cmocouncil.org).
 

It's all about the hierarchy

January 01, 2007

Everyone's talking about their preferred security organization of the future. Whether you're a CSO, CISO, director, manager, security specialist, or whatever, you have an opinion about where the top person in the security group should report. I happen to think this is an essential factor in determining success for information security programs. Getting this right may even be more important than the number of CISSP-certified professionals your company boasts. Contrary to popular opinion, I think we should leave information security under the chief information officer (CIO).
 

Me and my job

January 01, 2007

Of what are you most proud in your job? I'm most proud of the employees of Arlington County who have adopted "common sense" cybersecurity thinking and made it a part of the way to perform their day-to-day assignments. The success of the security practice here in ARLCO is in no small measure the result of this intentional commitment by the employees to do what is best for the general government workforce.
 

Start some good habits this new year

January 01, 2007

New Year's resolutions frequently center on starting a good habit or stopping a bad one. Such oaths should be no different for the corporate world.
 

Put on your consulting hat

January 01, 2007

Despite increasing government data regulations to guard against information leaks and cyberattacks, security pros can no longer simply lock down corporate IT systems. Nor can security pros let business leaders or employees pick and choose security procedures without understanding the implications.