Mobile device control: Get to yes

If you aren't already trying to figure out your mobile device security strategy, you soon will be, says Vicky Ames, former information system security officer at a federal medical research agency.

Smart mobile app development

Mobile threats will soon be used to gain access to personal and business devices, says Sean Martin.

Slurping the USB port

Portable media devices are being used to lift corporate data, but there are tools to defend against this practice, reports Deb Radcliff.

Why not telework?

The growth in telework is not as robust as most people think, as managing remote workers and security are big problems. But "secure telework" is possible.

Worth the upgrade

The TJX data breach has made wireless encryption a priority for retailers and other enterprises. Frank Washkuch Jr. finds out why.

Vulnerability management: weathering the storm

John Penrod, CISO of The Weather Channel, discusses how the IT pro can manage business risk.

Portable device security: mobile madness

As the experience of one insurance broker proves, securing mobile devices requires a two-pronged approach.

RFID/Bluetooth: convenient threats

IT pros need to move fast as RFID and Bluetooth threats move from the drawing board to the real world.

Compliance: PCI's growing pains

Some retailers are slow to embrace the new objectives required by the payment card industry.

Firmware: hacking the chip

Attacks on the firmware that sits within computers and enterprise networks are closer than you think.

Two-factor authentication: ask the right questions

Are multifactor solutions enough to protect today's financial customers?

Product section: Look ma, no wires, but secure anyway

This month our reviews section is unplugged. We look at security for portable devices, as well as security for wireless systems.

Survey: 80 percent of financial security chiefs rely on FTP transfers despite data breaches

A recent survey of 100 IT managers and CIOs from the financial services, health care, retail, manufacturing and government business sectors shows that despite a torrent of bad press on data-security breaches involving FTP (file-transfer protocol), its use is prevalent and growing.

Product section: Our 2007 industry innovators

This is a very special issue to me and the team at SC Labs because it is based on a year of seeing the good and the not so good. We actually saw almost no bad products, so it was a pretty good year overall. It is special for you because it helps answer the question, "If we are going to buy security tools in the next 12 to 18 months, what should we be looking at?"

Roundup 2007: Gazing into the crystal ball

We handed out crystal balls to several analysts, consultants, professors and CSOs and asked them to answer questions about next year.

Roundup 2007: The year's top fives

The top cybersecurity events of the year.

IT Security Reboot 2007

The end of yet another year sees in this final 2007 edition of SC Magazine our annual roundup of top thinkers, interesting happenings, business developments and criminal acts.

Look ahead: Search for pioneers

On the hunt for more innovative solutions to holistically safeguard organizations' growing networks, Peter Stephenson pinpoints the product categories and solutions you might consider next year.

Industry innovators 2007: Access control

Of the classifications we looked at, access control is among the most multidimensional. We defined access control fairly broadly as including identification, authentication and authorization. Network access control — NAC — is a very hot topic at the moment.

Special section: IT security and government

All levels of government face critical issues in securing their data - whether shared via the web or through email, USB sticks or IM.

How one retailer fights insider theft with fingerprint readers

As biometric technologies gain further acceptance, one retailer fights insider theft with fingerprint readers, reports Jim Carr.

Product section: Meeting the challenge of managing access

Access control is the order of the day for this issue. All of our reviews focus on aspects of access control and management. This, of course, is a key aspect of enforcing the security of the enterprise. We address the topic with two First Looks and two Group Test reviews.

How to get more intelligent about smartphones

Organizations must catch on to the growing risks of smartphones, PDAs and other mobile devices before it is too late, reports Dan Kaplan.

Company news

Here is an update from the IT security industry's boardrooms.

News briefs

Harry hack. A hacker named Gabriel claimed to have breached the networks of the UK's Bloomsbury Publishing, uncovering the ending of Harry Potter and the Deathly Hallows prior to its release. Experts contended that the claim, posted on hacker websites, was likely a sham, saying that if accurate more evidence would otherwise have been offered.

Special section: IT security and the financial vertical

In this special section, we look at how the IT security industry works to protect banks and financial institutions and keeps up with the rise of online transactions.

News briefs

Campus exploit. Hackers exploited an unpatched flaw and a disabled firewall to infiltrate a server at the University of Colorado, Boulder, compromising the personal information of nearly 45,000 students. Attackers exploited a flaw in Symantec's Norton AntiVirus to launch a worm into the server of the College of Arts and Sciences Academic Advising Center, making off with student info.

The SC Magazine Awards - be great in '08

Just a week after taking home the Rookie Security Company of the Year prize at the 2007 SC Magazine Awards Gala, The 41st Parameter landed an unexpected meeting with an industry heavyweight. Ori Eisen, founder and chief innovation officer at the Scottsdale, Ariz.-based anti-fraud firm, says executives from Oracle who attended the annual awards ceremony were impressed with The 41st Parameter and wanted to learn more about the company after seeing it win.

How IT departments are securing instant messaging

Once considered a peripheral communication tool used primarily by only some workers, instant messaging (IM) is now feared by many as a security hazard. For many enterprises, the simple solution was to block IM and force employees to use existing email, phone and fax resources. But the evolution of communication channels is leaving that model in the dust.

Are your IT security and physical security teams working well together?

Years ago, a friend's e-commerce company took a major hit when customer credit card information was stolen from the company database. Everyone initially assumed it was a network security breach — someone had hacked into the database and stolen the numbers. In fact, when the dust settled it was a far simpler heist — a former employee had walked into the server room and lifted the server.

Debate

Is endpoint security a more complete solution for corporations than NAC?

Google Apps has its advantages, but is it secure?

Can Google guarantee safe, secure online word processing and spreadsheet collaboration applications to enterprises? While only time will tell, the short answer appears to be yes. Google's new Google Apps Premier Edition — which offers enterprise-focused versions of Gmail, Google Talk instant messenger, Google Calendar, Docs & Spreadsheets, Page Creator, and Start Page via the Web — is really nothing more than software as a service (SaaS), or on-demand offering, popularized by Salesforce.com and others.

Educating the masses for IT security

Never mind the Fourth of July, New Year's Eve or even his birthday. The occasion George Dolicker celebrated most merrily last year was International Computer Security Day. After all, the 19-year-old annual event marked the day that Dolicker, chief information security officer of computer maker Lenovo, unveiled the company's first home-grown information security program, complete with a comprehensive user education component.

IT security and education: Wireless IT should focus on secure communications rather than secure networks

When you're responsible for securing a wireless network connecting staff and over 23,000 students to resources at a major university — like I am — you see that traditional "hard perimeter" security models no longer apply in today's wireless network.

Debate

Is SSL VPN a better choice for mobile email than proprietary solutions?

Product section: USB security and wireless security management

This month, we continued to see innovative approaches to security in the labs. We concentrated on two areas: reviewer Justin Peltier ran several wireless security products through the test procedures, while Lab Manager Mike Stephenson and I worked on USB security. What we found in both cases was that technologies we thought had matured still are breaking some new ground.

IT security and education: One high-profile public school district adds a focus on data security

When two 17-year-old Washington, D.C. students used school computers to plan a sexual tryst two summers ago, little did they know a cutting-edge security solution was watching their every keystroke.

News briefs

Here is a roundup of the latest IT security news included in April's SC Magazine:

USB devices — the lean, mean and portable threat

The hotel you're staying in is great. It even has a computer center for you to surf the internet or tweak the last of the network diagrams for your meeting in the morning. You open the document on your USB pen drive and within minutes you've completed what you deem to be absolute perfection. A quick print and a save and you're done for the night.

Money matters: SC Magazine/EC-Council Salary Survey 2007

The heyday of massive salaries, extravagant raises and unrestrained bonuses that this industry experienced at the start of the 21st century has long since passed by the information security professional.

Until all users are security-savvy, encryption is a sensible solution

Laptop computers get lost and stolen in almost every imaginable, and some not so imaginable, ways. Following many well-publicized losses of laptop computers and calculating the costs to mitigate an event, encryption is a logical and uncomplicated decision.

News briefs

Another buy. Symantec announced its intention to acquire enterprise management software provider Altiris in an $830 million deal. The purchase, intended to better Symantec's standing in the endpoint-management market, came as Symantec representatives said that endpoint security and management markets were converging.

IT pros, developers and end users must ally to fend off emerging Web 2.0 threats

Good luck using the internet these days at Royal Food Service, an Atlanta-based wholesale produce distribution company. Only the company's high-level executives have access to the web's full offerings.

Guarding the exit

When Verdasys co-founder and CEO Seth Birnbaum was heading up engineering at NeoGenesis Pharmaceuticals, three employees thought they had a foolproof plan to steal drug formula secrets in hopes of forming their own company. "We wouldn't have known anything about it if they didn't order CD-ROMs through our IT purchasing department on the same day," he recalls of the incident, which happened about four years ago. "That's the only reason we interdicted that. We had never even thought this kind of thing could happen."

Encryption a perfect response to the Year of the Breach

2006 will be recorded as the year that security breaches reached the consciousness and awareness of the mainstream consumer. Breaches are certainly not a new phenomenon, especially to security professionals. Although events in 2005 all made the headlines, such as the ChoicePoint identification theft that affected 163,000 records, the stolen laptop at the University of California, Berkeley, with more than 98,000 records, and the Boeing stolen laptop with Social Security numbers and bank account information of 161,000 people, the data breach incidents in 2006 occurred at an astounding, costly rate and gained much more media attention.

Training to secure your virtualized network

Virtualization is the Great Hope of data centers and consolidated infrastructures. As software is moved into virtual machines and other exotic vehicles the efficiencies will be massive, enabling greater application density, more flexible server configurations and the ability to cook a turkey at the same time. Consequently, the notion that virtualization might have a role in wireless networks - essentially edge systems - seems counterintuitive and positively turkey-like.

Tailor your mobile security plan for the iPod generation

Ever since the emergence of iPod back in 2004, GFI and other experts, including Gartner analysts Ruggero Contu and John Girard, have been warning that iPods are a potential danger to the corporate network. Yet, nearly one-third of medium-sized companies remain unconcerned about leaking sensitive data through devices that are highly portable with large storage capacities, according to Osterman Research.

IT security reboot 2006: The year's top news

As part of SC Magazine's year-end roundup, the U.S. editorial team compiled lists of the most memorable - and sometimes most outrageous - news to cross your screen this year.

Debate

Is implementing network access control enough to secure a LAN?

Vista validates encryption for mobile and endpoint security

Long viewed as a major vector for incoming threats such as viruses, malware and worms, laptops are also increasingly viewed by organizations as a primary weakness in the fight against the theft, loss and misuse of information. The trouble with mobile devices is they make your data mobile too, which is the last thing you want for data security. Every night critical, sensitive data leaves the confines of an organization, crossing the firewall and network defenses on the hard drives of laptops stashed in briefcases.

Make sure your end users are in compliance

With the ubiquity of the internet, Wi-Fi hotspots and USB devices, the possibilities for unauthorized software on company PCs now seem endless. You are likely plagued by incidents around the clock: spyware such as keyloggers, adware, viruses, trojans, worms, non-licensed software, vulnerable applications and user-downloaded software (sometimes inadvertently). The list goes on and on. Even with the proliferation of anti-virus and anti-spyware solutions, desktops and laptops have become the weakest link in enterprise networks.

Laptop theft, data exposure the result of poor mobile security management

Hearing news about yet another lost or stolen laptop and exposure of personal information is almost like having seen too many horror flicks. Shock has shifted to disbelief - plus numb outrage at the apparent inability of corporations and government to protect our private personal data.

News briefs

Shake-up at McAfee. An internal McAfee probe spurred by Securities and Exchange Commission inquiries has led to a shake-up at the security giant. George Samenuk retired as chairman and CEO, while Kevin Weiss was fired. Board of Directors member Dale Fuller took over as interim president and CEO, while Charles Robel, another board member, was named chairman. A special committee's investigation determined insiders were participating in a questionable stock options practice known as backdating. News of the departures led some analysts to conclude that McAfee is ripe for acquisition. Fuller said: "All options are on the table."

Industry views: Encryption certainly not going anywhere

No one questions that email is universally adopted. It is in the mainstream. And despite the huge advantages of personal and corporate productivity, the open nature of the internet has made email vulnerable to interception and even alteration by malicious parties. As the risks to the privacy and security of email messaging have grown, so have efforts to protect it.

Clearing the hurdles to improved endpoint security

Today's workforce is more efficient than ever, utilizing communications and storage devices that make the transfer of information fast and convenient. However, the time these tools save can be lost as a result of the data security risks the devices pose for the companies that use them.

Hot or not: Wireless card attacks

The recent controversy at this year's Black Hat conference highlighted a growing trend in vulnerability research and reporting — the inability of some to make a distinction between technically interesting, novelty attacks versus real threats.

Mobile security dialing up investment dollars

The mobile, wireless world in which we now live has created a shift in the focus of venture capital investments in security technology. Today's investors tend to target technology that directly protects people and information, a marked change from a few years ago when the focus was the protection of corporate computer systems as a whole.

WLANs: A growing risk

San Francisco. Houston. Philadelphia. Annapolis. Step into any of these cities in the near future and you should be able to check your email, chat with friends, or surf the web wirelessly. But how safe will your experience be with municipal wireless local-access networks (WLANs) as you connect to the web in a car, office building or the middle of a park?

Means to an end(point)

At the Pacific Northwest National Laboratory (PNNL), the name of the game is discovery. This Department of Energy multidisciplinary lab in Richland, Wash., has scientists working in an open environment on projects that range from mathematics to physics to genetics.

For endpoint security, 'neighborhood watch' must be formed

A big part of what we do here in the research group at Exploit Prevention Labs involves studying the behavior and distribution of malicious websites, and it's really interesting, as we poke around the web, to see different patterns come to light.

News briefs

Feds: Improve security. Federal agencies worked against an August deadline to implement improved security controls designed to better protect the private information of U.S. citizens in the hands of government officials. A memo on the sweeping changes was sent out in late June by the White House's Office of Management and Budget. OMB said it will work with inspectors to ensure agencies are in compliance. "We intend to work with the general community to review these items to ensure we are properly safeguarding the information the American taxpayer has entrusted to us," OMB Deputy Director Clay Johnson III said in a memo.

The coming storm

Ask IT security experts to forecast the future of mobile device security, and their crystal ball might become a little murky — possibly because of looming storms on the horizon.

House advantage

Nothing says "good fortune" louder than the clatter of coins cascading into the winner's tray of a slot machine. But these days that jangle is nothing more than set dressing. Instead of bucketfuls of quarters, lucky gamblers are rewarded with the pre-recorded sound of falling coins and a printed voucher for their booty.

CISOs are only part of the plan

Can CISOs and CSOs make a difference in the companies for which they work? Can they shape a successful IT security program that promotes a flourishing, trusted and respected business? And, in the end, does it really matter if a company has a lead professional in place to oversee and usher in IT security practices, or can a company do without yet still maintain a strong IT security posture that begets consumer and investor confidence?

Missing laptop, missing policy

A dedicated federal civil servant took work home. Unfortunately, the federal agency he worked for had not taken easy steps to make that practice safe and secure. Thus, when a neighborhood gang of thieves broke into his house and stole the laptop, identity information about millions of veterans and members of the armed forces was potentially compromised. It was a typical Washington story, typical because no one suggested doing anything to solve the real problem revealed by the incident. It reminded me of the two giant paintings in the piazza in Siena, Italy. One image is of dysfunctional Bad Government, the other of progressive Good Government.

The switch is on

Tarron Weir and Joseph Raquel might well be "poster boys" for the Secure Sockets Layer (SSL) virtual private network (VPN) movement. In fact, their experience with the latest in secure remote-access technology more or less epitomizes what's going on in the VPN marketplace right now.

Controlling the endpoint

There's yet another IT security bandwagon onto which any number of vendors are jumping. And, whether companies refer to it as network access management (NAM), network access control (NAC), or network access protection (NAP), the main question is: Who has the real deal?

Locking down WLANs

If I say the word security to you, what comes to mind? Do you think of the access card keys that allow you into your buildings; firewalls to protect your IT infrastructure; or cameras to monitor facilities? Perhaps you think of how to protect the data on your laptop if it is stolen.

Risks and rewards of a wireless LAN

Wireless local area network (WLAN) technology was deployed at Mount Allison University to enhance on-the-go productivity of our students, faculty, staff and administrators. Whether it's conducting research, exchanging ideas or gaining access to useful operational information, campus users can now perform such functions in real-time without breaking stride from their daily routines.
