Video: 2011 and cyber crime

December 23, 2011

2011 was marked by a rise in hacktivism, an evolution in cyber crime toolkits, a preponderance of mobile malware -- namely on the Android -- and increased risks in social media. This resulted in "unprecedented public attention to [these] problems," said James Lyne, director of technology strategy at Sophos. In this video, Lyne describes how organizations can use this newfound cyber awareness to best respond to the challenges.

Video: Shifting the advantage from attacker to defender

December 06, 2011

Digital adversaries have lots going for them: financial incentives, easy-to-access tools and ubiquitous access points thanks to the pervasive nature of the internet. And defenders have lots working against them, as they try to do more with less. But in this video, Rapid7 CEO Mike Tuchen offers suggestions of how organizations can harden their networks, from poking at their own infrastructure to prioritizing their risk posture.
 

Video: The Android problem

November 15, 2011

In this interview, Harry Sverdlove, CTO of Bit9, describes to SC Magazine Executive Editor Dan Kaplan what the bring-your-own-device revolution means for organizations, and how they should best address the threat posed by endpoints such as the Android.
 

Video: Deterring hacktivism

October 31, 2011

SC Magazine Managing Editor Greg Masters chats with Carl Herberger, vice president of security solutions at Radware, about the risk posed by politically and ideologically motivated attacks, known as hacktivism.
 

Video: Educating students on reducing online risk

October 24, 2011

Andrew Lee, CEO of ESET North America, sits down with SC Magazine Executive Editor Dan Kaplan to discuss why security education needs to make its way into school curricula. This will allow students to become better protectors of their personal critical infrastructure -- their homes -- and prepare them to be security-conscious employees once they enter the working world.
 

Video: The "Bring Your Own Device" conundrum

September 27, 2011

SC Magazine Executive Editor Dan Kaplan sits down with a Juniper security executive to learn why the trend of mobility and data migration should be a top concern for security professionals, and how they can institute best practices to deal with the new risk.
 

Hacking industrial control systems: Dillon Beresford press conference

August 12, 2011

Security researcher Dillon Beresford speaks to the press at the Black Hat conference in Las Vegas following his presentation which demonstrated how to hack into Siemens industrial control systems. Beresford specifically uncovered "replay attack" vulnerabilities in programmable logic controllers, or PLCs, which are used in organizations such as power plants to automate processes. He told the media that part of his motivation for the research was to debunk conventional thinking that SCADA attacks require deep pockets. This week, ICS-CERT issued an advisory warning of the bugs in the Berlin-based Siemens products.
 

Tracing the advanced persistent threat: Interview with Joe Stewart

August 10, 2011

While McAfee's recently released "Shady RAT" report concentrated on the victims of a mass cyberespionage ring, another researcher has decided to focus his attention on the adversaries behind such attacks. In a video recorded last week at the Black Hat conference in Las Vegas, Joe Stewart of Dell SecureWorks explains how he was able to trace 60 families of custom malware thanks to error messages yielded by a "connection bouncer" tool used by the hackers to hide their tracks, but which inadvertently pointed back to about a dozen command-and-control centers hosted by ISPs in China. Two of the malware families are known to have been used in the RSA SecurID breach. "It gives you a better line on attribution," Stewart told SCMagazineUS.com.
 

Minding the database: Interview with Phil Neray, IBM

June 01, 2011

A host of high-profile breaches have defined 2011, from HBGary to Epsilon to Sony to RSA to Lockheed Martin. The motives for each attack have been different, but they all share something in common: The perpetrators wanted access to the database, where the company's crown jewels lie. Phil Neray, vice president of data security strategy at IBM, discusses why organizations must implement protections at the database level to both catch the adversaries in action and trace their footsteps for the forensic investigation.
 

Rethinking security: Interview with David Koretz, CEO, Mykonos Software

April 18, 2011

In an interview with SC Magazine Managing Editor Greg Masters, David Koretz, CEO of web application security start-up Mykonos Software, explains why the industry needs a rethink. He says security products traditionally have produced too much data, which leads to stress on customers and too many false positives. And even with this preponderance of information, solutions still are missing threats, as evidenced by zero-day attacks that evade malware detection technology. Koretz explains why a shift in focus, plus increased education for college students, may make all the difference.
 

Managing virtualization: Interview with Rob Juncker, VP of technology, Shavlik

March 15, 2011

As virtualization becomes more mainstream, even in small and midsize organizations, security professionals must consider the risks of managing this emerging technology. Threats such as VM sprawl, in which IT departments lose visibility of their virtual assets, create the potential for unpatched and vulnerable machines. Rob Juncker, VP of technology at Shavlik, sits down with SC Magazine Executive Editor Dan Kaplan to explain why organizations must apply the same security principles to their virtual machines as they do to their traditional computing systems.
 

Encryption and advancing cloud security

March 11, 2011

SPONSORED VIDEO: Dave Asprey chats with SC Magazine Executive Editor Dan Kaplan on the RSA Conference showroom floor in San Francisco. Asprey explains that as cloud and virtualization technology gain traction with senior-level executives, enterprises are taking the time to build security into these projects. He also talks about the benefits of encryption in the cloud and how virtual machine density can be increased simply by running proper security products.
 

Next-generation firewalls and increasing network visibility

March 11, 2011

SPONSORED VIDEO: Michelle Cobb of Skybox Security chats with SC Magazine Editor-in-Chief Illena Armstrong on the RSA Conference showroom floor in San Francisco. Cobb discusses the importance of next-generation firewalls to protect systems from attack and reveals what organizations should prioritize in 2011, including identifying risks proactively, operationalizing security and automating controls.
 

SC Awards 2011: Video of the big night

March 11, 2011

Couldn't attend the 2011 SC Awards? Were you there and want to relive memories of the IT security industry's biggest - and most glamorous - night? Check out this video, which recaps all the pageantry of the event, where we honor those professionals, companies and solutions that represent the best of the information security marketplace.
 

What is security? Interview with Bruce Schneier

February 23, 2011

Bruce Schneier, chief security technology officer of BT, discusses his forthcoming book, which examines "the why of security." In particular, by drawing on economic and behavioral theory and more, Schneier seeks to learn: Why does security exist and how can more closely examining this question result in better solutions? Schneier, who recently blogged about the book idea, spoke with SC Magazine Executive Editor Dan Kaplan at the RSA Conference in San Francisco.
 

Has cyberwar happened? Interview with Mikko Hypponen, chief research officer of F-Secure

February 23, 2011

Mikko Hypponen, chief research officer of F-Secure, distinguishes between cyberwar and everything else, explains why the anti-virus industry failed when it came to detecting and preventing Stuxnet, discusses why critical infrastructure is at major risk of attack and reveals how he tracked down the authors of the first PC virus, which turns 25 years old this year. SC Magazine Executive Editor Dan Kaplan spoke with Hypponen following a media luncheon at the RSA Conference in San Francisco.
 

SC Congress Canada: The risk of mobile applications

November 22, 2010

Joe Lobianco, senior director of information security and risk management at CIBC, a major bank in Canada, breaks down the mobile application threat. He discusses security from the perspective of CIBC, which recently rolled out its mobile banking application, and delves into whether the mobile computing space will prompt the same risks as the traditional desktop environment.
 

SC Congress Canada: Smart grid and privacy

November 22, 2010

Ann Cavoukian, privacy commissioner of Ontario, discusses how privacy risks must be considered as smart meters are deployed to homes throughout North America. Many utilities, she says, are overlooking the privacy dangers, such as third-parties gaining access to homeowners' electrical usage patterns, but that mindset must change.
 

Fraud prevention: Interview with Laura Mather, founder of SilverTail Systems

October 08, 2010

SC Magazine Deputy Editor sits down with Laura Mather, founder of SilverTail Systems and a former fraud prevention expert at eBay, to discuss why back-end controls that sniff out fraudulent web activity may be just as important to organizations as front-end solutions, such as authentication.
 

End-user awareness: Interview with JR Smith, CEO of AVG

October 06, 2010

SC Magazine reporter Angela Moscaritolo asks JR Smith, CEO of anti-virus firm AVG, for his thoughts on National Cyber Security Awareness Month, which kicked off this week. Smith also offers his suggestions on how organizations can best implement a culture of education around security best practices.
 

Developments to the PCI standard: Interview with Jeremy King, European head of the PCI Security Standards Council

September 29, 2010

SC Magazine's Angela Moscaritolo recently traveled to Orlando, Fla., to the PCI Security Standards Council's annual North American Community Meeting to learn about the latest changes to the payment security standard and what merchants can expect in the form of additional guidance to reduce their compliance scope. During her trip, she sat down with Jeremy King, who heads the PCI Council's European operations, to discuss the developments.
 

The threat landscape: Interview with Chester Wisniewski, senior security adviser at Sophos

September 16, 2010

SC Magazine reporter Angela Moscaritolo sits down with Chester Wisniewski of Sophos to hear about the latest social engineering efforts that attackers are leveraging to work their way into organizations. He also sounds off on what security professionals must do to lock down their networks and how law enforcement is working to stem the tide of cybercrime.
 

Automated web attacks: Interview with Amichai Shulman, co-founder and CTO of Imperva

September 16, 2010

In a conversation with SC Magazine Deputy Editor Dan Kaplan, Amichai Shulman, co-founder and CTO of Imperva, introduces a new research initiative underway and addresses the automated methods now used by attackers to compromise legitimate websites.
 

SMB security concerns: Interview with Christian Renaud, CEO of Palisade Systems

August 24, 2010

SC Magazine's Angela Moscaritolo chats with Christian Renaud, CEO of Palisade Systems, who discusses the unique security challenges facing small and midsize businesses and offers up some best practices they can put to use to protect themselves in today's threat landscape.
 

Mobile workforce: Interview with Patricia Titus, CISO of Unisys

August 18, 2010

SC Magazine Managing Editor Greg Masters sits down with Patricia Titus, the former CISO at the Transportation Security Administration and current CISO at IT firm Unisys, to discuss how organizations should handle the threat posed by employees who seek to connect remotely and use mobile devices for work-related functions.
 

The bug bounty debate: Black Hat 2010 panelists debate the merits of vendors paying for vulnerabilities

August 16, 2010

Alex Stamos of iSEC Partners offers his take on the usefulness of incentive programs that encourage researchers to privately report vulnerabilities to vendors in exchange for cash. While the initiatives might fatten the wallets of bug hunters, some believe they taint the mission of white-hat hackers.
 

The state of SSL on the web: Qualys' Ivan Ristic discusses the good and the bad

August 16, 2010

Ivan Ristic, director of engineering at Qualys, provides an overview of his Black Hat 2010 talk, in which he presented a plethora of research findings into the state of SSL on the internet. As Ristic notes, websites are succeeding in some areas and falling short in others when it comes to deployment of SSL encryption.
 

$9 million counterfeit check scheme uncovered: Details revealed at Black Hat 2010

August 03, 2010

Ben Feinstein, director of research at SecureWorks, reveals the inner workings of a Russian cybercrime gang that leveraged botnets, VPN tunnels, social engineering and money mules to create a $9 million check counterfeiting scheme. Details of the racket were announced last week at the Black Hat conference in Las Vegas.
 

Hacking smartphones to make long-distance calls: Mikko Hypponen reveals the secret at Black Hat 2010

August 02, 2010

Mikko Hypponen, chief research officer at F-Secure, speaks with SC Magazine's Angela Moscaritolo after his Black Hat 2010 presentation, "You will be billed $90,000 for this call," which examined how hackers can secretly attack a smartphone to make long-distance calls — on your dime.
 

How he attacked ATMs: Barnaby Jack press conference at Black Hat 2010

August 02, 2010

Barnaby Jack, director of security research at IOActive Labs, fields questions from the press shortly after wowing the Black Hat 2010 crowd with a talk about ATM vulnerabilities, both remote and local, that can allow attackers to retrieve free cash from the machines. In the press conference, Jack describes how he perpetrated the exploits. He references "Dillinger," an attack tool named after the infamous 1930s bank robber that he used to exploit one of the vulnerabilities — an issue in the remote monitoring authentication process, which is turned on by default in most machines made by manufacturer Tranax.
 

Dealing with compliance: Interview with Michael Thelander, product marketing manager at Tripwire

July 27, 2010

SC Magazine Deputy Editor Dan Kaplan sits down with Tripwire's Michael Thelander to learn whether compliance remains a driver for organizations, especially as new regulations pop up and existing mandates become more stringent. Thelander also touches on compliance in the cloud, and whether it can be achieved.
 

Guarding against insider malfeasance: Interview with Paul Smith, CEO of PacketMotion

July 26, 2010

Paul Smith, CEO of PacketMotion, maker of network segmentation and compliance solutions, tells SC Magazine's Angela Moscaritolo how organizations can best guard against trusted insiders stealing company assets and intellectual property.
 

Managing access: Interview with Glenn Hazard, CEO of Xceedium

July 21, 2010

Glenn Hazard, CEO of identity and access management provider Xceedium, tells SC Magazine's Angela Moscaritolo what is driving this security industry sector and how it is morphing to keep up with the increasing mobile workforce.
 

Mergers and acquisitions: Interview with Gary Steele, CEO of Proofpoint

July 16, 2010

SC Magazine reporter Angela Moscaritolo discusses the bustling M&A landscape with Gary Steele, CEO of Proofpoint, to learn what has prompted a recent flurry of activity and how security buyers should react when considering a solution.
 

Protecting databases: Interview with Thom VanHorn, vice president of marketing for Application Security Inc.

June 24, 2010

SC Magazine's Angela Moscaritolo learns from Application Security Inc.'s Thom VanHorn of the latest trends around database security. A majority of the attacks come from insiders, but external attacks are quite prevalent as well. For example, government databases undergo constant "probing" from adversaries.
 

Web security: Interview with Devin Redmond, vice president of product management at Websense

June 24, 2010

SC Magazine Deputy Editor Dan Kaplan sits down with Websense's vice president of product management to discuss today's web threats facing businesses of all sizes.
 

Payment security: Interview with Bob Carr, chairman and CEO of Heartland Payment Systems

June 10, 2010

Bob Carr, CEO of Heartland Payment Systems, which suffered a record-breaking breach in 2008, has rolled out a new payment solution to its merchants that offers end-to-end encryption of sensitive transaction data. In an interview with SC Magazine's Deputy Editor Dan Kaplan, Carr discusses the new offering and offers an update on the company's recovery 18 months after it announced the breach, which exposed some 130 million records.
 

ACH fraud: Interview with Chris Mark, EVP of data security and compliance at ProPay

May 26, 2010

Chris Mark of ProPay discusses how some small- and mid-size businesses are falling victim to ACH fraud due to poor authentication.