Speaking of Security, the RSA Blog and Podcast

Big Bank Does Well Financially—Really!

blog@rsa.com (Satchit Dokras ) — Fri, 21 Nov 2008 00:00:00 GMT

What a refreshing conversation it was—a Global 100 bank’s senior IT executive was gushing on how he was in the money. No, really! And even better, amidst today’s financial fiascos, he had selected to tell me about how he was financially ahead by deploying some state-of-art security solutions.

Fraudsters Have Had a Rough Month

blog@rsa.com (Uri Rivner) — Tue, 18 Nov 2008 00:00:00 GMT

I attended RSA Conference Europe late last month, which – as always – is an amazing event. The theme of the Conference was focused on Alan Turing, who is often called the father of modern computer science. One particular perk at the venue was the public display of the Enigma machine – believed by the German forces during WWII to be impenetrable.

PCI Compliance: Visa Announces Global Deadlines

blog@rsa.com (Brad Davenport) — Tue, 18 Nov 2008 00:00:00 GMT

In response to the complex and global threats faced by the cardholder ecosystem, Visa Inc recently announced worldwide deadlines for PCI DSS Compliance. "Compliance with PCI DSS is vital to ensuring the integrity of the global payments system," said Eduardo Perez, head of global data security, Visa Inc. "Aligning compliance programs across the Visa regions is the latest step in our commitment to safeguarding cardholder data."

Speaking of Security Podcast #129

blog@rsa.com (Podcast Producers) — Mon, 17 Nov 2008 00:00:00 GMT

Click to Download/Listen (07:52)

This week's Speaking of Security podcast features an on-the-scene report from the Gartner Identity and Access Management Summit, one of the key shows on the security event calendar. The Summit was held last week in Orlando, Florida.

Events per Second – the difference between a target and an assurance

blog@rsa.com (Paul Stamp) — Mon, 17 Nov 2008 00:00:00 GMT

We’ve been getting a good few questions recently about how many Events Per Second a SIEM product support. Well, that depends on a few factors:

The transport – processing Syslog events takes up a heck of a lot less processing power than collecting from a Windows box. Same with collecting data over an ODBC connection.

RSA® BSAFE® — Security A Billion Times Over

blog@rsa.com (Satchit Dokras) — Sun, 16 Nov 2008 00:00:00 GMT

RSA has marked a McDonald’s-like landmark, quietly— over one billion applications and devices are now embedded with RSA ® BSAFE® security software. No numbers changed under ubiquitous golden arches to mark this monumental achievement, but it did get me thinking on how deep an impact RSA BSAFE has had in the broad industry sectors as well as at EMC in particular…

What should we expect from the Obama Administration and the 111th Congress on Cyber Security?

blog@rsa.com (Shannon Kellogg) — Fri, 14 Nov 2008 00:00:00 GMT

Given the seriousness of the financial crisis, growing job losses and the continued meltdown of global stock markets, it’s hard to imagine that the incoming Obama Administration or new U.S. Congress will be able to focus on much else during the first several months of 2009. When they do tackle other issues, healthcare reform, tax policy and energy policy are likely to emerge at the top along with national security priorities. Not to mention that many FY2009 spending bills still need to be approved by Congress and signed by the President as well, although that is expected to happen by March 2009 at the latest.

So where does this leave cyber security issues?

Innovation In Security--Lessons from TelePresence and Cloud

blog@rsa.com (Satchit Dokras) — Wed, 12 Nov 2008 00:00:00 GMT

Innovation in Security is a theme that we at EMC and RSA strongly believe in— it was central to my keynote speech at the NCA Security and Technology Conference in Seattle on the 29th of October. Yet, as the day progressed, I could not help but think of how extensively we need to innovate in our security deployments, to enable vibrant new information exchange capabilities, and to sustain the rapid changes in our information-centric lifestyles.

And are we being hit with Change!
Carlos Dominguez, the SVP at Cisco, spoke to the profound impact of Web 2.0 and TelePresence [TP] technologies on our business and social lifestyles...

Planes, Trains & Automobiles: Some Data Should Just Stay at Work

blog@rsa.com (Will Redfield ) — Wed, 12 Nov 2008 00:00:00 GMT

In recent security briefings, I’m often asked: “Should I protect sensitive information on my laptop by encrypting my laptop?”

My advice is to first ask WHY? Why do you as an employee have the business or security justification to transfer and store sensitive PII: (personally identifiable information) onto your mobile device? (A little of asking who, what, where and when about your information will help here too).

Combating Cyber Threats Around the Globe -- A More Collaborative Approach?

blog@rsa.com (Shannon Kellogg) — Wed, 12 Nov 2008 00:00:00 GMT

Governments and law enforcement agencies from North America and Europe continue to increase cooperation and coordination to combat the growing threats of cyber-crime and e-espionage. That was quite evident at the recent RSA Conference Europe that was held in London as a significant number of representatives from governments participated in panels and other events. I moderated one of those sessions, which was titled “Tackling Cyber-crime and Protecting Critical Information Infrastructure – Public Sector Approaches&rdquo...

Speaking of Security Podcast #128

blog@rsa.com (Podcast Producers) — Tue, 11 Nov 2008 00:00:00 GMT

Click to Download/Listen (07:52)

In today's Speaking of Security Podcast we're talking to RSA customer, Kurt Roussell, Manager, Revenue Protection at We Energies (a subsidiary of Wisconsin Energy). Kurt discusses his strategies for thwarting identity theft at We Energies and his approach to the new FACTA regulations.

Data Loss Prevention Tools: Friend or Foe?

blog@rsa.com (Paul Davilman) — Mon, 10 Nov 2008 00:00:00 GMT

I recently visited a customer and we had an in-depth conversation about the use of DLP in a large corporate environment. The customer agreed that the technology surrounding DLP is great and that it would definitely help identify potential rogue employees. However, the customer also expressed concerns about when is enough…enough.

There's just no helping some people

blog@rsa.com (Andrew Moloney) — Thu, 06 Nov 2008 00:00:00 GMT

Even though we're a technology vendor, we always stress that, when considering the robustness of your information security strategy, technology isn't always the answer. It's upon the effective combination of people, process and technology that we must ultimately rely. That's why it pained me when this story appeared in the UK press last weekend...

Game on!

blog@rsa.com (Sam Curry) — Tue, 04 Nov 2008 00:00:00 GMT

In my last blog, we looked at increasing complexity on the part of both the “good” guys who are building legitimate businesses and on the part of the “bad guys” who are building a “dark network” of sorts that is remarkably like the first. Today, I’d like to dig into that and look at a system for explaining this; and I thought I’d use the phrase we used playing street hockey in my youth in Canada when the cars cleared the road, and the game got serious again: game on!...

Speaking of Security Podcast #127

blog@rsa.com (Podcast Producers) — Tue, 04 Nov 2008 00:00:00 GMT

Click to Download/Listen (07:52)

It's election day in the US, and today's Speaking of Security Podcast focuses on the notorious breach of Sarah Palin's email account on Yahoo. Satchit Dokras, a Director in RSA's EMC Product Security Office, talks about Palin's exposed email and how all of us can better protect our online accounts.

One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts

blog@rsa.com (RSA FraudAction Research Lab) — Fri, 31 Oct 2008 00:00:00 GMT

The RSA FraudAction Research Lab would like to share its startling findings based on its tracking and research of the Sinowal Trojan, also known as Torpig and Mebroot. Our findings based on the data we have collected on this Trojan over the course of almost three years – including information regarding its design and its infrastructure – indicate that this may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters. We recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts...

Facing Year-End Deadlines for PCI Compliance?

blog@rsa.com (Brad Davenport) — Wed, 29 Oct 2008 00:00:00 GMT

As I was listening to the review of PCI DSS 1.2 at this year’s annual PCI Community Meeting (click here for a recap of the event), a QSA stepped up to one of the many microphones scattered throughout the audience. Rather than asking a question, he explained that many midsized merchants have reasonably large and complex environments, yet lack the internal resources required to evaluate, procure and implement the enterprise-class security controls needed for PCI DSS compliance. The QSA then asked the Council if they would recommend a specific set of actionable technology recommendations to help these organizations in their efforts...

Why there's no logging standard -- it's not our fault, mate

blog@rsa.com (Paul Stamp) — Wed, 29 Oct 2008 00:00:00 GMT

Over the years there have been more attempts at creating a logging standard than I’ve had hot dinners – to borrow a Britishism. No standard has ever really emerged that has caught on. And I bet I’m going to get at least one e-mail that will place the blame squarely at the feet of vendors like us, who make money out of the present chaotic situation.

However, the problem runs much deeper than just a lack of will among ourselves and our peers...

Speaking of Security Podcast #126

blog@rsa.com (Podcast Producers) — Tue, 28 Oct 2008 00:00:00 GMT

Click to Download/Listen (07:52)

At this week's RSA Conferece Europe we released a new survey to track wireless network security in London, Paris and New York. The survey shows strong growth in wireless access points, both corporate and personal, but reveals that many are protected by the now discredited WEP encryption. RSA VP, Sam Curry goes over the numbers in our latest podcast.

The 5 'P's of Security and Compliance

blog@rsa.com (John McDonald) — Fri, 24 Oct 2008 00:00:00 GMT

I have the good fortune to be able to talk to a lot of different customers about their security and compliance efforts, and in the process I learn a lot about what works and what doesn't. I also have the benefit of over 27 years’ experience in the IT industry, which means I've seen (and yes, made) pretty much every kind of mistake that can happen. But the one thing that always strikes me the hardest is that we keep making the most basic mistake over and over again, and, as you would expect, the results are inevitably the same. The mistake I'm referring to is ignoring the 5 'P's - Proper Planning Prevents Poor Performance...

The Lingua Franca of Information Security

blog@rsa.com (Andrew Moloney) — Fri, 24 Oct 2008 00:00:00 GMT

Working across the EMEA region and being employed by an American-headquartered company, I’m fortunate (and occasionally unfortunate!) to encounter the many cultural differences which unite and divide us. Today for example, I’m speaking at our EMC Forum in Moscow, earlier in the week I was in Sweden, and just last week I was with customers and colleagues in the somewhat sunnier climes of Dubai. It’s interesting then to note what changes, but perhaps more importantly the many more things that stay the same as you talk information security strategy throughout the region…...

Speaking of Security Podcast #125

blog@rsa.com (Podcast Producers) — Mon, 20 Oct 2008 15:52:45 GMT

Click to Download/Listen (07:52)

On Monday, October 13 RSA, The Security Division of EMC, released the results of a new insider threat survey. The survey shows that employees are well aware of the restrictions placed upon them by their corporate IT departments, yet many often work around these controls in order to get their jobs done. RSA VP, Sam Curry, digs deeper into the issue in our latest podcast.

The High Cost of Being Wrong: Why Data Detection Matters

blog@rsa.com (Heather Schneider) — Mon, 20 Oct 2008 08:00:00 GMT

Imagine you see a car stopped on some train tracks, and you hear a train coming. How do you react? Do you ignore the sound of the train, thinking it won’t hit the car? In that same vein, not having an accurate data loss prevention (DLP) solution in place within your organization is akin to standing by and watching that train wreck about to happen – all while pretending you can’t see what’s going on even though the train’s horn is blaring.

In my ten years of experience in the search and categorization space, I can tell you that the risk of a DLP software policy allowing false negatives, when sensitive documents are missed by the policy and considered safe, is potentially extremely costly to a company...

DHS Secretary Chertoff discusses cyber security, highlights supply chain security

blog@rsa.com (Shannon Kellogg) — Mon, 20 Oct 2008 00:00:00 GMT

I had not seen the Secretary of Homeland Security, Michael Chertoff, speak on cyber security issues at a public forum since he keynoted the industry-wide RSA Conference in April 2008, so I decided to attend a forum at the U.S. Chamber of Commerce on Tuesday, October 15th where he was scheduled to keynote. Titled “Enhancing Cyber Security as Part of Enterprise Risk Management Planning” and held as part of a series of National Cyber Security Awareness Month events, Secretary Chertoff addressed the group of mostly business community attendees to highlight what he dubbed as “one of the most important initiatives that we have ever undertaken as a department or country”...

Halloween Came a Little Early...

blog@rsa.com (Brian Fitzgerald) — Thu, 16 Oct 2008 00:00:00 GMT

Halloween came a little early for Rob Enderle. Is he right to be very, very afraid..?

Rob Enderle recently attended an EMC conference where, among the speakers, he heard from Uri Rivner regarding the growing sophistication–and mass-production capabilities—of the online fraud industry. In his excellent piece in Dark Reading on the subject entitled “How RSA/EMC Scared Me Half to Death”, Rob admitted to being more than a little scared by what he heard. And among his fears is that, in these tight economic times, companies will not make the investments needed to ensure that they and their customers are secure against these increasingly robust threats...

Infinite Diversity in Infinite Combinations

blog@rsa.com (Sam Curry) — Thu, 16 Oct 2008 00:00:00 GMT

Followers of Star Trek might have noticed the small IDIC symbol Mr. Spock wore in events requiring official Vulcan dress code. IDIC stands for “Infinite Diversity in Infinite Combinations” a remarkable philosophy in spite of its pop origins and an enduring legacy of the late Mr. Roddenberry.

Hello folks: my name is Sam. My first anniversary at RSA just passed, and it seemed like as good a time as any to plunge into the security blog-o-sphere. I sit in a unique position within RSA: in the middle of the customers, the partners, the markets and the technology. In the course of the last year, I’ve met with hundreds of people with whom we do business, with whom we do science and with whom we look to change the way the world works. And, let me tell you this: things are becoming more complex...

Uncommon Assurance With Common Criteria

blog@rsa.com (Satchit Dokras) — Wed, 15 Oct 2008 00:00:00 GMT

Corporations spend millions of dollars in getting their products Common Criteria-certified. It is a validation of being tested per an international security evaluation standard for meeting stated security claims. Yet, the claims made by companies are not mandated to be at rigorous security levels by the Common Criteria standard — it merely advocates thorough testing.

Product Assurance is Top-of-Mind and SAFECode is Making Progress

blog@rsa.com (Shannon Kellogg) — Tue, 14 Oct 2008 00:00:00 GMT

If you are working on information assurance issues and walking the halls of government buildings, you can't go anywhere these days — whether in Washington, D.C. or London, England — and not hear about the importance of "software assurance" or "product assurance". Government buyers nearly everywhere are insisting on more secure products and some level of assurance that the software or hardware that you are selling them is secure. And, of course, they should be doing that.

NERC Critical Infrastructure Protection Will Always Change with the Evolution of Technology

blog@rsa.com (Paul Davilman) — Fri, 10 Oct 2008 00:00:00 GMT

As Stewart Brand once said "Once a new technology rolls over you, if you're not part of the steamroller, you're part of the road". I think this quote describes perfectly the role in which IT departments are playing in implementing security programs, specifically those attributed to the NERC Cyber Security Standards...

"Catch Me, Yes YOU Can": Realized Threats at the Corner Store

blog@rsa.com (Will Redfield) — Fri, 10 Oct 2008 00:00:00 GMT

just returned from the Payment Card Industry's 2008 Members Council Meeting in Orlando, Florida. We had a blast despite the mood being somewhat dampened as a result of the uncertainty of the global financial markets (heartfelt thanks to those wise souls who've been living outside of their means and taking undue personal and commercial financial risk...). Anyhew, I met so many interesting people from both merchants and from the card brands like Visa, MasterCard, American Express, Discover & JCB International Co., Ltd.

North America Recap

blog@rsa.com (Brad Davenport) — Fri, 10 Oct 2008 00:00:00 GMT

I was one of the 650 attendees at the recent annual North American PCI Community Meeting. Held at the Omni Champions Gate resort in Orlando, it was great to speak with many of the merchants, banks and service providers in attendance about the challenges they are facing.

New case study on RSA enVision

blog@rsa.com (Paul Stamp) — Thu, 09 Oct 2008 00:00:00 GMT

The Institute of Applied Network Security released a case study on the implementation of RSA enVision at the Depository Trust Clearing Corporation (DTCC). DTCC is an organization that acts as the back end for Wall Street, processing $1.8 quadrillion in securities transactions in 2007, and thus an essential component in our economy.

Trick or Treat

blog@rsa.com (John McDonald) — Thu, 09 Oct 2008 00:00:00 GMT

October's here, and you can't escape the coming onslaught of Halloween. Children (and quite a few adults) dressed up as vampires, ghosts, goblins and other scary creatures, going around asking people for treats and threatening them with tricks if they don't provide them. A cynical person might boil it down to a a combination of scare tactics and extortion. So what does this have to do with IT security and compliance? Unfortunately, the way security and compliance professionals have traditonally gone about obtaining funds and resources for tools and projects necessary to do their jobs all too closely parallels what happens on Halloween. We frequently use scare tactics such as new threats (the trick) to get management to cough up the funding and resources (the treats) we need to accomplish what we view as our jobs...

Speaking of Security Podcast #124

blog@rsa.com (Podcast Producers) — Tue, 07 Oct 2008 00:00:00 GMT

Art Coviello on Security for Innovation

Speaking of Security co-host, Amanda VanVeen, introduces a new video featuring RSA President, Art Coviello. Art covers new IDC research on the topic of security and business innovation. Forward-thinking security leaders are driving tighter linkages between innovation goals and security strategies.

Perimeter-centric Regulations in an Information-centric World

blog@rsa.com (Andrew Moloney) — Tue, 07 Oct 2008 00:00:00 GMT

Last week I took a trip out to our Executive Briefing Centre in Cork, Ireland. I was there to present to senior IT folk from pretty much all of the UK’s Police Forces as part of a two-day agenda that had been lined up for them by my colleagues from many of EMC’s lines-of-business.

I guess there are few other organisations where the lines between physical and virtual security are brought so sharply into focus than in one where you are dealing – first-hand – with criminals in the way that our police officers must every day of their working lives.

During our conversations we mused on various aspects of keeping information secure in such a fluid and volatile environment...

Be careful what hand you play, and when you play it

blog@rsa.com (Paul Stamp) — Wed, 01 Oct 2008 00:00:00 GMT

Yet another analogy from the credit crunch shows us security folks that even if we changed jobs we probably wouldn't be able to escape our frustrations. The executive branch is currently trying to win over Congress and convince them to hand over a large sum of money, or else something really bad is going to happen. This is a situation I'm sure many security folks have found themselves in, albeit under less extreme circumstances. The people with the check books seldom know anything about what you're doing. Congress is full of politicians, not economists or experts on the banking system. They need to rely on their gut feeling to do the right thing. Same thing with your management, so it's up to you to guide them towards the right decision -- in their language...

RSA Offers new Insights into Security and Innovation

blog@rsa.com (Blog Editor) — Wed, 01 Oct 2008 00:00:00 GMT

Today RSA, The Security Division of EMC, released the latest research and insights from IDC and the Security for Business Innovation Council on the relationship – and disconnect – between security and business innovation. The IDC report centers on the fact that 80 percent of organizations worldwide confirm that security fears are indeed responsible for stifling business innovation.

IDC also found that although 80 percent of CEOs believe their security teams are being held formally accountable for their contributions to business growth and innovation, only 44 percent of security leaders believe they are being measured on their contributions to innovation. This finding points to a surprising lack of alignment between the expectations of C-level management and the priorities of security professionals...

Gov. Palin, Yahoo! Email and Security—A Call To Action?

blog@rsa.com (Satchit Dokras ) — Tue, 30 Sep 2008 00:00:00 GMT

The McCain-Palin campaign has offered a rather muted response to the Yahoo! email account breach of Gov. Palin, and so far, the grand jury has opted not to indict the hacker. Is this the end to this sordid tale? Not quite. I believe that the average citizen has been left with a myriad of questions as to the security in as basic a utility as free email.

What’s going on?

“Rubico”, as the hacker called himself, used an automated password recovery tool where he was asked fairly simple questions to identify himself as Gov. Palin [birthday, zip code, etc.]. Rubico found answers to these within 45 minutes on Google and Wikipedia! Wow! Is it really that easy to hack into email or messaging services that the common person uses globally?...

The Virtues and Dangers of Security and Compliance

blog@rsa.com (Paul Stamp) — Mon, 29 Sep 2008 00:00:00 GMT

Last week I made a flying visit to NYC to appear on a panel at Interop with John Pironti of Getronics, Khalid Kark of Forrester, Jennifer Mack of the PCI Standards Council and Jim Routh of DTCC. The subject was "Security By Compliance - A Discussion of Information Risk Management's Greatest Challenge".

Speaking of Security Podcast #123

blog@rsa.com (Podcast Producers) — Mon, 29 Sep 2008 00:00:00 GMT

Click to Download/Listen (07:03)

Recent updates to the Fair and Accurate Credit Transactions Act (FACTA) of 2003 mandate that U.S. financial institutions and creditors must comply with the Identity Theft Red Flag provisions by November 1, 2008. Amanda Van Veen speaks with EMC's resident FACTA expert, Dennis Mayer from EMC Consulting about the upcoming deadline and what it means to those who must comply.

Massachusetts issues new rules for businesses to protect personally identifiable information, Congress considers FISMA reform

blog@rsa.com (Shannon Kellogg) — Thu, 25 Sep 2008 00:00:00 GMT

As reported in the Boston Globe on September 23rd, the Massachusetts Office of Consumer Affairs and Business Regulation issued regulations earlier this week that will place new requirements on businesses to safeguard personally-identifiable information (PII)...

Google Moves to 3rd Party Processing - The eCrime equivalent

blog@rsa.com (Uri Rivner) — Wed, 24 Sep 2008 00:00:00 GMT

The numbers behind Google's processing are staggering. Indexing over one trillion URLs, the Internet search giant reported in January that it processes 20 Petabytes of data per day.

Turns out a Petabyte is 1000 Terbytes. So Google processes over 20,000 Terabytes of data per day. Supporting all of this impossibly massive data crunching is a huge network of proprietary servers and custom made storage. It's the mythical Google grid.

Google conceals the exact nature of the grid; it's one of their trade secrets.

So, what if I told you Google is abandoning its mythical, proprietary, custom-made processing and storage grid, and is moving to an off-the-shelf third party processing platform?

Any boffin would have choked on this scoop.

OK, relax. Google isn't ditching its proprietary grid. But its eCrime equivalent is certainly doing exactly that.

Speaking of Security Podcast #122

blog@rsa.com (Podcast Producers) — Mon, 22 Sep 2008 20:00:00 GMT

Click to Download/Listen (06:29)

Paul Joyal welcomes back Linda Lynch, RSA® Conference Europe Manager, to talk about the session highlights for the upcoming conference from October 27-29. The early bird registration deadline is fast approaching on September 26. Learn more or register today: www.rsaconference.com/2008/europe.

The Semantics of Identity Assurance

blog@rsa.com (Sean Kline) — Mon, 22 Sep 2008 19:36:00 GMT

Identity Assurance was a hot topic at DigitalIDWorld this year, but as with many terms (such as policy or governance), it means different things to different people.According to the Liberty Alliance Project, “Identity” is “A unique name for single person” [sic] and “Assurance level” is “A degree of certainty that a claimant has presented a credential that refers to the claimant’s identity.” The Identity Assurance Expert Group (IAEG)’s goal is to “provide public and private sector organizations with a uniform means of relying on digital credentials...

Bank Employees become Phish Bait?

blog@rsa.com (Andrew Moloney) — Mon, 22 Sep 2008 00:00:00 GMT

What a week it was in the financial markets! With Lehman Brothers filing for bankruptcy, and Barclays subsequently buying up some of the assets; with Merrill Lynch finding a safe harbour at Bank Of America; and then, closer to home (for me at least) the merger of two of the biggest UK retail banks, HBOS and LloydsTSB.

During this coming period, it is a reasonably safe bet that we may be in for a flurry of phishing attacks targeting the customers of these institutions using ruses like share “windfalls” and the like to tempt individuals into disclosing their credentials. However, in this blog, that’s not what I want to talk about. The implications for the employees of these organisations are, of course, also huge, and the degree of uncertainty and change that will ensue for a period of time will provide ample opportunity for the criminal fraternity to exploit....

A World Becoming "Data Retentive"

blog@rsa.com (Andrew Moloney) — Tue, 16 Sep 2008 00:00:00 GMT

I’ve recently been looking at the implications of the second phase of the EU Data Retention Directive which will shortly be coming into force: as well as requiring telcos to keep call logs of who we called and when, ISPs will also now be required to keep logs of when we logged on and from where. Let’s leave the debate on whether all this logging is an invasion of our privacy or not – and whether that compromise of our personal freedom is justified in the global war on terror – for another time. For now, let’s just have a think about all that log data sitting around, waiting to be called upon...

Breaking Down the Walls of Compliance Challenges

blog@rsa.com (Paul Davilman) — Tue, 16 Sep 2008 00:00:00 GMT

Compliance, Compliance, Compliance. It’s the word that’s on everybody’s lips in the security industry these days. Companies of all shapes & sizes are spending big bucks to ensure compliance, but what are they trying to be compliant to? Regulatory issues, legal issues, internal policies & procedures or all of the above??? Unfortunately, trying to be compliant in any of these areas brings challenges but there are some ways to make it a little easier...

The Buzzword Bandwagon: Lessons learned from a user conference

blog@rsa.com (Paul Stamp) — Tue, 16 Sep 2008 00:00:00 GMT

Last week I was at a conference where security folks get together and vent their spleens about the problems they're facing. On day one, us vendors weren't allowed near the place, but on day two we got to pitch our products to potential buyers, and they got to shoot arrows at us. The highlight of the day for me, though, was the roundtable discussion on log management and SIEM.

Different people in the room talked about some of their experiences with log management and SIEM – some were very positive, others not so much. Either way, though, what struck me was the disparity between what people wanted to do with their SIEM products, and what they were actually managing to do...

Speaking of Security Podcast #121

blog@rsa.com (Podcast Producers) — Mon, 15 Sep 2008 00:00:00 GMT

Click to Download/Listen (05:48)

RSA's reseller community is part of RSA SecurWorld program. In order to help these channel partners become better trained in our solutions and products, RSA host several conferences throughout the year. Listen in to find out how your reseller works hard to become your trusted advisor for IT security.

Security and Virtualization

blog@rsa.com (Rob Sadowski ) — Fri, 12 Sep 2008 00:00:00 GMT

As part of my various duties here at RSA, I get the privilege of speaking with customers on a regular basis about how they can implement an Information Risk Management strategy. One of the most frequently asked questions that follow this discussion is: “how does this process change when I start to virtualize my environment?” So in this guest blog post, I thought I’d answer this question and talk a little about RSA’s collaboration with VMware for securing their virtual infrastructure solutions.

Before we get to security implications, we should start with a basic discussion of what virtualization does to the overall information infrastructure...

RSA enVision and the Security Operations Center

blog@rsa.com (Paul Stamp) — Thu, 11 Sep 2008 00:00:00 GMT

Last week I did a podcast with Glenn Williamson of Canadian MSSP Cyberclix. I put forward what I thought a SOC ought to look like, and then Glenn talked about some of the things he and his team were doing with RSA enVision in his SOC.

We've had some good feedback on the event, and if anyone missed it, it's available here.

PCI vs. SEPA - Friend or Foe?

blog@rsa.com (Andrew Moloney) — Thu, 11 Sep 2008 00:00:00 GMT

I’ve just attended a PCI special interest group meeting for the payments community in Europe, run by one of the key trade associations in that industry over here, Vendorcom. It was an interesting session with a number of different presentations from various vendors, QSAs and a special guest, the Head of IS Governance and Security from one of the UK’s top five retailers on their path to PCI compliance...

Speaking of Security Podcast #120

blog@rsa.com (Podcast Producers) — Tue, 09 Sep 2008 00:00:00 GMT

What's New with PCI

Speaking of Security co-host, Paul Joyal, discusses the latest developments in the Payment Card Industry data security standards with Brad Davenport, Compliance and Solutions Marketing Manager at RSA.

When there's something strange in the neighborhood, who you gonna call?

blog@rsa.com (Will Redfield) — Mon, 08 Sep 2008 14:00:00 GMT

A commentary about the casual hack, phreaking, pretexting, and a new thing called CPNI

So, a company that I met with had a problem. This was not a ginormous problem itself, but rather it was an awakening to a new threat that had not emerged as public enemy number one before. Its employees. It so happens that this company has the best security that King Arthur could buy, but it's not being used right and someone thought it would be pretty clever to crash a database server and see what would happen. Or did they? Or was it the computer playing a practical joke? HAL, anyone?

It turns out this company handles sensitive information about its customers, and yet they don't know WHO DONE IT or WHY?...

PCI Doesn't Scare one FSI

blog@rsa.com (Dave Howell) — Mon, 08 Sep 2008 00:00:00 GMT

While in Australia last week, I had lunch with the risk and compliance manager from a large financial institution. We had a lively discussion centered on compliance (I know, most people don't find compliance that exciting, but this was the right group for this conversation!)

Early in the conversation, the topic of the PCI Data Security Standard arose. This entity is beginning to look at the Standard's implications, and, based on reactions I've seen from other customers, I expected to hear a lot of frustration and annoyance. But, I asked the question anyway: "So, are you concerned about having to deal with the PCI requirements?"...

What's Going on Between Asprox and Rock Phish?

blog@rsa.com (RSA FraudAction Research Lab ) — Thu, 04 Sep 2008 00:00:00 GMT

When a small phishing gang decides to upgrade its infrastructure, it is often done in a quick and dirty fashion. The transition is almost immediate, and often buggy and unprofessional. But what happens when a gang on the scale of the Rock Phish group decides to abandon its old methods and upgrade its botnet infrastructure? It is done slowly, smoothly but most importantly -- professionally. The RSA FraudAction Research Labs recently gathered information that indicates major changes in the tactics employed by the Rock Phish gang. We have reason to believe that the gang is replacing its phishing infrastructure, and upgrading it to an advanced Fast-Flux botnet. We also believe that this new infrastructure belongs to none other than the infamous Asprox Botnet, which has recently been spreading itself using surges of SQL injection attacks...

Planning for a new year

blog@rsa.com (John McDonald ) — Wed, 03 Sep 2008 00:00:00 GMT

October is creeping up on us, and for most of us that means the beginning of the end of 2008, along with the nagging feeling that we should be doing some planning for 2009. This is the perfect opportunity to take stock of your security and compliance programs, and to develop a plan for improving things next year. If you've been following our various blogs here at RSA you probably realize by now that we espouse a security and compliance program based on three core pillars: it's information-centric, risk-driven and framework-based. Our compliance team has spoken with hundreds of customers from all over the world and in every industry segment this year, and we're finding that this approach is gaining acceptance at an ever-increasing rate. Organizations are realizing that they need to discover, manage and control their information assets in order to protect them...

Southeast Asia: Perspectives on Compliance

blog@rsa.com (Dave Howell) — Wed, 03 Sep 2008 00:00:00 GMT

This past weekend, I left Southeast Asia after a week-long trip to Bangkok, Singapore and Manila. The week was spent in back-to-back meetings with customers and our local sales teams, and the majority of our discussions centered on PCI DSS and compliance in general. One clear takeaway: Compliance is one of THE growing areas of concern for businesses in the region.

I found the degree to which customers in the region were concerned about compliance to be a bit of a surprise. I say 'surprise' because I often hear that compliance isn't as much of an issue outside of the U.S. From what we're seeing, though, the regulatory environment in non-U.S. geos, including Southeast Asia, is becoming more complicated...

ISO 27001 Adoption Poll Results are In

blog@rsa.com (Dave Howell) — Thu, 28 Aug 2008 09:00:00 GMT

So, several weeks ago I wrote a piece discussing the "long road to ISO 27001" adoption. A question posed to readers at the end of the piece: "How far off are we from the point at which ISO 27001 certifications in the U.S. are standard operating procedure for businesses -- the exception, rather than the rule?"

Well, the results are in! Our servers nearly crashed thanks to the influx of responses, but, fortunately, that wasn't the case. Here are the results...

If there were gold medals for Data Leakage...

blog@rsa.com (Andrew Moloney) — Thu, 28 Aug 2008 00:00:00 GMT

I've just returned from my summer vacation, somewhat foolishly deciding to spend it under canvas in the south-west of the UK and expecting to get good weather. If my tent had leaked as badly in the last couple of weeks as data seems to have been leaking in the UK during the same period, I'd be in need of an aqualung by now! If it were an Olympic sport, Britain would have beaten China for pole position in the medals table!

It all started with the loss of a memory stick by a UK Government contractor which contained somewhere around 120,000 records, including the details of 10,000 of our nation's most serious criminals. We then heard about a compromise at global hotel chain Best Western...

Speaking of Security Podcast #119

blog@rsa.com (Podcast Producers) — Mon, 25 Aug 2008 00:00:00 GMT

Click to Download/Listen (06:46)

Paul Davilman from RSA’s Compliance and Solutions team sits down with Amanda Van Veen to talk about the North American Electric Reliability Corporation (NERC) Cyber Security Standards and how these standards will impact IT security in the utility industries. Please note that due to the U.S. Labor Day holiday, we'll be back in two weeks (on September 8) with a new show.

PCI Compliance: Reaction to the Summary of Changes

blog@rsa.com (Brad Davenport) — Tue, 19 Aug 2008 00:00:00 GMT

On August 18 the PCI Security Standards Council formally announced (http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf) forthcoming changes to the Payment Card Industry's Data Security Standard (PCI DSS) as it moves from version 1.1 to version 1.2 in October 2008. The release represents the first major update since September 2006.

What's my take on the summary of changes? Most merchants will be pleased to see that these are relatively minor changes...

Information risk management, and lessons-learned in the financial industry

blog@rsa.com (Paul Stamp) — Tue, 19 Aug 2008 00:00:00 GMT

Information risk management, and lessons-learned in the financial industry Last week's Economist had a good article entitled "Confessions of a Risk Manager", in which a risk manager from a global bank uses 20-20 hindsight to look at "what went wrong" in the lead-up to the credit crunch and the ensuing fallout. I won't pretend to understand all the ins and outs of financial derivatives, but there were some points raised that anyone in the IT security space can identify with...

Speaking of Security Podcast #118

blog@rsa.com (Podcast Producers) — Mon, 18 Aug 2008 00:00:00 GMT

Click to Download/Listen (11:27)

This week, Amanda Van Veen speaks with analyst Rod Nelsestuen from the TowerGroup. Rod covers key issues affecting several financial industry segments including emerging markets and trend, security, and risk management matters and in this segment, talks with Amanda about the evolution of business continuity planning and security’s increasing role.

Addressing NERC Cyber Security Standards Using a Frameworks-Based Approach

blog@rsa.com (Paul Davilman) — Wed, 13 Aug 2008 00:00:00 GMT

Although the NERC Cyber-Security Standards (http://www.nerc.com/files/CIP-002-1.pdf) are applicable only in the US, I think there's no doubt that cyber security is fast becoming a major concern of electric utility companies worldwide. In addition, other US critical infrastructure industry segments, such as water and chemical companies are also coming under increasing federal pressure to improve their own cyber-security efforts. Still, the NERC Cyber-Security standards have been criticized for being too ambiguous, providing little in the way of guidance, as well as for leaving loopholes for utility companies to beat the rules...

Speaking of Security Podcast #117

blog@rsa.com (Podcast Producers) — Mon, 11 Aug 2008 00:00:00 GMT

Click to Download/Listen (07:47)

In a recent RSA Web Seminar focused on the new FACTA Identify Red Flags provisions, industry analyst, Ken Herbert, with Frost & Sullivan, explained what financial institutions or creditors need to know about the upcoming November 1 FACTA deadline and provided some key recommendations for complying with the regulation. In this week's podcast, we'll share some of the questions and answers from this online event. To learn more, watch the entire webcast replay.

Proactive Education: Remedying the 'Strain' of Compliance

blog@rsa.com (Will Redfield) — Fri, 08 Aug 2008 00:00:00 GMT

A recent survey confirmed that internal threats continue to grow and to represent a challenge to organizations' security postures. It revealed that, in scans of 100,000 PCs and servers in many industries: 12% of infected computers had a missing or disabled anti-virus program, 10.7% had unauthorized personal storage such as USB sticks or external hard drives, 9.1% had unauthorized peer-to-peer (P2P) applications installed, 8.5% had a missing 3rd party desktop agent, 2.6% had unprotected shared folders, 2.2% had unauthorized remote control software, and 2% had missing Microsoft service packs. These results continue to resonate with the conclusions of the CSI FBI survey that reported in 2007 that internal threats have now outpaced viruses in terms of risk to organizations...

Get in the habit of asking: "Is this your biggest issue?"

blog@rsa.com (Paul Stamp) — Thu, 07 Aug 2008 00:00:00 GMT

In previous lives, both as a talking head and implementation guy, I'd get some pretty in-depth questions about subtle security issues -- usually as a result of something someone had read was a "best practice". Sometimes questions were about specific configuration settings for an OS or obscure firewall ports, other times it was a question about some arcane encryption algorithm or key length. Usually, I'd respond by asking, "Is this the biggest issue you have?" Common examples include...

What's Hot and What's Not in Europe This Year...

blog@rsa.com (Andrew Moloney) — Thu, 07 Aug 2008 00:00:00 GMT

Europe is a hotbed of cutting-edge fashion. But why am I telling you guys this? You work in the Information Security business -- the kind of business that draws out the fashionista in all of us... And I guess that's one of the issues with what, in relative terms, is still a pretty young industry: every "season" we eagerly anticipate the new "line" from the next greatest new discovery.

That said, I do think that we're definitely starting to see signs of maturity in the market -- of the emergence of "design classics"...

PCI Compliance: Book 'Em!

blog@rsa.com (Brad Davenport) — Wed, 06 Aug 2008 13:00:00 GMT

On August 5, 2008, federal law enforcement officials announced the indictment of 11 people charged with stealing and selling more than 41 million credit and debit card numbers from nine major US companies.

"This is the single largest and most complex identity theft case ever charged in this country," said US Attorney General Michael Mukasey.

According to officials, the defendants -- three from the United States, one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin -- tapped into wireless networks and installed programs that captured card numbers, passwords and account information. The stolen data was then hidden around the globe and sold for profit.

This event reflects a growing trend in cyber crime...

Speaking of Security Podcast #116

blog@rsa.com (Podcast Producers) — Wed, 06 Aug 2008 00:00:00 GMT

The Importance of Strong Authentication for Business Continuity

New Speaking of Security co-host, Amanda Van Veen, meets with Jeff Carpenter, Senior Product Marketing Manager at RSA, to discuss how the latest release of RSA Authentication Manager supports organizations focusing on business continuity. When natural or man-made disasters hit, it's important that employees be able to quickly and easily access network resources, but it's equally important to know just who those new remote workers are.

PCI Compliance? Let's Talk!

blog@rsa.com (Brad Davenport) — Thu, 31 Jul 2008 17:35:05 GMT

During a meeting with an RSA customer earlier this week, I was asked a very detailed and pointed question about my interpretation of requirement 3.4. Specifically, the customer was using encryption to render PANs unreadable and wanted to know if their algorithm was indeed classified as "strong cryptography." Really, the customer was interested in making sure this particular encryption algorithm would pass their upcoming PCI audit. While I was happy to voice my opinion, I stressed the critical importance of open and honest communication when it comes to passing an audit and successful PCI compliance in general...

"Off the Peg" Authentication can lead to an ill-fitting suit

blog@rsa.com (Andrew Moloney) — Thu, 31 Jul 2008 00:00:00 GMT

I was interested to read in the papers here that the UK's Association of Private Client Investment Managers and Stockbrokers (Apcims) has raised concerns about changes to existing data security measures which are being imposed by the Financial Services Authority (FSA). The FSA is seeking to mandate strong authentication -- using secret questions (you know the kind of thing -- mother's maiden name, date of birth, name of your favourite Spice Girl, etc, etc) -- before brokers can get on with doing business with their clients by phone. This comes a few months after a city firm was hit with a £77k (~$150k) fine for failing to do just that.

Now, ordinarily, forcing mandatory extra authentication like this you'd think is a good idea, and something that should be applauded...

At last: security metrics for the masses

blog@rsa.com (Paul Stamp) — Wed, 30 Jul 2008 00:00:00 GMT

The folks at NIST have just released a Performance Measurement Guide for Information Security, which is a really good guide for creating a metrics program. Luckily, I've been in enough of a procrastinatory mood to give it the once over. My take?

Speaking of Security Podcast #115

blog@rsa.com (Podcast Producers) — Mon, 28 Jul 2008 00:00:00 GMT

Click to Download/Listen (10:36)

A couple of weeks ago, Paul Joyal interviewed RSA’s Phil Marshall about Knowledge-based Authentication, or KBA. This week, we present a conversation on the same topic that Phil had with Tom Wills, Senior Analyst for Risk, Security & Fraud with Javelin Strategy and Research.

Addressing Cost Issues in the Ever-Changing World of Compliance

blog@rsa.com (Paul Davilman) — Fri, 25 Jul 2008 00:00:00 GMT

We keep hearing from analysts that the cost of compliance should go down each year but unfortunately our customers are telling us the exact opposite. They are continuing to get slammed by new regulations and feel compelled to implement all types of point products & solutions in order to meet immediate needs.

In Security & Compliance, it's all about the 'I'

blog@rsa.com (John McDonald) — Fri, 25 Jul 2008 00:00:00 GMT

Most of us in the security trade work in a group or have a job description that contains (or in some cases, implies) the word 'information' - 'IT Security', 'Information Security', 'Office of the CIO', etc. This naming convention, while a seemingly trivial aspect of our jobs, should really be the primary driver for everything we do. Why? Because virtually everything we do has the ultimate goal of protecting some type of asset that is important to our organization, and that asset is almost always information. This basic truth can be most effectively illustrated by considering what drives the daily requirements of our work - compliance.

The Latest from RSA Labs: The Keys to RFID Privacy

blog@rsa.com (Dr. Ari Juels) — Fri, 25 Jul 2008 00:00:00 GMT

Data-security vendors sometimes get tall orders from customers. Not unheard of are: "I'd like a good digital signature system... with 20-bit keys" and "I want to use one-time pads for encryption... and I need to compress them." But one of the most challenging I've heard was recently offered up by colleagues in the RFID (Radio-Frequency IDentification) industry.

The End of Neosploit?

blog@rsa.com (RSA FraudAction Research Labs) — Thu, 24 Jul 2008 00:00:00 GMT

The first and most important thing when trying to grow a pool of malware-infected PCs is the infection stage. The goal is to infect as many users as possible, as quickly as possible -- and remain undetected for as long as possible.

Neosploit is a brand that could be relied upon to solve that problem rather well. Designed to ease the infection stage, Neosploit is an infection kit which exploits numerous system vulnerabilities and infects PCs worldwide with any type of malware. Neosploit checks "candidate" PCs in order to find vulnerabilities, and once these are found, the PC will be infected with the malware of the criminal's choice.

However, the RSA FraudAction Research Labs recently received information indicating that we may soon see the last of this "Neosploitation".

We're Web 2.0 Crazy Here At RSA

blog@rsa.com (Paul Stamp) — Thu, 24 Jul 2008 00:00:00 GMT

Notwithstanding the fine bloggery that goes on at this site (excluding yours truly of course), there's a bunch of splendid social computing activity going on here at RSA. There's no better example of this than the RSA enVision Intelligence Community.

The Intelligence Community is an online community of RSA enVision customers, partners, systems engineers and product managers. It's getting quite a lot of use too, with interesting new posts around feature requests, tips and tricks and product announcements appearing every day. I was just trawling through it this morning, and I thought I'd pull out a few highlights...

Is More Regulation Always the Way to Go?

blog@rsa.com (Andrew Moloney) — Thu, 24 Jul 2008 00:00:00 GMT

Over in the US, Senator Obama has recently been talking about his stance on Cyber terrorism. While there were many interesting points in his proposals, I wanted to home in on his comments regarding the protection of national infrastructure. You don't need to be a technological genius to have figured out that computers pretty much run every aspect of our daily lives these days -- transportation networks, utilities, broadcast information... you name it. It's fair to say, then, that if you could find a way of compromising those computers you could really mess up everyone's day....

The Long Road Towards an ISO 27001 "Tipping Point" (and a true Reader's Poll!)

blog@rsa.com (Dave Howell) — Tue, 22 Jul 2008 00:00:00 GMT

So, in conversations with customers of late, I've observed a steady increase in talk of plans to soon adopt ISO 27002, or active work to get the standard implemented in some fashion. This isn't necessarily surprising, particularly when you're talking with highly regulated companies or those more apt to understand information risk management, overall (e.g., those in banking, insurance and utilities, or more recently, thanks to PCI DSS, retail). Because, as I suspect most would agree (and speak up if you don't!), 27002 provides an incredibly broad and deep view into the types of security controls an organization should at least consider when building a security and information risk management program.

What has certainly come as more of a surprise, though, is...

Speaking of Security Podcast #114

blog@rsa.com (Podcast Producers) — Mon, 21 Jul 2008 17:00:00 GMT

Click to Download/Listen (05:51)

New co-host Amanda Van Veen interviews Linda Lynch, RSA® Conference Europe Manager, about this year's Conference in October. Learn about the early bird registration special as well as other helpful travel hints and session highlights. Register today: www.rsaconference.com/2008/europe.

Reader Poll: Do you think ISO?

blog@rsa.com (Dave Howell) — Mon, 21 Jul 2008 00:00:00 GMT

A couple of weeks ago I posted on the topic of "defining compliance." One of the suggestions raised was that businesses that identify a common control framework, or combination of frameworks, may have an opportunity to significantly reduce costs and redundancies associated with their compliance program. The idea is that rather than approaching each requirement in a silo, and therefore attacking each related security requirement in isolation, it would be better to ensure that the organization is looking more horizontally at the types of security controls that must be enacted in the context of all the requirements that must be met...

A new version?

blog@rsa.com (Brad Davenport) — Thu, 17 Jul 2008 00:00:00 GMT

Yes folks, the PCI DSS's first major update since version 1.1 was announced in September 2006 is on the horizon. Unveiled in May by the PCI Security Standards Council, the new version, called 1.2, is due out in October. Over the past few weeks, I've received a myriad of inquiries from merchants and figured this would be a good forum to share some of them...

SIEM - anyone got a better name?

blog@rsa.com (Paul Stamp) — Tue, 15 Jul 2008 12:30:30 GMT

So this one's been digging away at me for a while. I just think that the term "Security Information and Event Management" doesn't do the space justice. I'm not talking about the "information" vs "event" debate -- it's the "Security" part of it that I have a bit of a problem with. Log management doesn't really capture the essence of it either, as Greg Shipley pointed out in his recent Network World article, especially since we're dealing with all sorts of asset and vulnerability information too. For a start, labeling these tools solely as security tools sets expectations about what these tools are best at....

A Single Europe for Data Protection?

blog@rsa.com (Andrew Moloney) — Tue, 15 Jul 2008 00:00:00 GMT

Last Friday I spent the morning in the company of a lawyer from a top international law firm. Once we'd marvelled that the sun had finally deemed to make an appearance over the grey skies of London, our conversation turned to the rather weightier subject of data privacy. We've been doing a lot of work around using ISO27002 as a framework best practice in developing and deploying a robust information security strategy. As part of that work, I and my "Evangelist" colleagues have taken a stab at mapping various regulations against this "gold standard" in order to help customers understand where overlaps, or indeed gaps, may occur between these various regs...

Speaking of Security Podcast #113

blog@rsa.com (Podcast Producers) — Mon, 14 Jul 2008 00:00:00 GMT

Click to Download/Listen (11:11)

With users wanting more real-time, self-service options, many organizations have migrated their services to remote channels including the Internet or Call Centers but these services and benefits come with added risks of fraud and identity theft. Knowledge-based authentication (KBA) offers customers the opportunity to benefit from remote interactions with stronger security as well as the added convenience of real-time authentication. Learn more in this week's podcast. In other news, we bid a fond farewell to co-host Matt Buckley.

Virtualization and Authentication

blog@rsa.com (Sean Kline) — Tue, 08 Jul 2008 00:00:00 GMT

Virtualization is one of the most hyped technologies in Information Technology today -- and rightly so. It offers the potential to improve utilization, lower cost of ownership of computers, enhance productivity, ease compliance, increase reliability and potentially improve security. Let's explore the last claim. Without a doubt, there is an impact of virtualization on security, and in particular authentication...

Speaking of Security Podcast #112

blog@rsa.com (Podcast Producers) — Mon, 07 Jul 2008 15:08:00 GMT

Art Coviello Keynote at EMC World

Art Coviello tells a cautionary tale of the future of security and its impact on business innovation at this year's EMC World. Hear how to avoid the perfect storm by integrating security into the platform and using information risk management strategies.

Timing is Everything...

blog@rsa.com (Andrew Moloney) — Mon, 07 Jul 2008 00:00:00 GMT

I don't want to spend all my time on this blog talking about HMRC (otherwise referred to in the UK as "the taxman"), but a colleague just forwarded me a phishing email he'd just received purporting to be from them, asking him to resubmit his personal details as a "new security measure" While in itself there's nothing particularly big or clever about this attack, it's interesting in that it illustrates a couple of key things. Firstly, that sometimes in order for an attack to be successful, timing is everything...

Why I welcome the Hannigan Report

blog@rsa.com (Andrew Moloney) — Thu, 03 Jul 2008 18:00:00 GMT

As an RSA 'Evangelist' with pan-EMEA responsibilities, I obviously take a special interest in what's happening in the information security world that pertains to this region. Last week saw the publication in the UK of the long-awaited Hannigan Report -- detailing the steps that UK Government departments have taken -- and are expected to take -- to mitigate recent data leakage events which have occurred, most notably in the instance of HMRC.

It's a cracking read and one I'd recommend to all insomniacs with an penchant for such topics, but I have to say, I'm actually pretty encouraged by what I read...

Correlation is no silver bullet

blog@rsa.com (Paul Stamp ) — Thu, 03 Jul 2008 17:26:29 GMT

I talk to a lot of security folks about SIEM and log management, and quite often the conversation turns to event correlation. You can spot the people who've never bought a SIEM product, because they start by saying, "Well, I want to know whenever 'x' happens, and then 'y' happens soon after". Admittedly, the situation they cite is a usually real one, and granted, if you do see 'x' and 'y' happening in reasonably quick succession then, chances are, you have a problem. But it's usually not their biggest problem -- in fact, far from it. My favorite is "the guy swiping his badge in Tokyo and then logging on in New York", which I hear time and time again...

Finished? Where should I start?

blog@rsa.com (Brad Davenport) — Tue, 01 Jul 2008 00:00:00 GMT

Many of the merchants I speak with are sharply focused on addressing specific PCI security requirements. While implementing the controls needed to meet the requirements is absolutely critical, I can't stress enough the importance of taking time to aim before firing.

It's no secret that PCI compliance is focused on securing cardholder data and infrastructure. Simply put, you can't secure what you don't manage and you can't manage what you don't know about. Before you go looking for all instances of cardholder data, you must be prepared to find more than expected.

Most merchants are aware of the cardholder data in their database(s). But what about payment applications or payment portals that temporarily store the data? Or customer service reps e-mailing credit card information to confirm or dispute an order?...

Speaking of Security Podcast #111

blog@rsa.com (Podcast Producers) — Mon, 30 Jun 2008 00:00:00 GMT

Click to Download/Listen (07:04)

The fear of data leakage through loss, theft or careless use of USB flash drives is rising dramatically throughout the enterprise. This week we discuss the problem and potential solutions with Dror Todress, Senior Manager, Marketing, for SanDisk Corporation’s Enterprise Division, an RSA Secured Partner.

The SIEM and the SOC -- what's useful and what's not?

blog@rsa.com (Paul Stamp) — Thu, 26 Jun 2008 00:00:00 GMT

So earlier this year, again in my past life as an analyst, I spoke to a bunch of users, vendors and experts hoping to get some best practices about creating a Security Operations Center (SOC). For Forrester customers, I published my findings here.

To be honest, I originally came at this piece of research as a way to define what the place of a SIEM product in a SOC, so I diligently asked everyone I interviewed what technologies they thought were central to a security operations function. The answers I got were pretty unexpected, and normally started with the phrase "Technology? Oh that's an afterthought."

When we think of a SOC, we often have this picture of a big room, full of people in rows staring at a big screen up front, with monitors in front of them...

New RSA Compliance Solutions Bloggers

blog@rsa.com (Speaking of Security Blog Editor) — Wed, 25 Jun 2008 00:00:00 GMT

Please join us in welcoming a new set of RSA Bloggers. The RSA Compliance Solutions team--including Dave Howell and Brad Davenport--will be penning a set of blog entries for "Speaking of Security" around the theme of Simplified Compliance. Please take advantage of the comments field to get answers to your compliance-related security queries!

Defining "Compliance"

blog@rsa.com (Dave Howell) — Wed, 25 Jun 2008 00:00:00 GMT

As part of the RSA Compliance Solutions team I meet with companies all over the world to discuss their security challenges and priorities. Inevitably I spend much of my time discussing ... you guessed it ... compliance.

It is eye-opening to see how differently our customers and partners, as well as folks within RSA, define compliance. From what I've seen, most will immediately gravitate towards the notion of meeting the stated or implied security requirements within governmental mandates, such as Sarbanes-Oxley and HIPAA. In addition, "compliance" certainly conjures up images of the PCI Data Security Standard, which isn't surprising considering how many organizations these requirements impact. What we don't tend to see initially is a broader view of compliance...

The "E" word

blog@rsa.com (Brad Davenport) — Tue, 24 Jun 2008 00:00:00 GMT

I met with a merchant this morning to talk PCI compliance. Like many of the conversations I've had with merchants, things got a bit more interesting when the discussion focused on cardholder data protection. They joked that the new rev of the PCI Standard, version 1.2 -- due out in October -- would eliminate the data protection requirements. All joking aside, the truth is that data protection isn't going anywhere when it comes to the PCI DSS. While there are other alternatives, such as hashed indexes, truncation and...