For a mere 30 smackers, the U3S6 card gives you two USB 3.0 ports and two SATA 6.0 ports in a PCI-E card. The card has three primary components...
The seeming inconsistency between the perception of being immune from data breach risks and the rapid growth in data breach incidents led us to think about whether organizations can actually quantify their level of breach risk. We were somewhat surprised that there is not much available to organizations to help them in scoring their vulnerability.
In Estonia the State Department has arranged for a series of meetings/lectures and discussions for Mr. Clinton. In addition to visiting the NATO Center, Mr. Clinton will meet with representatives of the Estonian government, private sector entities, law enforcement, university and primary education professionals.
Infected users often spread additional malware by having links to infected Web sites posted on their own Web page without their knowledge. Friends are then more apt to click on these links since they appear to be endorsed by their contacts. Tips on avoiding these tactics…
ISAlliance President Larry Clinton, in Estonia by request of the US State Department; Critical Infrastructure Protection (CIP) Congress; ISAlliance/CyLab Webinar; CMU Software Engineering Institute one day course: Creating a Computer Security Incident Response Team; ISAlliance/AIA Webinar; NIST 5th Annual IT Security Automation Conference; Illinois Institute of Technology 5th Annual VoIP Conference & Expo…
Thursday, September 24 at 2 Eastern: ISAlliance & AIA are pleased to offer an exciting FREE webinar: The Financial Impact of Cyber Risk. Virtually every company has calculated the benefits of electronic business into its business plans. Unfortunately, companies often fail to account for the financial downside that may result from cyber security attacks.
This is the first part of my Black Hat interview with Andrew D. Hayter, Anti-Malcode Program Manager for ICSA Labs. In this installment, Mr. Hayter highlights the challenges businesses face in mitigating malware-related risks.
ANSI Identity Theft Standards Panel webinar “Lessons from the Data Breach at Heartland” by Bob Carr, CEO of Heartland Payment Systems; Carnegie Mellon University Software Engineering Institute Insider Threat Workshop; U.S. Department of Homeland Security Critical Infrastructure and Key Resources; ISAlliance/NIST/DHS VoIP & Unified Communications Automated Security and Assurance Project; IT Sector Coordinating Council Protective Programs and Research and Development (PPRD)…
The RFI is classified, but in general terms, it seeks information on prospective technical, end-to-end solutions that will help to protect the federal (.gov) cyber domain, and to facilitate cybersecurity improvements affecting the private sector. Registration will remain open until July 22, 2009.
ISA has been designated to lead the development of industry based SCAP checklists for these key technologies.
OMB has already mandated to federal CIOs that “Information technology providers must use S-CAP validated tools, as they become available, to certify their products do not alter the Federal Desktop Core Configurations, and agencies must use these tools when monitoring use of these configurations.”
Auditors definitely need to be more exacting and tougher when evaluating a company’s adherence to the specification. But an audit is a point-in-time event that says “as of today” your security level and change and control processes are at an acceptable state.
If Savvis did a poor job of auditing CardSystems and issued a PCI certificate when that company was not really compliant, Savvis is at fault for issuing the certificate.
But what about the many companies who are compliant with PCI DSS with a point-in-time audit only to be breached a month later?
The decision to outsource information security isn’t the right approach for every business; the choice of provider and which services to farm out to a third party are unique to each organization and set of circumstances.
Furthermore, while the responsibility for information security’s daily care and feeding can be outsourced, the accountability for compliance, information protection, and assurance will still reside within the organization usually in the CISO’s office.
There are several things the CISO will need to focus on and ways to not only influence the security outsourcing decision but also take ownership of assessing the risk inherent in the outsourcing relationship...
Having been an active participant in the mobile industry for roughly ten years, I often get asked what I believe is the most difficult challenge to overcome when considering mobile device management.
The question is a simple one, and the answer is simple too - it depends.
When I receive this question from engineering, it’s usually with the purpose of determining which feature to add or not add in the next version of the product. When it’s from sales, the objective is to find a compelling argument to further an opportunity in the sales cycle. And when it’s from customers, it’s usually about creating policies or best practices to avoid pitfalls that they may encounter. With that in mind…
The rules and requirements for auditors reveal a number of potential conflicts of interest that could arise between an auditor and the entity it’s assessing. For example, many security auditors also make security products. The rules state that a security company will not use its status as auditor to market its products to companies it audits, but if the auditor should happen to find that the client would benefit from its product, it must also tell the client about competing products.
By Kevin M. Nixon, Information-Security-Resources.com Security Editor
I served on the Executive Board of Directors for the Internet Security Alliance (2001 - 2004) and supported the creation of the Department of Homeland Security. I continue to make the rounds on Capitol Hill meeting with US Senators and Representatives and their Congressional Staffs as a subject matter expert on all types of IT Security, Data Privacy, Cybersecurity and GRC issues to provide our elected officials with a real-world view into the impact their legislative actions can have, both positive and negative.
Google identifies the ten domains responsible for compromising the largest number of sites on the internet. In response to a recent surge in websites being infected with malware, Google has revealed the top ten most popular malware sites in the last couple of months.
The malware logs the magnetic-stripe data and personal identification number of cards used at an infected machine and provides an intuitive interface for retrieving the information using the ATM’s receipt printer, according to analysts from Spider Labs, the research arm of security firm Trustwave. Since late 2007 or so, there have been at least 16 updates to the software, an indication that the authors are working hard to perfect their tool.
“Protecting our nation’s computing systems that control critical cyberinfrastructure is crucial,” Fred Chang, lead investigator and director of the CIAS, said in a statement.
There are many efforts to create meaningful security metrics, which is a worthy goal. After benchmarking over 1000 IT operations and security organizations in the past four years, I’ve formed some very strong conclusions and opinions, some of which go against security common wisdom.
“Centralizing our cybersecurity efforts under Phil’s leadership will help create a unified DHS as we continue to adapt to an ever-changing array of threats. Together, Phil, Bruce and Greg will guide the Department’s efforts to prevent cyber attacks and protect the nation’s critical information systems and networks.”