Counterfeiters, Pirates and Organized Crime
By Richard Power and Christopher Burgess
There is a threat difficult to quantify or even detect, one that has not yet grabbed the headlines or captured the imagination, and yet is relentlessly and efficiently looting, pillaging and plundering the U.S. and global economies of their magic ingredient — trade secrets.
Stiennon Talks to SecureLexicon’s Steven Fox
By Richard Stiennon, Chief Research Analyst, IT-Harvest
Listen to the podcast as Steven asks me about “Knowing thy enemy”, “lessons learned”, “crowd sourcing attacks”, “understanding environmental and cultural context”, “Iranian cyber war”, and “political goals”.
Multi-Platform Enterprise Mobility Solutions
Britt Womelsdorf, Principal Systems Consultant, Sybase iAnywhere
There are products out there claiming to be “Enterprise Solutions” that only support a single mobile operating system, or, worse yet, a single version of a single operating system. While these products may do an admirable job managing the subset of devices that run that OS, what about the rest?
Heartland (HPY) Implements E2EE System
From Heartland Payment Systems
“Monday’s successful test involved Zones 1, 2, 3 and 4,” detailed Steven M. Elefant, Heartland’s executive director of end-to-end encryption. “We believe that protecting data in these zones alone will significantly impact the protection of cardholder data.”
Making PCI Stand For Coordination & Impact
Daniel Wallace, Information Security Consultant
It will be no small task in terms of cost and effort for many of the impacted companies to make the transition from self-assessment to onsite third-party assessment. However, there are ways to lessen the burden and actually drive business value from the engagement.
Audits and the Change Management Process
By Gene Kim, CTO of Tripwire and co-founder of the IT Process Institute
If the auditor observes that no one is showing up to the change management meetings, that authorizations are rubber-stamped without any real evaluation, and that unauthorized changes and unplanned outages are occurring regularly, then she will likely flag this as a potential high-risk area.
Sun Tzu and The Art of CIO Success
By Steven Fox, Founder of SecureLexicon
The CIO is a “General”. Generals are not concerned with how the weapons function or how the rank-and-file are performing. This is the job of the lieutenants. The General focuses on the strategic application of resources on the battlefield.
Model Employees May Be The Insider Threat
By Rachel James, Author and Cybercrime Authority at ID Experts
It is important to realize that insider threats are not just a people problem, but a technical problem as well. There are certain controls and best practices that you can follow to help identify and address threats and minimize your organization’s risk.
Inside the Due Diligence Value Proposition
By Greg George, Managing Partner of GTI Advisors
Due diligence can be categorized as a fraud management tool, an information gathering exercise or just a shield that will provide some value in case something goes wrong. It is important to undertake due diligence for all transactions, irrespective of their value. You cannot evaluate it in terms of ROI. Consider it a cost, just like a premium paid for insurance.
Cyber Security Week In Review: June 27th
From The Internet Security Alliance and Information Security Resources
Exploits of unpatched Windows bug will jump, says Symantec; Mozilla tackles XSS vulnerabilities with new technology; New Facebook blog: We can hack into your profile; Red Condor’s Spam Trip Wire detects new virus; Adobe Releases Update for Shockwave Player; Gates Creates Cyber-Defense Command; Google clamps down on ‘malvertising’; Hacked high-profile Twitter accounts still spreading malicious links; Spam, Phishing, and Malicious Code Related to Recent Celebrity Deaths.
On Communications Sector Cyber Security
From The Internet Security Alliance
From an “all hazards” approach, we worry about the overall architecture of the system. If there were a major incident in one facility, would we and our customers have what we need to survive a major hit?
Sensitive Data and the Pharmacy Industry
By Kat Sanders of Pharmacy Technician Certification
There is a surfeit of information today, and although we have come up with ways and means to store it for eternity, we are still not able to ensure its security. Information is valuable only as long as it remains protected; once in the hands of people who are likely to misuse it, it turns into a recipe for disaster.
State Entities Targeting Intellectual Property
By Richard Power and Christopher Burgess
Why do nation states engage in economic espionage and intellectual property theft? Primarily, to acquire technology to advance a military program, or to advance the economic competitiveness of the nation’s industrial base, or simply to ensure that the major companies and contributors to the nation’s GDP continue to make that contribution.
Can Your iPhone Really Be Made Secure?
Britt Womelsdorf, Principal Systems Consultant, Sybase iAnywhere
Anyone in the security field will tell you that information security is affected and addressed at multiple layers within a solution. As part of the evaluation process for an enterprise business solution, particularly one that enables the transport of potentially sensitive data outside the corporate network, a risk analysis should be conducted.
PCI SSC Seeks Input on Security Standards
From the PCI Security Standard Council
During phase two of the lifecycle process, between July 1 and November 1, 2009, merchants, processors, financial institutions and other key stakeholders have the opportunity to provide detailed and actionable feedback in an effort to revise future editions of the Council’s standards to improve payment data security.
Enhancing Value Propositions with IT Security
By Steven Fox, Founder of SecureLexicon
Rather than struggle with existing processes and culture, security professionals must strive to design solutions that leverage these elements… If information security professionals discuss security within this framework, they can communicate the business value of a given set of solutions. By speaking the language of business they can get the attention of those in control of the budget.
Internet Security Alliance Updates 6-23-09
From The Internet Security Alliance
“Nine-Ball” mass injection attack compromised 40,000 sites; Apple accepts Mac’s vulnerability to malware; Google’s online security helps fight malware; Microsoft’s free antimalware beta on the way; Introducing the ISAlliance Information Security Resources News Feed.
(Never) Always Set Up QA Before Production
By Gene Kim, CTO of Tripwire and co-founder of the IT Process Institute
And then the code is deployed into production, where it fails spectacularly. Now the problem isn’t that the QA schedule is slipping. Now the problem is that a potentially mission-critical service is down, and we have a potential Sev 1 outage, requiring the best Ops, QA and Development people to figure out how to restore service.
The Cyber Shot Twittered Around the World
By Richard Stiennon, Chief Research Analyst, IT-Harvest
Unlike Russia, which to this day has successfully denied participation in cyber attacks on Estonia, Lithuania, and Georgia, or China, which vehemently denies its massive cyber espionage activities, the US has pretty much lent its support to a communication vehicle that is writing a new chapter in the history of cyber warfare.
Security Information Event Management
By Bozidar Spirovski, CISSP, MCSA, MCP
Banking, Telecommunications, Power and Energy - anyone and everyone is under internal audit and regulator scrutiny to implement a Security Information Event Management system. But most Security Information Event Management implementations are rushed and placed only to shut up the auditors and to go on as usual. Since it’s a compliance requirement, the Security Information Event Management salespeople very rarely address whether the customer makes proper use of the solution, and whether this solution brings benefits to the company.
Secrets Stolen, Fortunes Lost: Part I
By Richard Power and Christopher Burgess
There is a compelling lesson in this fact. A decade ago, such stories rarely made it onto the news wire or into the courts. Today, they are commonplace. Unfortunately, the awareness and defenses required to thwart such damaging activities, although economical and effective, are far from commonplace. Our hope is to change that.
Internet Security Alliance Updates 6-19-09
From The Internet Security Alliance
Introducing the ISAlliance Information Security Resources News Feed: In our continued effort to provide membership with access to the latest developments and relevant issues being addressed by compliance, IT and security professionals today, the ISAlliance would like to introduce the addition of the Information Security Resources News Feed to our website selections; BKIS – Deep Freeze application fails to detect new Chinese worm; Hackers to release Apple iPhone OS 3.0 software jailbreak; ‘Golden Cash’ botnet-leasing network uncovered.
Legal Issues are Hazy for Cloud Computing
By John Watkins, Attorney with Chorey, Taylor & Feil
From a legal standpoint, cloud computing appears to raise a host of essentially contractual issues to be addressed by the parties’ contract or licensing arrangements. There are also potential regulatory issues (ranging from privacy to export control issues), potential e-discovery issues, and certainly other issues that have not yet crossed my mind.
Internet Security Alliance Updates 6-17-09
From The Internet Security Alliance
Busted: international telephone hacking conspiracy. Apple patches Java flaws, at last. Locating VoIP callers in emergencies. ISAlliance/NIST/DHS VOIP SECURITY PROGRAM - CALL TO PARTICIPATE.
A Guide for Full Field Background Checks
By Greg George, Managing Partner of GTI Advisors
When it comes to background research on principals prior to an investment, joint venture, merger, acquisition or new partnership opportunity, or on a key management, scientific or fiscal candidate prior to hiring, my recommended research criteria vary depending on the specific industry. However, here is what I suggest as a common baseline that is comprehensive yet cost effective – a hedge that can save you much aggravation and money later…
Security Tales from an IT Road Warrior
By Dwayne Melancon, Tripwire’s VP of Corporate and Business Development
To net it out, there is a lot going on – some converging, some diverging. Choosing from different solutions to the same problems is what our jobs as business and IT practitioners are about. That’s why we get paid the industry-adjusted, median bucks.
Sun Tzu and The Art of Information Security
By Steven Fox, Founder of SecureLexicon
“Invincibility is in oneself, vulnerability is in the opponent” - Sun Tzu. Dictionary.com defines invincibility as being “incapable of being conquered, defeated, or subdued.” In the context of The Art of War, this is accomplished through self-defense. Individual self-defense requires awareness of one’s tactical and strategic strengths and vulnerabilities. Once this awareness is developed, one projects the image that reduces the risks created by potential opponents. While different in scope, this model is applicable to a corporation.
Internet Security Alliance Updates 6-15-09
From The Internet Security Alliance
More scamming and spamming on Twitter. Symantec warns of wireless keyboard security threat. Chrome update completes busy browser patch week. Microsoft to launch Morro antivirus ‘soon.’ The Department of Homeland Security (DHS) Office of Cybersecurity and Communications (CS&C) National Cyber Security Division (NCSD), the Department of Defense (DoD) and National Institute for Standards and Technology (NIST) Information Technology Laboratory will host the Software Assurance Forum and Working Group Sessions…