Malicious code that comes with release notes?
New security report shows that’s how sophisticated cybercriminals have become
By Robert Mullins
Network World
I was astonished when Mike Dausin of security provider HP TippingPoint briefed me on a new state-of-network-security report and explained how much more sophisticated writers of malicious code had become. Their code is much cleaner than it had been in years past, and recently some updated versions of this code have actually come with release notes.
“When you think about code having release notes, that implies a level of maturity that just wasn’t there before,” said Dausin, manager of advanced security intelligence for TippingPoint, whose DVLabs unit conducts research into network vulnerabilities and helped produce “The Top Cyber Security Risks Report,” which was published today.
Read more: Click to access the related article.
Payment Card Security: Risk & Control Assessments
By Gideon T. Rasmussen
(IN)SECURE Magazine
The PCI Data Security Standard mandates foundational controls, most of which are information security best practices. It is a one-size-fits-all standard meant to address all business and technological environments that store, process or transmit payment card data. Minimum compliance with PCI standards may not adequately protect card data. Therefore, it is necessary to conduct a risk assessment in accordance with PCI requirements.
Read more: Click to access the related article.
State Security Breach Laws (memo and chart)
Schwartz and Ballen LLP Memorandum
Re: State Security Breach Laws
This memorandum summarizes state legislation requiring notification to consumers of unauthorized disclosures of their personal information. To date, forty-six states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted legislation addressing security breaches. Most recently, Mississippi enacted security breach legislation, and Washington amended its law.
Read more: Click to access the Memorandum and the Security Breach Chart.
Reducing Risk Detection and Reaction Time
Due to the many different facets of today’s business environment, businesses worldwide have been confronted with a substantial increase in risk-related challenges. The 2008 and 2009 economic downturn has forced companies to feel pressed for time when redefining their business priorities and strategies. Looking back on these years, many companies believe that if they had only known earlier that the economy was changing, they could have had more time to prepare themselves for the conditions they currently face. Most companies have learned the hard way about the importance of reducing risk detection and reaction time for the success of their businesses. A recent article by Ernst and Young examines how organizations can reduce their risk detection and reaction times in order to gain value and competitive advantage. Their advice is applicable in any economic condition, as risks arise constantly in our global, fast-changing, competitive world.
Read more: Click to access the related article.
Social Engineering Report Shows Corporate America At Risk
Final report from Defcon contest details information employees gave up over the phone
By Kelly Jackson Higgins
DarkReading
Among the unsettling results in the final report, released today, from the Social Engineering Capture The Flag contest held in August at Defcon: Security companies were just as susceptible to social engineering as nontechnology firms, Internet Explorer 6 was still in use at 65 percent of the Fortune 500 companies targeted in the contest, and nearly 90 percent of the targets willingly opened a URL that the contestants gave them.
The contest, in which the art of social engineering was demonstrated on a rare public stage using real-world targets, was aimed at gauging the vulnerability of major corporations to social engineering. And the 17 contestants, who had to compile a dossier of as much information as they could gather passively on their assigned target company beforehand (no phone calls, email, or direct contact), had little trouble scoring information in the 25 minutes they had to social-engineer someone on the other end of the telephone line during the contest. The event was open to Defcon attendees to watch as the contestants made their calls from a soundproof booth.
Read more: Click to access the related article.
Incentives & challenges for cyber security information sharing
The EU ‘cyber security’ Agency ENISA, i.e. the European Network and Information Security Agency, launched a new report on barriers to and incentives for cyber security information sharing. The report shows, for example, that economic incentives are much more important for practitioners than the academic literature indicates.
The importance of information sharing for Critical Information Infrastructure Protection (CIIP) is widely acknowledged by policy-makers, technical and practitioner communities alike. The Agency has researched peer-to-peer groups, e.g. Information Exchanges (IEs) and Information Sharing and Analysis Centres (ISACs). The report identifies the most important barriers and incentives in day-to-day practice in IEs and ISACs for CIIP. This research differs from other reports by being focused on the practitioners’ experiences. The material stems from three sources: literature analysis, interviews, and a two-round ‘Delphi’ exercise with security professionals. The report is launched in conjunction with the NIS Summer School, taking place 13-17 September in Crete.
Read more: Click to access the related article.
Smoking Out Attackers Hiding in Encrypted Data
By David Wells
TechNewsWorld
For an enterprise concerned about security, which most are, addressing the risks posed by threats hidden within encrypted SSL traffic is clearly not something that can be ignored. If SSL were being used for no purpose, then the problem could be solved by simply avoiding or preventing the use of SSL. However, the reality is that SSL is used to provide much-needed security for a wide range of network applications.
Today, most enterprises have a number of network security appliances that provide protection against attacks aimed at enterprise computing resources, as well as prevent the loss of sensitive enterprise data due to deliberate or unintentional leakage. These security appliances work by matching network traffic with threat signatures or tracking application state as a means to detect suspicious behavior.
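The blind spot the article describes, as an added illustration that is not part of the original article or of any vendor's product: a signature-matching appliance finds a known pattern in a plaintext HTTP request, sees nothing in the same request once it is encrypted, and finds it again only when it is given the session key (the role of an SSL inspection proxy). The signature table, the flows and the session key are constructed for the example, and the XOR keystream cipher is a stand-in for TLS record encryption, not TLS itself.

```python
import hashlib
import re

# Constructed signature table standing in for an IDS/IPS rule set.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
}


def keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream (illustration only, not TLS)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the payload with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


toy_decrypt = toy_encrypt


def match_signatures(payload: bytes) -> list:
    """Return the names of every signature that matches the payload."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(payload))


def inspect_flow(flow: dict, inspection_key: bytes = None) -> list:
    """What the appliance can report for one flow.

    Without a key the appliance only sees ciphertext, so an encrypted flow
    yields no matches; with the key (an inspection proxy) it sees plaintext.
    """
    payload = flow["payload"]
    if flow["encrypted"]:
        if inspection_key is None:
            return []
        payload = toy_decrypt(inspection_key, payload)
    return match_signatures(payload)


# Constructed sample: one request carried in the clear and once encrypted.
SESSION_KEY = b"constructed-session-key"
REQUEST = b"GET /../../etc/passwd HTTP/1.1\r\nHost: app.example\r\n\r\n"

FLOWS = [
    {"name": "http-plain", "encrypted": False, "payload": REQUEST},
    {"name": "https-opaque", "encrypted": True,
     "payload": toy_encrypt(SESSION_KEY, REQUEST)},
]


def run_demo(with_inspection: bool) -> dict:
    """Map each flow name to the signatures the appliance reports."""
    key = SESSION_KEY if with_inspection else None
    return {f["name"]: inspect_flow(f, key) for f in FLOWS}


if __name__ == "__main__":
    print("no inspection:  ", run_demo(False))
    print("with inspection:", run_demo(True))
```

Running it shows the plaintext flow flagged in both modes, while the encrypted copy of the identical request is flagged only when the appliance holds the session key; that is the gap the article says enterprises cannot simply ignore by avoiding SSL.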
Read more: Click to access the related article.
Fraud At Sprint Offers Lessons For Enterprises
Insider attacks could have been prevented with a few simple practices
By Robert Lemos, Contributing Writer
DarkReading
The recently revealed abuse of insiders’ system privileges to commit fraud at Sprint could be a wake-up call for other enterprises to implement more stringent security practices, experts said this week.
Last week, nine Sprint employees were charged with misusing their access to the telecommunications giant’s systems to redirect phone charges to other customers by “cloning” their cell phones — to the tune of more than $15 million in fraudulent charges in the first six months of this year.
Read more: Click to access the related article.
Cybercrime is Rampant Around the World
Internet crime is a big problem globally, according to a survey done in 14 nations by security vendor Symantec.
By Jeff Bertolucci
PC World
A new study by security vendor Symantec reports that Internet crime has grown into a widespread problem globally. It also provides intriguing insights into consumers’ lax attitudes toward online piracy, plagiarism, and other illegal or unethical activities.
Some 7,000 adults in 14 nations participated in the Norton Cybercrime Report: The Human Impact, which was released Wednesday.
Read more: Click to access the related article.
Toward a Culture of Security Measurement
by Brian Krebs
Krebs on Security
“Our dependence on all things cyber as a society is now inestimably irreversible and irreversibly inestimable.”
Yeah, I had to re-read that line a few times, too. Which is probably why I’ve put off posting a note here about the article from which the above quote was taken, a thought-provoking essay in the Harvard National Security Journal by Dan Geer, chief information security philosopher officer for In-Q-Tel, the not-for-profit venture capital arm of the Central Intelligence Agency.
Read more: Click to access the related article.
Preparing For A Future Cyberwar
By Kim S. Nash
CIO
In Cyber War: The Next Threat to National Security and What to Do About It, you write about how vulnerable America is to electronic attack. Is it possible to create an effective deterrence policy against cyberwar, as was done for nuclear war?
That doesn’t work in cyberspace for lots of reasons. In the nuclear era, there were more than 2,000 tests worldwide. Nations demonstrated they could do damage. It’s hard to demonstrate cyberweapons in advance. In a nuclear war, you see missiles. In cyberwar, it’s not clear who’s attacking. People can pretend to be other people.
Read more: Click to access the related article.
Four Best Practices For Tokenization
Going beyond Visa’s best practices guide
By Ericka Chickowski
DarkReading
With Visa releasing its tokenization best practices guide earlier this summer, security professionals and encryption vendors have debated the strengths and weaknesses of the guide. As one of the most debated topics in encryption-land, tokenization still has a long way to go before it achieves any kind of true standardization of best practices.
Read more: Click to access the related article.
No Telling How Many Unpatched Web Threats Are Out There
By Kimberly Hill
TechNewsWorld
IBM’s X-Force security team reported that thousands of known Web app security threats remained unpatched during the first half of 2010. What’s more disturbing is the researchers’ observation that because most Web apps are custom developed — and their vulnerabilities may never be publicly disclosed — the real extent of the problem is likely much larger than enterprises suspect.
During the first half of 2010, more than 4,300 new disclosures of software security issues came to light. That’s according to the mid-year report issued by IBM’s (NYSE: IBM) special X-Force security research team. What’s perhaps a bit more disturbing is how many of those vulnerabilities remain unfixed.
Read more: Click to access the related article.
Stealthy Attacks, Vulnerability Disclosures Rise
X-Force report says 35 percent of vulnerabilities affecting virtualization servers also affect the hypervisor
By Kelly Jackson Higgins
DarkReading
Covert and obfuscated attacks on organizations have increased by more than 50 percent in the past year worldwide, according to a newly released report by IBM’s X-Force research team.
The new IBM X-Force 2010 Mid-Year Trend and Risk Report also found that the total number of new vulnerabilities disclosed had increased 36 percent over the same period last year, to 4,396 for the first half of ’10. And 55 percent of these bugs had not been fixed by the end of the first half.
Read more: Click to access the related article.
Avoid Being Collateral Damage In A Cyber War
Larry Dietz talks to Richard Power about critical infrastructure and how businesses should think about digital conflict
By Richard Power
CSO Online
All around the world, governments declare they are gearing up for cyber war. I know, I know, to anyone who has been at this for any significant length of time, many of the news stories we are reading today could have, or should have, been written a decade ago, or more. The term “Cyber war” seems to be on everyone’s lips again. (Cue the theme music for “Groundhog Day” – again!) In one way, it is hard to take it seriously anymore; in another way, it is incredible that so many governments sound like they are just getting started, again. Nevertheless, even though the chest-beating seems to be a redux, and much of the blustering rhetoric seems to be recycled, the reality on the virtual ground in cyber space is that the capabilities (the offensive ones, at least) have evolved over the last decade, and so have the opportunities. Furthermore, the appetite to use them seems to have grown apace.
Read more: Click to access the related article.
Testing shows most AV suites fail against exploits
Many vendors fail to develop further signatures to guard against different exploits that use the same vulnerability
By Jeremy Kirk
Network World
A majority of security software suites still fail to detect attacks on PCs even after the style of attack has been known for some time, underscoring how cybercriminals still have the upper hand.
NSS Labs, which conducts tests of security software suites, tested how security packages from 10 major companies detect so-called “client-side exploits.” In such incidents a hacker attacks a vulnerability in software such as Web browsers, browser plug-ins or desktop applications such as Adobe Acrobat and Flash.
Read more: Click to access the related article.
Using Network Segmentation And Access Control To Isolate Attacks
The right network design can protect against hidden threats from embedded systems and rogue access points
By John Sawyer, Contributing Writer
DarkReading
Insider attacks might have doubled during the past year, according to new case data from the U.S. Secret Service included in the recent Verizon Data Breach Investigations Report, but external attacks are still the major threat and account for the most records stolen — indicating companies still are not securing their networks and data properly.
Proactive security controls and secure network design can play an important part in preventing attacks both from the inside and outside. Unfortunately, without proper network segmentation and access control, once the attacker gains access to the victim’s internal network, it’s often game over: Sensitive servers are sitting there, just waiting to be pillaged.
Read more: Click to access the related article.
Deep Theater Defense
We all know perimeter firewalls are necessary but not sufficient. But what’s the right strategy for building additional layers of security? Greg Machler dives in.
By Greg Machler
CSO Online
As an executive, do you ever get worried wondering if your corporate brand is properly protected from a lack of technological integrity? Corporations today have sensitive HR data, financial data, and often consumer data. If this data is compromised, often the outside world finds out about it, lawsuits are initiated and the corporate brand is tarnished. This could lead to consumers thinking twice about purchasing your products or services.
Read more: Click to access the related article.
Handicapping the Global Cybersecurity War
By Kenneth Corbin
Datamation.com
WASHINGTON — Looking ahead to the next major global conflict, the more appropriate question might be to ask whether the United States will be able to defend against a major cyberattack, rather than if one will occur.
Students of information warfare point out that physical attacks rarely, if ever, transpire any longer without a cyber component, and that assaults on digital systems such as the electrical grid or telecommunications networks are quickly becoming the face of modern combat.
“This revolution is so profound that the whole history of warfare is now going to look very different,” said Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit group that works closely with the government to evaluate the effects of potential cyberattacks. (“It’s our job to figure out how to destroy America and its allies,” Borg says of his organization.)
Read more: Click to access the related article.
Do you need network security and privacy loss insurance?
By Andreas M. Antonopoulos
Network World
If your business manages personal information about health or finances, a security breach can cost millions. HITECH and other regulations not only apply fines, but they require disclosure and notification of those affected. In some cases, companies must pay for free credit reports too. These costs can range from $80 to $200 per compromised record. The problem for many companies is the sheer volume of information that can be compromised in a single breach. If you lose 5,000, 50,000 or 500,000 records, the math may mean bankruptcy. Fortunately, you can now get insurance to cover these risks.
Read more: Click to access the related article.