Thursday, October 29, 2009

Chip and PIN adoption serves lesson for U.S. payment industry

Fresh off the SearchSecurity press:

"First Data Corp. and RSA, the security division of EMC Corp., are the latest major companies working together to encrypt credit card data at the point-of-sale device. This early encryption approach, also offered by other vendors, including ProPay Inc. and Merchant Warehouse, can lower the technical costs of Payment Card Industry Data Security Standard (PCI DSS) compliance, as well as the legal risk of disclosure notifications and the risk of mass information loss. It is a proactive approach that retailers should be evaluating" ...

Tuesday, October 27, 2009

Lumension adds AV to endpoint security offering

Lumension continues to put together the critical pieces of an endpoint security solution. In addition to patching vulnerabilities to reduce the risk of an exploit, and application whitelisting with device control to reduce the risk of an attack modifying software, Lumension now adds an attack-centric AV layer to eradicate known threats. Defense in depth only really works if each layer adds a unique, complementary technology approach; that way, whatever threat one approach misses, the next approach is likely to catch. Adding AV to patching and application whitelisting is a sound approach that should work well for Lumension's customers.

I supported Lumension's release activity with the following quote:

Eric Ogren, Principal Analyst, Ogren Group
“As the explosion of viruses and data-stealing crimeware continues to wreak havoc on corporate networks, IT administrators need to take an increasingly more proactive and blended approach to endpoint protection. Lumension now offers solution layers that close system vulnerabilities, identify and remove attacks, and protect against malware from Web 2.0 threats. Organizations that adopt such a coordinated defense will be better-suited to protect against threats, keeping their network, endpoints, and business resistant to the daily influx of newborn malware.”

Wednesday, October 21, 2009

DLP technology challenges security costs

New to SearchSecurity:

"Vendors have blurred the functional boundaries between data leakage prevention, digital rights management and even endpoint device control, to the extent that IT should reset expectations for DLP deployments. The recent Burton Group report on DLP summarizes the market from a vendor offerings point of view, with heavy emphasis in vendor rankings given to companies with large market shares and marketing budgets. DLP can be a powerful weapon for security teams balancing threat protection with data protection and acceptable use policies, but only in well-defined business scenarios." ...

Friday, October 16, 2009

Phishing protection begins with training, antiphishing evangelist

Newly posted on SearchSecurity:

Law enforcement has demonstrated that it's serious about cracking down on phishers, spammers and other nefarious cybercriminal activity, but now is the time for security organizations to launch an antiphishing program to protect customers and employees from the upcoming wave of attacks that will most certainly mark the holiday season.

Phishing is a nagging social problem that preys on users' trust of established brands and confidence in the Internet. The classic phishing scam consists of a plausibly written email message containing a link to a phish website that looks like the real thing, but is designed to steal passwords and account numbers when the unsuspecting user authenticates. While law enforcement is part of the solution to breaking up phishing rings, IT needs to continuously focus on social countermeasures to fight the strength of phishing attacks.
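Training is the social countermeasure, but the mechanics described above (a plausible message carrying a link to a site that only looks like the real thing) also lend themselves to a mechanical check before the message ever reaches a user. The following is an added example, not code from the original post or from SearchSecurity: it parses the anchors in a constructed HTML email and flags the three classic tells of a phishing link: visible link text that names one domain while the href points to another, a trusted brand name embedded in a domain the brand does not own, and a bare IP address as the host. The brand list (`examplebank.com`), the email body and every hostname in it are made up for illustration.

```python
"""Flag phishing-style links in an HTML email body.

Added example; the brand domain, the email and all hostnames are
constructed for illustration and are not real.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand domains the organisation wants to protect.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed phishing email: one legitimate link, one whose visible text
# names the bank while the href goes elsewhere, one on a brand-in-subdomain
# lookalike, and one hosted on a bare IP address.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account.</p>
<a href="https://www.examplebank.com/login">https://www.examplebank.com/login</a>
<a href="http://secure-login.example.net/verify">www.examplebank.com</a>
<a href="http://examplebank.com.account-check.example/">Verify now</a>
<a href="http://192.0.2.10/examplebank/login">Online Banking</a>
"""

# Visible text that itself looks like a URL or a bare domain name.
_LOOKS_LIKE_DOMAIN = re.compile(r"(?i)(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _hostname(value):
    """Lower-cased hostname of a URL or bare domain string, or None."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def _under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_links(html):
    """Return a list of (href, reason) for links that look like phishing."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _hostname(href)
        if host is None:
            continue
        if _is_ip(host):
            findings.append((href, "host is a raw IP address"))
            continue
        # Tell 1: the text the user reads names a different domain than the target.
        text_host = _hostname(text) if _LOOKS_LIKE_DOMAIN.fullmatch(text) else None
        if text_host and text_host != host:
            findings.append((href, f"visible text names {text_host} but link points to {host}"))
        # Tell 2: a protected brand name inside a domain the brand does not own.
        for brand in TRUSTED_DOMAINS:
            label = brand.split(".")[0]
            if label in host and not _under(host, brand):
                findings.append((href, f"brand '{label}' appears in {host}, which is not under {brand}"))
    return findings


if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_EMAIL):
        print(f"{href}\n    {reason}")
```

A check like this belongs at the mail gateway or in the client, ahead of the user; it deliberately says nothing about whether the target site is malicious, only that the link's presentation and its destination disagree in the ways a phish needs them to.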

Tuesday, October 6, 2009

Mitigating zero-day vulnerabilities in customers' environments

Posted today at SearchSecurityChannel:

"Zero-day exploits -- attacks in the wild that are too new for signature checkers to recognize -- present a serious challenge to security solution providers who are expected to protect client endpoints, hosted websites, application services and Web communications. However, there may be opportunities for service providers to differentiate, or offer revenue generating services, with services that help clients recover from a zero-day infection."

Monday, October 5, 2009

Feds push cybersecurity jobs, PCI DSS changes ahead

Posted to TechTarget today:

"In a significant sign of the government's commitment to improving its cybersecurity profile, the Department of Homeland Security said it could hire 1000 security professionals over the next three years. This is welcome news for those seeking cybersecurity jobs. A longer-term view of the problem of securing the national technical infrastructure would have DHS allocating more of its $40 billion total budget authority to cybersecurity educational programs. We've heard reports about the problem of filling and retaining professionals in government information security jobs. In addition to existing degree programs at a few universities, perhaps cybersecurity can also be featured in Reserve Officers Training Candidate programs to develop military leadership well-versed in cybersecurity skills. Presently, neither the Army ROTC nor the Air Force ROTC shows cybersecurity as a career choice..."