Archive for October, 2008
Friday, October 31st, 2008
The RSA FraudAction Research Lab would like to share its startling findings based on its tracking and research of the Sinowal Trojan, also known as Torpig and Mebroot. Our findings based on the data we have collected on this Trojan over the course of almost three years – including information regarding its design and its infrastructure – indicate that this may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters.
We recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts…
Posted in Security News | Comments Off
Wednesday, October 29th, 2008
As I was listening to the review of PCI DSS 1.2 at this year’s annual PCI Community Meeting, a QSA stepped up to one of the many microphones scattered throughout the audience. Rather than asking a question, he explained that many midsized merchants have reasonably large and complex environments, yet lack the internal resources required to evaluate, procure and implement the enterprise-class security controls needed for PCI DSS compliance. The QSA then asked the Council if they would recommend a specific set of actionable technology recommendations to help these organizations in their efforts…
Wednesday, October 29th, 2008
Over the years there have been more attempts at creating a logging standard than I’ve had hot dinners – to borrow a Britishism. No standard has ever really emerged that has caught on. And I bet I’m going to get at least one e-mail that will place the blame squarely at the feet of vendors like us, who make money out of the present chaotic situation.
However, the problem runs much deeper than just a lack of will among ourselves and our peers…
Tuesday, October 28th, 2008
At this week’s RSA Conference Europe we released a new survey to track wireless network security in London, Paris and New York. The survey shows strong growth in wireless access points, both corporate and personal, but reveals that many are protected by the now discredited WEP encryption. RSA VP Sam Curry goes over the numbers in our latest podcast.
Friday, October 24th, 2008
I have the good fortune to be able to talk to a lot of different customers about their security and compliance efforts, and in the process I learn a lot about what works and what doesn’t. I also have the benefit of over 27 years’ experience in the IT industry, which means I’ve seen (and yes, made) pretty much every kind of mistake that can happen. But the one thing that always strikes me the hardest is that we keep making the most basic mistake over and over again, and, as you would expect, the results are inevitably the same. The mistake I’m referring to is ignoring the 5 ‘P’s – Proper Planning Prevents Poor Performance…
Friday, October 24th, 2008
Working across the EMEA region and being employed by an American-headquartered company, I’m fortunate (and occasionally unfortunate!) to encounter the many cultural differences which unite and divide us. Today, for example, I’m speaking at our EMC Forum in Moscow; earlier in the week I was in Sweden, and just last week I was with customers and colleagues in the somewhat sunnier climes of Dubai. It’s interesting then to note what changes, but perhaps more importantly the many more things that stay the same as you talk information security strategy throughout the region…
Monday, October 20th, 2008
On Monday, October 13, RSA, The Security Division of EMC, released the results of a new insider threat survey. The survey shows that employees are well aware of the restrictions placed upon them by their corporate IT departments, yet many often work around these controls in order to get their jobs done. RSA VP Sam Curry digs deeper into the issue in our latest podcast.
Monday, October 20th, 2008
Imagine you see a car stopped on some train tracks, and you hear a train coming. How do you react? Do you ignore the sound of the train, thinking it won’t hit the car? In that same vein, not having an accurate data loss prevention (DLP) solution in place within your organization is akin to standing by and watching that train wreck about to happen – all while pretending you can’t see what’s going on even though the train’s horn is blaring.
In my ten years of experience in the search and categorization space, I can tell you that false negatives in a DLP software policy, where sensitive documents are missed by the policy and treated as safe, are potentially extremely costly to a company…
Monday, October 20th, 2008
I had not seen the Secretary of Homeland Security, Michael Chertoff, speak on cyber security issues at a public forum since he keynoted the industry-wide RSA Conference in April 2008, so I decided to attend a forum at the U.S. Chamber of Commerce on Tuesday, October 15th where he was scheduled to keynote. Titled “Enhancing Cyber Security as Part of Enterprise Risk Management Planning” and held as part of a series of National Cyber Security Awareness Month events, Secretary Chertoff addressed the group of mostly business community attendees to highlight what he dubbed as “one of the most important initiatives that we have ever undertaken as a department or country”…
Thursday, October 16th, 2008
Followers of Star Trek might have noticed the small IDIC symbol Mr. Spock wore in events requiring official Vulcan dress code. IDIC stands for “Infinite Diversity in Infinite Combinations”, a remarkable philosophy in spite of its pop origins and an enduring legacy of the late Mr. Roddenberry.
Hello folks: my name is Sam. My first anniversary at RSA just passed, and it seemed like as good a time as any to plunge into the security blog-o-sphere. I sit in a unique position within RSA: in the middle of the customers, the partners, the markets and the technology. In the course of the last year, I’ve met with hundreds of people with whom we do business, with whom we do science and with whom we look to change the way the world works. And, let me tell you this: things are becoming more complex…
Thursday, October 16th, 2008
Halloween came a little early for Rob Enderle. Is he right to be very, very afraid?
Rob Enderle recently attended an EMC conference where, among the speakers, he heard from Uri Rivner regarding the growing sophistication – and mass-production capabilities – of the online fraud industry. In his excellent piece in Dark Reading on the subject, entitled “How RSA/EMC Scared Me Half to Death”, Rob admitted to being more than a little scared by what he heard. And among his fears is that, in these tight economic times, companies will not make the investments needed to ensure that they and their customers are secure against these increasingly robust threats…
Wednesday, October 15th, 2008
Corporations spend millions of dollars in getting their products Common Criteria-certified. It is a validation of being tested per an international security evaluation standard for meeting stated security claims. Yet, the claims made by companies are not mandated to be at rigorous security levels by the Common Criteria standard — it merely advocates thorough testing.
Tuesday, October 14th, 2008
If you are working on information assurance issues and walking the halls of government buildings, you can’t go anywhere these days — whether in Washington, D.C. or London, England — and not hear about the importance of “software assurance” or “product assurance”. Government buyers nearly everywhere are insisting on more secure products and some level of assurance that the software or hardware that you are selling them is secure. And, of course, they should be doing that.
Friday, October 10th, 2008
I just returned from the Payment Card Industry’s 2008 Members Council Meeting in Orlando, Florida. We had a blast despite the mood being somewhat dampened as a result of the uncertainty of the global financial markets (heartfelt thanks to those wise souls who’ve been living outside of their means and taking undue personal and commercial financial risk…). Anyhew, I met so many interesting people from both merchants and the card brands like Visa, MasterCard, American Express, Discover & JCB International Co., Ltd.
Friday, October 10th, 2008
I was one of the 650 attendees at the recent annual North American PCI Community Meeting. Held at the Omni Champions Gate resort in Orlando, it was great to speak with many of the merchants, banks and service providers in attendance about the challenges they are facing.
Friday, October 10th, 2008
As Stewart Brand once said, “Once a new technology rolls over you, if you’re not part of the steamroller, you’re part of the road”.
I think this quote perfectly describes the role IT departments are playing in implementing security programs, specifically those attributed to the NERC Cyber Security Standards…
Thursday, October 9th, 2008
The Institute of Applied Network Security released a case study on the implementation of RSA enVision at the Depository Trust Clearing Corporation (DTCC). DTCC is an organization that acts as the back end for Wall Street, processing $1.8 quadrillion in securities transactions in 2007, and thus an essential component in our economy.
Thursday, October 9th, 2008
October’s here, and you can’t escape the coming onslaught of Halloween. Children (and quite a few adults) dressed up as vampires, ghosts, goblins and other scary creatures, going around asking people for treats and threatening them with tricks if they don’t provide them. A cynical person might boil it down to a combination of scare tactics and extortion. So what does this have to do with IT security and compliance? Unfortunately, the way security and compliance professionals have traditionally gone about obtaining funds and resources for tools and projects necessary to do their jobs all too closely parallels what happens on Halloween. We frequently use scare tactics such as new threats (the trick) to get management to cough up the funding and resources (the treats) we need to accomplish what we view as our jobs…
Tuesday, October 7th, 2008
Last week I took a trip out to our Executive Briefing Centre in Cork, Ireland. I was there to present to senior IT folk from pretty much all of the UK’s Police Forces as part of a two-day agenda that had been lined up for them by my colleagues from many of EMC’s lines-of-business.
I guess there are few other organisations where the lines between physical and virtual security are brought so sharply into focus as in one where you are dealing – first-hand – with criminals in the way that our police officers must every day of their working lives.
During our conversations we mused on various aspects of keeping information secure in such a fluid and volatile environment…