Archive for January, 2009

Skip Hindsight, Prepare Ahead of Time

Friday, January 30th, 2009

When dealing with Data Loss Prevention (DLP) issues, much has been made of the
very real importance of true positives and false positives. As important as
these are, less quantifiable is the status of false negatives, or those elements
that should have been caught by software, but for some reason or another are
not. This false negative element exists in all fields of knowledge work: it’s
the element “not considered.” Or, to paraphrase a former Secretary
of Defense, it’s the “we don’t know what we don’t know.”



Why content is king when it comes to SIEM

Wednesday, January 28th, 2009

There are two big parts to a SIEM or log management system. Both are really important
– but most people choosing a SIEM have a tendency to look carefully at one
while giving the other scant attention.



Speaking of Security Podcast #136

Tuesday, January 27th, 2009

Click to Download/Listen (9:38)

Ari Juels from RSA Labs has written a new suspense novel that presents a collision between ideas in the world of cryptology and the world of ancient Greece. Hear all about it on this week’s Speaking of Security podcast.



News: Mac OS X research warns of stealthier attacks

Thursday, January 22nd, 2009


Avoid the Mobile Blind Spot: 5 Real-World Tactics to Protect Your Enterprise Network

Tuesday, January 20th, 2009

Free On-Demand Webinar. Providing remote access to your mobile workforce increases risks to your organization, which can create a “mobile blind spot” that can wreak havoc on your data networ…

Speaking of Security Podcast #135

Monday, January 19th, 2009

Click to Download/Listen (10:08)

This week’s Speaking of Security podcast features a discussion on data protection and security event management issues with a principal from Deloitte & Touche, one of RSA’s key alliance partners.



The three big buckets of compliance, and why SIEM is important to all of them

Monday, January 12th, 2009

Too often we vendors go to clients and talk about compliance, and then throw
up a slide showing an alphabet soup of regulations and standards, with no context
about what they mean or how their product can help. Not only is it confusing,
it shows a lack of understanding to customers, who are generally well educated
about what these regulations and standards mean. I know this is basic stuff,
but it’s useful to recap once in a while.



IT Security Ask the Experts: Top Queries, December 2008

Thursday, January 8th, 2009

This Web site was created to be a clearing house for technical IT security queries, and we are still fielding quite a few of those. But we continue to receive a broad variety of fascinating questions …

Green Conferencing: Meetings that Save Money, Increase Revenue & Save the Planet

Thursday, January 8th, 2009

On-Demand Webinar. Sponsored by: GoToMeeting Corporate. Learn to reduce your costs and carbon footprint, while driving greater revenue using the latest online meeting alternatives and so…

Online Fraudsters Prey Upon the Media and Public Interest in Current Events to Launch “Cease-Fire Trojan Attack”

Thursday, January 8th, 2009

Yesterday morning, the RSA FraudAction Research Lab discovered a social engineering
scam designed to lure people, via an email spam attack, to a fake
news website designed to look like CNN.com. This “Cease-Fire Trojan
Attack” attempts to bait readers leveraging recent news and “graphic
and striking” images regarding the Israel-Hamas conflict in Gaza. Today,
RSA is initiating the shutdown process to take down this attack.



PCI Compliance: Customer’s frequently asked questions

Wednesday, January 7th, 2009

Over the past few weeks multiple merchants, banks and service providers have
asked me the following three questions. Since there seems to be some
confusion, I figured I’d post a short FAQ…



Speaking of Security Podcast #134

Wednesday, January 7th, 2009

Click to Download/Listen (10:26)

The first Speaking of Security podcast of 2009 features Jon Oltsik from the Enterprise Strategy Group. Jon shares his perspective on trends in information security for the new year.



New Phishing Kits Hit the Market: Trojan HTML Injections Now for Sale

Tuesday, January 6th, 2009

The economic lifecycle of the underground fraud community functions very similarly
to the world of legitimate business. Online fraudsters have supply chains,
third-party outsourcers, vendors, and online forums where people with skills
and people with opportunities to commit fraud can find each other. The underground
fraud supply chain is becoming more technically and operationally sophisticated,
and we’ve coined this “Fraud-as-a-Service” or “FaaS”.
FaaS consists of services for advanced hosting, Trojan infection kits and cashout
services – all for sale within the fraudster underground.



Taking the Pain out of Secret Writing

Monday, January 5th, 2009

Encryption is one security control that’s showing up a lot more frequently
these days; in many cases the choice to implement encryption isn’t optional.
PCI requires it, state PII protection laws are starting to demand it, and
many other government and industry regulations imply it as a requirement.
The other thing that’s changing the way we look at encryption is that it’s
becoming ubiquitous – many of the hardware and software products we buy that
touch information now have encryption built in. All of these factors are
combining to make encryption one of the fastest growing areas of security.
So what’s the downside?



Five Steps Congress May Take on Information Security in 2009

Monday, January 5th, 2009

Well, it’s that time of year again: lots of prognosticators making predictions for 2009
as they take a look at 2008 in the rearview mirror and try to figure out what’s
in front of us in the New Year. So, I’ll join the legions of IT experts
guessing what may be in store in the coming months as we raise our glasses
to ’08 and toast ’09 with anticipation, hope and, given the current economic climate,
consternation as well. Since I am a creature of Washington and have the
opportunity to work with the U.S. Congress, I’ll focus on what steps
we might expect our national legislature to take in 2009 as it relates to information
security and privacy issues.



A Real New Year’s Hash

Thursday, January 1st, 2009

The New Year has just arrived and I’m reminded how, globally, we are all connected
in ways that would have been impossible 20 years ago: it’s almost hackneyed
to say it again, but thanks to an amazing combination of infrastructure and
technology, we can live, work and play from Mumbai to London and from Tokyo
to New York City as one world in real-time. Of course, a lot of this is dependent
on some of the basic building blocks we use being sound, and in the last few
days one of these building blocks has come under attack: MD5 is on its last
legs as a tool in the cryptographic toolbox.