SC World Congress

The face of things to come

This month, we get a chance to take a peek into the future, as well as viewing the current state of information assurance (IA) practice. The future comes to us in the form of a closer look at the participants in the Security Innovators Throwdown, which took place at the 2010 SC World Congress in New York. The current state is focused on web content management, arguably one of the most important IA functions in our enterprises. We take that notion a step further in our First Look for this month as we examine trusted browsing for the banking industry.

Web content management is a key piece of our security infrastructures because today virtually everything comes into our enterprise through web browsers. A vendor with whom I was speaking recently estimated that more than 80 percent of all malware enters the enterprise through the web browser. Certainly the
 

Strong authentication

Welcome back from the holidays. It is time to get back to work after the very successful SC World Congress, SC Congress Canada and our annual Innovators issue. It is good to see that innovation in our field has returned to a healthy state. We kick off the year with strong authentication as our theme. That includes multifactor and biometric authentication.
 

Current events

Our two gatherings - the third annual SC World Congress in New York and the inaugural SC Congress Canada in Toronto - illustrated the vitality of the security industry.

Judging by the response from attendees, our two November Congress events - SC World Congress in New York and SC Congress Canada in Toronto - were both unqualified successes. The quality of programming and speakers, the relevance of topics and several other aspects of the two gatherings received high marks from respondents to our exit poll.
 

Keep upward swings going and going and going...

With people out of work, insider threats spike and budgets often plummet, says Illena Armstrong.
 

Software assurance has reached a crisis point

Much of the software that the U.S. government is running can be successfully exploited, said Dan Shoemaker, professor at the University of Detroit Mercy, at SC World Congress last week.

The nation is in a crisis - and it's not what might first come to mind in these turbulent economic times.
 

Despite hot M&A activity, security innovation is safe

The rise of cloud computing, the smart grid and social media is prompting a new wave of cybersecurity innovation, an SC World Congress speaker said during a panel discussion Thursday.

Elad Yoran, CEO of Security Growth Partners, which advises security companies on growth strategies, said that following roughly a decade of limited innovation due to a compliance-driven marketplace, a number of emerging technologies are now forcing vendors to create leading-edge solutions.

"I never really liked the world of checklist-based security," said Yoran, who founded managed security services provider RipTech before selling it to Symantec in 2002 for $145 million.

But if history is any guide, these innovative firms quickly will be scooped up by cash-rich tech companies and systems integrators. This year has seen 133 security-related deals, said
 

SC World Congress continues success in its third year

The third annual SC World Congress concluded Thursday following two days of content-rich sessions and keynotes. Now the attention turns to SC Congress Canada, which kicks off Tuesday.

Hundreds of attendees packed the presentations, led by 60 high-quality speakers, who focused their talks on a wide range of topics that security professionals confront on a daily basis, from emerging threats to mobile devices penetrating the enterprise to the rise of cloud computing to neat tools that can be used in the cybercrime fight.

Arguably the most buzz, though, was generated by the "12 Hours to Network Meltdown" keynote, a real-time hacking simulation, proctored by the U.S. military and SC Magazine's lab team, that pitted "Blue Team" versus "Red Team" and encouraged audience participation via Twitter.

In addition to the sessions and keynotes, which included addresses from Rep. Yvette Clark
 

Dangers of personal device use in the workplace

Mobile systems may soon encounter the same threats already seen on laptops and desktops, a panelist said last week at SC World Congress in New York.
 

Best practices for security awareness training

Security awareness training programs should be an essential part of information security endeavors because technology cannot stop all threats, a security professional said Thursday at SC World Congress in New York.

Most people make mistakes because they don't know what they are doing is wrong, said Dennis Devlin, CISO of Brandeis University in Massachusetts. IT staff must not only train employees about information security but educate them as to why it is important, he said. Education persists longer than training and allows individuals to apply their knowledge to new situations. "We need to get to the point where it's more natural for people to do things the right way than the wrong way," Devlin said.

A security awareness training program should be like a marketing effort, he said. Choose a message and brand it, th
 

Should ISPs take responsibility for exploits?

The debate lingers on the role internet service providers play in protecting users from malware, a security expert said Thursday at SC World Congress in New York.

The session examined many of the latest issues facing both users and the carriers. "Is the ISP a pipe or conduit or should it be responsible for fixing problems?" asked Craig Spiezle, executive director of Online Trust Alliance, a nonprofit that seeks to enhance the security of e-commerce and online services.

While he admitted he did not have an answer, Spiezle said much progress is being made on self-regulation. "Roles are quickly evolving," he said.

He pointed to a few aspects that he believes need further development, particularly email authentication, extended-validation SSL certificates, password management and privacy policies. Further, he said that for consum
 

Patch management should be core to operations

With the number of vulnerabilities rising, particularly across client-side applications, organizations must implement a robust patch management program, a panel said Thursday at SC World Congress in New York.

Drawing on data culled from 80 million scans of IP addresses, Jason Falciola, technical account manager at vulnerability management firm Qualys, said the half-life of vulnerabilities has remained steady at around 30 days for the past six years.

Half-life refers to the average time between a flaw being disclosed and the time when half of its occurrences have been eradicated in an enterprise. Those statistics, combined with the fact that one security bug arises from every 1,000 lines of code, means organizations are facing an uphill climb, Falciola said.

The risks augment further considering the rise of the commercial exploit business, where individua
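The half-life figure above is a metric you can compute for your own fleet from scan history. The following is an added example, not Qualys's code or method: it takes a disclosure date and the per-host remediation dates for one flaw (the host names, dates and the flaw itself are constructed), reports the empirical half-life (the day on which at least half of the occurrences were gone), and fits an exponential decay to the fraction still open so the two can be compared. Hosts that are never patched inside the observation window are kept in the denominator, since they are what makes the real curve flatten out.

```python
"""Vulnerability half-life from remediation data.

Added example (not Qualys code). All data below is constructed: one flaw
disclosed on DISCLOSED, found on ten hosts, with the date each host was
remediated (None = still unpatched inside the observation window).
"""
import math
from datetime import date, timedelta

DISCLOSED = date(2010, 9, 1)
REMEDIATED = {
    "host-01": date(2010, 9, 4),    # 3 days after disclosure
    "host-02": date(2010, 9, 8),    # 7
    "host-03": date(2010, 9, 11),   # 10
    "host-04": date(2010, 9, 15),   # 14
    "host-05": date(2010, 9, 21),   # 20
    "host-06": date(2010, 9, 29),   # 28
    "host-07": date(2010, 10, 6),   # 35
    "host-08": date(2010, 10, 16),  # 45
    "host-09": None,                # never patched in the window
    "host-10": None,
}


def days_to_half_eradicated(disclosed, remediated):
    """Empirical half-life: days from disclosure until at least half of the
    occurrences were fixed. None if that point was never reached."""
    total = len(remediated)
    fixed_days = sorted((d - disclosed).days for d in remediated.values() if d is not None)
    needed = math.ceil(total / 2)
    if len(fixed_days) < needed:
        return None
    return fixed_days[needed - 1]


def survival_curve(disclosed, remediated, horizon_days):
    """Fraction of occurrences still open on each day 0..horizon_days.
    A host counts as open on day t if it was fixed strictly after that day."""
    total = len(remediated)
    curve = []
    for t in range(horizon_days + 1):
        cutoff = disclosed + timedelta(days=t)
        still_open = sum(1 for d in remediated.values() if d is None or d > cutoff)
        curve.append(still_open / total)
    return curve


def fitted_half_life(curve):
    """Least-squares fit of ln(remaining) = a - lambda*t over the days on which
    something is still open; returns ln(2)/lambda in days, or None if the
    curve shows no decay."""
    pts = [(t, math.log(r)) for t, r in enumerate(curve) if r > 0]
    n = len(pts)
    if n < 2:
        return None
    st = sum(t for t, _ in pts)
    sy = sum(y for _, y in pts)
    stt = sum(t * t for t, _ in pts)
    sty = sum(t * y for t, y in pts)
    denom = n * stt - st * st
    if denom == 0:
        return None
    slope = (n * sty - st * sy) / denom
    if slope >= 0:
        return None
    return math.log(2) / -slope


def report(disclosed, remediated, horizon_days):
    """Summarise one flaw: empirical and fitted half-life plus residual exposure."""
    curve = survival_curve(disclosed, remediated, horizon_days)
    return {
        "empirical_half_life_days": days_to_half_eradicated(disclosed, remediated),
        "fitted_half_life_days": fitted_half_life(curve),
        "open_fraction_at_horizon": curve[-1],
    }


if __name__ == "__main__":
    print(report(DISCLOSED, REMEDIATED, 60))
```

The empirical number answers the question the talk poses directly; the fitted number is what a "laws of vulnerabilities" style trend line would report, and the gap between them on a real fleet usually comes from the long tail of hosts that are never patched at all, which is exactly where a patch management program should be looking.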
 

Lawmaker says attack against power grid will happen

The likelihood of a crippling cyberattack against the U.S. electric grid is 100 percent, a congresswoman said Wednesday at SC World Congress in New York.

People should no longer question whether such an incident could happen but recognize that it is inevitable, said Rep. Yvette Clarke, D-N.Y., during an evening keynote. "The likelihood of a cyberattack bringing down our grid is 100 percent," Clarke said. The Northeast blackout of 2003 knocked out power to approximately 50 million people, caused 11 deaths and $6 billion in damages, all in less than 48 hours. Imagine the type of damage that would result from a nationwide blackout lasting for weeks, she said.

Clarke, a member of the House Committee on Homeland Security and Chair of the Subcommittee on Emerging Threats, Cybersecurity, Science and Technology, said progress has been made to
 

MAEC schema can benefit malware researchers

SC World Congress attendees were introduced to MAEC, a standardized language that seeks to improve how industry describes malware and botnet behavior and attack patterns.

Focusing on the attributes and behavior of malicious code, not necessarily which malware family it comes from, can help researchers communicate better and respond quicker to threats, an SC World Congress speaker said Wednesday.

Bob Martin, principal engineer at the nonprofit MITRE Corp., discussed his group's Malware Attribute Enumeration and Characterization initiative (MAEC). Pronounced "Mike", the MAEC schema identifies which registry keys the malware is affecting, what file actions it is making and which vulnerability it is going after, Martin explained. Using this information, a researcher can equate the findings to the behavior and motivation of the attack.

Many times, security professionals will find that seemingly disparate pieces of malware will have the same level of threat and mitigation and should be treat
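The point Martin makes, that two samples from different families with the same registry, file and exploit behavior deserve the same response, can be shown in code. The following is an added example and is not MAEC itself: the record layout is a deliberately simplified stand-in for the three attribute kinds the session names, and the sample names, families, registry keys, file paths and vulnerability labels are all constructed. It flattens each record into a set of tagged attributes, ignores the family label, clusters samples by Jaccard overlap of behavior, and reports the attributes every member of a cluster shares, which is the list one mitigation would have to cover.

```python
"""Grouping malware samples by observed behaviour rather than family name.

Added example in the spirit of the MAEC session; the record layout and all
sample data are constructed for illustration and are not MAEC's schema or
real malware. Attribute kinds mirror the three the talk names: registry keys
touched, file actions taken and the vulnerability exploited.
"""

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"
SVC_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\svcx"

SAMPLES = {
    # Two samples that vendors file under different families but which do
    # exactly the same things on the host.
    "alpha-v1": {"family": "Alpha",
                 "registry": {RUN_KEY},
                 "files": {r"create:%APPDATA%\updater.exe", r"modify:drivers\etc\hosts"},
                 "vuln": {"pdf-reader-heap-overflow"}},
    "beta-7":   {"family": "Beta",
                 "registry": {RUN_KEY},
                 "files": {r"create:%APPDATA%\updater.exe", r"modify:drivers\etc\hosts"},
                 "vuln": {"pdf-reader-heap-overflow"}},
    # A later "Alpha" build that shares only its persistence key with alpha-v1
    # but shares its dropper path and exploit with an unrelated family.
    "alpha-v2": {"family": "Alpha",
                 "registry": {RUN_KEY},
                 "files": {r"create:%TEMP%\svc.exe"},
                 "vuln": {"browser-plugin-uaf"}},
    "gamma-1":  {"family": "Gamma",
                 "registry": {SVC_KEY},
                 "files": {r"create:%TEMP%\svc.exe"},
                 "vuln": {"browser-plugin-uaf"}},
}


def behavior_set(record):
    """Flatten a record into tagged attribute strings; the family label is
    deliberately left out so grouping is driven by behaviour only."""
    tagged = set()
    for kind in ("registry", "files", "vuln"):
        tagged.update(f"{kind}:{value}" for value in record.get(kind, ()))
    return frozenset(tagged)


def jaccard(a, b):
    """Overlap of two attribute sets in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_by_behavior(samples, threshold=0.5):
    """Greedy single-linkage clustering: a sample joins the first cluster that
    has any member whose behaviour overlaps it by at least `threshold`.
    Samples are visited in sorted-name order so the result is deterministic."""
    sets = {name: behavior_set(rec) for name, rec in samples.items()}
    clusters = []
    for name in sorted(sets):
        for cluster in clusters:
            if any(jaccard(sets[name], sets[member]) >= threshold for member in cluster):
                cluster.append(name)
                break
        else:
            clusters.append([name])
    return [sorted(c) for c in clusters]


def shared_mitigations(samples, cluster):
    """Attributes common to every member of a cluster: the indicators that a
    single detection or mitigation for the cluster must cover."""
    common = None
    for name in cluster:
        s = behavior_set(samples[name])
        common = s if common is None else common & s
    return sorted(common or ())


if __name__ == "__main__":
    for cluster in cluster_by_behavior(SAMPLES):
        families = sorted({SAMPLES[n]["family"] for n in cluster})
        print(cluster, "families:", families)
        print("  shared:", shared_mitigations(SAMPLES, cluster))
```

With the constructed data, alpha-v1 and beta-7 land in one cluster despite carrying different family names, while alpha-v2 is grouped with gamma-1 rather than with its namesake, because it shares a dropper path and exploit with gamma-1 and only a persistence key with alpha-v1. The threshold is the knob to tune against your own corpus; a real schema such as MAEC gives these attributes stable names so that two teams computing this kind of overlap get the same answer.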
 

Automated patches necessary for true endpoint security

Attackers are no longer going after the obvious software targets because there are too many ripe options available in the form of third-party applications, a panelist said at SC World Congress.

The threat environment has evolved from the era of script kiddies out for personal fame to its current iteration where specialists develop code offered for sale on underground markets, according to a presentation on endpoint security at SC World Congress on Wednesday.

"Cybercrime now is all about profit or politics," said Stefan Frei, research analyst director at Secunia, a vulnerability management and tracking firm. In one recent study he cited, 100 percent of enterprises analyzed had bot infections. The cause, he said, was unpatched programs. "A perfectly patched world is far, far away," he said.

Attackers are no longer going after the obvious targets, such as Microsoft software, he said, because there are too many ripe options available in the form of third-party applications.

A process is ne
 

Targeted, smarter attacks dominate 2010 threat landscape

Cybercriminals have over the past year grown more innovative and relied heavily on opportunistic, targeted and blended attacks, a security researcher said Wednesday at SC World Congress in New York.

Some of the most prevalent threats of the year have included attacks such as poisoned search results, rogue anti-virus, social networking malware and malicious advertisements, Chester Wisniewski, senior security researcher at anti-virus firm Sophos, said during a session that examined the changing threat landscape.

Also, blended attacks, which use a combination of threat vectors, have been a favorite among cybercriminals this year. The latest variants of the data-stealing malware Zeus, for example, contain built-in instant messaging clients, which are used to notify botmasters when a user has logged in to his or her onlin
 

Making the case for the iPhone

An increasingly fragmented workforce should be empowered to use mobile devices, Nick Edwards of Cisco said during an SC World Congress keynote.

As the workforce becomes more distributed and the traditional network perimeter continues to erode, a security professional's first reaction might be to block devices such as iPhones from connecting to the corporate network.

That is the wrong approach, said Nick Edwards, director of product management at Cisco, in a lunch keynote Wednesday at SC World Congress.

Forcing workers to use legacy systems to access business data will slow them down and thus hurt business, he said. And even if restrictions are in place, workers will find ways to use their personal devices in the workplace.

A recent Cisco survey of 500 IT security professionals globally found that 41 percent of the respondents have determined that employees have been using unsupported devices, and more than one-third of that number said they have had a breach or loss of information due
 

Ousted CISO explains challenges of his former job

Former Pennsylvania CISO Bob Maley describes hurdles he had to climb during his tenure in the Keystone State.

The trials and tribulations of a CISO working on the state level were discussed at a morning session at SC World Congress Wednesday. Bob Maley, former CISO of the state of Pennsylvania who founded consultancy Strategic CISO, reviewed some of the major projects he undertook while CISO of the Keystone State, something he was forbidden to disclose while under restrictions not to discuss state matters. Unshackled from those edicts, he told the crowd of a number of projects he accomplished while there, beginning with a determination that anti-virus, firewalls and compliance checklists were insufficient to secure the state network.

One of the biggest challenges he faced was needing to justify expenses by proving cost savings. Otherwise, he said, projects would not continue to be funded.

Another impediment he found was that, despite the urgency of protecting systems, implementations could take two
 

Analyzing the truth behind the advanced persistent threat

Is the advanced persistent threat really something new?

The advanced persistent threat, which rose to prominence earlier this year when Google revealed that its corporate systems were raided by well-funded attackers, is really no different than prolific crimeware that organizations have been facing for years.

This is the opinion of Jerry Dixon, director of analysis at Team Cymru, a nonprofit internet security research firm. Dixon spoke in a session Wednesday morning at SC World Congress in New York.

As such, he said, organizations should treat state-sponsored threats in the same vein as they would attacks targeting bank account credentials or credit card information. Dixon, the former director of the National Cyber Security Division at the U.S. Department of Homeland Security, said many security vendors have picked up and run with the APT term to pitch products.

But the attacks that targeted Google and a number of other high-profile companies to steal intellectual property contain the sa
 

Schmidt, Elder confirmed as SC World Congress keynotes

Security veteran Howard Schmidt and Lt. Gen. Robert Elder are set to speak at next month's SC World Congress, it was announced Friday.

Two of the nation's most prominent and accomplished cybersecurity thinkers are now confirmed to speak Nov. 11 at SC World Congress Data Security Conference and Expo in New York.

Howard Schmidt, special assistant to the president and White House cybersecurity coordinator, and retired U.S. Air Force Lt. Gen. Robert Elder are set to deliver separate keynotes on the conference's final day, it was announced Friday.

In his talk, Schmidt, who was appointed to his current position last December, will offer a progress overview of the nation's cybersecurity efforts and discuss future plans around implementing the president's strategy. Among other topics, Schmidt, the former CEO of the Information Security Forum and CISO at eBay and Microsoft, also will focus on the private sector's role in keeping the nation's critical infrastructure protected.

Elder, meanwhile, wil
 

A brief history of security innovation: Where do we go from here?

Another era of security innovation is upon us, but first we must clear some barriers that could deter a new wave of imagination.

The information security industry has evolved through a complete cycle of innovation and stagnation over the last 15 years, but now we are entering the second golden age of IT security. Still, there are forces at work that are inhibiting the current wave of security innovation, and we must pay attention to them and keep them under control. Failing this, our wave will not develop its full potential and we'll all be worse off as a result.

Remember the 1990s? Al Gore had just invented the internet. Start-up capital was free (dogfood.com anyone?). Business people were America's heroes, and entrepreneurs were even more revered. New business models promised to change everything. "Bricks and mortar" was so 20th century, revenue was irrelevant, portals were the future and it was all about eyeballs. This Wild West era of the internet, though, also fostered the golden age of