http://www.rsa.com/blog/rssfeed.aspx Speaking of Security, the RSA Blog and Podcast http://www.rsa.com/blog/ Speaking of Security is the RSA Blog and Podcast. It features a group of experts in identity management, encryption, privacy, policy, and enterprise security standards. Security http://www.rsa/blog/images/small_blog_logo.gif http://www.rsa.com/blog/ 144 36 Speaking of Security A Podcast for Security Professionals A weekly look at RSA's – and the industry's – issues-of-the-moment. RSA, The Security Division of EMC en-us no RSA, The Security Division of EMC podcast@rsa.com Copyright 2005 - 2008 RSA Security Inc. Information risk management, and lessons-learned in the financial industryblog@rsa.com (Paul Stamp)http://www.rsa.com/blog/blog_entry.aspx?id=1331Tue, 19 Aug 2008 00:00:00 GMTblog@rsa.com (Paul Stamp)http://www.rsa.com/blog/blog_entry.aspx?id=1331Information risk management, and lessons-learned in the financial industry Last week's <a href="http://www.economist.com/finance/displaystory.cfm?story_id=11897037">Economist</a> had a good article entitled "Confessions of a Risk Manager", in which a risk manager from a global bank uses 20-20 hindsight to look at "what went wrong" in the lead-up to the credit crunch and the ensuing fallout. 
I won't pretend to understand all the ins and outs of financial derivatives, <B>but there were some points raised that anyone in the IT security space can identify with...</b>PCI Compliance: Reaction to the Summary of Changesblog@rsa.com (Brad Davenport)http://www.rsa.com/blog/blog_entry.aspx?id=1330Tue, 19 Aug 2008 00:00:00 GMTblog@rsa.com (Brad Davenport)http://www.rsa.com/blog/blog_entry.aspx?id=1330On August 18 the PCI Security Standards Council formally announced (<a href="http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf" target=_blank>http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf</a>) forthcoming changes to the Payment Card Industry's Data Security Standard (PCI DSS) as it moves from version 1.1 to version 1.2 in October 2008. The release represents the first major update since September 2006. <P> What's my take on the summary of changes? <B>Most merchants will be pleased to see that these are relatively minor changes...</b>Speaking of Security Podcast #118blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1332Mon, 18 Aug 2008 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1332<a href="http://www.rsa.com/blog/blog_entry.aspx?id=1332">Click to Download/Listen</a> (11:27)<br><br />This week, Amanda Van Veen speaks with analyst Rod Nelsestuen from the <a href="http://www.towergroup.com/research/home/index.htm" target="_blank">TowerGroup</a>. 
Rod covers key issues affecting several financial industry segments including emerging markets and trend, security, and risk management matters and in this segment, talks with Amanda about the evolution of business continuity planning and security&rsquo;s increasing role.<br /><br /><br />Addressing NERC Cyber Security Standards Using a Frameworks-Based Approachblog@rsa.com (Paul Davilman)http://www.rsa.com/blog/blog_entry.aspx?id=1329Wed, 13 Aug 2008 00:00:00 GMTblog@rsa.com (Paul Davilman)http://www.rsa.com/blog/blog_entry.aspx?id=1329Although the NERC Cyber-Security Standards (<a href="http://www.nerc.com/files/CIP-002-1.pdf" target=_blank>http://www.nerc.com/files/CIP-002-1.pdf</a>) are applicable only in the US, I think there's no doubt that cyber security is fast becoming a major concern of electric utility companies worldwide. In addition, other US critical infrastructure industry segments, such as water and chemical companies are also coming under increasing federal pressure to improve their own cyber-security efforts. 
Still, the NERC Cyber-Security standards have been criticized for being too ambiguous, providing little in the way of guidance, <B>as well as for leaving loopholes for utility companies to beat the rules...</b> Speaking of Security Podcast #117blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1328Mon, 11 Aug 2008 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1328<a href="http://www.rsa.com/blog/blog_entry.aspx?id=1328">Click to Download/Listen</a> (07:47)<br> <br /> In a recent RSA Web Seminar focused on the new <a href="https://www.rsa.com/facta" target="_blank">FACTA Identify Red Flags</a> provisions, industry analyst, Ken Herbert, with <a href="http://www.frost.com" target="_blank">Frost &amp; Sullivan</a>, explained what financial institutions or creditors need to know about the upcoming November 1 FACTA deadline and provided some key recommendations for complying with the regulation. In this week's podcast, we'll share some of the questions and answers from this online event. To learn more, watch the <a href="https://www.rsa.com/go/wpt/wpindex.asp?WPID=9401" target="_blank">entire webcast replay</a>.<br /> <br /> <br />Proactive Education: Remedying the 'Strain' of Complianceblog@rsa.com (Will Redfield)http://www.rsa.com/blog/blog_entry.aspx?id=1327Fri, 08 Aug 2008 00:00:00 GMTblog@rsa.com (Will Redfield)http://www.rsa.com/blog/blog_entry.aspx?id=1327A recent <a href="http://www.darkreading.com/document.asp?doc_id=160154">survey</a> confirmed that internal threats continue to grow and to represent a challenge to organizations' security postures. 
It revealed that, in scans of 100,000 PCs and servers in many industries: 12% of infected computers had a missing or disabled anti-virus program, 10.7% had unauthorized personal storage such as USB sticks or external hard drives, 9.1% had unauthorized peer-to-peer (P2P) applications installed, 8.5% had a missing 3rd party desktop agent, 2.6% had unprotected shared folders, 2.2% had unauthorized remote control software, and 2% had missing Microsoft service packs. These results continue to resonate with the conclusions of the <a href="http://www.gocsi.com/forms/csi_survey.jhtml">CSI FBI survey</a> that reported in 2007 that <b>internal threats have now outpaced viruses in terms of risk to organizations...</b> Get in the habit of asking: "Is this your biggest issue?"blog@rsa.com (Paul Stamp)http://www.rsa.com/blog/blog_entry.aspx?id=1325Thu, 07 Aug 2008 00:00:00 GMTblog@rsa.com (Paul Stamp)http://www.rsa.com/blog/blog_entry.aspx?id=1325In previous lives, both as a talking head and implementation guy, I'd get some pretty in-depth questions about subtle security issues -- usually as a result of something someone had read was a "best practice". Sometimes questions were about specific configuration settings for an OS or obscure firewall ports, other times it was a question about some arcane encryption algorithm or key length. Usually, I'd respond by asking, "Is this the biggest issue you have?" <b>Common examples include...</b>What's Hot and What's Not in Europe This Year...blog@rsa.com (Andrew Moloney)http://www.rsa.com/blog/blog_entry.aspx?id=1326Thu, 07 Aug 2008 00:00:00 GMTblog@rsa.com (Andrew Moloney)http://www.rsa.com/blog/blog_entry.aspx?id=1326Europe is a hotbed of cutting-edge fashion. But why am I telling you guys this? You work in the Information Security business -- the kind of business that draws out the fashionista in all of us... 
And I guess that's one of the issues with what, in relative terms, is still a pretty young industry: every "season" we eagerly anticipate the new "line" from the next greatest new discovery. <P> <B>That said, I do think that we're definitely starting to see signs of maturity in the market -- of the emergence of "design classics"...</b>PCI Compliance: Book 'Em!blog@rsa.com (Brad Davenport)http://www.rsa.com/blog/blog_entry.aspx?id=1324Wed, 06 Aug 2008 13:00:00 GMTblog@rsa.com (Brad Davenport)http://www.rsa.com/blog/blog_entry.aspx?id=1324On August 5, 2008, federal law enforcement officials <a href="http://www.boston.com/business/articles/2008/08/06/11_charged_with_massive_id_theft/">announced the indictment</a> of 11 people charged with stealing and selling more than 41 million credit and debit card numbers from nine major US companies. <P> "This is the single largest and most complex identity theft case ever charged in this country," said US Attorney General <a href="http://www.boston.com/business/articles/2008/08/06/11_charged_with_massive_id_theft/">Michael Mukasey</a>. <P> According to officials, the defendants -- three from the United States, one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin -- tapped into wireless networks and installed programs that captured card numbers, passwords and account information. The stolen data was then hidden around the globe and sold for profit. 
<P> <B>This event reflects a growing trend in cyber crime...</b>Speaking of Security Podcast #116blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1323Wed, 06 Aug 2008 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1323<div align="center"><a href="http://www.rsa.com/blog/blog_entry.aspx?id=1323"><img src="http://www.rsa.com/blog/bimgs/080806/august_vid_podcast.png" alt="Click to Play" width="340" height="289"></a></div> <br clear="all" /> <strong>The Importance of Strong Authentication for Business Continuity</strong><P> New <i>Speaking of Security</I> co-host, Amanda VanVeen, meets with Jeff Carpenter, Senior Product Marketing Manager at RSA, to discuss how the latest release of RSA Authentication Manager supports organizations focusing on business continuity. When natural or man-made disasters hit, it's important that employees be able to quickly and easily access network resources, but it's equally important to know just who those new remote workers are.<br><br></p>PCI Compliance? Let's Talk!blog@rsa.com (Brad Davenport)http://www.rsa.com/blog/blog_entry.aspx?id=1322Thu, 31 Jul 2008 17:35:05 GMTblog@rsa.com (Brad Davenport)http://www.rsa.com/blog/blog_entry.aspx?id=1322During a meeting with an RSA customer earlier this week, I was asked a very detailed and pointed question about my interpretation of <a href="http://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.shtml">requirement 3.4</a>. Specifically, the customer was using <a href="http://www.rsa.com/node.aspx?id=1203">encryption</a> to render <a href="http://www.answers.com/topic/primary-account-number-pan">PANs</a> unreadable and wanted to know if their algorithm was indeed classified as "<a href="http://en.wikipedia.org/wiki/Strong_cryptography">strong cryptography</a>." 
Really, the customer was interested in making sure this particular encryption <a href="http://en.wikipedia.org/wiki/Algorithm">algorithm</a> would pass their upcoming PCI audit. While I was happy to voice my opinion, <b>I stressed the critical importance of open and honest communication when it comes to passing an audit and successful PCI compliance in general...</b>"Off the Peg" Authentication can lead to an ill-fitting suitblog@rsa.com (Andrew Moloney)http://www.rsa.com/blog/blog_entry.aspx?id=1321Thu, 31 Jul 2008 00:00:00 GMTblog@rsa.com (Andrew Moloney)http://www.rsa.com/blog/blog_entry.aspx?id=1321I was interested to read in the papers here that the UK's Association of Private Client Investment Managers and Stockbrokers (Apcims) has <a href="http://www.finextra.com/fullstory.asp?id=18774">raised concerns</a> about changes to existing data security measures which are being imposed by the Financial Services Authority (FSA). The FSA is seeking to mandate strong authentication -- using secret questions (you know the kind of thing -- mother's maiden name, date of birth, name of your favourite Spice Girl, etc, etc) -- before brokers can get on with doing business with their clients by phone. This comes a few months after a city firm was hit with a <a href="http://www.finextra.com/fullstory.asp?id=18599">&pound;77k (~$150k) fine</a> for failing to do just that. 
<P><B> Now, ordinarily, forcing mandatory extra authentication like this you'd think is a good idea, and something that should be applauded...</b> At last: security metrics for the massesblog@rsa.com (Paul Stamp)http://www.rsa.com/blog/blog_entry.aspx?id=1320Wed, 30 Jul 2008 00:00:00 GMTblog@rsa.com (Paul Stamp)http://www.rsa.com/blog/blog_entry.aspx?id=1320The folks at NIST have just released a <a href="http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf" target="_blank">Performance Measurement Guide for Information Security</a>, which is a really good guide for creating a metrics program. Luckily, I've been in enough of a procrastinatory mood to give it the once over. My take?Speaking of Security Podcast #115blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1319Mon, 28 Jul 2008 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1319<a href="http://www.rsa.com/blog/blog_entry.aspx?id=1319">Click to Download/Listen</a> (10:36)<br><br />A couple of weeks ago, <a href="http://www.rsa.com/blog/blog_entry.aspx?id=1308">Paul Joyal interviewed RSA&rsquo;s Phil Marshall</a> about <a href="http://rsa.com/press_release.aspx?id=9459" target="_blank">Knowledge-based Authentication</a>, or KBA. 
This week, we present a conversation on the same topic that Phil had with <a href="http://www.javelinstrategy.com/about/team-biographies/tracy-hoover/" target="_blank">Tom Wills</a>, Senior Analyst for Risk, Security &amp; Fraud with <a href="http://www.javelinstrategy.com/" target="_blank">Javelin Strategy and Research</a>.<br /><br /><br />In Security & Compliance, it's all about the 'I'blog@rsa.com (John McDonald)http://www.rsa.com/blog/blog_entry.aspx?id=1317Fri, 25 Jul 2008 00:00:00 GMTblog@rsa.com (John McDonald)http://www.rsa.com/blog/blog_entry.aspx?id=1317Most of us in the security trade work in a group or have a job description that contains (or in some cases, implies) the word 'information' - 'IT Security', 'Information Security', 'Office of the CIO', etc. This naming convention, while a seemingly trivial aspect of our jobs, should really be the primary driver for everything we do. Why? Because virtually everything we do has the ultimate goal of protecting some type of asset that is important to our organization, and that asset is almost always information. This basic truth can be most effectively illustrated by considering what drives the daily requirements of our work - compliance.Addressing Cost Issues in the Ever-Changing World of Complianceblog@rsa.com (Paul Davilman)http://www.rsa.com/blog/blog_entry.aspx?id=1318Fri, 25 Jul 2008 00:00:00 GMTblog@rsa.com (Paul Davilman)http://www.rsa.com/blog/blog_entry.aspx?id=1318We keep hearing from analysts that the cost of compliance should go down each year but unfortunately our customers are telling us the exact opposite. They are continuing to get slammed by new regulations and feel compelled to implement all types of point products & solutions in order to meet immediate needs.The Latest from RSA Labs: The Keys to RFID Privacyblog@rsa.com (Dr. Ari Juels)http://www.rsa.com/blog/blog_entry.aspx?id=1316Fri, 25 Jul 2008 00:00:00 GMTblog@rsa.com (Dr. 
Ari Juels)http://www.rsa.com/blog/blog_entry.aspx?id=1316Data-security vendors sometimes get tall orders from customers. Not unheard of are: &quot;I'd like a good digital signature system... with 20-bit keys&quot; and &quot;I want to use <a href="http://en.wikipedia.org/wiki/One-time_pad" target="_blank">one-time pads</a> for encryption... and I need to compress them.&quot; But one of the most challenging I've heard was recently offered up by colleagues in the RFID (Radio-Frequency IDentification) industry.The End of Neosploit? blog@rsa.com (RSA FraudAction Research Labs)http://www.rsa.com/blog/blog_entry.aspx?id=1314Thu, 24 Jul 2008 00:00:00 GMTblog@rsa.com (RSA FraudAction Research Labs)http://www.rsa.com/blog/blog_entry.aspx?id=1314The first and most important thing when trying to grow a pool of malware-infected PCs is the infection stage. The goal is to infect as many users as possible, as quickly as possible -- and remain undetected for as long as possible. <P> Neosploit is a brand that could be relied upon to solve that problem rather well. Designed to ease the infection stage, Neosploit is an infection kit which exploits numerous system vulnerabilities and infects PCs worldwide with any type of malware. Neosploit checks "candidate" PCs in order to find vulnerabilities, and once these are found, the PC will be infected with the malware of the criminal's choice. <P><b> However, <a href="http://www.rsa.com/blog/blog.aspx?author=RSAF">the RSA FraudAction Research Labs</a> recently received information indicating that we may soon see the last of this "Neosploitation".</b>Is More Regulation Always the Way to Go?blog@rsa.com (Andrew Moloney)http://www.rsa.com/blog/blog_entry.aspx?id=1315Thu, 24 Jul 2008 00:00:00 GMTblog@rsa.com (Andrew Moloney)http://www.rsa.com/blog/blog_entry.aspx?id=1315Over in the US, Senator Obama has recently been talking about his <a href="http://www.technewsworld.com/story/63842.html">stance on Cyber terrorism</a>. 
While there were many interesting points in his proposals, I wanted to home in on his comments regarding the protection of national infrastructure. You don't need to be a technological genius to have figured out that computers pretty much run every aspect of our daily lives these days -- transportation networks, utilities, broadcast information... you name it. <b>It's fair to say, then, that if you could find a way of compromising those computers you could really mess up everyone's day.</b>... We're Web 2.0 Crazy Here At RSAblog@rsa.com (Paul Stamp)http://www.rsa.com/blog/blog_entry.aspx?id=1310Thu, 24 Jul 2008 00:00:00 GMTblog@rsa.com (Paul Stamp)http://www.rsa.com/blog/blog_entry.aspx?id=1310Notwithstanding the fine bloggery that goes on at this site (excluding yours truly of course), there's a bunch of splendid social computing activity going on here at RSA. There's no better example of this than the RSA enVision Intelligence Community. <P> The Intelligence Community is an online community of RSA enVision customers, partners, systems engineers and product managers. It's getting quite a lot of use too, with interesting new posts around feature requests, tips and tricks and product announcements appearing every day. <b>I was just trawling through it this morning, and I thought I'd pull out a few highlights...</b> The Long Road Towards an ISO 27001 "Tipping Point" (and a true Reader's Poll!)blog@rsa.com (Dave Howell)http://www.rsa.com/blog/blog_entry.aspx?id=1313Tue, 22 Jul 2008 00:00:00 GMTblog@rsa.com (Dave Howell)http://www.rsa.com/blog/blog_entry.aspx?id=1313So, in conversations with customers of late, I've observed a steady increase in talk of plans to soon adopt <a href="http://en.wikipedia.org/wiki/ISO/IEC_27002">ISO 27002</a>, or active work to get the standard implemented in some fashion. 
This isn't necessarily surprising, particularly when you're talking with highly regulated companies or those more apt to understand information risk management, overall (e.g., those in banking, insurance and utilities, or more recently, thanks to <a href="https://www.pcisecuritystandards.org/">PCI DSS</a>, retail). Because, as I suspect most would agree (and speak up if you don't!), 27002 provides an incredibly broad and deep view into the types of security controls an organization should at least consider when building a security and information risk management program. <P> <b>What has certainly come as more of a surprise, though, is...</b>Speaking of Security Podcast #114blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1312Mon, 21 Jul 2008 17:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1312<a href="http://www.rsa.com/blog/blog_entry.aspx?id=1312">Click to Download/Listen</a> (05:51)<br> <br /> New co-host Amanda Van Veen interviews Linda Lynch, RSA&reg; Conference Europe Manager, about this year's Conference in October. Learn about the early bird registration special as well as other helpful travel hints and session highlights. Register today: <a href="http://www.rsaconference.com/2008/Europe" target="_blank">www.rsaconference.com/2008/europe</a>.<br /><br />Reader Poll: Do you think ISO?blog@rsa.com (Dave Howell)http://www.rsa.com/blog/blog_entry.aspx?id=1311Mon, 21 Jul 2008 00:00:00 GMTblog@rsa.com (Dave Howell)http://www.rsa.com/blog/blog_entry.aspx?id=1311A couple of weeks ago I posted on the topic of "<a href="http://www.rsa.com/blog/blog_entry.aspx?id=1295">defining compliance</a>." One of the suggestions raised was that businesses that identify a common control framework, or combination of frameworks, may have an opportunity to significantly reduce costs and redundancies associated with their compliance program. 
The idea is that rather than approaching each requirement in a silo, and therefore attacking each related security requirement in isolation, it would be better to <B>ensure that the organization is looking more horizontally at the types of security controls that must be enacted in the context of <u>all</u> the requirements that must be met...</b>A new version?blog@rsa.com (Brad Davenport)http://www.rsa.com/blog/blog_entry.aspx?id=1309Thu, 17 Jul 2008 00:00:00 GMTblog@rsa.com (Brad Davenport)http://www.rsa.com/blog/blog_entry.aspx?id=1309Yes folks, the PCI DSS's first major update since version 1.1 was <a href="http://www.pcisecuritystandards.org/pdfs/09-07-06.pdf" target=_blank>announced in September 2006</a> is on the horizon. <a href="http://www.pcisecuritystandards.org/pdfs/05-14-08.pdf" target=_blank>Unveiled in May</a> by the PCI Security Standards Council, the new version, called 1.2, is due out in October. <B>Over the past few weeks, I've received a myriad of inquiries from merchants and figured this would be a good forum to share some of them...</b>SIEM - anyone got a better name?blog@rsa.com (Paul Stamp)http://www.rsa.com/blog/blog_entry.aspx?id=1307Tue, 15 Jul 2008 12:30:30 GMTblog@rsa.com (Paul Stamp)http://www.rsa.com/blog/blog_entry.aspx?id=1307So this one's been digging away at me for a while. I just think that the term "Security Information and Event Management" doesn't do the space justice. I'm not talking about the "information" vs "event" debate -- it's the "Security" part of it that I have a bit of a problem with. Log management doesn't really capture the essence of it either, as Greg Shipley pointed out in his recent <a href="http://www.networkworld.com/reviews/2008/063008-test-siem-log-integration.html?page=1">Network World article</a>, especially since we're dealing with all sorts of asset and vulnerability information too. 
<B>For a start, labeling these tools solely as security tools sets expectations about what these tools are best at.</b>...A Single Europe for Data Protection?blog@rsa.com (Andrew Moloney)http://www.rsa.com/blog/blog_entry.aspx?id=1306Tue, 15 Jul 2008 00:00:00 GMTblog@rsa.com (Andrew Moloney)http://www.rsa.com/blog/blog_entry.aspx?id=1306Last Friday I spent the morning in the company of a lawyer from a top international law firm. Once we'd marvelled that the sun had finally deemed to make an appearance over the grey skies of London, our conversation turned to the rather weightier subject of data privacy. We've been doing a lot of work around using ISO27002 as a framework best practice in developing and deploying a robust information security strategy. As part of that work, I and my "Evangelist" colleagues have taken a stab at mapping various regulations against this "gold standard" in order to help customers understand where overlaps, or indeed gaps, may occur between these various regs...Speaking of Security Podcast #113blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1308Mon, 14 Jul 2008 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1308<a href="http://www.rsa.com/blog/blog_entry.aspx?id=1308">Click to Download/Listen</a> (11:11)<br> <br /> With users wanting more real-time, self-service options, many organizations have migrated their services to remote channels including the Internet or Call Centers but these services and benefits come with added risks of fraud and identity theft.&nbsp; <a href="http://rsa.com/press_release.aspx?id=9459" target="_blank">Knowledge-based authentication</a> (KBA) offers customers the opportunity to benefit from remote interactions with stronger security as well as the added convenience of real-time authentication.&nbsp;Learn more in this week's podcast. 
In other news, we bid a fond farewell to co-host Matt Buckley.<br /><br />Virtualization and Authenticationblog@rsa.com (Sean Kline)http://www.rsa.com/blog/blog_entry.aspx?id=1305Tue, 08 Jul 2008 00:00:00 GMTblog@rsa.com (Sean Kline)http://www.rsa.com/blog/blog_entry.aspx?id=1305Virtualization is one of the most hyped technologies in Information Technology today -- and rightly so. It offers the potential to improve utilization, lower cost of ownership of computers, enhance productivity, ease compliance, increase reliability and potentially improve security. Let's explore the last claim. <B>Without a doubt, there is an impact of virtualization on security, and in particular authentication...</b>Speaking of Security Podcast #112blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1299Mon, 07 Jul 2008 15:08:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1299<div align="center"><a href="http://www.rsa.com/blog/blog_entry.aspx?id=1299"><img src="http://www.rsa.com/blog/bimgs/080707/july_vid_podcast.png" alt="Click to Play" width="340" height="289"></a></div> <br clear="all" /> <strong>Art Coviello Keynote at EMC World</strong><P> Art Coviello tells a cautionary tale of the future of security and its impact on business innovation at this year's EMC World. 
Hear how to avoid the perfect storm by integrating security into the platform and using information risk management strategies.</p>Timing is Everything...blog@rsa.com (Andrew Moloney)http://www.rsa.com/blog/blog_entry.aspx?id=1304Mon, 07 Jul 2008 00:00:00 GMTblog@rsa.com (Andrew Moloney)http://www.rsa.com/blog/blog_entry.aspx?id=1304I don't want to spend all my time on this blog <a href="http://www.rsa.com/blog/blog_entry.aspx?id=1302">talking about HMRC</a> (otherwise referred to in the UK as "the taxman"), but a colleague just forwarded me a phishing email he'd just received purporting to be from them, asking him to resubmit his personal details as a "new security measure" While in itself there's nothing particularly big or clever about this attack, it's interesting in that it illustrates a couple of key things. <b>Firstly, that sometimes in order for an attack to be successful, timing is everything...</b>More RSA Compliance Solutions Bloggersblog@rsa.com (Speaking of Security Blog Editor)http://www.rsa.com/blog/blog_entry.aspx?id=1303Thu, 03 Jul 2008 19:30:00 GMTblog@rsa.com (Speaking of Security Blog Editor)http://www.rsa.com/blog/blog_entry.aspx?id=1303Please join us in welcoming a two more RSA Bloggers. The RSA Compliance Solutions team (which already includes <a href="http://www.rsa.com/blog/blog.aspx?author=Howell">Dave Howell</a> and <a href="http://www.rsa.com/blog/blog.aspx?author=davenport">Brad Davenport</a>) has been joined by <a href="http://www.rsa.com/blog/blog.aspx?author=moloney">Andrew Maloney</a> and <a href="http://www.rsa.com/blog/blog.aspx?author=mcdonald">John McDonald</a>. 
<P> Please take advantage of the comments field to get answers to your compliance-related security queries!Why I welcome the Hannigan Reportblog@rsa.com (Andrew Moloney)http://www.rsa.com/blog/blog_entry.aspx?id=1302Thu, 03 Jul 2008 18:00:00 GMTblog@rsa.com (Andrew Moloney)http://www.rsa.com/blog/blog_entry.aspx?id=1302As an RSA 'Evangelist' with pan-EMEA responsibilities, I obviously take a special interest in what's happening in the information security world that pertains to this region. Last week saw the publication in the UK of the long-awaited <a href="http://www.cabinetoffice.gov.uk/~/media/assets/www.cabinetoffice.gov.uk/csia/dhr/dhr080625%20pdf.ashx" target=_blank>Hannigan Report</a> -- detailing the steps that UK Government departments have taken -- and are expected to take -- to mitigate recent data leakage events which have occurred, most notably in the instance of <a href="http://news.bbc.co.uk/2/hi/uk_news/politics/7104368.stm" target=_blank>HMRC</a>. <P> It's a cracking read and one I'd recommend to all insomniacs with an penchant for such topics, but <b>I have to say, I'm actually pretty encouraged by what I read...</b> Correlation is no silver bulletblog@rsa.com (Paul Stamp )http://www.rsa.com/blog/blog_entry.aspx?id=1301Thu, 03 Jul 2008 17:26:29 GMTblog@rsa.com (Paul Stamp )http://www.rsa.com/blog/blog_entry.aspx?id=1301I talk to a lot of security folks about SIEM and log management, and quite often the conversation turns to event correlation. You can spot the people who've never bought a SIEM product, because they start by saying, "Well, I want to know whenever 'x' happens, and then 'y' happens soon after". Admittedly, the situation they cite is a usually real one, and granted, if you do see 'x' and 'y' happening in reasonably quick succession then, chances are, you have a problem. But it's usually not their biggest problem -- in fact, far from it. 
<B>My favorite is "the guy swiping his badge in Tokyo and then logging on in New York", which I hear time and time again... </B>Finished? Where should I start?blog@rsa.com (Brad Davenport)http://www.rsa.com/blog/blog_entry.aspx?id=1300Tue, 01 Jul 2008 00:00:00 GMTblog@rsa.com (Brad Davenport)http://www.rsa.com/blog/blog_entry.aspx?id=1300Many of the merchants I speak with are sharply focused on addressing specific PCI security requirements. While implementing the controls needed to meet the requirements is absolutely critical, I can't stress enough the importance of taking time to aim before firing. <P> It's no secret that PCI compliance is focused on securing cardholder data and infrastructure. Simply put, you can't secure what you don't manage and you can't manage what you don't know about. Before you go looking for all instances of cardholder data, you must be prepared to find more than expected.<P> Most merchants are aware of the cardholder data in their database(s). But what about payment applications or payment portals that temporarily store the data? <B>Or customer service reps e-mailing credit card information to confirm or dispute an order?...</b>Speaking of Security Podcast #111blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1298Mon, 30 Jun 2008 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1298<a href="http://www.rsa.com/blog/blog_entry.aspx?id=1298">Click to Download/Listen</a> (07:04)<br> <br clear="all" /> The fear of data leakage through loss, theft or careless use of USB flash drives is rising dramatically throughout the enterprise. 
This week we discuss the problem and potential solutions with Dror Todress, Senior Manager, Marketing, for <a href="http://www.sandisk.com/enterprise/" target="_blank">SanDisk Corporation&rsquo;s Enterprise Division</a>, an <a href="http://www.rsa.com/rsasecured/product.asp?id=1668">RSA Secured Partner</a>.<br /><br />The SIEM and the SOC -- what's useful and what's not?blog@rsa.com (Paul Stamp)http://www.rsa.com/blog/blog_entry.aspx?id=1297Thu, 26 Jun 2008 00:00:00 GMTblog@rsa.com (Paul Stamp)http://www.rsa.com/blog/blog_entry.aspx?id=1297So earlier this year, again in my past life as an analyst, I spoke to a bunch of users, vendors and experts hoping to get some best practices about creating a Security Operations Center (SOC). For Forrester customers, I published my findings <a href="http://www.forrester.com/Research/Document/0,7211,45399,00.html">here</a>. <P> To be honest, I originally came at this piece of research as a way to define what the place of a SIEM product in a SOC, so I diligently asked everyone I interviewed what technologies they thought were central to a security operations function. The answers I got were pretty unexpected, and normally started with the phrase "Technology? Oh that's an afterthought." <P> <B>When we think of a SOC, we often have this picture of a big room, full of people in rows staring at a big screen up front, with monitors in front of them...</b>Defining "Compliance"blog@rsa.com (Dave Howell)http://www.rsa.com/blog/blog_entry.aspx?id=1295Wed, 25 Jun 2008 00:00:00 GMTblog@rsa.com (Dave Howell)http://www.rsa.com/blog/blog_entry.aspx?id=1295As part of the RSA Compliance Solutions team I meet with companies all over the world to discuss their security challenges and priorities. Inevitably I spend much of my time discussing ... you guessed it ... compliance. <P> It is eye-opening to see how differently our customers and partners, as well as folks within RSA, define compliance. 
From what I've seen, most will immediately gravitate towards the notion of meeting the stated or implied security requirements within governmental mandates, such as Sarbanes-Oxley (http://www.rsa.com/glossary/default.asp?id=1047) and HIPAA (http://www.rsa.com/glossary/default.asp?id=1024). In addition, "compliance" certainly conjures up images of the PCI Data Security Standard (http://www.rsa.com/glossary/default.asp?id=1093), which isn't surprising considering how many organizations these requirements impact. What we don't tend to see initially is a broader view of compliance...

New RSA Compliance Solutions Bloggers
Posted by Speaking of Security Blog Editor on Wed, 25 Jun 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1296

Please join us in welcoming a new set of RSA Bloggers. The RSA Compliance Solutions team--including Dave Howell (http://www.rsa.com/blog/blog.aspx?author=Howell) and Brad Davenport (http://www.rsa.com/blog/blog.aspx?author=davenport)--will be penning a set of blog entries for "Speaking of Security" around the theme of Simplified Compliance. Please take advantage of the comments field to get answers to your compliance-related security queries!

The "E" word
Posted by Brad Davenport on Tue, 24 Jun 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1294

I met with a merchant this morning to talk PCI compliance. Like many of the conversations I've had with merchants, things got a bit more interesting when the discussion focused on cardholder data protection. They joked that the new rev of the PCI Standard, version 1.2 (https://www.pcisecuritystandards.org/pdfs/05-14-08.pdf) -- due out in October -- would eliminate the data protection requirements.
All joking aside, the truth is that data protection isn't going anywhere when it comes to the PCI DSS. While there are other alternatives, such as hashed indexes, truncation and...

Speaking of Security Podcast #110
Posted by Podcast Producers on Mon, 23 Jun 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1293

Click to Download/Listen (12:39) at http://www.rsa.com/blog/blog_entry.aspx?id=1293

Both Gartner (http://rsa.com/press_release.aspx?id=9448) and Forrester (http://www.rsa.com/blog/blog_entry.aspx?id=1289), two of the leading independent technology and market research firms, recently evaluated data loss prevention (or DLP) vendors in their annual reports on this market. RSA's Data Loss Prevention Suite (http://rsa.com/node.aspx?id=3426) was named as a leader by both of these firms. Paul Joyal talks about these reports with Tom Corn, Vice President of Products for RSA's Data Security Group. And we continue with another giveaway for Podcast Listener Appreciation Month for all responders to our Authentication Poll (http://www.zipsurvey.com/LaunchSurvey.aspx?suid=30142&key=C8500AE4)! Listen to this week's podcast for the secret word!

Musings of a former analyst
Posted by Paul Stamp on Thu, 19 Jun 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1292

Morning all. Welcome to my new blog, where I'll be musing upon the weird and occasionally fascinating world of security information and event management (SIEM). Before we start, though, people might have a few questions that I'll try to answer right now.
Didn't you used to be an analyst? Yep, I used to cover the SIEM space for Forrester, as well as a bunch of data security and architecture topics. However, all good things must come to an end - I was certainly approaching the end of my shelf life in that world. It was a privilege, though, as I got to spend a huge amount of time talking to people about their security priorities and looking at how that translated into requirements for new tools and ways of doing things. Now I get to help turn these conversations and ideas into something tangible...

Speaking of Security Podcast #109
Posted by Podcast Producers on Mon, 16 Jun 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1291

Click to Download/Listen (05:48) at http://www.rsa.com/blog/blog_entry.aspx?id=1291

Last week's headline: "RSA, The Security Division of EMC, Expands Identity Assurance Portfolio with Flexible Card-Shaped Authenticator to Provide Convenient Online Security" (http://rsa.com/press_release.aspx?id=9425) is the topic of this week's interview with RSA's Rachael Stockton. And we continue with another giveaway for Podcast Listener Appreciation Month for all responders to our Authentication Poll (http://www.zipsurvey.com/LaunchSurvey.aspx?suid=30142&key=C8500AE4)! Listen to this week's podcast for the secret word!

Speaking of Security Podcast #108
Posted by Podcast Producers on Mon, 09 Jun 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1290

Click to Download/Listen (08:24) at http://www.rsa.com/blog/blog_entry.aspx?id=1290

We continue June with another giveaway for Podcast Listener Appreciation Month! Listen all month long for chances
to WIN fabulous prizes... Details are in the podcast for this week's contest. In this episode, Matt Buckley interviews one of our new Speaking of Security Bloggers, Paul Stamp, formerly of Forrester Research, who is now a Senior Manager, Product Marketing, in RSA's Information and Event Management Group (http://rsa.com/node.aspx?id=3182). Speaking of SIEM, RSA is positioned in the Leaders quadrant within Gartner's Q1 2008 Magic Quadrant for SIEM (http://rsa.com/press_release.aspx?id=9388).

RSA DLP Suite Riding the Forrester Wave™
Posted by Katie Curtin-Mestre on Fri, 06 Jun 2008 17:22:32 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1289

So the weekend is approaching and you decide to go to the movies. If you are like me, you probably check your trusted source for movie reviews and then think twice about going if the review is less than favorable. In the IT industry, the opinions of Forrester and other lead analysts carry even greater weight in the eyes of customers than Siskel and Ebert in their heyday. So, we are very pleased indeed to see the June 2008 Forrester Wave™: Data Leak Prevention, Q2 2008, which cited RSA as a leader in the Data Loss Prevention (DLP) product category with our RSA DLP Suite. Some highlights from the report include...

What does 'PCI Compliance' Really Mean?
Posted by Brad Davenport on Fri, 06 Jun 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1288

I've just returned from EMC's annual user conference, EMC World (http://www.emcworld2008.com/). The attendance at the PCI sessions and the related discussion between many of the 9,000 customers and partners in attendance really underscored the progress that's being made with respect to cardholder data security.
One of the issues that came up in nearly every conversation I had, in some form or another, was: "What does PCI compliance really mean?" This question brings up two very important concepts...

Speaking of Security Podcast #107
Posted by Podcast Producers on Mon, 02 Jun 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1287

Click to Download/Listen (08:24) at http://www.rsa.com/blog/blog_entry.aspx?id=1287

June is Podcast Listener Appreciation Month! Listen all month long for chances to WIN fabulous prizes... Details are in the podcast for this week's contest. This episode also includes an encryption Q&A with Rich Mogull, founder of Securosis.com (http://www.securosis.com) and formerly of Gartner. Earlier this week he presented "How Encryption and Key Management Solutions Fit into an Overall Information Risk Management Strategy" during part 1 of a 2-part RSA web seminar series on encryption. Watch the full replay here (https://www.livemeeting.com/cc/emc/view?id=Event_W_DSG_Encryption-1_Q208&role=attend&pw=jht3AN2633z&fmt=lmm&cn=blog) and/or sign up for next week's part 2 here (http://info.rsasecurity.com/2008Am/webcast/080603DSS/online_RSAweb.html).

Password Expiration: Like Margarine and Water?
Posted by Dr. Ari Juels on Thu, 29 May 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1286

We often swallow ideas that we needn't or shouldn't. Take the onetime urging of nutritionists to substitute margarine for butter in the cause of cardiovascular health.
When this advice was first circulating, most margarines contained high quantities of trans fats, concoctions that have turned out to be so harmful - to the heart, among other things - that they are now banned in restaurants in NYC. Similar dogma applies to the advice to drink eight eight-ounce glasses of water a day for overall good health. Everyone knows the advice. But no one seems to know where the 8x8 rule comes from or if it is good or bad. So what pieces of conventional wisdom in computer security are like margarine and the 8x8 water doctrine? I'd hold forth password expiration as a prime candidate.

Speaking of Security Podcast #106
Posted by Podcast Producers on Mon, 26 May 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1285

Click to Download/Listen (07:13) at http://www.rsa.com/blog/blog_entry.aspx?id=1285

Paul Joyal interviews RSA's Rachael Stockton and Phil Darringer about how the RSA SecurID software token for BlackBerry and other mobile and portable devices can be used to authenticate to network and online resources.
For more information on this technology, visit www.rsa.com (http://www.rsa.com/node.aspx?id=1165) and/or download our solution brief (http://www.rsa.com/rsasecured/guides/solutions/RIM_Tech_Partner_Brief.pdf), "RSA SecurID® Authentication Solutions for BlackBerry® Devices."

Key Congressional Committee Strongly Criticizes Efforts to Mitigate Electric Grid Cyber Security Vulnerabilities
Posted by Shannon Kellogg on Wed, 21 May 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1284

Today's hearing on the security of the United States' critical infrastructure was as spirited a Congressional hearing on cyber security issues as I have seen during my career, and it's clear that key Members of Congress from both political parties are running out of patience and want to see cyber vulnerabilities taken more seriously immediately, in the bulk power industry in particular. In a scathing opening statement (http://homeland.house.gov/SiteDocuments/20080521141114-85913.pdf), U.S. Representative Jim Langevin (D-RI), Chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science & Technology (http://hsc.house.gov/about/subcommittees.asp?subcommittee=12), said: "I think we could search far and wide and not find a more disorganized, ineffective response to an issue of national security."...
Speaking of Security Podcast #105
Posted by Podcast Producers on Tue, 20 May 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1283

Click to Play (video) at http://www.rsa.com/blog/blog_entry.aspx?id=1283

A Framework-Based Approach to Regulatory Compliance

In Speaking of Security's 105th security podcast we talk to Dave Howell, Senior Manager Solutions Marketing, about how organizations are turning to a framework-based approach to manage ever-expanding and overlapping regulatory requirements.

UK's Information Commissioner gets expanded powers in Criminal Justice and Immigration Act -- will be able to impose steep fines on organizations
Posted by Shannon Kellogg on Thu, 15 May 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1282

The United Kingdom's Information Commissioner's Office (http://www.ico.gov.uk/) received new authority to levy fines on organizations that "deliberately" or "recklessly" violate the U.K.'s "Data Protection Act", or DPA, of 1998. In a little-noticed amendment (http://www.publications.parliament.uk/pa/ld200708/ldbills/054/2008054.1-7.html) to the Criminal Justice and Immigration Act of 2008, the 1998 DPA was updated to enable the Information Commissioner to impose serious fines on organizations. This change in the UK's data protection law was spurred by a string of high-profile breaches of personally-identifiable information in the U.K.
over the last year, including the large-scale data breach at Her Majesty's Revenue and Customs agency...

Follow-up on RSA Conference
Posted by Sean Kline on Tue, 13 May 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1281

It was another great RSA Conference (http://www.rsaconference.com/) this year, with interesting workshops, great exhibitor activity, informative sessions and lots of time to network with customers, partners and fellow employees. My flight was cancelled on Sunday, so I missed the Concordia Workshop (http://www.projectconcordia.org/index.php/Concordia_workshop_RSA_2008_notes) on Monday, but the Liberty Alliance Workshop (http://projectliberty.org/news_events/events/workshop_identity_federation_web_services_happening_today_enabling_tomorrow) was very interesting. Geisinger Health System (http://www.geisinger.org/) had a very nice presentation on how they are using federation to provide improved information to health care providers to improve patient care, particularly in emergency room visits. RSA also made a number of exciting announcements (http://www.rsa.com/press_release.aspx?id=9300)...

Speaking of Security Podcast #104
Posted by Podcast Producers on Mon, 12 May 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1280

Click to Listen/Download (10:14) at http://www.rsa.com/blog/blog_entry.aspx?id=1280

Paul Joyal interviews the President of Corporate Integrity, Michael Rasmussen (http://www.corp-integrity.com/about/bio_michael_rasmussen.html), about "Developing a Sustainable and Cost Effective IT Compliance Program." For the companion white paper, click here: https://www.rsa.com/go/wpt/wpindex.asp?WPID=9338
Other RSA resources on this approach can be found at www.rsa.com/compliance (https://www.rsa.com/compliance).

Speaking of Security Podcast #103
Posted by Podcast Producers on Mon, 05 May 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1279

Click to Play (video) at http://www.rsa.com/blog/blog_entry.aspx?id=1279

EMC PowerPath Encryption with RSA

Happy Cinco de Mayo and welcome to the latest Speaking of Security video podcast. Today host Paul Joyal speaks with Colin Bailey of EMC and Katie Curtin-Mestre of RSA, The Security Division of EMC, about this new scalable solution that leverages RSA Key Manager for the Datacenter.

Is it safer to fly or drive? (and why you can't do one without the other)
Posted by Kevin Bowers on Thu, 01 May 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1278

Kevin Bowers is a Research Scientist at RSA Laboratories. Here are his views on the controversy surrounding REAL ID. What do you think?

I'm getting married this summer and my family will be traveling to the wedding. In order to make the trip, my parents recently renewed their passports. Not because I'm getting married at an exotic destination, but because they live in Montana and have to fly to the wedding. Like several other states, Montana has refused to comply with the requirements of the REAL ID Act of 2005. The Department of Homeland Security (DHS) had threatened to prevent residents from those states from using their state-issued driver's licenses as identification at airport security, effective May 11th.
As it happens, the DHS recently granted all states an extension to the May 11th deadline, allowing them additional time to become REAL ID compliant.

Speaking of Security Podcast #102
Posted by Podcast Producers on Mon, 28 Apr 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1277

Click to listen or download (6:39) at http://www.rsa.com/blog/blog_entry.aspx?id=1277

Paul Joyal interviews RSA's Paul Davilman on "What is Sarbanes-Oxley & How is it Applicable to IT Security?" For additional information on SOX and IT Security, read more here: http://rsa.com/node.aspx?id=3192

U.S. Congress should pass cyber-crime legislation this year -- when will the House of Representatives finally act?
Posted by Shannon Kellogg on Wed, 23 Apr 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1276

As I mentioned in a blog post (http://www.rsa.com/blog/blog_entry.aspx?id=1236) in late October 2007, the IT industry and other stakeholders have been calling for the U.S. Congress to pass legislation that would help empower law enforcement to more effectively investigate and prosecute cyber criminals -- while updating penalties in U.S. criminal code so that the punishment fits the crime.
It's stunning to me that the Congress has not yet sent legislation to the President for his signature to address this important issue...

Speaking of Security Podcast #101
Posted by Podcast Producers on Tue, 22 Apr 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1275

Click here to download/listen (11:23): http://rsa.edgeboss.net/download/rsa/2008/blogpodcasts/080421_security_podcast.mp3

In a recent RSA Web Seminar, Juniper Networks' Smitha Murthy (http://www.rsa.com/node.aspx?id=3458) and RSA's John Masotta (http://www.rsa.com/node.aspx?id=2994) discussed the benefits of an SSL VPN and how best to secure its access with strong authentication. Hear a snippet in this week's podcast or check out the entire replay of the event (https://www.rsa.com/go/wpt/wpindex.asp?WPID=9273).

Older and wiser
Posted by Uriel Maimon on Mon, 21 Apr 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1274

Today (the date I'm writing this entry) is my birthday. Birthdays are a time of quiet contemplation for me (and quiet desperation for my mother). As I think about the past year and the progress I've made (things are looking good for my long-term goal of spending my old age miserable and alone), I keep thinking of change and how people and things advance. The past year has shown much progress. Women have rejected me, technology products have been launched, iPhones were purchased and even the world of financial crime has not been silent.
The Rock Phish group is a phishing gang believed to be based out of Russia -- and, by some accounts, is responsible for roughly 50% of phishing attacks by volume...

RSA Conference 2008 - A Week to Remember
Posted by Shannon Kellogg on Thu, 17 Apr 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1273

I have been attending RSA Conferences since early this decade. The U.S. version of the Conference has been around since 1991 and it's grown from 50 attendees (all cryptologists) to around 17,000 participants annually from the private and public sectors including security professionals, business executives, lawyers, academics, privacy advocates, regulators, and journalists. For the first-time attendee it can be absolutely overwhelming because there are so many speakers, so many issues, so many events during the week, and if you go to the show floor, literally hundreds of organizations showing their wares.

Well, being a veteran RSA Conference attendee, I thought I was ready for another busy but ultimately manageable week despite the multiple commitments and responsibilities that I had to balance. Well, that theory was turned on its head, starting on Sunday...

Speaking of Security Podcast #100!
Posted by Podcast Producers on Wed, 16 Apr 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1272

Click to Play (video) at http://www.rsa.com/blog/blog_entry.aspx?id=1272

The Challenges of Identity Assurance with Marc Gaffan

In Speaking of Security's blockbuster 100th security podcast we talk to Marc Gaffan, Director Product Marketing, about Identity Assurance and its importance to enterprise-level security and compliance.
Your Suggestions to Transform Security from a Roadblock to a Catalyst for Business Innovation
Posted by Blog Editor on Wed, 09 Apr 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1271

Yesterday at the RSA Conference Art Coviello addressed how security fears have stifled innovation at organizations large and small around the world. IDG Research reports that 80 percent of IT, security, and business executives surveyed admit that their organizations have shied away from business innovation opportunities because of information security concerns.

RSA is committed to countering this trend by starting an industry-wide conversation about smart ways to manage information risk. As we mentioned in yesterday's blog posting, we were able to pick the brains of 10 top security executives from global enterprises in a variety of industries and get THEIR suggestions. But we'd like to hear from you...

Secretary Michael Chertoff, Department of Homeland Security to Speak at RSA Conference Today
Posted by Blog Editors on Tue, 08 Apr 2008 08:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1269

His keynote will begin at 11:30 AM. Let us know if you're going to be there and leave us your impressions.

Art Coviello on "Thinking Security"
Posted by Blog Editor on Tue, 08 Apr 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1270

This morning Art Coviello, Executive Vice President, EMC Corporation and President, RSA, The Security Division of EMC, gave his yearly keynote at the RSA Conference in San Francisco. Art uses this venue each year to present a "state of the industry"--reviewing major security developments--and to share his ideas on where security is going in the coming year.
Here is a transcript of the talk: http://www.rsa.com/innovation/docs/coviellokeynote2008.pdf

It's a good read, with a lot of interesting insights...

Speaking of Security Podcast #99
Posted by Podcast Producers on Mon, 31 Mar 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1268

Click here to download/listen (11:15): http://rsa.edgeboss.net/download/rsa/2008/blogpodcasts/080331_security_podcast.mp3

Part 2: Paul Joyal speaks with award-winning USA Today journalists Byron Acohido (http://content.usatoday.com/community/tags/reporter.aspx?id=88) and Jon Swartz (http://content.usatoday.com/community/tags/reporter.aspx?id=321). They are the co-authors of Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity, which is scheduled for an April 2008 release. Byron and Jon talk about the inspiration for their book and more in part two of this two-part interview. See Byron, Jon and Paul next week at the RSA® Conference 2008 (http://www.rsaconference.com/2008/US/home.aspx); registrations are still being accepted!

The New Wave In Virtual Private Network Authentication
Posted by Sean Kline on Fri, 28 Mar 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1267

While RSA, The Security Division of EMC has evolved into a broad organization focusing on Information-Centric Security through Information Risk Management, securing Virtual Private Networks (VPNs) is still a significant portion of our business. The main use case for RSA SecurID, in its various forms, continues to be supporting the needs of the mobile workforce.
As organizations mature, they are now extending beyond the VPN power user to additional (and often very large) populations...

Speaking of Security Podcast #98
Posted by Podcast Producers on Mon, 24 Mar 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1266

Click here to download/listen (10:35): http://rsa.edgeboss.net/download/rsa/2008/blogpodcasts/080324_security_podcast.mp3

Part 1: Paul Joyal speaks with award-winning USA Today journalists Byron Acohido and Jon Swartz. They are the co-authors of Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity, which is scheduled for an April 2008 release. Byron and Jon talk about the inspiration for their book, the state of cybercrime, and more in part one of this two-part interview. Tune in next week for part two!

Bush Administration to set up national cyber security center; taps Silicon Valley entrepreneur to lead the group
Posted by Shannon Kellogg on Thu, 20 Mar 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1265

Another announcement related to the Bush Administration's Cyber Security Initiative is expected in the next day or so and it is likely that an entrepreneur from Silicon Valley will head a new interagency group that will coordinate cyber defenses across the federal government. As reported today by Brian Krebs of the Washington Post, "...Sources in the government contracting community said that the White House is expected to announce as early as today the selection of Rod A. Beckstrom as a top level adviser to be based in the Department of Homeland Security."

View Krebs' entire article: http://www.washingtonpost.com/wp-dyn/content/article/2008/03/19/AR2008031903354.html?wpisrc=newsletter
The Bush Administration has been ratcheting up its focus on information security over the past year, but is starting to roll out its cyber security initiative...

Speaking of Security Podcast #97
Posted by Podcast Producers on Mon, 17 Mar 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1264

Click here to download/listen (04:13): http://rsa.edgeboss.net/download/rsa/2008/blogpodcasts/080317_security_podcast.mp3

Tim Mather, Chief Security Strategist for RSA Conferences, talks about the role of the Chief Security Officer and how that role might evolve in the years to come. RSA® Conference 2008 (http://www.rsaconference.com/2008/US/home.aspx) is where you can hear more from leading information security professionals at the world's largest industry conference and expo when it comes to San Francisco, CA, April 7-11. For a free RSA Conference 2008 Expo Pass, courtesy of RSA, The Security Division of EMC, email podcast@rsa.com with your request before April 4 and we'll send you a special registration code.

Speaking of Security Podcast #96
Posted by Podcast Producers on Mon, 10 Mar 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1263

Click here to download/listen (06:01): http://rsa.edgeboss.net/download/rsa/2008/blogpodcasts/080310_security_podcast.mp3

What's the Buzz? RSA® Conference 2008 (http://www.rsaconference.com/2008/US/home.aspx) is the world's largest information security industry conference and expo and it comes to San Francisco, CA, April 7-11. Paul Joyal talks to Sandra Toms LaPedis, Area Vice President and General Manager of RSA Conferences, about what makes this event so special and what's new for this year's attendees.
AND for a free RSA Conference 2008 Expo Pass, courtesy of RSA, The Security Division of EMC, email podcast@rsa.com with your request before April 4 and we'll send you a special registration code.

Speaking of Security Podcast #95
Posted by Podcast Producers on Wed, 05 Mar 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1262

Click to Play (video) at http://www.rsa.com/blog/blog_entry.aspx?id=1262

New Developments in Online Fraud with Joram Borenstein

In Speaking of Security's newest video podcast we talk to Joram Borenstein, Senior Product Manager, about the latest strategies of online fraudsters.

Speaking of Security Podcast #94
Posted by Podcast Producers on Mon, 25 Feb 2008 00:00:00 GMT
http://www.rsa.com/blog/blog_entry.aspx?id=1261

Click here to download/listen (07:52): http://rsa.edgeboss.net/download/rsa/2008/blogpodcasts/080225_security_podcast.mp3

RSA, The Security Division of EMC, is pleased to invite you to our first global technical user conference hosted at EMC World 2008 in Las Vegas, May 19-22, 2008. RSA Xchange (http://www.rsaxchange.com) brings together a rich community of like-minded security professionals with an interest in learning from each other, partners and RSA product and engineering experts.
Cathy Long joins Paul Joyal to talk about this new and unique opportunity.<br></p>Speaking of Security Podcast #93blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1260Mon, 11 Feb 2008 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1260 <a href="http://rsa.edgeboss.net/download/rsa/2008/blogpodcasts/080211_security_podcast.mp3">Click here to download/listen</a> (07:54).<br><p> UPEK&reg; Inc., a leading brand of secure biometric fingerprint solutions, <a href="http://www.upek.com/news/press/2008/02.04.08.asp">recently announced</a> a <a href="http://www.rsa.com/rsasecured/guides/solutions/UPEKSolutionsBrief.pdf">joint technology solution</a> combining the convenience and security of biometrics in millions of existing notebook computers with the market-leading strong authentication solution from RSA. Matt Buckley talks with Brian DeGonia from UPEK about this solution. <br><Br>Please note, we'll be taking a short winter break next week in honor of President's Day - but watch for our next episode on February 25.<br></p>Speaking of Security Podcast #92blog@rsa.com (Video Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1259Tue, 05 Feb 2008 00:00:00 GMTblog@rsa.com (Video Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1259<div align="center"><a href="http://www.rsa.com/blog/blog_entry.aspx?id=1259"><img src="http://www.rsa.com/blog/bimgs/080205/feb_vid_podcast.jpg" alt="Click to Play" width="340" height="289"></a></div> <br clear="all" /> <strong>RSA Channel Strategy with Joe Gabriel</strong><P> In Speaking of Security's second video podcast we talk to Joe Gabriel, Manager, Channel Marketing, about RSA's strategy for channel enablement. <br><br></p> Borderline Securityblog@rsa.com (Dr. Ari Juels)http://www.rsa.com/blog/blog_entry.aspx?id=1258Tue, 29 Jan 2008 00:00:00 GMTblog@rsa.com (Dr. Ari Juels)http://www.rsa.com/blog/blog_entry.aspx?id=1258The U.S. 
Passport card or <a href="http://www.uspasscard.com/">PASS (People Access Security Service)</a> card, a new travel document, is slated for issue by the federal government in the spring of this year. A poor cousin to the standard passport, it's more compact and less expensive, but valid only at land and sea points of border entry into the United States, not for air travel. The PASS card emerged as part of the <a href="http://travel.state.gov/travel/cbpmc/cbpmc_2223.html">Western Hemisphere Travel Initiative</a> (WHTI), which phases out drivers' licenses as border-crossing documents for the U.S. <P><strong> I've heard two starkly contrasting opinions on the security of the PASS card...</strong> Speaking of Security Podcast #91blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1257Mon, 28 Jan 2008 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1257<a href="http://rsa.edgeboss.net/download/rsa/2008/blogpodcasts/080128_security_podcast.mp3" target="_blank">Click here to download/listen</a> (07:55).<br><p>Speaking of Security Blogger <a href="http://rsa.com/blog/blog.aspx?author=kline">Sean Kline</a> talks with Paul Joyal about his top 5 intriguing ideas for authentication for 2008.How to fraudulently elect a president blog@rsa.com (Sean Kline)http://www.rsa.com/blog/blog_entry.aspx?id=1256Wed, 23 Jan 2008 00:00:00 GMTblog@rsa.com (Sean Kline)http://www.rsa.com/blog/blog_entry.aspx?id=1256As most know, the United States is in the midst of primary elections for presidential candidates. I live in New Hampshire, so woke at around 5:00am a couple of Tuesdays ago eager to participate in the democratic process (I went early because I had a flight the same day to Germany...more on that later). After getting to the front of the line, the pleasant elderly volunteer proceeded to authenticate me so that I could vote. The authentication method she used was name and address. 
She had a three ring binder with everyone's name printed in an easily readable large font size. The only problem was that she exposed the credential type, the name and the address for me to misuse as I pleased! Now I know that I am not the first to bring this up or write about it. Even so, it boggles my mind that <strong>after having to go to the Supreme Court the last time we went through this exercise to select our president, we would not take more care with the voting process... </strong>Speaking of Security Podcast #90blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1255Mon, 21 Jan 2008 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1255<a href="http://rsa.edgeboss.net/download/rsa/2008/blogpodcasts/080121_security_podcast.mp3" target="_blank">Click here to download/listen</a> (08:52).<br><p> Matt Buckley interviews <a href="http://www.enterprisestrategygroup.com/OurTeam/TeamBio.asp?TeamMemberID=8" target="_blank">Jon Oltsik</a>, Senior Analyst, Enterprise Strategy Group, about his paper and thoughts on an <a href="http://www.rsa.com/node.aspx?id=3151" target="_blank">information-centric security</a> architecture. <br><br></p>Speaking of Security Podcast #89blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1254Mon, 14 Jan 2008 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1254<a href="http://rsa.edgeboss.net/download/rsa/2008/blogpodcasts/080114_securitypodcast.mp3" target="_blank">Click here to listen/download</a> (09:40).<br><br>Speaking of Security Blogger <a href="http://www.rsa.com/blog/blog.aspx?author=kellogg">Shannon Kellogg</a> talks with Matt Buckley about the state of information security from a Washington, D.C. point of view. 
<br><br>Speaking of Security Podcast #88blog@rsa.com (Video Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1253Mon, 07 Jan 2008 00:00:00 GMTblog@rsa.com (Video Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1253<iframe src="http://flashplayer.streamos.com/flvplayer.php?url=http://rsa.edgeboss.net/flash/rsa/2008/vblog/smaller_january_vidcast.flv&autoplay=false&skin=haloSkin_3" width="600" height="300" frameborder="0" align="left" marginwidth="0"></iframe> <BR clear="all"/><P>Welcome to a new year of RSA's Speaking of Security Podcast. Today we introduce our first Video Podcast!<P> This week RSA Compliance Specialist, Dave Howell, offers his view on the future of the Payment Card Industry Data Security Standard and the evolution of online fraud. <br><br></p> Speaking of Security Podcast #87blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1252Wed, 19 Dec 2007 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1252<a href="http://rsa.edgeboss.net/download/rsa/2007/blogpodcasts/071217_securitypodcast.mp3" target="_blank">Click here to listen/download</a> (11:15).<br><p>This is our final broadcast for 2007. This week's topic is Information Risk Management, an information-centric strategy that provides the most effective means of recognizing, assessing and mitigating the risk that information is exposed to throughout its lifecycle. Hear from a recent RSA Web Seminar conducted in collaboration with TowerGroup, on how financial institutions can leverage a sound IRM strategy. 
A companion <a href="https://www.rsa.com/go/wpt/wpindex.asp?WPID=8739">white paper</a> on the subject is also available.<br><br></p>Federal Information Security and Management Act -- Five Years Onblog@rsa.com (Shannon Kellogg)http://www.rsa.com/blog/blog_entry.aspx?id=1251Tue, 18 Dec 2007 02:00:00 GMTblog@rsa.com (Shannon Kellogg)http://www.rsa.com/blog/blog_entry.aspx?id=1251An anniversary recently passed amid a heightened focus in Washington, D.C. on the status of federal information security: the Federal Information Security and Management Act (FISMA) just completed its fifth year on the books as a federal law. <P> As the follow up to the Government Information Security Act of 2000, FISMA established an updated legal framework for federal information security, including baseline security standards for federal agencies. I remember that the information security community was excited about FISMA and its promise. <P> <strong>So, what's the verdict five years later? In my opinion it's a mixed bag.</strong> On one hand, FISMA has arguably increased awareness of, and focus on, federal information security...She could totally be mine...blog@rsa.com (Uriel Maimon)http://www.rsa.com/blog/blog_entry.aspx?id=1250Tue, 18 Dec 2007 00:00:00 GMTblog@rsa.com (Uriel Maimon)http://www.rsa.com/blog/blog_entry.aspx?id=1250I was sitting with my friend R. in a bar. My friend was completely ignoring me (a rather stimulating treatise on how my failure with women is caused by millions of years of human evolution. I've entitled this thesis "Nature or nurture, culture or genes: Pick any one -- or all of the above"), and was focusing on a girl on the other side of the bar. <P> "She could be your daughter," I told R. He continued ignoring me, and said, "She could totally be mine..." <P> "Perhaps, but she won't," I said. "You're 38, you have a girlfriend and you were telling me the other day you were thinking of proposing to her."... 
In response to &quot;Soft tokens aren't tokens at all&quot;blog@rsa.com (Sean Kline)http://www.rsa.com/blog/blog_entry.aspx?id=1249Tue, 11 Dec 2007 00:00:00 GMTblog@rsa.com (Sean Kline)http://www.rsa.com/blog/blog_entry.aspx?id=1249<i>This blog entry is in response to <a href="http://securology.blogspot.com/2007/11/soft-tokens-arent-tokens-at-all.html">this post</a> in the Securology blog.</I> <P> You raise some interesting points on which I would like to comment. First, RSA believes that there are always tradeoffs between strength of security, cost and ease of use. The key (no pun intended) is matching the right means of authentication to the right level of risk. This is why we have such a broad range of authentication types and form factors. <P> To some of your specific points, RSA SecurID hardware and software authenticators are both forms of multi-factor authentication. In the case of hardware authenticators, they are based on something you have (the physical authenticator) and something you know (your password or Personal Identification Number). <strong>Software authenticators work the same way depending on the form factor and can include other factors.</strong>... Speaking of Security Podcast #86blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1248Mon, 10 Dec 2007 17:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1248<p><a href="https://www.rsa.com/blog/podcasts/071210_SecurityPodcast.mp3" target="_blank">Click here to listen/download</a> (08:39).</p><p> This week Paul Joyal speaks with Tom Corn, Vice President of Data Security Products for RSA, about Data Loss/Leakage Prevention (DLP) and RSA's approach to the issue along with how it differs from other players. 
<br><br></p>Top Five Intriguing Ideas for Authentication in 2008 blog@rsa.com (Sean Kline)http://www.rsa.com/blog/blog_entry.aspx?id=1247Mon, 10 Dec 2007 00:00:00 GMTblog@rsa.com (Sean Kline)http://www.rsa.com/blog/blog_entry.aspx?id=1247<OL><LI><B> Controls as part of a broader strategy</B><BR /> Organizations still make decisions on how to authenticate requests (often users) based on individual applications, infrastructure deployments or regulatory requirements. This is one of the contributors to a "quilt of security doilies", to paraphrase the CTO of a top bank who I met recently. Point security solutions have proliferated throughout organizations making it very difficult and costly to manage. In 2008, organizations will increasingly adopt frameworks like Information Risk Management to assess which threats to mitigate, inventory the types of controls (including authentication) that they need and take a more holistic approach to implementing their strategy... </LI></OL>Speaking of Security Podcast #85blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1246Mon, 03 Dec 2007 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1246<p><a href="https://www.rsa.com/blog/podcasts/071203_SecurityPodcast.mp3" target="_blank">Click here to listen/download</a> (07:15).</p><p> This week, hear from Ari Juels, <a href="http://www.rsa.com/blog/blog.aspx?author=juels">Speaking of Security blogger</a> and Chief Scientist for <a href="http://www.rsa.com/rsalabs/" target="_blank">RSA Laboratories</a>. Ari tells us about some projects that his team is working on including &quot;Proofs of Retrievability&quot; and the WARP token for wireless authentication.<br><br></p>Massive data loss by key U.K. 
government agency could affect millions of British citizensblog@rsa.com (Shannon Kellogg)http://www.rsa.com/blog/blog_entry.aspx?id=1245Mon, 26 Nov 2007 00:00:00 GMTblog@rsa.com (Shannon Kellogg)http://www.rsa.com/blog/blog_entry.aspx?id=1245Not since the infamous U.S. Veterans Administration breach, when a laptop containing information on 26.5 million veterans was stolen in 2006, have we seen a breach of sensitive data like the one that occurred in the United Kingdom last week. According to news reports, two disks containing the records of 7.25 million families and around 25 million people were lost by Her Majesty's Revenue and Customs agency as they were being transferred to the UK's National Audit Office.Is the Bush Administration Getting Serious About Information Security?blog@rsa.com (Shannon Kellogg)http://www.rsa.com/blog/blog_entry.aspx?id=1244Fri, 16 Nov 2007 00:00:00 GMTblog@rsa.com (Shannon Kellogg)http://www.rsa.com/blog/blog_entry.aspx?id=1244Earlier this month, President Bush requested $154 million in FY2008 funding for expanding cyber security initiatives at the Department of Homeland Security (DHS) and other federal agencies. The majority of the initial budget request (which would shift current government fiscal year money from other projects) will reportedly be focused on expanding DHS's <a href="http://www.fcw.com/print/13_16/news/102730-1.html?type=pf" target="_blank">&quot;Einstein&quot; program</a>, which is run by the <a href="http://www.uscert.gov/" target="_blank">U.S. Computer Emergency Readiness Team</a>. See this Federal Computer Week story by Jason Miller titled <a href="http://www.fcw.com/online/news/150721-1.html" target="_blank">White House officials ask for $154 million in new cybersecurity spending</a> for more background.Focus on software assurance increases in U.S., U.K. 
and other marketsblog@rsa.com (Shannon Kellogg)http://www.rsa.com/blog/blog_entry.aspx?id=1243Thu, 15 Nov 2007 00:00:00 GMTblog@rsa.com (Shannon Kellogg)http://www.rsa.com/blog/blog_entry.aspx?id=1243I traveled quite a bit during the month of October - which was National Cyber Security Awareness month here in the U.S. - and there was one issue that came up frequently during my various business trips to locations around the U.S. and one to London: software assurance. It's really a continuation of a theme that I have come across during the course of the last couple of years: as breaches of information security have become more and more frequent - whether perpetrated by cyber-criminals looking to make a fast buck; or by nefarious actors breaking into systems to commit espionage; or in the case of entire countries (e.g. Estonia) that have seen their critical infrastructure attacked via cyberspace - governments have become increasingly focused on product security. <B>The issue of security within products that are integral parts of systems or networks is clearly gaining the attention of government decision makers around the world...</b> Speaking of Security Podcast #84blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1242Mon, 12 Nov 2007 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1242<p><a href="https://www.rsa.com/blog/podcasts/071112_SecurityPodcast.mp3" target="_blank">Click here to listen/download</a> (07:27).</p><p> Paul Joyal speaks with Dan Wilson, Vice President and Co-Founder of <a href="http://accuvant.com" target="_blank">Accuvant</a>, one of RSA's key channel partners about their business, their information-centric strategy for security, and a <a href="http://www.rsa.com/press_release.aspx?id=8857">recent award that they received</a>. Please note that we will be taking a short break for the U.S. 
Thanksgiving holiday, but will be back with another podcast for the week of December 3, 2007.</p>Speaking of Security Podcast #83blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1241Mon, 05 Nov 2007 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1241<p><a href="https://www.rsa.com/blog/podcasts/071105_SecurityPodcast.mp3" target="_blank">Click here to listen/download</a> (09:56).</p><p> Matt Buckley speaks with EMC Vice President of Technology Alliances, Chuck Hollis, about Security and Virtualization. Read more from Chuck at <a href="http://chucksblog.emc.com">chucksblog.emc.com</a>.<br></p>Fish, Subprime Mortgages, and Data Storageblog@rsa.com (Ari Juels)http://www.rsa.com/blog/blog_entry.aspx?id=1240Fri, 02 Nov 2007 00:00:00 GMTblog@rsa.com (Ari Juels)http://www.rsa.com/blog/blog_entry.aspx?id=1240In his <i>Histories</i>, Herodotus tells the story of Polykrates, overlord of the island of Samos. The king of Egypt counseled Polykrates to throw away some possession of great value, lest a surplus of good fortune bring him tragedy. Heeding this advice, Polykrates pitched his most prized possession, an emerald ring, into the sea. Several days later, a fisherman brought Polykrates a fish as tribute. When the fish was cut open, it was discovered to contain the fatal ring. (Polykrates was, of course, brutally murdered soon afterward.) Herodotus's story (and book) was crafted as a parable about hubris. <strong>It is also a good parable about banking--and more generally about <a href="http://www.rsa.com/node.aspx?id=3364">risk</a>...</strong>Smart Cards and Risk blog@rsa.com (Sean Kline)http://www.rsa.com/blog/blog_entry.aspx?id=1238Mon, 29 Oct 2007 00:00:00 GMTblog@rsa.com (Sean Kline)http://www.rsa.com/blog/blog_entry.aspx?id=1238One of the concepts that RSA and EMC are starting to focus on more is <a href="http://www.rsa.com/node.aspx?id=3364">risk</a>. 
For some, risk has a negative connotation, such as the chance of suffering some type of loss or damage. From a finance perspective, risk is perhaps a more neutral term in that with increased risks (there is a relationship to volatility), one expects a greater return. This has relevance in information-centric security as well...Speaking of Security Podcast #82blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1239Mon, 29 Oct 2007 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1239<p><a href="https://www.rsa.com/blog/podcasts/071029_SecurityPodcast.mp3" target="_blank">Click here to listen/download</a> (08:07).</p><p>Last week's <a href="https://www.rsaconference.com/2007/europe">RSA Conference Europe</a> is over but you can hear from some of last week's expert speakers, like <a href="https://www.csialliance.org/about_csia/csia_team/bio_marikakonings/" target="_blank">Marika Konings</a>, Director of European Affairs for the Cyber Security Industry Alliance, in the <a href="http://www.rsaconference.com/2007/europe/Agenda_and_Content/Conference_Podcasts.aspx">Conference Podcasts</a> section of <a href="https://www.rsaconference.com/2007/europe">www.rsaconference.com/2007/europe</a>. Paul gets an event recap from the Conference Manager, Linda Lynch, and we share part of an interview with Marika from the show floor in this week's podcast.</p>Hey, do I know you?blog@rsa.com (Uriel Maimon)http://www.rsa.com/blog/blog_entry.aspx?id=1234Mon, 22 Oct 2007 00:00:00 GMTblog@rsa.com (Uriel Maimon)http://www.rsa.com/blog/blog_entry.aspx?id=1234My friends have gotten tired of hearing me talk about how dreadful it is to be single. One of my friends S. (who has four children and a mortgage) suggested that I take over looking after his kids while *he* wakes up with a hangover next to a half-empty bottle of Jack Daniels and photos of a wild party and the younger sister of one of my work colleagues (Hi M!). 
Another friend, R, asked me why I don't frequent the singles bar scene. I replied that I'm looking for <a href="http://www.lyricsdepot.com/the-beautiful-south/good-as-gold.html">a sun-drenched wind-swept Ingrid Bergman kiss</a>, a heart touching romance and a soul companion -- not some sordid meaningless fling. He sagely nodded his head and voiced his hopes that I enjoy the rest of my long life looking forward to dying alone...Speaking of Security Podcast #81blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1235Mon, 22 Oct 2007 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1235<p><a href="https://www.rsa.com/blog/podcasts/071022_SecurityPodcast.mp3" target="_blank">Click here to listen/download</a> (07:07).</p><p>This week we revisit a recent <a href="www.rsa.com/webseminars" target="_blank">RSA web seminar</a> held in late September. <a href="http://www.rsa.com/node.aspx?id=3361" target="_blank">Nick Selby</a>, Security Research Director from the analyst firm, The 451 Group, shares some key tips for securing web portals, by providing the right protection and level of access to information for trusted identities. To review the entire 9/25 webcast replay, visit <a href="http://www.rsa.com/webseminars" target="_blank">www.rsa.com/webseminars</a>.<br></p>U.S. House Passes Resolution on Cyber Securityblog@rsa.com (Shannon Kellogg)http://www.rsa.com/blog/blog_entry.aspx?id=1237Fri, 19 Oct 2007 00:00:00 GMTblog@rsa.com (Shannon Kellogg)http://www.rsa.com/blog/blog_entry.aspx?id=1237As issues around cyber security continue to heat up in the wake of several high profile data security breaches in the public sector -- and with increasing concern about cyber vulnerabilities in our nation's critical infrastructures, the U.S. House of Representatives passed a resolution this week recognizing the importance of the issue. The resolution, H. RES. 
716, was introduced by Congressman Jim Langevin (D-RI) with strong bi-partisan support. The purpose of the Resolution was for: "Expressing the sense of Congress with respect to raising awareness and enhancing the state of computer security in the United States, and supporting the goals and ideals of National Cyber Security Month."...IT Industry to Congress: Help Needed to Fight Cyber-crimeblog@rsa.com (Shannon Kellogg)http://www.rsa.com/blog/blog_entry.aspx?id=1236Tue, 16 Oct 2007 00:00:00 GMTblog@rsa.com (Shannon Kellogg)http://www.rsa.com/blog/blog_entry.aspx?id=1236On October 16th, in the bowels of the U.S. Capitol Building, the <a href="http://www.bsa.org/globalhome.aspx">Business Software Alliance</a> organized a briefing on cyber-crime issues that was attended by congressional staff members, industry experts and media representatives. Art Coviello, President of RSA, The Security Division of EMC, delivered the industry keynote; U.S. Representative Steve Chabot (R-OH) provided remarks from a congressional perspective. Congressman Chabot is a co-sponsor of H.R. 2290, the Cyber Security and Enhancement Act of 2007, along with U.S. Representative Adam Schiff (D-CA). <strong>H.R. 2290, if passed, would include changes to law that would: criminalize malicious botnet attacks...</strong>Speaking of Security Podcast #80blog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1233Fri, 12 Oct 2007 00:00:00 GMTblog@rsa.com (Podcast Producers)http://www.rsa.com/blog/blog_entry.aspx?id=1233<p><a href="https://www.rsa.com/blog/podcasts/071015_SecurityPodcast.mp3" target="_blank">Click here to listen/download</a> (08:07).</p><p>October is <a href="http://www.staysafeonline.info/events/index.html" target="_blank">National Cyber Security Awareness Month</a>. We celebrate by speaking with <a href="http://www.csis.org/component/option,com_csis_experts/task,view/type,34/id,111/" target="_blank">James A. 
Lewis</a>, Director and Senior Fellow, Technology and Public Policy Program at the <a href="http://www.csis.org/" target="_blank">Center for Strategic and International Studies</a> in Washington, D.C., about cyber security in the federal government and around the world.</p>