CareersInfoSecurity.com RSS Syndication

Breaches: The Investigation Challenges

Tracking a Payments Breach Can Take Months, Investigator Says
Why are breaches in the payments arena so difficult to trace and investigate? Verizon breach investigator Dave Ostertag offers insights about the forensics complexities of a processor breach.

Breach Info Sharing Tool Enhanced

Consortium Offers Free Framework for Vulnerability Reporting
The Industry Consortium for Advancement of Security on the Internet has introduced an enhanced version of its free security vulnerability reporting framework designed to ease the sharing of breach information.

Tips for Contracting Cloud Services

What Organizations Need to Consider Choosing a Vendor
Cloud services contracts often provide little to no wiggle room. What steps do organizations need to take before signing any contract? IT security lawyer Françoise Gilbert offers some key strategies.

Privacy Group to Host Summit

ONC's Mostashari Will Keynote Patient Privacy Rights Event
Farzad Mostashari, who heads the Office of the National Coordinator for Health IT, will be the keynote speaker at a June 6-7 conference organized by consumer advocacy group Patient Privacy Rights.

2012 Cloud Security Agenda: Expert Insights on Security and Privacy in the Cloud

What are organizations' top cloud security concerns, and how are security leaders addressing these concerns through policy, technology and improved vendor management?

This is the key question posed by the 2012 Cloud Security Survey.

No longer just an emerging technology practice, cloud computing today is embraced globally as a means of gaining efficient access to critical applications, processes and storage. It's now common for organizations to rely on cloud service providers for functions and business applications such as customer relationship management, messaging or storage via a public, private or hybrid cloud. Further, industry-specific cloud-based applications such as electronic health records or mobile banking and payment applications are emerging at an unprecedented pace.

But these engagements come with questions about risks:

What are your cloud service provider's security and privacy measures, and have they been audited?
Where geographically is cloud data being stored, and how do operational practices comply with government, industry and organizational privacy regulations?
How is a multi-tenant cloud environment managed, and in the event of system compromise - what will be the incident response escalation process?

Yes, cloud computing is about efficiencies and new technologies, but it's also about security, privacy and an organization's reputation.

The 2012 Cloud Security Survey was crafted with assistance from leading experts in cloud computing, security and privacy, with a mission to:

Chart the latest cloud trends, including types of cloud implementations most common by industry and region;
Gauge organizations' top cloud security concerns, from vendor security to data governance and breach preparedness;
Predict the top areas of investment for organizations most concerned about cloud security.

This webinar will draw upon survey results and expert insight from a special roundtable panel to discuss:

Top Security Concerns - Are organizations more concerned about where their data is stored, or whether a malicious insider might be a threat to it?
Success Factors - On a scale with cost savings and availability of services, how does security now rank among elements critical to a successful cloud computing implementation?
Protective Measures - What are some of the practices organizations are employing, from instituting more stringent contracts to enforcing third-party audits and even participating in mock security exercises with cloud service providers?

Hacktivists, BotNets and More: Top Security Trends and Threats from the HP Enterprise Security 2011 Cyber Risk Report

Organizations have been under security attacks for the past decade, but the security events in 2011 have created a ripple effect that will be felt for years to come and will actually start to shift the way enterprise organizations view security. For example, 2011 saw a significant increase in activity from "hacktivist" groups Anonymous and Lulz Security (LulzSec). The motivation for these groups' organized, systematic attacks on businesses or individuals - retaliation for perceived wrongdoing - brings new visibility to a security threat that has been looming for years and highlights a new era of security risk that must be addressed. In addition, highly publicized attacks on major corporations such as Sony, RSA, and the United States Postal Service demonstrated the significant financial loss that can result from a vulnerable system.

Because unplugging the business from the Internet is not a viable security option, the question becomes: What is the best way to minimize risk to the most critical assets of the organization without interrupting or impeding business operations? Prioritization of assets and risk is essential, but so is prioritizing how and where to deploy security protection.

In the 2011 top cyber security risks report, HP Enterprise Security provides a broad view of the vulnerability threat landscape, as well as in-depth research and analysis on security attacks and trends. The aim of this report is to highlight the biggest risks that enterprise organizations face today - and to help prioritize mitigation strategies. Key findings from this report include the following:

Continued decline of new, disclosed vulnerabilities in commercial applications The report notes the decline in commercial vulnerability reporting, and it discusses the key trends in the vulnerability disclosure market that may be hiding a deeper issue. The report also highlights the growing market for private sharing of vulnerabilities, the increased expertise required to uncover complex vulnerabilities, and the price these can fetch in various markets. Data from HP Fortify will also highlight the increasing number of vulnerabilities that are being discovered in custom applications - vulnerabilities that can be devastating to the security posture of an organization.
Changes in attack motivation are increasing security risk While security attackers have always sought glory and/or financial gain from their activities, the formation of hacktivist groups, like Anonymous, has added not only a purpose behind security attacks, but a level of organization as well. This shift in motivation and subsequent organization has given rise to newer and more severe security attacks. This report will highlight the motivations of today's security attack community - and the implications for security defense techniques.
Increase in the number of attacks against a "smaller" set of known vulnerabilities Despite the shrinking number of known vulnerabilities in commercial applications, the report will use real data - pulled from the HP TippingPoint Intrusion Prevention System (IPS) and HP Fortify - to highlight an increase in severe attacks against both client/server and Web applications. The data is broken down by attacks, vulnerability category, source information, and severity to provide a snapshot of the attack landscape. This section also features an actual case study of the Web application risks at one large corporation.
Improved techniques for executing security attacks While many targeted attacks leverage zero-day vulnerabilities, the average cyber criminal generally exploits existing vulnerabilities. Data from the report breaks down several techniques, including obfuscation, used to successfully exploit existing vulnerabilities. The report also includes an in-depth look at the Blackhole exploit toolkit, which uses many of the techniques highlighted.

2012 Faces of Fraud Survey: Complying with the FFIEC Guidance

A follow-up to ISMG's 2011 Faces of Fraud Survey, this webinar looks not only at the latest fraud trends and how institutions are fighting back, but also at their progress in putting together layered security controls in conformance with the FFIEC Authentication Guidance.

Given the persistence of fraud threats and the demands of the FFIEC Authentication Guidance, the 2012 Faces of Fraud Survey is crafted with assistance from leading experts in fraud detection and prevention, with a mission to:

Chart the latest fraud trends, including account takeover, skimming and payment card breaches;
Gauge institutions' preparedness to conform to the FFIEC Authentication Guidance, including where they are prioritizing their efforts;
Predict the top areas of focus for 2012, from real-time fraud monitoring tools to new layered security controls.

Breach Prevention 2012 & Beyond: Fend Off Malicious Attacks

Your institution houses private information for your clients, but what would happen if that information fell into the wrong hands? An information breach not only affects the clients whose information is leaked, but diminishes the integrity of your institution.

Understanding all the threats to your information security is the first step in protecting it. Hackers and malicious individuals exist in many guises from recreational, to organized crime rings, to disgruntled ex-employees, the list goes on. You need to ensure that not only your electronic systems are adequately secure, but that your employees are properly trained.

In this session Tyler Leet will discuss:

Breach statistics;
Common findings and benefits of security testing;
Social engineering tactics, findings and prevention methods.

Five Application Security Tips

Many organizations aren't devoting enough resources to ensure that applications for mobile devices are secure, says security expert Jeff Williams. He offers five tips for adequately addressing mobile application security.

Understanding Electronically Stored Info

For years, David Matthews, Deputy CISO of the City of Seattle, has been immersed in securing electronically stored information. Now he's written the book on the topic. What are the key themes addressed?

Why Boards of Directors Don't Get It

IT risk management, cyber insurance, privacy - these are hot topics for security leaders, but not for their boards of directors. Why do senior executives still fail to see IT risks as business risks?

How to Respond to Hacktivism

Hacktivist attacks will increase, and researcher Gregory Nowak says organizations can take proactive steps to reduce exposure and protect brand reputation. Why, then, are many organizations failing?

Fighting Hackers With Public Relations

Understanding Hacktivists' Goals is Key to Thwarting Attacks
By understanding the motivations behind hacktivism, organizations can learn why good public relations can play an important role in thwarting attacks or minimizing their impact.

The Facts on Occupational Fraud

How to Detect and Prevent Insider Crime
The statistics revealed in the ACFE's new 2012 Report on Occupational Fraud and Abuse are all very real. Here are my insights on occupational fraud and steps leaders can take to detect these crimes.

The Business Case for Continuity Planning

Small, Mid-Size Enterprises Especially Need to Develop Strategy
Why do so many small and mid-sized enterprises continue to believe that business continuity planning is just for the big guys? And how do we go about convincing them otherwise? Here are some tips.

Measuring the Immeasurable: IT Security

A Year After Its Debut, Index of Cybersecurity Rises by 30 Percent
Factors driving up the index vary from month to monthly, but the clear takeaway of the survey of IT security practitioners is that they're getting more apprehensive about safeguarding IT.