Trustwave TrustedNews

Security Not Just a Board-Level Issue Its Personal

Wed, 15 May 2013 10:30:00 UT

Corporate board members and other senior executives don’t start their day thinking about targeted cyber-attacks, but the same isn’t true for malicious hackers. Through stealthy and extremely targeted campaigns, these attackers can go after every document, spreadsheet and presentation on an executive’s computer - sending highly confidential data and corporate secrets to an attacker’s computer in a matter of seconds.
In a new article published by Corporate Board Member, Trustwave’s Nicholas Percoco highlights the real-life risk hackers can pose to executives, identifies what to watch out for, and discusses the ways corporations can help protect their senior execs.
Corporate Board Member, an NYSE Euronext company, is the leading information and education resource for senior officers and directors of publicly traded corporations, large private companies, and Global 1000 firms.
Read the article here.

From ETA 2013 Were in this together

Wed, 1 May 2013 08:00:00 UT

As we started planning Trustwave’s presence at the ETA (Electronic Transactions Association) 2013 Annual Meeting Expo in New Orleans we asked ourselves what “we’re in this together” really means.
To our team attending the show, this means we’re here to solve data security and compliance challenges, with our payments market expertise and turnkey merchant programs. And, that this is what the evolving payments industry expects from Trustwave.
“We look forward to talking to ETA members about the fast-moving evolutions of payments,” noted Doug Klotnia, Executive Vice President of Compliance Risk at Trustwave.
As we discussed the spirit of the ETA Community, we knew that wasn’t all that we’re here to do. We truly feel that we are part of a strong community that faces every challenge together as partners.
That’s why Trustwave is making a contribution to the New Orleans community while they host us for the 2013 ETA Annual Meeting and Expo. We’ll be donating $5,000 to The Epworth Project, an organization that is still working to repair the more than 40,000 homes damaged by Hurricane Katrina.
If you’re at the show, stop by Trustwave Booth #934 and have your conference badge scanned and we’ll donate an additional $5 to The Epworth Project. While you’re at the booth, please grab a drink and a snack, and ask us about our Compliance Risk Management Solutions.
Because we’re in this together.
See you in NOLA!

Trustwave Launches New Mobile Security Practice

Wed, 1 May 2013 05:15:00 UT

CHICAGO - May 1, 2013 -Trustwave today unveiled a new mobile security practice designed to help businesses embrace mobility and “Bring-Your-Own-Device” (BYOD) programs while maintaining compliance, managing emerging security risks and protecting corporate networks and data.
Trustwave’s new mobile security practice offers enterprise compliance and risk services to address the challenges and complexities of mobility, as well as an integrated, technology suite aimed at protecting networks, data, and devices from malware and data loss. The practice also includes Trustwave SpiderLabs services, delivered by an experienced team of ethical hackers, designed to expose vulnerabilities and threats on mobile devices, systems and applications.
Malware, policy violations, data loss, unsupported and insecure mobile applications are creating new security risks, making them a top priority for businesses that are implementing BYOD programs, delivering mobile applications to customers and users, or using mobile payment systems that include point-of-sale systems. Industry analyst firm 451 Research notes, “The combined effects of IT consumerization and the ‘bring your own device’ trends have driven mobile device security to take over the top slot as the key pain point for security managers in 2012,*” while the 2013 Trustwave Global Security Report noted a 400 percent increase in mobile malware last year.
"Mobility and BYOD are no longer theoretical — even for enterprises that think they've banned them — and the risk isn't confined to the devices themselves," said Wendy Nather, research director for the Enterprise Security Practice at 451 Research. "They affect the entire organization from the standpoints of security and compliance. Trustwave understands this, and treats mobility not as an exception, but as the new business rule."
Trustwave’s new mobile security practice includes:

Enterprise Mobility Assessment Services - An experienced team of compliance and risk management experts helps businesses identify gaps and potential risk exposure and establish that pragmatic balance of productivity and security through customizable professional services, including risk assessment, policy development, architecture review and security awareness education.
BYOD “Self-Sealing” Network Protection - With the integration of key enterprise security technologies - Network Access Control, Secure Web Gateway, Data Loss Prevention, Security Information and Event Management - Trustwave now provides businesses with the ability to identify mobile devices on the network, enforce BYOD and data access policies, decrease operational costs and reduce risks by intelligently “self-sealing” the network from malware, the loss of sensitive data, and network threats. For example, if a mobile user on the network browses to a malicious link or violates established policy, Trustwave can immediately identify and quarantine the user, stop malware from spreading, automate response to proactively mitigate threats, and alert security teams of the violation.
Trustwave SpiderLabs Services for Mobile - Trustwave SpiderLabs, a team of threat researchers, forensic investigators and ethical hackers, offers a comprehensive suite of testing services specifically for mobile devices, applications and systems. These services are designed to help businesses test security and identify vulnerabilities in BYOD deployments, mobile applications and mobile point-of-sale systems. Backed by experience performing thousands of penetration tests each year, the Trustwave SpiderLabs team enables businesses to proactively improve security posture and reduce the threats that are inherent to mobility.

“Our new mobile security practice allows us to serve as a trusted advisor to our customers as they create a more holistic approach to mobility that includes risk assessments and proven technologies that enable them to improve their risk and compliance posture, deploy secure mobile applications to their customers, and protect their network from emerging vulnerabilities and threats,” said Leo Cole, General Manager of Security Solutions at Trustwave.
The Trustwave Enterprise Mobility Assessment Services, Trustwave BYOD Network Protection, and Trustwave SpiderLabs Services for Mobile are currently available.
For more information, visit: https://www.trustwave.com/mobilesecurity.

* Source: Wave 15 Information Security Study; Published: August 30, 2012; Analyst: Daniel Kennedy, 451 Research

Fox 32 News Cracking your online passwords Easy as 1-2-3

Fri, 26 Apr 2013 11:32:00 UT

You can't get very far these days without a password. Whether you're checking your email or doing some online banking, passwords get you in, and supposedly keep criminals out. But, just how much protection do you get from your password?
Hackers and other online criminals have become increasingly sophisticated when it comes to what's called "cracking" passwords - and often with little effort and in a matter of minutes. Will that password with your pet’s or sister’s name really foil a determined criminal with password cracking software? Find out if your password strategy beats the “two minute cracking test” by watching this Fox 32 News story.
In the story Trustwave’s Nicholas Percoco talks about password trends from the 2013 Trustwave Global Security Report, poor password practices and tips on how to bolster their effectiveness. Watch the full clip here.

Infographic The High Cost of BYOD

Tue, 16 Apr 2013 12:05:00 UT

Businesses today are embracing BYOD, and mobile applications are becoming the preferred platform for users and customers to access data and even conduct transactions. In fact, 75% of businesses let employees use their own devices to access the network. What threats are lurking behind this mobile revolution? View our new infographic to find out what BYOD could be costing you. Download PDF

Trustwave Acquires SecureConnect Expands Managed Security Services Leadership

Wed, 3 Apr 2013 06:59:00 UT

CHICAGO - April 3, 2013 - Trustwave today announced the acquisition of SecureConnect, a privately-held managed security provider, based in Eden Prairie, Minn., with services tailored to franchisee and multi-site organizations.
SecureConnect has built a strong presence in the hospitality industry by providing PCI compliance and network security solutions to quick-serve restaurant locations for brands such as Dairy Queen, Culver’s, Hungry Howie’s, Mellow Mushroom and Smoothie King. The acquisition of SecureConnect further strengthens Trustwave’s leadership in the hospitality industry by adding thousands of new customers in the United States. SecureConnect can now help customers shore up defenses with compliance and security technologies and services available only from Trustwave.
“Hospitality organizations are continually expanding their remote business operations and extending their brand into new markets,” said Robert J. McCullen, Chairman, Chief Executive Officer, and President, Trustwave. “This requires that they not only find ways to efficiently and cost-effectively manage compliance and regulatory demands, but keep sensitive data protected across all operations, even as the threat landscape grows more hostile. SecureConnect customers now have access to Trustwave’s undisputed PCI expertise as well as broader access to the information security technologies and services that help them effectively manage compliance, secure sensitive data, and protect their businesses and brands.”
With the acquisition, SecureConnect customers now have access to:

A broader set of technologies and services to help them address critical security requirements of and beyond Payment Card Industry (PCI) compliance both at headquarters and at their remote site locations
Global services delivery capability and customer support to help them expand remote site and operator locations domestically and internationally through Trustwave’s global presence
Trustwave TrustKeeper®, the industry’s leading cloud compliance and information security platform with more than 2.5 million business subscribers
Advanced compliance and security consulting services from Trustwave Qualified Security Assessors and experts within Trustwave SpiderLabs who provide application security, incident response, penetration testing, physical security and other security services.

For more information about Trustwave’s acquisition of SecureConnect, visit: www.trustwave.com/acquisition.

The Wall Street Journal Companies Hire Ethical Hackers to Dupe Employees Crutches as Props

Wed, 27 Mar 2013 08:58:00 UT

In a front page story in today’s Wall Street Journal, Trustwave’s Practice Manager for Physical Security and Social Engineering Ryan Jones discusses tactics ethical hackers use to demonstrate to companies how cybercriminals may break into their systems. Jones has more than 15 years of experience in network and physical security. In the story, which also includes a photograph of Jones in one of his many undercover uniforms, Jones reveals how he has successfully gained access to data centers, warehouses and executive suites. The article states:

“Mr. Jones' devices contain software that takes over computers, hijacking built-in cameras to snap photos of the employees. To identify security weaknesses, his arsenal includes in-person breaches, in which he bluffs his way into offices for access to sensitive systems. Mr. Jones keeps a closetful of costumes, including package deliverymen and fire marshal. He has successfully used crutches to persuade sympathetic people to open locked doors.”

The story also mentions how Jones studies sleight-of-hand magicians and con men to learn about new tactics cybercriminals may use to steal valuable information.
Read the full Wall Street Journal article here.

Now an iBook 2013 Trustwave Global Security Report

Tue, 26 Mar 2013 08:50:00 UT

The 2013 Trustwave Global Security Report is now available as an iBook.The report reveals eye-opening findings about global data breaches and security trends. Throughout 2012, Trustwave compiled data from 450 global data breach investigations, more than 2,500 penetration tests, as well as extensive research and analysis of zero-day security threats, Web application attacks, network and vulnerability scans, and malicious websites. Check out the new iBook.

Trustwave Channel Partner Program Receives 5-Star Rating from CRN

Mon, 25 Mar 2013 05:15:00 UT

CHICAGO - March 25, 2013 -Trustwave today announced that its channel partner program has been given a 5-Star Rating in the 2013 CRN Partner Program Guide.
“Receiving a CRN 5-Star Rating for our Trustwave PartnerFocus Program highlights our efforts to expand and refine the Trustwave partner program to help our channel partners grow their security business profitably,” said Michael Bartlett, Senior Vice President of Sales at Trustwave. “Trustwave channel partners now have access to one of the industry’s most comprehensive and award-winning technology and services portfolios, along with partner tools, education and other resources, they can use to help their clients with their IT security and compliance needs.”
The Trustwave PartnerFocus™ Program delivers attractive margins and comprehensive enablement including dedicated sales, marketing and technical support, education and training tools as well as attractive rewards that enable Trustwave business partners to drive business opportunities and meet their customers’ evolving security and compliance challenges.
“The companies listed in CRN’s 2013 Partner Program Guide represent a comprehensive list of the best channel programs in the market today,” said Kelley Damore, Senior Vice President and Editorial Director, for UBM Tech Channel’s CRN. “The 5-star award is reserved for vendors that understand that a successful partnership does not rely solely on the technology. By offering their partners tools, education and regular updates, vendors on this list go above and beyond traditional support to ensure a mutually beneficial partnership.”
Trustwave introduced the Trustwave PartnerFocus Channel Partner Program in 2012, following the acquisition of M86 Security. Trustwave adopted the best features of the M86 Security Channel Partner Program and rolled it into a new program, demonstrating Trustwave’s commitment to the channel with a new global partner portal and more than 500 new tools and resources to support channel partner success.
“As the global information security and compliance industry continues to evolve and change, Trustwave plans to continue its commitment to its channel partners by delivering deep industry expertise, unified solution-driven technologies and services, sustainable revenue opportunities, sales and marketing tools and training, and best-in-class account support,” added Bartlett.
The CRN Partner Program Guide is the definitive listing of manufacturers and software publishers that service solution providers or provide products to the IT Channel. The guide recognizes those vendors who have channel programs and derive a portion of their sales through the indirect IT Channel. The 5-Star Partner Program rating recognizes an elite subset of Partner Program Guide vendors who give solution providers the best partnering elements in their channel programs.
The list methodology is based on objective criteria that takes into account each vendor’s investments in program offerings, partner profitability, partner training, education and support, marketing programs and resources, sales support and communication.
The 2013 Partner Program Guide will be featured on CRN.com and the 5-Star Partners listing will be highlighted in the March 2013 issue of CRN.
Learn more about Trustwave PartnerFocus by visiting: https://www.trustwave.com/partners/.

ABC Technology and Games Cybersecurity starts with your own employees

Fri, 22 Mar 2013 09:31:00 UT

In this ABC Technology and Games article, Trustwave Managing Consultant Marc Bown discusses how employees are the first line of defense when it comes to cybersecurity in the workplace. Bown offers tips to employees and employers regarding easy steps they can take to protect themselves from cybercriminals.
Bown kicks off the article:
“Maintaining your organisation's cybersecurity is an extremely complex process and the threats are rapidly evolving. As fast as businesses and organisations work to counter threats and protect against attacks, hackers and cybercriminals develop new attack vectors and systems. Our recent report found that in 2012 nearly every industry, country and type of data was involved in a cybersecurity breach. Nobody can afford to be lax about cybersecurity. In order to protect their data and reputation, all organisations must be vigilant about maintaining robust cybersecurity procedures and policies. The first, and most important, thing to remember in regards to maintaining cybersecurity is that it starts with your own employees.”
Read the full ABC Technology and Games article here.

Infographic Keep the Bad Stuff Out Keep the Good Stuff In

Fri, 22 Mar 2013 02:00:00 UT

During the past year, 90% of organizations experienced the loss of sensitive or confidential documents, whether through a breach, or through a compromised or careless employee. And customer records made up 98% of the data exposed - everything from credit card numbers to personally identifiable information. Do you have data worth stealing? Check out this new infographic and find out why it’s so important to secure and control your sensitive data - like we say here at Trustwave, it’s all about keeping the bad stuff out and keeping the good stuff in. Download PDF

Trustwaves Christopher Pogue Discusses Cyber Security In Government Security News Article

Tue, 19 Mar 2013 11:15:00 UT

Trustwave Director of Digital Forensics and Incident Response Christopher Pogue discusses why cybercriminals could potentially target government agencies in this Government Security News article. Pogue leads the Trustwave SpiderLabs team that performs Incident Response and Forensic Investigations. He works with a wide variety of engagements including unauthorized access, data breaches, credit card theft/fraud, mobile device forensics, and enterprise incident response. Pogue also provides forensic and incident response training to corporate security teams as well as law enforcement agencies at all levels.
Pogue states in the article:
“Many industry experts believe that the Advanced Persistent Threat (APT), any group or foreign government that persistently and effectively targets a specific victim, is the primary enemy of the U.S. Government when it comes to cyber-attacks.
While this may be true to the extent to which specific, targeted data has value to state-sponsored efforts, it is by no means the only threat. Organized cyber-criminals have caused billions of dollars in fraud losses to the U.S. alone, and all indicators show that cyber-criminals are advancing their technology and re-doubling their efforts to breach American financial systems and steal valuable information through ways government employees may not expect, such as finding out where they ate their lunch or where they bought a can of shaving cream.”
Read the full Government Security News article here.

Threat Trends Webinars Highlight Latest Security Research

Thu, 14 Mar 2013 09:36:00 UT

It’s clear from the customer conversations we’ve been having so far in 2013 that IT and security organizations around the world are really getting things into high gear - rolling up their sleeves and getting ready to evaluate or implement the technology solutions that will help them better secure their organizations in 2013. Do you and your teams need a little help in understanding and preparing for the security and compliance risks your business will be facing in 2013? Our Trustwave SpiderLabs threat intelligence experts will be hosting a series of webinars next week covering the key points from the 2013 Trustwave Global Security Report. The webinars will be highlighting the latest research and providing pragmatic and action-oriented recommendations around:

Application security
Mobile security
Web and mail security
Threat landscape by industry
Threat landscape by geography

Click here to register: March 19 | 1:00 PM CDT (Chicago) Additional sessions will be held in the following time zones: EuropeMarch 19 | 10:30 AM GMT (London) Asia PacificMarch 19 |3:30 PM EDT (Sydney) | 12:30 PM SGT (Singapore) | 10:00 AM IST (New Delhi) Latin America (presented in Spanish)March 19 | 10:00 AM Mexico City | 11:00 AM Bogota |12:00 PM Santiago Latin America (presented in Portuguese)March 19 | 3:00 PM Brazil

Trustwave Network Access Control Wins Prestigious Industry Accolade

Wed, 6 Mar 2013 11:35:00 UT

CHICAGO - March 6, 2013 - Trustwave, a leading provider of cloud-based compliance and information security solutions, won the SC Magazine award for Best NAC (Network Access Control) product at a ceremony held in conjunction with the RSA Conference in San Francisco last week.
“This is one of the most watched award categories, as winners have to demonstrate a combination of functionality, manageability, ease of-use and scalability, as well as exemplary customer service and support to secure the vote of our readers,” said Illena Armstrong, VP of editorial, SC Magazine. “Congratulations to Trustwave for representing industry leadership, not only to the SC Magazine editors but also to our readers.”
Trustwave NAC enables granular control over network access and continuous monitoring of corporate-sanctioned and bring-your-own-device (BYOD) endpoints to help prevent the spread of malware and other threats that can harm infrastructure and leave organizations vulnerable to attack and data loss. Trustwave NAC includes seamless integration with any wired or wireless network, detection and control of managed, unmanaged and unmanageable assets on the network and prevention of malicious malware download when users browse the Web over their personal device. Trustwave offers NAC through software and appliances and as a managed service.
Hundreds of vendors who offer a product for the commercial, government, educational, nonprofit or other industries entered the Reader Trust Award category. Trustwave NAC was selected by a panel representing a cross-section of SC Magazine readership, comprised of large, medium and small enterprises from all major vertical markets, including financial services, health care, government, retail, education and other sectors.
Trustwave also won Best NAC product at the SC Congress Canada 2012, Canada’s largest and most prestigious event for information security leaders. Trustwave NAC also received a 5-Star Rating from SC Magazine in 2011.
The SC Awards, now in its 16th year, is the premier recognition for information-technology security professionals and products that fend off the myriad security threats in today’s corporate world. The annual awards showcase the best solutions, services and professionals while recognizing achievement and technical excellence. SC Magazine distinguishes the achievements of the security professionals in the field, the innovations happening in the vendor and service provider communities and the fervent work of government, commercial and nonprofits. For more information and a detailed list of categories and winners, please visit www.scmagazineus.com/awards.
For more information about Trustwave NAC, visit: https://www.trustwave.com/network-access-control/.

CHICAGO - March 6, 2013 - Trustwave, a leading provider of cloud-based compliance and information security solutions, won the SC Magazine award for Best NAC (Network Access Control) product at a ceremony held in conjunction with the RSA Conference in San Francisco last week.

“This is one of the most watched award categories, as winners have to demonstrate a combination of functionality, manageability, ease of-use and scalability, as well as exemplary customer service and support to secure the vote of our readers,” said Illena Armstrong, VP of editorial, SC Magazine. “Congratulations to Trustwave for representing industry leadership, not only to the SC Magazine editors but also to our readers.”

Trustwave NAC enables granular control over network access and continuous monitoring of corporate-sanctioned and bring-your-own-device (BYOD) endpoints to help prevent the spread of malware and other threats that can harm infrastructure and leave organizations vulnerable to attack and data loss. Trustwave NAC include seamless integration with any wired or wireless network, detection and control of managed, unmanaged and unmanageable assets on the network and prevention of malicious malware download when users browse the Web over their personal device. Trustwave offers NAC through software and appliances and as a managed service.

Hundreds of vendors who offer a product for the commercial, government, educational, nonprofit or other industries entered the Reader Trust Award category. Trustwave NAC was selected by a panel representing a cross-section of SC Magazine readership, comprised of large, medium and small enterprises from all major vertical markets, including financial services, health care, government, retail, education and other sectors.

Trustwave also won Best NAC product at the SC Congress Canada 2012, Canada’s largest and most prestigious event for information security leaders. Trustwave NAC also received a 5-Star Rating from SC Magazine in 2011.

The SC Awards, now in its 16th year, is the premier recognition for information-technology security professionals and products that fend off the myriad security threats in today’s corporate world. The annual awards showcase the best solutions, services and professionals while recognizing achievement and technical excellence. SC Magazine distinguishes the achievements of the security professionals in the field, the innovations happening in the vendor and service provider communities and the fervent work of government, commercial and nonprofits. For more information and a detailed list of categories and winners, please visit www.scmagazineus.com/awards.

For more information about Trustwave NAC, visit: https://www.trustwave.com/network-access-control/.

CHICAGO - March 6, 2013 - Trustwave, a leading provider of cloud-based compliance and information security solutions, won the SC Magazine award for Best NAC (Network Access Control) product at a ceremony held in conjunction with the RSA Conference in San Francisco last week.

“This is one of the most watched award categories, as winners have to demonstrate a combination of functionality, manageability, ease of-use and scalability, as well as exemplary customer service and support to secure the vote of our readers,” said Illena Armstrong, VP of editorial, SC Magazine. “Congratulations to Trustwave for representing industry leadership, not only to the SC Magazine editors but also to our readers.”

Trustwave NAC enables granular control over network access and continuous monitoring of corporate-sanctioned and bring-your-own-device (BYOD) endpoints to help prevent the spread of malware and other threats that can harm infrastructure and leave organizations vulnerable to attack and data loss. Trustwave NAC include seamless integration with any wired or wireless network, detection and control of managed, unmanaged and unmanageable assets on the network and prevention of malicious malware download when users browse the Web over their personal device. Trustwave offers NAC through software and appliances and as a managed service.

Hundreds of vendors who offer a product for the commercial, government, educational, nonprofit or other industries entered the Reader Trust Award category. Trustwave NAC was selected by a panel representing a cross-section of SC Magazine readership, comprised of large, medium and small enterprises from all major vertical markets, including financial services, health care, government, retail, education and other sectors.

Trustwave also won Best NAC product at the SC Congress Canada 2012, Canada’s largest and most prestigious event for information security leaders. Trustwave NAC also received a 5-Star Rating from SC Magazine in 2011.

The SC Awards, now in its 16th year, is the premier recognition for information-technology security professionals and products that fend off the myriad security threats in today’s corporate world. The annual awards showcase the best solutions, services and professionals while recognizing achievement and technical excellence. SC Magazine distinguishes the achievements of the security professionals in the field, the innovations happening in the vendor and service provider communities and the fervent work of government, commercial and nonprofits. For more information and a detailed list of categories and winners, please visit www.scmagazineus.com/awards.

For more information about Trustwave NAC, visit: https://www.trustwave.com/network-access-control/.

Trustwave Opens Security Operations Center in Asia Pacific

Wed, 6 Mar 2013 05:15:00 UT

MANILA, PHILIPPINES - March 6, 2013 - Trustwave, a leading provider of cloud-based compliance and information security solutions, has opened a new Security Operations Center (SOC) in Manila, the capital of the Philippines, to meet client needs and support the growth of Trustwave’s Managed Security Services. The new Security Operations Center enhances Trustwave’s ability to serve clients headquartered in Asia Pacific, in addition to large, multinational businesses with operations in the region.
Security Operations Centers are “mission control” centers through which Trustwave delivers Managed Security Services. The new, secure Manila facility houses the infrastructure and staff necessary to deliver customer service, threat monitoring and device management to Trustwave clients. Trustwave now operates four Security Operations Centers worldwide - in Chicago, Denver, Manila and Warsaw.
“Adding a Security Operations Center in the Asia Pacific region was a logical next step in the growth and evolution of Trustwave Managed Security Services,” said Michael Petitti, Executive Vice President of Asia Pacific at Trustwave. “Our Asia Pacific expansion allows us to bridge geographical gaps and language barriers, while delivering high-value Managed Security Services and security expertise to our clients. Manila was an ideal location due to the wide variety of languages used throughout the city and country. From this Security Operations Center, our team can assist clients in English, Filipino, Japanese, Korean and Mandarin.”
Industry analyst firm Gartner anticipates that the Asia Pacific market for Managed Security Services will continue to grow from 28 percent to 33 percent annually through 2015[1].
Trustwave has successfully expanded its Managed Security Services offerings beyond traditional security services. While traditional services like managed firewalls, log monitoring, unified threat management and secure email continue to be essential layers of protection, they don’t always keep up with the latest threats to the network, applications or data. Trustwave goes beyond the basics with more advanced offerings - managed by Trustwave Security Operations Centers worldwide using the latest Trustwave SIEM technology combined with threat intelligence and security research by Trustwave SpiderLabs.
Trustwave Managed Security Services have received global recognition including recently being a finalist for the SC Magazine Europe award for Best Integrated Security Solution. Trustwave was also named a “Leader” in the March 2012 “Forrester Wave™: Managed Security Services: North America, Q1 2012” and was one of the top vendors “that matter most” that Forrester invited to participate in its evaluation to assess the state of the managed security services provider market.
To learn more about Trustwave Managed Security Services, visit: https://www.trustwave.com/managed-security-services/.
[1] Source: MarketScope for Managed Security Services in Asia/Pacific, 2012 Published: 9 October 2012, Analyst: Andrew Walls, p7

Trustwave TrustKeeper PCI Scan Notification - Phishing ALERT

Thu, 21 Feb 2013 10:33:00 UT

Over the last few hours, Trustwave has received multiple reports of individuals receiving fake emails purported to be from Trustwave.
These emails did not originate from Trustwave. Recipients should immediately delete the emails and not follow any links presented in them.
These emails indicate they are being sent as part of a “TrustKeeper PCI Scan Notification” and are alerting the recipient to login to a portal to respond to an issue related to a vulnerability scan of their network.
Early analysis has shown these emails are being sent from many variations of fake Trustwave email addresses and redirecting users to multiple non-Trustwave URLs. Visiting these URLs might introduce malware onto your systems.
Below is a screenshot of a fake email:

2013 Trustwave Global Security Report Now Available

Thu, 21 Feb 2013 06:30:00 UT

The 2013 Trustwave Global Security Report is now available. The greport reveals eye-opening findings about global data breaches and security trends. Throughout 2012, Trustwave compiled data from 450 global data breach investigations, more than 2,500 penetration tests, more than nine million Web application attacks, more than two million network and vulnerability scans, more than five million malicious websites, more than 20 billion emails as well as extensive research and analysis of zero-day security threats.
Sign up to download the 2013 Trustwave Global Security Report.
Some of the highlights from the report include:

50% of users, especially employees, are still using easily-guessed passwords, the most common being Password1. Unknowingly through easy passwords and social media, employees leave the door open for further attacks.
For the first time in three years, the retail industry is the top target for cyber-criminals, specifically the e-commerce industry.
64% of organizations attacked took more than 90 days to detect an intrusion with the average time for detection being 210 days.
There was a 400% increase in mobile malware particularly found on Android.

Sign up to download the 2013 Trustwave Global Security Report.

Trustwave Security Expert to Keynote at RSA Conference

Wed, 20 Feb 2013 05:15:00 UT

CHICAGO - February 20, 2013 - Trustwave Senior Vice President Nicholas J. Percoco and U.S. Secret Service Special Agent Erik Rasmussen will lead a keynote address on Thursday, February 28, at the 2013 RSA Conference in San Francisco. In “The Lifecycle of Cybercrime,” they will highlight cybercrime trends from forensic investigations compiled in the 2013 Trustwave Global Security Report. Percoco and Rasmussen will uncover the lifecycle of attacks including criminal motivations behind attacks, techniques used to infiltrate organizations, data aggregation methods, data exfiltration techniques and financial impact.
Percoco leads a global team of security experts at Trustwave. He and his team have performed more than 1,500 computer incident response and forensic investigations, run thousands of ethical hacking and application security tests for clients and conducted research around emerging and zero-day threats. Rasmussen is currently assigned to the United States Secret Service Criminal Investigative Division, Cyber Intelligence Section. He began working as a Special Agent in 2004. He has also worked on the Electronic Crimes Task Forces for the Los Angeles and Seattle Field Offices.
Additional Trustwave presentations include:

February 26, 1:10PM PST, Room 305: Trustwave’s Percoco and Senior Security Research Manager Steve Ocepek will present “Cloudy with a Chance of Sploits.” The cloud is here to stay, but like any new technology it has its own unique set of security concerns. This presentation includes real-world findings uncovered by Trustwave that demonstrate how the cloud changes everything, especially when things go wrong.

February 27, 1PM PST, Room 124: Trustwave’s Director of Application Security Services Charles Henderson will present “Application Security: One Size Doesn’t Fit All.” Every Web project has a unique set of requirements so one size does not fit all when it comes to a development toolset. Complete with real-world examples, this presentation will focus on the relative benefits of different testing approaches, what lifecycle stage the application is in, who wrote the application and what types of testing have been performed in the past.

February 28, 10:40am PST, Room 120: Trustwave’s Security Researchers Daniel Chechik and Anat Davidi present “Exploitation of Attackers’ PHP Systems.” Chechik and Davidi will discuss how end-user machines could get into attackers' PHP-based infrastructures. They will cover advanced techniques of PHP vulnerability discovery and exploitation, as well as provide real-life examples of known attacker PHP-based infrastructures and new vulnerabilities discovered in them.

Trustwave will also officially present the 2013 Trustwave Global Security Report at the RSA Conference, revealing the top vulnerabilities and threats that could potentially harm large and small businesses and government agencies worldwide.
Visitors are welcome to visit the Trustwave booth, #1324, where security experts will be on-hand to answer questions about the report and explain key findings.

Forbes Is Your Mobile App Safe

Wed, 20 Feb 2013 01:39:00 UT

Trustwave Director of Application Security Services Charles Henderson offers his take on mobile app security in this Forbes article. He's one of the folks at Trustwave SpiderLabs who tests mobile application security on behalf of clients.
Henderson kicks off the article:

The history of mobile application security is a case of “two steps forward, one step back.” The rush of companies and developers into the mobile software market has led to shortcuts that have repeated many security problems already solved in older technology platforms. Mobile has been fraught with issues of caching sensitive data, incomplete encryption and simple mistakes in coding. The extreme portability of mobile devices and the relative ease of obtaining physical access pose a significantly new risk - which is why a top-of-the-line, soup-to-nuts data security plan is crucial when it comes to protecting sensitive information.

Read the full Forbes article here.

Trustwave Reveals Increase in Cyber Attacks Targeting Retailers Mobile Devices and E-Commerce

Wed, 13 Feb 2013 05:15:00 UT

CHICAGO - February 13, 2013 - Trustwave, a leading provider of cloud-based compliance and information security solutions, today unveiled key results from the 2013 Trustwave Global Security Report. The report highlights details and trends from more than 450 global data breach investigations, more than 2,500 penetration tests, more than nine million Web application attacks, more than two million network and vulnerability scans, more than five million malicious websites, more than 20 billion emails as well as extensive research and analysis of zero-day security threats. All of the information is Trustwave’s own data collected and analyzed by Trustwave security experts—not surveys. Throughout 2012, Trustwave tested, analyzed and discovered the top vulnerabilities and threats that have the most potential to negatively impact multi-national corporations, merchants and government entities.
This year’s findings revealed the retail industry is now the top target for cybercriminals. For the first time, the retail industry made up 45 percent of Trustwave data breach investigations (a 15 percent increase from 2011) with e-commerce attacks emerging as a growing trend surpassing the amount of point-of-sales attacks. Additionally, mobile malware increased 400 percent, with malware found on Android devices growing from 50,000 to more than 200,000 samples. The report also revealed that out of three million user passwords analyzed, 50 percent of business users are still using easily-guessed passwords—the most common being “Password1” because it often meets the minimum standard for acceptable passwords. The findings indicated that in 2012, nearly every industry, country and type of data was involved in a breach of some kind with cybersecurity threats increasing as quickly as businesses can implement measures against them.
“Cybercriminals will never stop trying to compromise systems to obtain valuable information such as customer and private user data, corporate trade secrets and payment card information,” said Robert J. McCullen, Chairman, Chief Executive Officer and President of Trustwave. “This year’s Global Security Report pulls back the curtain revealing how breaches happen and how potential victims around the world can protect themselves so that they stay one step ahead and eliminate potential security threats. After reading this report, businesses and government agencies will be one step closer to building a comprehensive security strategy to reduce risk, protect data and safeguard their reputation.”
Other Key Report Findings

Applications emerged as the most popular attack vector. E-commerce sites were the number one targeted asset accounting for 48 percent of all investigations.
64 percent of organizations attacked took more than 90 days to detect an intrusion with the average time for detection being 210 days -- 35 days longer than in 2011; 5 percent took more than three years to identify the criminal activity. Most victim organizations still rely on third parties, customers, law enforcement or a regulatory body to notify them a breach has occurred - a worldwide security problem.
Employees leave the door open to further attacks. Whether due to lack of education or policy enforcement, employees pick weak passwords, click on phishing links and share company information on social and public platforms.
Attacks were discovered in 29 different countries. The largest percentage, 34.4 percent, originated in Romania.
Spam volume shrank in 2012 but still represents 75.2 percent of a typical organization’s inbound email and roughly 10 percent of spam messages are malicious.
Businesses seem to be rapidly adopting an outsourced, third-party information technology operations model. 63 percent of investigations revealed a third party responsible for system support, development or maintenance, introduced security deficiencies easily exploited by hackers.
The two most noteworthy methods of intrusion, SQL injection and remote access, made up 73 percent of the infiltration methods used by criminals in 2012.
Out of the 450 cases investigated in 2012, about 40 variations of malware were found. Trustwave attributed the 40 unique types of malware to six criminal groups. Three criminal teams caused the majority of payment of service credit card breaches. Russia and the U.S. are the largest contributors when it comes to malware attacks making up 39.4 percent and 19.7 percent of hosted malware, respectively.

“Businesses should take a step back and re-evaluate their security posture,” added McCullen. “All developers, particularly in the e-commerce industry, should implement a full lifecycle security plan that includes thoroughly educating themselves and their employees, equipping themselves with the best tools to protect themselves against attacks and making sure they are using the most reliable resources for zero day detection."
Top Security Recommendations for 2013
To improve security posture, Trustwave recommends six focus areas for organizations in 2013:

Educate employees. Employees are the first line of defense against attackers. Organizations should conduct security awareness training on a regular basis for all existing and new employees.
Identify Users. Every user-initiated action should be tagged to a specific person, whether in a physical or digital environment. Every year, a significant number of data breaches occur as the result of an attacker obtaining access to a user’s account.
Register Assets. With the increase of bring-your-own-device (BYOD), it is more important than ever to have a complete inventory or registry of valid devices. A device should never be allowed access to a controlled environment unless it’s registered and known. In addition, the patch levels and vulnerabilities should be assessed on a regular basis not only to work to improve the security of those in the environment but also to understand what risks exist when issues can’t be resolved in the short term.
Protect Data. Attacks are more sophisticated than ever, and keeping cybercriminals out requires a multi-faceted approach. Businesses should implement a “more than technology” approach to security that includes team training and education, secure code review, and periodic penetration and vulnerability testing for e-commerce Web applications, as well as a data lifecycle methodology that governs data from creation to destruction. They should also create resiliency in systems by layering proven technologies such as a powerful secure Web gateway and a Web application firewall that can be deployed to improve protection and performance of business-critical applications, with virtual patching capabilities that combat threats in real-time.
Unify Activity Logs. Most businesses today treat physical and information security controls separately. Badge systems, HR records, and even loss prevention are not typically tied to the same team that monitors firewalls, intrusion detection and other security technology. Businesses should employ technology like security information and event management (SIEM) to take over the processing of these logs.
Visualize Events. The ultimate goal for organizations should be to develop an environment in which security threats are discovered innately-by both responsible security professionals and others in the organization. Security event visualization allows businesses to identify patterns, emerging vulnerabilities and attacks, and respond quickly and decisively across the organization when an attack does occur. Using the right data sources, advanced SIEM analytics, and data modeling, security event visualization prepares businesses to effectively mitigate current and future threats.

“There is no ‘if’ you will be attacked, only ‘when’ which is why it is crucial for organizations to follow security best practices and recommendations,” said Chris Christiansen, Program Vice President Security Products and Services, IDC. “Cyber-attacks are increasing with little sign of abatement. Every business contains valuable information about themselves and/or their partners, channels, suppliers, and customers. By learning from other people's experiences and considering the suggestions outlined in this report, enterprises can build stronger and more responsive security programs that protect their businesses, employees, partners, suppliers, and customers.”
The 2013 Trustwave Global Security Report will be available to the public prior to the RSA Conference in San Francisco, February 25. Sign up to receive a complimentary digital copy of the report when it becomes generally available here: https://www.trustwave.com/2013GSR