COLUMN

Feds push cybersecurity jobs, PCI DSS changes ahead.

By Eric Ogren
05 Oct 2009 | SearchSecurity.com



There were interesting events on the security radar screen last week. Rather than drilling into a particular announcement or event, this week's column highlights events that were particularly thought-provoking.

In a significant sign of the government's commitment to improving its cybersecurity profile, the Department of Homeland Security said it could hire 1000 security professionals over the next three years. This is welcome news for those seeking cybersecurity jobs. A longer-term view of the problem of securing the national technical infrastructure would have DHS allocating more of its $40 billion total budget authority to cybersecurity educational programs. We've heard reports about the problem of filling and retaining professionals in government information security jobs. In addition to existing degree programs at a few universities, perhaps cybersecurity can also be featured in Reserve Officers Training Candidate programs to develop military leadership well-versed in cybersecurity skills. Presently, neither the Army ROTC nor the Air Force ROTC shows cybersecurity as a career choice.

In a move that was long overdue, the payment card industry is moving closer to defining requirements for virtualization infrastructure. Most businesses have virtualization in the data center and many are looking at virtualization for desktops and applications. The PCI Virtualization Special Interest Group is looking at the security impact of virtual terminals. Two payment processors are also focusing on end-to-end crypto and tokenization. The first two technologies, virtual terminals and end-to-end crypto, would remove machine-readable credit card information from personal computers and point-of-sale devices; tokenization would replace duplicate copies of credit card numbers in databases with internal token identifiers that would be meaningless to an outsider. These changes to the way credit card data is handled are examples of more promising approaches to reducing the risk of data theft, the ultimate goal of PCI DSS.

In other news, while major antivirus vendors scoff that "you get what you pay for," there can be no doubt that Microsoft Security Essentials, the free endpoint security package made widely available last week, will have a competitive impact on the consumer markets. Microsoft has made MSE free for consumers in an attempt to assure ubiquitous AV protection against viruses, spyware and other threats. Service providers should quickly be closing deals with Microsoft about distributing MSE to their consumer clients or at least using the threat of MSE to negotiate better terms with established AV vendors. Comcast Corp. presently distributes McAfee Inc. for free to its Internet subscribers. We do not know about the strength of MSE, but it has to be more effective than no AV at all.

While on the topic of free AV, AVG is releasing version 9.0 with a smarter algorithm that promises to improve scanning performance by half. There is a lot written about AV effectiveness, including the latest Anti-Virus Comparative report; however, most consumers purchase endpoint security based on brand and then deactivate the product for performance. Consumers with limited IT budgets run on older machines that are sensitive to noticeable performance degradation during system boot, system scans and real-time security inspections. Given that a system scan could touch roughly 400,000 objects, the latest version of AVG is an improvement that could shave 30 minutes off the system scan time. The Anti-Virus Comparative has some data ranking Avast Corp. and Symantec Corp. highly for full system scans (kudos to Symantec for big performance improvements). Let's hope that future editions do a more thorough job of measuring full system scan performance, as well as including latency introduced into boot times, installation time and time to effectively remove an AV product to switch vendors.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
