News

News

• October 01, 2013 01 Oct'13

  Security education: Cyber Defense Competitions a major hit on campus

  Iowa State University recruits industry professionals and hackers to provide students with "real-world" security education.

• October 01, 2013 01 Oct'13

  A call to action for technology risk management professionals

  In his inaugural Security Economics column, Peter Lindstrom looks at technology risk management, and how to make the hard decisions pay off.

• September 27, 2013 27 Sep'13

  Fortune 1000 companies keep their mouths closed, Willis says

  Ran across the Fortune 1000 Cyber Disclosure Report, published earlier this month by Willis North America, a unit of Willis Group Holdings. The report found that among the Fortune 501-1,000, 22% ...

• September 27, 2013 27 Sep'13

  At 2013 PCI annual meeting, hot topics include POS security, EMV chips

  PCI Community Meeting attendees this week discussed POS security and EMV; officials say feedback will influence more changes in the final PCI DSS 3.0.

• September 27, 2013 27 Sep'13

  Open source intelligence can drive proactive defense, panel says

  As enterprises try to turn toward more proactive defense measures, open source intelligence could prove to be a valuable tool, an expert panel said.

• September 26, 2013 26 Sep'13

  Mobile risk management: Data-centric approach key to success

  At the 2013 (ISC)2 Security Congress, experts highlighted why a data-centric approach is necessary for an effective mobile risk management program.

• September 26, 2013 26 Sep'13

  'Information Security' readers have voted ...

  We've tallied the votes in our Readers' Choice Awards 2013. Find out the best security products of the year.

• September 25, 2013 25 Sep'13

  Researcher: Exploit kits revolutionize automated malware production

  A researcher at the 2013 (ISC)2 Security Congress said exploit kits have revolutionized malware creation, even lowering the bar for targeted attacks.

• September 23, 2013 23 Sep'13

  Are business associates taking the HIPAA Omnibus Rule seriously?

  All covered entities must comply with the HIPAA Omnibus Rule by September 23, but one expert questions whether business associates care enough.

• September 20, 2013 20 Sep'13

  HP introduces 'self-healing' BIOS protection with SureStart

  HP's new SureStart feature detects and 'heals' corrupted BIOS code.

• September 20, 2013 20 Sep'13

  Is Apple's Touch ID tapping at the window of a biometric future?

  If users readily embrace Apple's new Touch ID fingerprint reader, experts say it could press enterprise biometric adoption forward.

• September 18, 2013 18 Sep'13

  Microsoft offers temporary fix for Internet Explorer zero-day

  Microsoft provides an Internet Explorer fix after confirming a vulnerability affecting all versions of the Web browser is being actively exploited.

• September 17, 2013 17 Sep'13

  Symantec: 'Hidden Lynx' behind cyberattacks against Bit9 and others

  Symantec has linked a China-based hacking group, dubbed 'Hidden Lynx,' with several recent, large-scale cyberattacks, including one against Bit9.

• September 10, 2013 10 Sep'13

  Patch Tuesday September 2013: Critical bulletins for Office, SharePoint, IE

  The September 2013 Patch Tuesday releases included 13 bulletins from Microsoft, four deemed critical.

• September 10, 2013 10 Sep'13

  Opinion: Software [in]security -- software flaws in application architecture

  Many defects aren't found with code review. Gary McGraw and Jim DelGrosso think architectural risk analysis is a must to uncover software flaws.

• September 05, 2013 05 Sep'13

  Damballa adds HTTP request profiling to its ATP platform

  Damballa is adding HTTP request profiling to its advanced threat protection platform to detect malware that bypasses traditional security approaches.

• September 03, 2013 03 Sep'13

  Attack security literacy with brute force

  Forget the slogans. Reset your security awareness program with actionable information.

• September 03, 2013 03 Sep'13

  Converting to cloud: Ranum Q&A with Lee Heath

  Not down with Dropbox? Lee Heath embraced shadow IT and improved his company's data security practices in the process.

• September 03, 2013 03 Sep'13

  Cybersecurity and global risk assessment enter the boardroom

  Analysts expect security concerns to drive global risk management, but executives may need convincing.

• August 28, 2013 28 Aug'13

  CounterTack to defend endpoints in South Korea

  U.S.-based CounterTack in agreement to protect South Korean security firm SK Infosec's endpoints from increasingly stealthy cyberattacks.

• August 26, 2013 26 Aug'13

  VMware unveils next-gen NSX, teams up with security players

  At VMworld 2013, VMware unveiled its next-gen network virtualization platform, NSX, and an ecosystem partnership with the security industry.

• August 15, 2013 15 Aug'13

  IBM acquires Trusteer, forms cybersecurity software lab in Israel

  IBM acquires Trusteer, a software company known for its expertise in enterprise endpoint defense and advanced malware protection.

• August 15, 2013 15 Aug'13

  PCI DSS 3.0 preview highlights passwords, providers, payment data flow

  The proposed PCI DSS 3.0 standard would emphasize in-house vulnerability assessments, add password flexibility and highlight provider compliance.

• August 13, 2013 13 Aug'13

  Is it time for cyber liability insurance?

  Cyber liability insurance can provide a new layer of security in data breach or exploit situations, study finds.

• August 09, 2013 09 Aug'13

  Lavabit, Silent Circle close secure email rather than spill the goods

  Lavabit and Silent Circle, both providers of secure communications for the consumer market, close under threat of U.S. government meddling.

• August 09, 2013 09 Aug'13

  Five major technology trends affecting software security assurance

  Column: Gary McGraw says five shifts in the IT landscape are affecting software security, but several BSIMM best practices can limit risk exposure.

• August 09, 2013 09 Aug'13

  Neohapsis: IPv4 plus IPv6 enables man-in-the-middle attacks

  Neohapsis' Scott Behrens explains how having both IPv4 and IPv6 Internet protocols enabled can lead to man-in-the-middle attacks.

• August 07, 2013 07 Aug'13

  FortiGuard Labs sees fast rise of mobile malware in 2013

  FortiGuard Labs reports a 30% increase in mobile malware so far in 2013, and cautions ransomware is also making an appearance on mobile devices.

• August 06, 2013 06 Aug'13

  Radware's Ron Meyran discusses DoS attack tools, planning, execution

  Ron Meyran, Radware's director of security solutions, answers our questions about DoS attack planning and execution.

• August 02, 2013 02 Aug'13

  Black Hat 2013: Experts urge elliptical curve cryptography adoption

  A session by a team of crypto experts at Black Hat USA 2013 argued that RSA and Diffie-Hellman should be abandoned in favor of ECC.

• August 01, 2013 01 Aug'13

  New data on enterprise mobile security

  We polled readers in our annual Enterprise Mobile Security Survey and the 2013 results are in.

• August 01, 2013 01 Aug'13

  Black Hat 2013 keynote: Alexander details NSA surveillance programs

  In his keynote at Black Hat 2013, Gen. Keith Alexander said NSA surveillance programs have strict oversight, despite many inaccurate media reports.

• August 01, 2013 01 Aug'13

  Black Hat 2013 opens with testy keynote, smart device hacks

  After a contentious opening keynote by NSA Director Gen. Keith Alexander, day one of Black Hat 2013 showed smart device hacks, severe SCADA issues.

• August 01, 2013 01 Aug'13

  Is big data education a big failure?

  Big data presents big challenges for computer science programs from classification to cloud security. Are industry partnerships the answer?

• August 01, 2013 01 Aug'13

  Ten years later: The legacy of SB 1386 compliance on data privacy laws

  A decade after becoming law, the ripple effects of California's SB 1386 have surfaced in a new breed of proactive, granular state data privacy laws.

• July 26, 2013 26 Jul'13

  Feds catch hackers behind worldwide data breaches

  Feds indict, unmask hackers behind largest known data breach conspiracy targeting worldwide financial institutes, payment processors and retailers.

• July 24, 2013 24 Jul'13

  RSA warns about 'KINS' banking Trojan

  RSA is warning that a new banking Trojan, 'KINS,' with architectural similarities to previous Trojans, may start hitting PCs soon.

• July 24, 2013 24 Jul'13

  Cisco spends cool $2.7 billion in Sourcefire acquisition

  In biggest security acquisition since 2011, Cisco has announced it will buy IDS maker Sourcefire for $2.7 billion.

• July 22, 2013 22 Jul'13

  Malwarebytes: Maneuver around 'FBI ransomware' on Macs

  Jerome Segura of Malwarebytes explains how to get around 'FBI ransomware' computer locking.

• July 19, 2013 19 Jul'13

  Bit9 report blasts Java security vulnerabilities as 'severe'

  A study by Bit9 explains just how bad the Java problem really is: The most popular version has 96 severe vulnerabilities.

• July 12, 2013 12 Jul'13

  2013 Black Hat conference: Feds welcome!

  Despite DefCon founder's blog telling Feds to stay home, Black Hat says they're 'welcome' at the show.

• July 12, 2013 12 Jul'13

  FortiGuard Labs: Advanced persistent threats are escalating

  Advanced persistent threats are on the rise, according to a report by FortiGuard Labs.

• July 09, 2013 09 Jul'13

  Aveksa acquisition expands RSA's intelligence-driven security strategy

  Aveksa acquisition should help RSA compete in burgeoning identity management market.

• July 09, 2013 09 Jul'13

  Damballa: Security vendor partnerships of growing importance

  Damballa executives say partnerships among security point product vendors are increasingly important, and will ultimately benefit enterprises.

• July 09, 2013 09 Jul'13

  Security researcher finds vulnerabilities in emergency alert system

  Seattle-based application security company IOActive has uncovered significant vulnerabilities in Digital Alert Systems' DASDEC.

• July 08, 2013 08 Jul'13

  California data breach report: 2.5M residents at risk of identity theft

  In 2012, data breaches in California put 2.5 million residents at risk of identity theft.

• June 19, 2013 19 Jun'13

  RSA Silver Tail improves online fraud detection, enterprise security

  Fraud prevention for the Web: RSA Silver Tail sets stage for enterprise-level security with big data and brand new interface.

• June 18, 2013 18 Jun'13

  Users may remain vulnerable despite Oracle Java patch release

  Oracle has issued a new security patch for Java, but only 7% deployed the patch before it.

• June 17, 2013 17 Jun'13

  Gary McGraw: NSA data collection programs demand discussion, scrutiny

  Opinion: Gary McGraw details the various and sundry NSA data collection programs and explains why all its efforts demand new discussion and scrutiny.

• June 13, 2013 13 Jun'13

  Enterprise BYOD offers mixed bag for enterprise endpoint security

  A Gartner analyst says enterprise BYOD -- specifically iOS and Android devices -- presents many pros and cons for enterprise endpoint security.

• June 12, 2013 12 Jun'13

  CEO: Symantec strategy to emphasize endpoint security, partnerships

  Symantec CEO Steve Bennett says future product strategy will align with the 'Symantec 4.0' blueprint, pushing core features and vendor partnerships.

• June 11, 2013 11 Jun'13

  Mullen: Cybersecurity threats demand leadership from Capitol Hill

  Adm. Mike Mullen criticized U.S. politicians for a lack of leadership on vital cybersecurity issues and called the NSA PRISM leak a 'huge breach.'

• June 11, 2013 11 Jun'13

  Harsher penalties for HIPAA violations altering compliance efforts

  More frequent audits and larger penalties for violating HIPAA are motivating enterprises to tame HIPAA compliance challenges, Gartner analysts say.

• June 05, 2013 05 Jun'13

  Ponemon data breach study finds costs up, notification major driver

  The latest Ponemon study on data breaches found that the cost per lost record in an average breach incident increased modestly, from $130 to $136.

• June 03, 2013 03 Jun'13

  Staff infection: IT security education is contagious

  If bad attitudes are spreading across the IT staff like germs, better IT security education may just be the cure.

• June 03, 2013 03 Jun'13

  McGraw: Financial services develop a proactive posture

  The idea behind proactive security is simple: build security in the first time by following security models like BSIMM and security engineering.

• June 03, 2013 03 Jun'13

  Diversity at work: MDM solutions keep pace

  Philip Clarke, co-leader of the Wireless and Mobility track at Nemertes Research, reports on what’s ahead for mobile device management solutions.

• May 31, 2013 31 May'13

  HIPAA Omnibus Rule, PPACA challenge enterprise compliance management

  Compliance practitioners say new mandates like the HIPAA Omnibus Rule and Obamacare are making enterprise compliance management even harder.

• May 31, 2013 31 May'13

  Report finds security tools add software vulnerabilities of their own

  A report by iViZ Security Inc. found that overall vulnerabilities in security products in 2012 rose sharply.

• May 24, 2013 24 May'13

  Case study: CDI launches aviation company DLP program on short runway

  Technology services company CDI-Aerospace used a Verdasys DLP solution to manage third-party risk for a major aviation client.

• May 21, 2013 21 May'13

  Sourcefire updates malware detection, malware analysis capabilities

  New features for detecting and analyzing malware in Sourcefire's FireAMP and FirePOWER products supplement flagging signature-based antimalware.

• May 15, 2013 15 May'13

  DDoS attack trends highlight increasing sophistication, larger size

  Though the Spamhaus DDoS attack showed the potential devastation of increasing bandwidth, DDoS attack trends show DDoS type to be just as important.

• May 09, 2013 09 May'13

  Temporary fix out for Department of Labor website IE8 zero-day

  Microsoft is still working on a permanent fix for the IE8 zero-day found in the Dept. of Labor website attack. Also: Adobe preps ColdFusion patch.

• May 09, 2013 09 May'13

  Department of Labor website hack highlights advanced attack trends

  The IE8 zero-day attack planted in the U.S. Labor Department's website highlights how few organizations can ward off never-before-seen attacks.

• May 06, 2013 06 May'13

  After lull, PLA 'Comment Crew' hasn't changed cyber-espionage tactics

  The Chinese government's alleged cyber-espionage arm remains active after a quiet period, using the same tactics revealed in Mandiant's APT1 report.

• May 01, 2013 01 May'13

  IT security education climbs the corporate ladder

  Managers need more training about technical security threats and input into IT policies that threaten productivity.

• May 01, 2013 01 May'13

  Marcus Ranum: Q&A with clean-slate pioneer Peter G. Neumann

  Marcus Ranum, security expert and Information Security magazine columnist, goes one-on-one with clean-slate luminary Peter G. Neumann of SRI International and formerly Bell Labs.

• April 30, 2013 30 Apr'13

  McAfee jumps into IAM with one-time password, cloud SSO products

  McAfee introduces two new identity and access management (IAM) products.

• April 25, 2013 25 Apr'13

  Over 100k serial devices online and unsecured, says HD Moore

  Security researcher HD Moore says 114,000 serial devices exposed to the Internet are highly hackable.

• April 24, 2013 24 Apr'13

  Trusteer warns of new man-in-the-browser Twitter attack

  The attack seeks to compromise a Twitter webpage via a man-in-the-browser attack. Trusteer warns it could be a harbinger of broader future attacks.

• April 23, 2013 23 Apr'13

  2013 Verizon DBIR: Authentication attacks affect all organizations

  The 2013 Verizon data breach report details how authentication attacks affect organizations of all sizes, blaming single-factor passwords.

• April 22, 2013 22 Apr'13

  Verizon DBIR 2013: Damage caused by simple attacks, slow detection

  Verizon's 2013 breach report shows most breaches are caused by a select few attack types, and the majority of breaches aren't detected for months.

• April 22, 2013 22 Apr'13

  Verizon data breach report 2013: Data shows need for risk awareness

  Verizon's annual breach report indicates outsiders still cause most breaches, and despite no one-size-fits-all defense, better risk awareness can help.

• April 18, 2013 18 Apr'13

  Symantec 2013 Threat Report highlights rise in SMB attacks

  Big Yellow's annual report indicates a threefold rise in targeted attacks against SMBs as attackers search beyond big firms for susceptible targets.

• April 16, 2013 16 Apr'13

  Emerging antiphishing tools use testing, training to educate users

  Emerging enterprise antiphishing tools use testing, training to help users recognize bogus messages, addressing a long-standing defensive pain point.

• April 16, 2013 16 Apr'13

  SSH keys audited automatically by free tool

  SSH Communications Security will offer a free tool for auditing SSH key use within large organizations at next week's Infosecurity Europe conference.

• April 12, 2013 12 Apr'13

  Opinion: The APT1 aftermath and information sharing

  Marcus Ranum says the Mandiant APT1 report must serve as a model for better information sharing within the information security industry.

• April 10, 2013 10 Apr'13

  Veracode report highlights key problems in mobile app security

  Security testing vendor Veracode has released a report showing that mobile apps aren't getting their cryptography right.

• April 09, 2013 09 Apr'13

  For CISOs, California Right to Know Act would raise privacy emphasis

  The proposed California Right to Know Act may compel CISOs to develop additional privacy policies or create new privacy officer roles.

• March 27, 2013 27 Mar'13

  Panel: Cyber-intelligence alone can't stop enterprise security threats

  Panelists at the SANS Cyber Threat Intelligence Summit lament the challenges of using cyber-intelligence to thwart enterprise security threats.

• March 25, 2013 25 Mar'13

  Why information security education isn’t making the grade

  Security experts explain why a holistic approach to security is critical to training computer engineers and computer scientists for a career in information security.

• March 25, 2013 25 Mar'13

  CISOs: From no seat to multiple hats

  The CISO role in many enterprises is expanding beyond security risk mitigation to risk management, privacy and regulations, and compliance.

• March 25, 2013 25 Mar'13

  Security transitions: Changes that make a difference

  This month, Information Security Magazine examines security industry changes that can really make a difference: improving identity management and building security into software from the get go.

• March 22, 2013 22 Mar'13

  'Internet underground' fight demands better cybersecurity intelligence

  Former U.S. national security advisor Greg Rattray believes better cybersecurity intelligence is needed to combat a growing "Internet underground."

• March 21, 2013 21 Mar'13

  Huawei security issues are result of 'rumors,' says Huawei executive

  Huawei security issues threating national security are 'rumors' lacking supporting evidence, a Huawei France executive tells LeMagIT.

• March 20, 2013 20 Mar'13

  Research highlights speed, frequency of ICS security attacks

  A new Trend Micro study using honeypots for research highlights an alarming number and variety of attempted ICS security breaches.

• March 20, 2013 20 Mar'13

  Certain Cisco IOS, IOS XE devices susceptible to brute-force attacks

  Cisco has issued a security advisory after Hashcat researchers disclosed a password flaw in IOS and IOS XE devices that enable brute-force attacks.

• March 19, 2013 19 Mar'13

  Opinion: Yemeni CERT could turn the tide for Millennials

  Providing order and security for the Internet in Yemen, where half of the population is under 18, could provide opportunity in a faltering nation.

• March 14, 2013 14 Mar'13

  Secunia: More focus needed on third-party application security

  Secunia highlights the growing need for better third-party application security, plus Microsoft's security improvements, and the growing cost of zero-days.

• March 14, 2013 14 Mar'13

  DoD security panel calls for new cyber-defense, offense

  A Pentagon advisory panel suggests both beefed-up U.S. cyber-defenses and a proactive plan for offense.

• March 05, 2013 05 Mar'13

  RSA 2013: FBI offers lessons learned on insider threat detection

  At RSA Conference 2013, experts from the FBI said insider threat detection hinges not on technology, but on a multifaceted 'people-centric' approach.

• March 05, 2013 05 Mar'13

  RSA 2013: Experts struggle to define offensive security, hacking back

  Is offensive security or 'hacking back' a viable cyberdefense tactic? RSA Conference 2013 experts struggled to define the terms, never mind the role they play.

• March 04, 2013 04 Mar'13

  Emerging threats include kinetic attack, offensive forensics: RSA 2013

  At RSA 2013, experts Ed Skoudis and Johannes Ullrich explained how the SANS CyberCity supports offensive forensics and helps prevent kinetic attacks.

• March 04, 2013 04 Mar'13

  RSA 2013 crowd awed by live 'sinkholing' in P2P botnet takeover

  Tillmann Werner of CrowdStrike wowed onlookers with a live 'sinkholing' demonstration, taking down the Kelihos P2P botnet.

• February 28, 2013 28 Feb'13

  RSA 2013: More from Coviello on big data analytics in the security industry

  RSA's Art Coviello explains why the shortcomings of current mainstream security products are part of what's driving enterprise interest in big data.

• February 27, 2013 27 Feb'13

  Spear phishing, manpower drive Chinese APTs, says researcher at RSA 2013

  Chinese cyberattacks rely on spear phishing and overwhelming numbers, not sophisticated attack methods, says a researcher at RSA Conference 2013.

• February 27, 2013 27 Feb'13

  Vendors showcase MAM products that ease BYOD challenges at RSA 2013

  RSA exhibitors offered a range of mobile application management solutions, intended to ease the challenges of monitoring BYOD environments.

• February 27, 2013 27 Feb'13

  RSA 2013: Charney optimistic about the future of information security

  In his RSA Conference 2013 keynote, Microsoft's Scott Charney struck an optimistic note when talking about the future of information security.

• February 27, 2013 27 Feb'13

  Big data 2.0: CISOs push need to identify attack campaigns

  CISOs at RSA Conference 2013 say identifying attack campaigns means taking security big data to the next level. The hard part? Finding data analysts.

• February 26, 2013 26 Feb'13

  Coviello pitches 'transformational' information security strategy

  In a talk critical of cyberattack finger-pointing, Art Coviello stressed the need for infosec strategy to emphasize big data, interconnectivity.