IT leadership


  • Data protection compliance costs less than noncompliance

    Smaller companies -- with fewer than 5,000 employees -- in particular may be hit hard by GDPR requirements and other data compliance hurdles. A new report does the math.

  • Ten years on, SaaS provider's aim is improving cybersecurity

    A goal set by acquired cloud company Sonian is improving cybersecurity, whether through IT security frameworks or features in its service, co-founder says.

  • MSSPs add advanced threats as managed security services gain hold

    Skill shortages and budget constraints have led some companies to adopt a hybrid approach to managed security. Is it time for CISOs to start looking for 'expertise as a service'?

  • The managed security provider comes knocking

    A constantly evolving threat landscape and a deepening skills crisis have more enterprises looking to a managed security service provider for help handling some of their security requirements. The trend is expected to drive strong demand for MSSPs over the next few years, especially in areas like intrusion prevention and detection systems, distributed denial-of-service mitigation, unified threat management and security information and event management (SIEM). Estimates for the overall size of the global market over the next few years range from the low $20 billion to $35 billion. That makes it one of the fastest growing segments in the security industry. What are the factors CISOs need to consider when choosing a managed security provider, and what are some best practices for getting the most out of these relationships?

    Enterprises have a range of options for using such services, from managed on-premises or managed customer-premise equipment services to fully outsourced, cloud-hosted options. A hybrid security model has worked for Arlington County in Virginia. The local government's security operations center is managed by in-house engineers who inherently know the network and are better positioned to respond to SIEM alerts from the MSSP. "We preferred the hybrid approach because we had the seasoned staff available to perform this aspect of the security practice," CISO David Jordan said. "It's a positive and successful approach, and the results are repeatable."

    Much of the managed security provider growth is being driven by the need for increased security and compliance measures at small to medium-sized businesses. In this issue of Information Security magazine, we look at the evolution of the managed security provider and the best ways to handle these partnerships.

  • How can a vendor risk assessment help enterprise security?

    Third-party vendors are necessary for organizations, but with them come more security risks. Expert Mike O. Villegas discusses how vendor risk assessments can help.

  • Is mobile payment security regulated enough by PCI DSS?

    PCI DSS is pretty specific about security, but does it do enough for mobile payment security? Expert Mike Chapple explains why he says yes.

  • Exchange email security best practices sanction self-assessments

    Do you have the guts and technology know-how to undertake a self-assessment of your organization's Exchange-related risks? If so, start here.

  • Six areas of importance in the PCI Penetration Testing Guidance

    Complying with PCI penetration testing mandates has always been a challenge for enterprises. Expert Kevin Beaver discusses the recently released PCI SSC pen testing guidance and how it can help enterprises overcome their PCI woes.

  • From SSL and early TLS to TLS 1.2: Creating a PCI DSS 3.1 migration plan

    PCI DSS 3.1 requires enterprises to phase out SSL and early TLS use by June 30, 2016. Expert Michael Cobb offers advice for putting a migration plan to TLS 1.2 in place.

  • Manage compliance controls with Adobe Common Controls Framework

    Adobe's Common Controls Framework sets an example for enterprises struggling to manage multiple compliance standards and looking to build their own compliance framework.

  • Fighting crimeware, RAM scraping and other modern mischief

    There's a good possibility that the attacks you see this year will be harder to detect than in years past, particularly as malware generation toolkits make these more advanced techniques easy to incorporate with existing systems.

    In this three-part guide, SearchSecurity contributors examine the latest iterations of malware. First, however, is a chapter on crimeware in general -- that is, malware used to conduct crime. Not surprisingly, that means grabbing sensitive personal information from either point-of-sale terminals or individual end users. The ultimate goal is the same either way: to get at the money. Investigation is essential to understanding and preventing attacks, so we've included some guidance on how a formal investigation should proceed. Later, particular methods used by malware operators are explored in depth -- RAM scraping and advanced evasion techniques.

    This guide provides a valuable rundown of what's coming at you in the months ahead from the world of malware, and helps determine what you must do to keep your enterprise systems and finances secure.

  • Four ways security compliance standards strengthen enterprise security

    Rather than approaching security compliance standards as boxes to be checked, expert Steven Weil provides four ways enterprises can use compliance standards to strengthen security programs.

  • Credit card protection tactics: Technology vs. standards

    In 2014 shoppers spent almost $300 billion online (a number expected to grow in future years). There was a significant number of online fraud attempts, too—and about 78% of those were made through website applications. (In contrast, only 3% were made via mobile applications.)

    This Technical Guide looks at efforts made thus far to crack down on credit card fraud. It starts with a discussion of card-not-present scams, currently a tool of choice for fraudsters, not only because they can shift tactics rapidly among different types of Internet transactions but also because there is no need to steal a card itself (only its attributes), which means customers are typically unaware of the theft until after fraudulent transactions have occurred. It then considers the new breeds of technology placed into networks today that focus on fraud and may give organizations means to not only detect and monitor but also stop fraud. The good news is that these tools for banks and merchants alike begin to protect before a transaction is ever made.

    Finally, Chapter 3 explores whether the Payment Card Industry's Data Security Standard (PCI DSS) effectively and efficiently protects consumer data.

  • What advice does the PCI Special Interest Group have for compliance?

    A new PCI Special Interest Group document gives advice to enterprises on staying PCI DSS compliant after audits. Expert Mike Chapple highlights the key takeaways.

  • How can companies protect against Backoff malware?

    After Backoff malware was discovered in over 1,000 businesses, companies should be asking how to prevent it. Expert Mike Chapple answers.