Security Wire Weekly
http://itknowledgeexchange.techtarget.com/security-wire-weekly
A SearchSecurity.com Podcast
The cybersecurity industry’s premier podcasts featuring the latest information security news, interviews and information.
Information security news and interviews with information security experts and professionals.
Last updated: Thu, 24 May 2012 20:29:36 +0000
©SearchSecurity.com, editor@searchsecurity.com
Keywords: Security, Information Security, Security flaws, security vulnerabilities, hacking techniques, hackers, security compliance, data security breach

P2P encryption for mobile is not an endorsement, says PCI Council
http://itknowledgeexchange.techtarget.com/security-wire-weekly/p2p-encryption-for-mobile-is-not-an-endorsement-says-pci-council/
Thu, 24 May 2012 19:44:12 +0000, Robert Westervelt
Duration: 10:45
The PCI Security Standards Council recently urged merchants to use certified point-to-point encryption hardware when swiping credit card payments with a mobile device. But Bob Russo, general manager of the PCI SSC, insists that the PCI Council is not endorsing the technology. In this interview, Russo discusses the state of the PCI special interest groups (SIGs) and addresses why no Mobile SIG exists.
Keywords: PCI DSS, PCI SSC, mobile device security risks, mobile security, Mobile platform security

Costly business logic flaws require manual testing
http://itknowledgeexchange.techtarget.com/security-wire-weekly/costly-business-logic-flaws-require-manual-testing/
Tue, 08 May 2012 19:11:32 +0000, Robert Westervelt
Duration: 20:35
Business logic flaws are costly to detect but even more costly if they are exploited, says application security expert Dan Kuykendall, CTO of NTOBJECTives Inc. Manual testing can detect the issues before cybercriminals can take advantage of the flawed functionality.
Keywords: web application security, Security Wire Weekly, secure software development

2012 Verizon DBIR lessons overshadowed by hype
http://itknowledgeexchange.techtarget.com/security-wire-weekly/2012-verizon-dbir-lessons-overshadowed-by-hype/
Wed, 25 Apr 2012 20:40:57 +0000, Robert Westervelt
Duration: 26:47
In this edition of Security Squad, the editors discuss the 2012 Verizon DBIR findings that have been hyped and misconstrued and why only 8% of organizations make a breach discovery with internal technologies. Also, a discussion on how the message delivered at a recent conference by several security luminaries fell flat.
Keywords: Verizon DBIR 2012, Security Wire Weekly, Security Squad

Mobile device security policy essential to BYOD security
http://itknowledgeexchange.techtarget.com/security-wire-weekly/mobile-device-security-policy-essential-to-byod-security/
Thu, 12 Apr 2012 20:11:36 +0000, Robert Westervelt
Duration: 15:03
Do you think you need a mobile device management platform? Think again, said Darrin Reynolds, vice president of information security at Diversified Agency Services. A formal policy should come first. Reynolds explains that security essentials can be done with existing systems.
Keywords: mobile device protection, Security Wire Weekly, mobile device security, mobile security

Expert advocates for more effective penetration tests
http://itknowledgeexchange.techtarget.com/security-wire-weekly/expert-advocates-for-more-effective-penetration-tests/
Tue, 03 Apr 2012 12:47:43 +0000, Robert Westervelt
Duration: 18:09
Dave Kennedy, CSO of Diebold Inc. and a noted penetration tester, talks about the need for enterprises to have more effective penetration tests and to stop buying the latest security technology. It doesn’t work, he told attendees at the 2012 InfoSec World Conference and Expo. Kennedy said businesses should base their pen testing requirements on the Penetration Testing Execution Standard (PTES) and hold pen testers responsible for meeting the standard.
Keywords: security spending, Security Wire Weekly, pen testing

Is your firm reviewing your logs? SIEM’s second life
http://itknowledgeexchange.techtarget.com/security-wire-weekly/is-your-firm-reviewing-your-logs-siems-second-life/
Thu, 29 Mar 2012 14:46:17 +0000, Robert Westervelt
Duration: 15:56
Chris Petersen, founder and CTO of LogRhythm, talks about the SIEM market and the challenges for enterprises to get beyond compliance, and shares his thoughts on the future of SIEM with deeper analytics. The interview was conducted last month at RSA Conference 2012.
Keywords: SIEM, Security Wire Weekly, Log management

Verizon DBIR 2012 overview, attack mitigation strategies
http://itknowledgeexchange.techtarget.com/security-wire-weekly/verizon-dbir-2012-overview-attack-mitigation-strategies/
Thu, 22 Mar 2012 19:35:53 +0000, Robert Westervelt
Duration: 17:37
Christopher Porter of Verizon explains some of the findings from the Verizon 2012 Data Breach Investigations Report. This year, hacktivists had a big impact on the numbers. Attacks are mainly less sophisticated and more automated in nature, Porter said.
Keywords: Verizon DBIR 2012, Verizon DBIR, data breach, data breach management

Big data or big security buzz word?
http://itknowledgeexchange.techtarget.com/security-wire-weekly/big-data-or-big-security-buzz-word/
Thu, 08 Mar 2012 13:10:50 +0000, Robert Westervelt
Duration: 35:06
Pete Lindstrom of Spire Security joins the editorial team in a discussion about the themes that emerged at RSA Conference 2012. Big data resonated at this year’s conference, but what does it mean? Also, the team talks about the specter of mobile security and whether application security gets overshadowed at the annual event.
Keywords: RSA Conference 2012, RSA 2012, Security Squad

RSA 2012 Andy Purdy on critical need to address SCADA woes
http://itknowledgeexchange.techtarget.com/security-wire-weekly/rsa-2012-andy-purdy-on-critical-need-to-address-scada-woes/
Fri, 02 Mar 2012 08:39:08 +0000, Robert Westervelt
Duration: 00:01:01
Andy Purdy, chief cybersecurity strategist at CSC, shares his views on SCADA vulnerabilities and sharing threat intelligence data at RSA Conference 2012. A member of the team that developed the U.S. National Strategy to Secure Cyberspace in 2003, Purdy later served as cybersecurity czar overseeing the NCSD in the Department of Homeland Security and the US-CERT.
Keywords: SCADA, Security Wire Weekly

RSA Preview - The Erosion of Digital Trust
http://itknowledgeexchange.techtarget.com/security-wire-weekly/rsa-preview-the-erosion-of-digital-trust/
Wed, 15 Feb 2012 23:02:58 +0000, Robert Westervelt
Duration: 23:54
The SearchSecurity team previews the 2012 RSA Conference. Hacktivism and numerous high-profile attacks, including the RSA SecurID breach, could take center stage at this year’s conference. Targeted attacks, SCADA system weaknesses and mobile security challenges are likely to be the emerging topics in San Francisco.
Keywords: RSA Conference 2012, Security Squad