Get With the Program

Around the end of the year I typically like to take a look back at the various blog entries on Speaking of Security to review what was discussed and how it applies to what I’m hearing from customers. The wide range of interesting topics reminds me of something I frequently encountered back when I was…

Information Security and Enterprise Risk: How Do They Relate?

As of 2014, information security has become a board-level concern. Senior business executives—including the president, chairman, and board of directors—are paying attention to enterprise risk and information security in a way they never have before. The reason is obvious: the drumbeat of illustrious companies who’ve been successfully attacked, and the associated business costs of those…

Identity Governance at CSA Congress EMEA

I gave one of the keynotes at the recent Cloud Security Alliance (CSA) EMEA Congress in Rome, speaking about the “Grand Challenges of Hybrid Cloud”. In discussing the challenge of effective identity governance for the hybrid cloud, I drew on the experience of Deutsche Bank, who received the 2013 Identity Management award from Kuppinger-Cole for…

What’s an Asset?

Ask a security professional for his or her job description, and you’re likely to get an answer along the lines of, “Protecting the company’s assets from being stolen or compromised.” Then try asking what they mean by “assets.” You’ll almost certainly get either a blank stare or an irritated scowl. Everyone knows what an asset…

The Twelve Days of GRC

Greetings and Happy Holidays. As this year draws to a close, we can all take a deep breath as this has been a big year in the world of GRC. Collectively as an industry, we have seen the advent of new laws and industry regulations; we have embraced new technologies; we have weathered financial storms…

Understanding & Detecting Backoff POS Malware

Point of Sale (POS) malware has had its share of headlines this year. Now, with the holiday shopping season underway, POS systems will certainly be an enticing target for hackers to explore due to the payoff of thousands of fresh credit card numbers that will be run through these devices. “Backoff” is part of a…

Fighting Fraud: Detect and Stop the Bad, Detect and Fast-Track the Good

“You will know them by their fruits.” This wisdom is thousands of years old, and it reminds us that what people do is what really matters. In the context of fighting fraud, we’re referring to the deliberate misuse or misapplication of an organization’s resources for personal gain, or the theft of information that leads to…

New Onyx Variant of Boleto Malware Emerges

Revisiting a threat that we discussed a few months ago in the blog entry entitled RSA Uncovers Boleto Fraud Ring in Brazil, there continue to be attacks against the Brazilian payment processing method known as the Boleto. RSA Research provided a detailed report in July covering the payment system and the vulnerabilities exploited by a specific fraud…

Are You Struggling with Account and Entitlement Reviews?

Account and entitlement reviews can be time-consuming and prone to errors if carried out manually. The process is further complicated if your Identity and Access Management (IAM) solution is heavily dependent on unstructured data and your IAM tools are poor at identifying who owns the data. These reviews are not traditionally part of an organization’s…

Are you available (securely)?

A bunch of years ago, prior to all of these new-fangled high-availability capabilities, I was working with customers of one of EMC’s storage groups, helping them design and implement disaster recovery solutions. We would meet with a customer and the first question we’d ask was ‘What are your availability requirements?’; their initial response was inevitably…