
Info Risk Today Podcast
3,490 episodes
Enterprise Risk: Internet of Things
The Internet of Things is posing an increased risk to all organizations. One global data center provider, for example, recently discovered that its malware-infected power supplies were part of a botnet, says Chris Richter of Level 3 Communications.
MasterCard on the EMV Migration
MasterCard's Oliver Manahan says merchants and issuers must embrace stronger cardholder authentication and security methods, such as biometrics and tokenization, to ensure payment card data is secure.
How CIOs Must Prioritize Defenses
The list of information security threats facing organizations continues to grow longer. But it's up to CIOs to put the right defenses - and priorities - in place, says David White at BAE Systems Applied Intelligence.
Path to Privileged Access Management
Wary of intrusions, data compromise and theft, organizations increasingly are deploying privileged access management solutions. Idan Shoham of Hitachi ID Systems offers the essential do's and don'ts.
Tracking Missing Devices
Keeping track of missing devices is a critical aspect of information security. Ali Solehdin, senior product manager at Absolute Software, discusses Computrace, which helps organizations secure endpoints and the sensitive data those devices contain.
Navy Red-Team Testing Moves to Business
EdgeWave's Mike Walls, a former bomber pilot who led Navy red teams, says penetration testing is useful in analyzing bits and bytes but not the readiness of operations under attack from cyberspace. Red teams, he says, can analyze the impact on operations.
Inside the Inception APT Campaign
Christophe Birkeland, CTO of malware analysis for Blue Coat Systems, was part of the team that discovered the Russia-targeting Inception campaign, and says the hunt for new APT attacks remains ongoing.
Cisco to Launch New Security Platform
Too few security systems interoperate, which makes it difficult for organizations to block or detect data breaches. But Cisco has an interoperability plan to improve the state of cybersecurity defenses, Chief Security Architect Martin Roesch says.
Phishing Campaigns Harder to Mitigate
Phishing campaigns are becoming harder to mitigate because of an uptick in spoofed websites tied to top-level domains, such as .bank, says Dave Jevans of the Anti-Phishing Working Group.
Duqu Teardown: Espionage Malware
For Symantec, the investigation into Duqu 2 began May 29, when Kaspersky Lab shared samples of the espionage malware - which is based on Flame and Stuxnet - and asked the security researchers to help verify its findings.
Breach Responders Get Proactive
Organizations are increasingly prioritizing incident response capabilities by putting investigation firms on retainer, or creating their own internal teams, says Patrick Morley, president and CEO of Bit9 + Carbon Black.
Why Detection Systems Don't Always Work
Gartner's Claudio Neiva says there is only so much an intrusion detection and prevention system can do, so organizations need to take additional steps to safeguard critical data and systems.
The Risks of Medical Device 'Hijacking'
Hackers are using medical devices as gateways to launch targeted attacks at hospitals, but there are steps organizations can take to better protect their environments, says Greg Enriquez, CEO of TrapX.
DDoS Attacks Continue to Evolve
Attackers today continue to refine their distributed denial-of-service attack capabilities, delivering downtime on demand. The increase in attack effectiveness and volume demands new types of defenses, says Akamai's Richard Meeus.
Cybersecurity: Rebuilding U.S.-EU Trust
Two years after the leaks that showed the U.S. National Security Agency spied on America's European allies, the U.S. and Europe still need to rebuild trust so they can collaborate on defending against cyber-attacks, says Carsten Casper of Gartner.
Seeking Faster Data Breach Response
Last year, organizations took an average of 205 days to detect a breach. To better combat such attacks and lock down breaches, FireEye's Jason Steer says organizations must lower that to hours or even minutes.
Analysis: Ponemon Breach Cost Study
Larry Ponemon, founder of the Ponemon Institute, offers an in-depth analysis of the results of the organization's 10th study of the costs of data breaches, which found, for example, that rapid growth in hacker attacks is leading to escalating costs.
Visualizing Security Metrics
"Show me your dashboard." That's a request security expert Gavin Millard regularly makes to CISOs to demonstrate how today's too-complex dashboards highlight the challenge of gathering and distilling essential security metrics.
Dissecting the OPM Breach
Mark Weatherford, a former DHS cybersecurity leader, says the Office of Personnel Management neglected to take basic steps that could have helped prevent a breach that may have exposed the PII of 4 million current and former government workers.
ISACA: How Law Could Spur Info Sharing
While cyberthreat information sharing within the banking sector has improved, the retail sector has failed to keep up. But ISACA's Robert Stroud said pending federal legislation could help change that.
Machine Learning & Threat Protection
When it comes to advanced threat protection, security leaders increasingly turn to new machine learning solutions. Stephen Newman of Damballa discusses key skills and strategies necessary for success.
How Banking Security Will Evolve
Financial services firms are increasingly applying contextual security tools to help identify fraud more quickly. But a shift to continuous authentication will provide even better security, says Vasco's Jan Valcke.
Securing a Borderless Workplace
At CA Technologies, mobile security is not just a solution for customers; it's a practice that IT security leaders have embraced internally. CA's Robert Primm discusses how to secure a borderless workplace.
Busting the Beebone Botnet
Intel Security cybercrime expert Raj Samani says that after the April disruption of the Beebone botnet by law enforcement agencies, researchers have found more infected nodes than normal, largely in Iran.
Inside An Elite APT Attack Group
How does an advanced threat adversary operate for 10 years, undetected? FireEye APAC CTO Bryce Boland shares details of the decade-long APT30 campaign that targeted organizations in India and Southeast Asia.
The Rise of 'Cyber' Security
Many security pros look askance at "cybersecurity." But Symantec's Sian John says the embrace of that term shows just how much senior executives are beginning to understand the risks their organizations face.
Evaluating the Risk of 'Digital Business'
Assessing the risks presented by "digital business" - the new business designs that blur the digital and physical worlds - will be a theme at the 2015 Gartner Security and Risk Management Summit, says Andrew Walls, event chairman.
Behavioral Learning Secures Networks
To help organizations discover what they don't know is happening on their networks, Darktrace uses machine learning to create advanced baselines of normal behavior, then sounds alarms when it sees deviations.
Cybercrime: Niche Services Evolve
Cybercrime continues to evolve, offering an ever-increasing array of niche capabilities, ranging from attack techniques and infrastructure to related research and sales services, warns Trend Micro's Bharat Mistry.
'Roadmap' Clarifies Fraud Liability Shift
The EMV Migration Forum has published a new "roadmap" to help card issuers, acquirers and merchants prepare for the October card-present fraud liability shift date. Director Randy Vanderhoof explains why the clarification is needed.
HIPAA Audits: Getting Ready
With federal regulators moving closer to restarting the delayed HIPAA compliance audit program, now is the time for covered entities and business associates to prepare for potential scrutiny, says healthcare attorney Brad Rostolsky.
IRS Authentication Method Criticized
The method the Internal Revenue Service used to authenticate users, which failed to keep sophisticated hackers from breaching a taxpayer-facing system, has been widely criticized by cybersecurity experts.
Selling InfoSec Careers to Women
To entice more women, as well as men, to enter information security professions, researcher Lysa Myers says the industry needs to kill its boring image and better communicate the full array of opportunities available and the skills that are in demand.
A New, Post-Snowden InfoSec Model
A game-changing impact of the Edward Snowden leaks about previously secret National Security Agency surveillance activities is the increased use of encryption, such as to protect email, says Peter Swire, a former White House chief privacy counsel.
Warning: Security Alert Overload
Vendors' and software makers' over-reliance on security messages and warnings has left users habituated to them, thus rendering such alerts less effective or even worthless, warns cybersecurity expert Alan Woodward.
Researcher on Medical Device Flaws
In an exclusive interview, independent security researcher Billy Rios describes security vulnerabilities that he discovered last year in medical infusion pumps, which led two federal agencies to issue recent warnings.
Manhattan Project for Cybersecurity R&D
Citing as inspiration the Manhattan Project, in which the United States developed the atomic bomb during World War II, Sam Visner is leading an effort to get cybersecurity researchers to collaborate in developing new ways to defend cyberspace.
Driving Secure National Health Data Exchange
Achieving secure nationwide data exchange will gain momentum thanks to healthcare payment reform that rewards collaborative efforts, says David Whitlinger, leader of New York's HIE initiative.
Why Professional Certifications Matter
Because healthcare organizations are juggling so many information security, privacy and regulatory demands, hiring individuals with key professional certifications who can help optimize limited resources is critical, says security expert Steven Penn.
Immediate Security Steps for Preventing Email Breaches
In addition to providing training, healthcare organizations should consider implementing technology to help prevent user mistakes that can lead to breaches of protected health information, says Geoffrey Bibby of ZixCorp.
Webroot CEO on Hiring CyberSec Pros
Dick Williams, CEO of digital security firm Webroot, says the cybersecurity profession needs more than just technical experts. Learn why he says firms will seek out those who can understand the behaviors of cyber-attackers.
CISO: Compliance Is Wrong InfoSec Focus
Although the 2015 Healthcare Information Security Today survey shows improving regulatory compliance is priority No. 1, CISO Cris Ewell of Seattle Children's Hospital suggests building a strong information security program should be a higher priority.
India Needs New Laws to Fight Fraud
The use of century-old laws and the lack of a data protection regime are hurting India's ability to combat cyberfraud, says independent adviser Nandkumar Saravade. What immediate steps must be taken?
Art Coviello: Venture Capitalist
Former RSA Chairman Art Coviello has re-emerged as a partner with venture capital firm Rally Ventures. What's it like to transition from creating new security solutions to discovering and nurturing them?
IoT Security: The Patching Challenge
Patching is among the primary challenges facing enterprises in their adoption of IoT devices. Fortinet's Darren Turnbull shares insight on how to anticipate and respond to the top security obstacles.
Crime: Why So Much Is Cyber-Enabled
Much of today's crime is "cyber-enabled," warns cybercrime expert Raj Samani, and successfully blocking such attacks increasingly demands not just better technology and public-private collaboration, but also an understanding of psychology.
Marketing the InfoSec Profession
The IT security industry must do a much better job of persuading young people with the requisite math and science skills to join the cybersecurity workforce rather than choose another profession, says David Shearer of (ISC)².
Fighting Card Fraud: Going Beyond EMV
The U.S.'s move to EMV alone will not eliminate fraud because certain data elements could still be exposed in the breach of EMV card transactions, says Jeremy King of the PCI Security Standards Council, who highlights other essential security steps.
The Rapid Evolution of Cyber Diplomacy
Christopher Painter, the United States' top cyber diplomat, says the nation's No. 1 cybersecurity priority is getting nations to agree not to attack their respective critical infrastructures.
BB&T CEO on Making Security a Priority
In this exclusive interview, Kelly King, CEO of BB&T, one of the nation's largest banks, urges other CEOs to ensure that their executive teams and boards are well-informed about cyber-risks.