Info Risk Today Podcast

2014 may well be the "Year of Security," and IT security pros must prepare now for new job demands. ISACA's Robert Stroud offers five New Year's resolutions to help prepare for 2014's security trends.

A preliminary version of the cybersecurity framework takes a too-broad approach to privacy, says security and privacy attorney Harriet Pearson. And that could result in fewer organizations adopting the voluntary security guidelines.

While preparing a speech to be delivered in Korea, NIST's Ron Ross wanted to convey the message of the importance of computer security. He hit on five themes - threat, assets, complexity, integration and trustworthiness - which form the acronym TACIT.

The breach at Target stores that may have affected as many as 40 million credit and debit card account holders is a watershed moment that could greatly raise awareness of cybersecurity risks, says privacy attorney David Navetta.

Cyberthreats increasingly target mobile devices, and simple security measures could help end-users slash these incidents by 50 percent. This is the key finding of ENISA's new Threat Landscape Report, says Louis Marinos, the prime author.

Most fraud on the Internet is linked to unsecured identities, which is why a new global identification framework is needed, says Paul Simmonds, who heads a coalition working on a framework model.

Cybersecurity risks posed by inadequate IAM and IT asset management are mounting. Now the National Cybersecurity Center of Excellence has drafted guidance to address banking institutions' unique risks, says Nate Lesser, the center's deputy director.

Managers at all levels must understand their responsibilities in providing role-based cybersecurity training, says Patricia Toth, a computer scientist at the National Institute of Standards and Technology.

The NIST cybersecurity framework will help U.S. banking institutions assess their security strategies, but some institutions fear the framework could trigger unnecessary regulations, says Bill Stewart of Booz Allen Hamilton.

The theft of 2 million credentials reminds security professionals that their organizations are at risk because many employees use the same passwords and devices for personal and business purposes, data security lawyer Ronald Raether says.

You can be outraged that the NSA collects Internet communications records of U.S. citizens. But don't be surprised, says sociologist William Staples. This is just one example of our "culture of surveillance."

Governments and others using cloud-based services should keep 10 security tips in mind, including making sure they can maintain control of their data if a service provider goes bankrupt, says Dimitra Liveri, co-author of a new report.

Ensuring strong authentication of users while maintaining ease of use is a difficult challenge for health information exchanges nationwide, says David Whitlinger of New York's statewide HIE.

ATM cash-outs and card-skimming schemes are getting more difficult to detect because today's attacks are global, coordinated and sophisticated, says ATM security expert Chuck Somers.

Wayne Dunn, CTO of HarborOne Bank in New England, says improving vendor management is a top security priority for institutions in 2014. As more core banking functions are outsourced, due diligence becomes increasingly critical.

For risk managers, an often overlooked step for minimizing supply chain risks is to continually monitor outsourcers and other third parties to address critical security issues, says the Information Security Forum's Steve Durbin.

Computer scientists at the Georgia Institute of Technology are developing new ways to apply encryption when storing or searching data in the cloud, says Paul Royal, associate director of the university's information security center.

U.S. Attorney Steve Wiggington says identity theft, especially linked to card skimming, is still the No. 1 fraud threat facing financial services institutions as well as consumers. He stresses information sharing is critical for fighting fraud.

When it comes to safeguarding the privacy and security of healthcare information, smaller clinics, as well as patients who use telehealth technologies, face considerable challenges because of a lack of expertise, says researcher David Kotz.

Organizations need to know how other enterprises handle cyber-attacks to truly understand whether their IT security investments will pay off, the EastWest Institute's Karl Rauscher says.

Every second, 80 "things" are being connected to the Internet, and ISACA's Rob Stroud says that requires information security professionals to identify and mitigate threats, protect individuals' privacy and manage access.

New requirements to mitigate payment card risks posed by third parties, such as cloud providers and payment processors, are a focal point of the PCI Security Standards Council's updated data security standard.

As Michigan deploys its Cyber Civilian Corps, the state will need to address some of the same challenges the federal government faces in sharing cyberthreat information between the government and the private sector, state CIO David Behen says.

The number of reported breaches is up considerably this year, but so is the overall quality of organizations' breach preparedness, says Michael Bruemmer of Experian Data Breach Resolution.

Inadequate authentication is among the greatest security challenges for online payments, says Scott Dueweke of Booz Allen Hamilton, who suggests biometrics needs to play a bigger role.

Mobile security is no longer about managing devices, says Ian McWilton of Moka5. The real trick is to secure corporate assets through containerization solutions that reduce costs and improve user experience.

Banking executives were among the CEOs who met with President Obama at the White House to discuss cybersecurity strategies. Paul Smocer of BITS explains how this discussion may pay off for financial institutions.

Pennsylvania Chief Information Security Officer Erik Avakian explains how the commonwealth is using a $1.1 million federal grant to pilot a program to furnish single identities to residents who transact state business over the Internet.

For years, researchers have studied malicious insider threats. But how can organizations protect themselves from insiders who make a mistake or are taken advantage of in a way that puts the organization at risk?

The good news is: U.S. banks have learned valuable security lessons from defending against recent distributed-denial-of-service attacks. The bad news? DDoS has evolved into new and improved assaults.

Using "synthetic identities" to commit fraud is becoming easier, but it's increasingly difficult for organizations to detect this type of deception, says Claudel Chery of the U.S. Postal Inspection Service.

Rather than waiting until they're a breach victim, organizations should reach out to law enforcement officials to develop a good working relationship in battling cybercrimes, federal prosecutor Erez Liebermann says.

Organizations must develop a "defensible response" to data breaches and fraud incidents because of the likelihood of a regulatory investigation or legal action, says attorney Kim Peretti, a former Department of Justice cybercrime prosecutor.

What are some of the unique challenges organizations face when they move into continuous monitoring and risk mitigation? Scott Gordon of ForeScout and Ken Pfeil of Pioneer Investments offer insight.

IT security leaders need to develop a strong, holistic security and risk management strategy as they implement advanced, strategic technical capabilities, IBM's David Jarvis says in analyzing new survey results.

What is hostile profile takeover, and why does this emerging threat pose such a risk to smart phone users? Dave Jevans, CTO of Marble Security, describes this and other new mobile threats.

The average insider scheme lasts 32 months before it's detected, says threat researcher Jason Clark, who suggests using a combination of the right technologies and the right processes is the key to improving detection.

Mary Galligan, the just-retired head of the FBI's New York cyber unit, says the federal government can do more to help businesses take all the right steps to protect sensitive information and prevent breaches.

Banking institutions and merchants are fighting back against cyber-attacks by sharing information and assisting law enforcement investigations, says Julie Conroy of Aite, which has issued a report about account takeover and cyberfraud trends.

Nations' policies for mitigating cyberthreats can conflict with efforts to promote cyber-enabled global trade, cautions Allan Friedman, research director of the Brookings Institution's Center for Technology Innovation.

To mark his induction into the National Cyber Security Hall of Fame, Purdue University Computer Science Professor Eugene Spafford offers insights on key challenges, including overcoming senior executives' misperceptions about key issues.

Face-to-face and over-the-phone social-engineering schemes are increasingly used to perpetrate fraud, highlighting the need for more education and real-time transaction monitoring, says Gartner's Avivah Litan.

Knowledge-based authentication is no longer reliable, says fraud expert Avivah Litan, an analyst at Gartner. She explains why so-called behavioral authentication is the only reliable way to verify users.

Attacks waged for cyber-espionage, fraud, DDoS and other nefarious deeds are increasingly being hired out to sophisticated hackers for specific purposes, says Symantec researcher Kevin Haley.

What are the distinct phases of the fraud lifecycle, and how can banking institutions intervene at each stage to prevent losses? Daniel Ingevaldson of Easy Solutions offers fraud-fighting tips.

Mitigating card risks associated with retail malware attacks and POS vulnerabilities is a focus of updates to the PCI Data Security Standard, say Bob Russo and Troy Leach of the PCI Security Standards Council.

Top executives at healthcare organizations must take the lead in overcoming a culture that portrays privacy and security as barriers, says Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT.

Professionalizing occupations within the cybersecurity field won't necessarily help fill vacant IT security jobs in government and industry, says Diana Burley, an IT security workforce expert.

More than 1,000 banks will test their incident response strategies by participating in a simulated cyber-attack exercise. SWACHA's Dennis Simmons says the drill, which is open to more participants, will help bolster defenses.

Phishing attempts against bank employees are on the rise. How can institutions improve their defenses? Daniel Ingevaldson of Easy Solutions offers insights on how to combat advanced phishing techniques.