Info Risk Today Podcast

In response to today's cybersecurity challenges, Southern Methodist University has selected Frederick Chang to head a new program that will address top issues - including how to fill the skills gap.

In the wake of a year of attacks waged against banking institutions by Izz ad-Din al-Qassam Cyber Fighters, the FS-ISAC's Bill Nelson and the ABA's Doug Johnson say the need to regularly update DDoS preparedness is a critical lesson learned.

John Streufert, the DHS director overseeing the rollout of a federal continuous diagnostic initiative to mitigate IT systems vulnerabilities, expects that many state and local governments will participate in the program.

The massive initiative to deploy continuous monitoring at U.S. federal government agencies will be done in phases, with the initial rollout occurring over three years, the Department of Homeland Security's John Streufert says.

As the federal government ramps up deployment of continuous monitoring, agencies should significantly reduce the time to certify and accredit IT systems and detect vulnerabilities, says the Defense Department's Robert Carey.

Many banking institutions have done a poor job of addressing call-center fraud, says IDC analyst Jerry Silva, who offers tips on addressing the challenge of balancing customer service with security.

Gartner analyst Avivah Litan says fraudsters are using DDoS attacks as a distraction for a new, extremely effective account takeover scheme. How should institutions respond to this emerging threat?

Because big data brings significant benefits - and risks - CEOs and boards of directors must take charge of developing privacy protection policies, ISACA International Vice President Jeff Spivey says.

Today's advanced threats are no secret. Focusing the correct resources on them is the true challenge, says Will Irace of General Dynamics Fidelis Cybersecurity Solutions. He offers tips for harnessing the right skills and technology.

Version 3.0 of the PCI Data Security Standard is coming, and draft guidelines reflect the impact of recent retail breaches. PCI GM Bob Russo explains big changes to ensuring payment card security.

As new state health insurance exchanges gear up for open enrollment Oct. 1, privacy expert Chris Rasmussen asks whether regulators will miss the deadline for a risk analysis of a key data services hub.

Bruce McConnell, who just stepped down as one of the federal government's top cybersecurity policymakers, says he understands why some lawmakers don't trust DHS with significant authority to safeguard government IT.

The old saw of a blind squirrel fortuitously finding an acorn reminds the Atlantic Council's Jason Healey of cyber-assailants from third-rate cyber-power Iran, believed to be behind DDoS attacks on U.S. banks.

It's time to start thinking about the next wave of DDoS attacks, says Neustar's Rodney Joffe. And it's time for other critical infrastructure industries - not just banks - to assess their risks.

Organizations won't effectively share cyberthreat intelligence until they have more efficient ways of gathering and prioritizing data, says EMC's Kathleen Moriarty, author of a new <a href="http://www.emc.com/collateral/emc-perspective/h12175-transf-expect-for-threat-intell-sharing.pdf" target="_blank"><b>report</b></a> about information sharing weaknesses.

Though others deemed Bruce McConnell as one of the government's most innovative security thought-leaders, he says his vision of how best to secure IT evolved during his just-ended 4-year tenure at DHS as a senior cybersecurity policymaker.

Because mobile payments are so new, banking institutions worldwide are still trying to understand which threats to address first, says payments fraud expert Neira Jones.

<p>It's an increasingly common question from CEOs. "How is our security program protecting the business?" Pamela Gupta of OutSecure shares insight on what CISOs should demonstrate when they answer that question.</p>

The best ideas to secure the Internet do not come from the top-down government approach imposed by some foreign governments, but from the openness derived by a multi-stakeholder process, says Christopher Painter, America's top cyber diplomat.

The hotline, the communications link established between Washington and Moscow during the Cold War to avert a nuclear war, is being used to warn of potential cyber and environmental crises, the State Department's Christopher Painter says.

Kim Peretti, the ex-prosecutor who helped nab Heartland hacker Albert Gonzalez, says recent indictments offer insights into the actors behind global fraud schemes that affected 160 million cardholders.

Organizations increasingly engage with customers via social media, but managers often fail to incorporate or enforce key policies. Attorney David Adler offers tips to improve social media management.

Because state HIEs vary in connectivity and interoperability levels, secure e-mail based on the Direct Project offers a dependable way of sharing patient data during a disaster, says Tia Tinney of the Southeast Region Collaborative for HIT.

As social media use grows, so do the risks of organizations getting caught up in costly legal disputes over ownership and assets. Alan Brill of Kroll advises on how to mitigate such risks.

At a time of heightened cybersecurity threats, few organizations have processes for employees at all levels to report breaches. It's time for accelerated breach response, says attorney Ellen Giblin.

A new incident response publication coming from the National Institute of Standards and Technology will include guidance on how to form circles of trust - networks of IT security experts spanning multiple organizations, says NIST's Lee Badger.

Securing mobile devices in the enterprise is just half the challenge. The other is ensuring that employees are able to work productively. A panel of experts from Attachmate offers new strategies.

Losses linked to retail breaches have fueled class action lawsuits on behalf of consumers. But Javelin's Al Pascual says banks are soon likely to take legal action, too, in breach cases that expose cards and lead to fraud.

One of the biggest security challenges the Washington state health insurance exchange faces as it prepares for its Oct. 1 launch is building interfaces with its partners, says CIO Curt Kwak.

<p>Recent DDoS attacks on banks are prime examples of the new age of ideological threats to organizations across all industries. Who are the threat actors, and how can organizations best manage risks?</p>

Getting critical infrastructure operators involved is the biggest challenge the federal government faces in creating a cybersecurity framework, says NIST's Adam Sedgewick, who leads efforts to create the framework ordered by President Obama.

What are the top three cybersecurity game changers, and what negative impact can they have on organizations if security leaders do not manage them properly? Rolf von Roessing of ISACA shares insight.

Patent infringement lawsuits that involve security practices are becoming more common in heavily-regulated industries. Organizations need to take several steps to be well-prepared, advises patent attorney James Denaro.

Whether or not Congress enacts cyberthreat intelligence sharing <b><a href='https://www.govinfosecurity.com/legislation-c-191'>legislation</a></b>, the IT security community is moving forward with its own information sharing initiatives, MS-ISAC Chairman William Pelgrin says.

Most organizations rate their mobile device security efforts as poor, in need of improvement or just adequate, according to the latest ISMG survey. So where are the security gaps? Malcolm Harkins of Intel offers insights.

RSA Chief Information Security Officer Eddie Schwartz is heading a new task force that he hopes will help develop the next generation's well-trained, rightly skilled cybersecurity workforce.

Cyberthreats, including distributed-denial-of-service attacks, are growing worldwide. So FS-ISAC is expanding its information sharing efforts internationally to help financial institutions counter the threats, says Bill Nelson, the organization's president.

The mobile security focus has shifted from basic block-and-tackling to ensuring better productivity and corporate data protection, says Jonathan Dale of Fiberlink. What new challenges are posed?

<p> DDoS attacks on U.S. banks will continue, and community institutions may well be the next major targets. Rodney Joffe of Neustar offer tips for how smaller institutions can assess DDoS risks and improve DDoS mitigation.</p> <p> In an interview about DDoS threats and defenses, Joffe discusses:</p> <ul> <li>Why community banks must consider themselves the next targets;</li> <li>How organizations can make themselves less attractive to attackers;</li> <li>How to minimize the impact of a DDoS attack.</li> </ul>

Robert Bigman, former CISO at the CIA, says many government agencies and other organizations have yet to take adequate steps to prevent rogue systems administrators from accessing sensitive information on systems they manage.

Security and privacy professionals should be cautious about the type of information they share with the federal government's intelligence community, says Peter Swire, a former White House privacy counselor.

The implementation of IPv6, the new Internet communications protocol, will have a major impact on identity and access management. EMC researcher Davi Ottenheimer explains how organizations should prepare.

Data loss prevention strategies are shifting. Organizations are now turning to end-users to help protect critical data. Stephane Charbonneau of Titus discusses how to engage users to improve security.

We're already seeing the next generation of advanced security threats, so now is the time for organizations to adopt next-gen security defenses. Brian Hazzard of Bit9 explains how.

The advanced persistent threat is top of mind for all organizations. Either they are dealing with it now, or preparing their defenses just in case. Robert Berlin of Fortinet offers security insight.

Access is a two-edged sword. Organizations need to open systems to employees, partners and customers. But they also must keep out threat actors. Douglas Mow of Courion talks about finding a balance.

Organizations generally do a good job focusing on governance, risk and compliance. But breaches add up, and LockPath CEO Chris Caldwell wonders "Where is the 'S' in GRC?" - where is the security?

A continuing initiative at the Department of Defense, which has enormous purchasing power, could influence the security features of commercial mobile devices around the world, says Terry Sherald, who heads the effort.

Over the past decade, many organizations shifted their security focus from regulatory compliance to metrics business intelligence. What's the latest shift? Vivek Shivananda of Rsam explains.

Who are the threat actors, what are their techniques and when are they apt to attack? This is the type of threat intelligence all organizations need, says Scott Kaine of Cyveillance.