Info Risk Today Podcast

State-sponsored attacks are up significantly, so organizations need to rely on new, stronger controls to ward off advanced threats. John Gordineer of Dell SonicWALL discusses the role of next-generation firewalls.

Misconfigured firewalls aren't necessarily a result of technical issues. Often, there are business or staff issues that can be easily addressed to improve security. Jerry Skurla of FireMon explains how.

Data breach notification legislation before Australia's parliament, if enacted, would add new dimensions to its privacy laws, perhaps influencing lawmakers elsewhere, privacy lawyer Françoise Gilbert says.

Globally, across industries, DDoS attacks are getting larger, says Susan Warner of Neustar. But are the attacks aimed more at disrupting organizations, or distracting them, so <a href='https://www.inforisktoday.com/fraud-c-148'><b>fraud</b></a> can be committed?

Mobile device management and <a href='https://www.inforisktoday.com/application-security-c-205'><b>application security</b></a> are just two aspects to consider. What about <a href='https://www.inforisktoday.com/network-perimeter-c-213'><b>network security</b></a>? Dave Jevans of Marble Security discusses a three-tiered approach to <a href='https://www.inforisktoday.com/mobility-c-212'><b>mobile security</b></a>.

In the face of advanced threats, organizations need to shift their security posture from <a href='https://www.databreachtoday.com/preparedness-c-323'><b>breach prevention</b></a> to <a href='https://www.inforisktoday.com/response-c-40'><b>incident response</b></a>, says Tom Cross of Lancope, who discusses new strategies.

The information security industry needs to hit rock bottom, says Akamai's Joshua Corman. And then - to truly improve <a href='https://www.inforisktoday.com/'><b>information risk management</b></a> - it needs to develop a new, adversarial view of the world.

Conventional DDoS attacks are a nuisance, but the rise of application-layer attacks is a real concern, says Vann Abernethy of NSFOCUS. What are the risks, and how can organizations mitigate them?

What is one of the most common mistakes organizations make when they uncover a data breach? Brian Laing of AhnLab tells how a seemingly innocent response often leads to costly consequences.

The techniques employed by advanced threats aren't particularly sophisticated. It's the intellect and infrastructure behind them that create greater risks, says David Scholtz, CEO of Damballa.

Regulations initially cause organizations to spend more funds on data breaches, but eventually those rules could save enterprises money, the Ponemon Institute's Larry Ponemon says in analyzing his latest study on breach costs.

On average, 86 percent of web applications have at least one serious vulnerability, and each app is attacked about 4,000 times per year, says Imperva's Terry Ray. So, how must security be improved?

<p> When it comes to <a href='https://www.databreachtoday.com/breaches-c-318'><b>breach</b></a> prevention, many organizations are improving their own security posture, but neglecting that of their strategic partners. Trend Micro's Tom Kellermann outlines third-party risks.</p> In an interview about virtual supply chain threats, Kellermann discusses:</p> <ul> <li>Supply chain gaps organizations frequently overlook;</li> <li>Top threats exploiting those gaps;</li> <li>Proactive security measures that should be employed.</li> </ul>

Defacement and downtime are two consequences for organizations struck by distributed-denial-of-service attacks. But what's the brand impact? Akamai's Fran Trentley discusses risks and mitigation.

How organizations view security is about to change, says Hugh Thompson of the security firm RSA. He explains why analytics will turn everything we thought we knew about security on its head.

<p>The latest phishing trend: the privatization of banking Trojans. Why should financial institutions be concerned? Daniel Cohen of RSA tells what to look for in the newest cross-channel schemes.</p>

</br><p>RSA's Art Coviello finds today's cybersecurity strategies to be lacking. Global organizations must rely more on big data and public-private partnerships to defend themselves from advanced threats.</p>

</br> When it comes to <a href='https://www.bankinfosecurity.com/mobile-banking-c-106'><b>mobile banking</b></a> and <a href='https://www.bankinfosecurity.com/payments-c-328'><b>payments</b></a>, security risks are similar globally. But Western institutions can learn from innovative solutions now offered in the East, says fraud expert Tom Wills.

Despite growing awareness of cyberthreats, Americans are not overly concerned about their own cybersecurity, Unisys' Steve Vinsik says in his analysis of his company's latest security index.

It isn't just a financial services issue. Organizations of all types are victimized by data security breaches and <a href='https://www.bankinfosecurity.com/payments-c-328'><b>fraud schemes</b></a> that compromise payment card data. What can be done to help ensure better security and <a href='https://www.bankinfosecurity.com/pci-dss-c-295'><b>PCI compliance</b></a>?

Privacy attorney Ron Raether challenges a commission's recent recommendation that the government should support companies that use the hack-back approach to mitigating the theft of intellectual property.

Attacks aimed at mobile devices are progressing much more rapidly than any attacks ever waged against PCs. Organizations are in danger if they don't pay attention, says anti-phishing expert Dave Jevans.

Facing advanced cyber-attacks, organizations must shift their focus to detection and mitigation, says ISACA's Jeff Spivey, who outlines four capabilities necessary for effective response.

Maintaining accurate logs of systems' activities is crucial in helping catch insiders who threaten an organization's digital assets, says George Silowash, co-author of the <b><a href='http://www.sei.cmu.edu/reports/12tr012.pdf' target='_blank'>Common Sense Guide to Mitigating Insider Threats</a></b>.

In this exclusive interview, Tim Horton of First Data explains how the nation's largest credit card processor is helping financial institutions and merchants mitigate risks posed by malware and DDoS attacks.

Why are ATM cash-out schemes expected to increase - especially in the U.S.? John Buzzard of FICO's Card Alert Service offers insights, based on federal investigators' most recent global fraud bust.

CERT Technical Manager Dawn Cappelli tells a tale of how three individuals, who unexpectedly quit their jobs at a law firm, used a free cloud service to sabotage files containing proprietary client information from their former employer.

Cash-out scams are old news. But the size and sophistication of the latest $45 million global fraud scheme that struck banks add up to a troubling trend, says former federal prosecutor Kim Peretti.

How could global fraudsters steal $45 million from banking institutions without being detected or stopped? It's a process breakdown, not a technology failure, says fraud expert Avivah Litan of Gartner.

<b><a href='/cloud-c-232'>Cloud computing</a></b> providers must step up and develop approaches to prevent their employees from stealing or harming customer data they host, say two experts from Carnegie Mellon University's CERT Insider Threat Center.

Mark Weatherford, who recently stepped down as DHS deputy undersecretary for cybersecurity, says that although planned OpUSA DDoS attacks may initially be a nuisance, they represent a genuine long-term threat to the government.

In assessing the risk of a distributed-denial-of service attack, organizations must think beyond shoring up systems' perimeters and concentrate on analyzing cyberthreat intelligence, Booz Allen Hamilton's Sedar Labarre says.

Today's spear-phishing campaigns are localized, small and can slip through typical spam filters. As a result, detection practices have to evolve, says researcher Gary Warner of the University of Alabama at Birmingham.

NIST's Ron Ross, a big NASCAR fan, likens new security controls guidance to the tools race-car builders use to prevent drivers from breaking their necks when crashing into a brick wall at 200 miles an hour.

Security firm Mandiant recently released a widely publicized report detailing cyber-espionage activity originating in China. Mandiant Director Charles Carmakal discusses the latest nation-state threats.

The massive distributed-denial-of-service attack in Europe that targeted Spamhaus could easily have been prevented if information service providers followed a 13-year-old industry best practice, ENISA's Thomas Haeberlen says.

When Richard Nealon first sat for his CISSP exam, he was struck by how U.S.-centric the questions were. Since then, he has strived to promote greater awareness of global information security concerns.

NIST's Donna Dodson is leading a federal government effort to take hundreds of suggestions from the private sector to create an IT security best practices framework that critical infrastructure operators could voluntarily adopt.

Although there have not yet been any confirmed reports of financial fraud associated with a major data breach at the Utah Department of Health last year, the potential for costly fraud is huge, contends Al Pascual of Javelin Strategy and Research.

<p>In light of evolving fraud threats, financial institutions increasingly are turning to two-factor authentication solutions. Alex Doll, CEO of OneID, offers advice to help institutions make the right choices.</p> <p>In an interview about the myths and realities of two-factor authentication, Doll discusses:</p> <ul> <li>The current threat landscape;</li> <li>How organizations are successfully deploying two-factor solutions;</li> <li>How to keep customer experience top-of-mind in a two-factor rollout.</li> </ul>

It isn't just the quantity of cyber-attacks that's staggering; it's the quality. The average hacker now has access to nation-state-level attack capabilities, says James Lyne of Sophos. How can organizations defend?

It isn't a staffing shortage that we face, but rather a skills crisis, says Allan Boardman, international vice president of ISACA. How can organizations build the security skills they need to mitigate evolving risks?

Organizations face new cyber-risks from their third-party service providers. But standard contracts fail to cover these risks. Trend Micro's Tom Kellermann discusses the risk management essentials.

As data protection regulations continue to be refined, organizations throughout Europe are more sensitive to privacy restrictions in individual countries, says Dwayne Melancon, CTO of Tripwire.

Distributed-denial-of-service attacks are increasing against European banking institutions. But UK consultant Mark Child says if banks are worried about DDoS, then they have bigger security problems.

<p>Should IT security practitioners be deemed professionals like those in medicine and law? That's not an easy question to answer, says Ronald Sanders, former human capital officer at the U.S. Office of the Director of National Intelligence.</p>

Distributed-denial-of-service attacks jumped significantly in 2012. And it's not just banking institutions that are victims, Verizon finds in its just-released Data Breach Investigations Report.

The European parliament recently voted to extend and strengthen the European Network and Information Security Agency. What does this news mean for Europe's top cybersecurity agency and for the state of emerging threats across Europe?

The hunt for a Boston Marathon bombing suspect that locked down the city caused massive disruption to business operations, but enterprises that had business continuity plans in place hardly missed a beat.

To retain their customers after a breach of sensitive information, organizations should take the extra step of calling those affected to offer free credit protection services, says security expert Brian Dean.