
Info Risk Today Podcast
3,490 episodes — Page 55 of 70
Will New Hires Impede Future Security?
The rush to find qualified IT security professionals to meet current cyberthreats could jeopardize IT systems' security in the not-too-distant future, say two leading IT security experts, Eugene Spafford and Ron Ross.
Medical Device Security: A New Focus
As part of their mobile security strategies, healthcare organizations must remember not to neglect issues involved with medical devices used for patient care, says privacy expert Peter Swire, a former presidential adviser.
Security Careers: Breaking Barriers
Lisa Xu, CEO of NopSec, says pursuing leadership roles in information security - a male-dominated field - can be challenging for women. What advice does she offer for women to grow in their careers?
Can Moving Data to Cloud Reduce Risk?
NIST's Ron Ross sees complexity as the biggest risk enterprises face. To ease risk, Ross favors moving data to the cloud. Purdue's Eugene Spafford doesn't fully subscribe to Ross' plan. The two square off in this interview.
Spear Phishing Goes Mobile
Kaspersky Lab has identified a new spear-phishing attack involving a Trojan designed to target Android devices. Researcher Kurt Baumgartner says organizations need to be prepared for more mobile malware attacks.
BITS: Improving E-mail Authentication
E-mail authentication foils phishing, but authentication is only effective if every partner in the chain adopts it. John Carlson and Andrew Kennedy of BITS explain how institutions can improve e-mail practices.
CISO as Chief Privacy Officer
Intel has added privacy to the portfolio of its top information security executive, Malcolm Harkins, who says too many information security professionals are "color blind or tone deaf" to privacy, wrongly thinking strong data protection provides privacy safeguards.
6 Ways to Reform FISMA Without New Law
Getting inspectors general and agencies' IT security heads to agree on how best to evaluate information security should strengthen U.S. federal government agencies' risk management frameworks, say former OMB leaders Karen Evans and Franklin Reeder.
Diplomacy Pays Off with Safer IT Networks
Computer networks in nations where the government has ratified international cyber-agreements have lower incidents of malware infection, says Paul Nicholas, Microsoft senior director of global security strategy and diplomacy.
Old Cyberthreats Pose Greater Dangers
The bad guys who attack information systems are getting better at what they do, making old threats even more dangerous, says Steve Durbin of the Information Security Forum.
Big Data: How to Use it
Understanding big data is not the problem, say Michael Fowkes and Aaron Caldiero of Zions Bank. Figuring out how to use the information contained within big data in a meaningful way - that's the trick.
Predictive Analysis in Cyberdefense
Want to know how predictive analysis could work to defend your IT systems? Take a look at how American Navy SEALs found Osama bin Laden, says Booz Allen Hamilton's Christopher Ling.
What Breaches Can Teach Us
What can organizations do to improve security after a network attack? Post-breach investigations help security leaders trace steps and strengthen weak points, says investigator Erin Nealy Cox.
What's the Cost of Failed Trust?
What's the cost to an organization when it suffers a security breach and breaks trust with its own customers? Jeff Hudson, CEO of Venafi, presents results of a new survey on the cost of failed trust. Venafi has just partnered with Ponemon Group to release a new survey, "The Cost of Failed Trust" (https://www.bankinfosecurity.com/whitepapers/2013-annual-cost-failed-trust-report-threat-attacks-w-699). Among the key findings: $398M is the average loss facing every Global 2000 organization from attacks on trust assets. And so many of these incidents result from serious exploits of what could be described as common, easy-to-fix vulnerabilities.
Analyzing Motive Behind South Korean Attack
The motive behind the cyber-attack on South Korean banks and broadcasters was atypical, as compared to most digital assaults that involve implanting malware on IT systems, says McAfee's Vincent Weafer.
Venture Capital's Role in Security
It's a boom time for information security start-ups. But what unique qualities separate winners from losers? Alberto Yépez of Trident Capital describes the role of venture capital in today's market.
DDoS: 'The New Normal'
Prolexic's CEO Scott Hammack says battling distributed-denial-of-service attacks has become part of everyday business. And during this in-depth interview, he explains why.
DDoS: Evolving Threats, Solutions
DDoS attacks on banks have returned, and the attackers are changing their tactics and expanding their attack toolsets. How must organizations change the way they defend against DDoS? Carlos Morales of Arbor Networks shares strategies.
Developing Information Superiority
Companies wanting to share cyber-threat information with the government and other businesses should adopt the U.S. Defense Department's doctrine of information superiority, says Lares Institute Chief Executive Andrew Serwin.
How Phishing Attacks Are Evolving
Phishing attacks are up, and the methods are changing. Paul Ferguson of the Anti-Phishing Working Group explains how phishers are fine-tuning their schemes and exploiting cross-platform technologies.
Evolution of DDoS Attacks
We now have seen three waves of DDoS attacks on U.S. banks, and Dan Holden of Arbor Networks says we have seen three distinct shifts in these incidents. What can we expect going forward?
Giving Access Control to Managers
Business line managers are in better positions to control and monitor network and system access privileges than IT departments, since they know their employees and the privileges they should be provided, says Bill Evans of Dell Software.
Improving Internal Authentication
Authenticating appropriate network administrators and employees has become increasingly challenging, especially for healthcare organizations and regional banking institutions, says Tim Ager of Celestix.
Report: 28% of Breaches Lead to Fraud
New research says more than 25 percent of consumers hit by a data breach later become victims of identity fraud - especially when payment card information is exposed. Javelin's Al Pascual shares analysis.
Formalizing Cyber-Physical Security
Will Pelgrin and Rich Licht of the Center for Internet Security see a strong link between cyber and physical security, and that has led to the creation of a new unit at the center to help local and state governments to secure both.
Using Intelligence to Fight APTs
Intelligence is helping organizations not only detect and prevent intrusions, says Mark Wood of Dell SecureWorks. It's also helping them identify that they've been targeted for an attack in the first place.
Masking Test Data in the Cloud
Because data stored in a cloud-based "sandbox" environment for testing purposes is vulnerable, it should be masked to protect sensitive information, says Karen Hsu of Informatica.
Data: The New Perimeter
Data security used to be about building firewalls and protections around the data. Now it's about securing the data itself. That's why data is the new perimeter, says Charlie Pulfer of Titus.
Phishing Attacks Remain No. 1 Risk
Despite ever-evolving cybersecurity threats, David Knight of Proofpoint says spear phishing attacks are really the greatest worries for most security and risk officers.
How the Cloud Affects Authentication
The growth in cloud computing and mobility is creating a need for a streamlined, centralized process for managing user authentication, says Sarah Fender of PhoneFactor.
Using Analytics to Fight Fraud
Financial institutions can use real-time security analytics to detect early indicators of fraud, such as cash-out schemes, says David Pack of LogRhythm.
Beyond Mobile Device Management
To improve security and increase workforce productivity across an enterprise, a set of integrated capabilities is needed, says Corey Williams, senior director of product management at Centrify.
Executive Order: Private Sector's Role
The private sector has a unique opportunity to respond to President Obama's cybersecurity executive order and help shape information sharing and critical infrastructure protection. David Burg of PwC tells how.
Fighting Fraud
One of the biggest challenges facing organizations is that fraudsters constantly change the way they try to cheat banks and other organizations, says Rajib Roy, president of Equifax Identity and Fraud Solutions, which provides advanced analytics and proprietary technology to deliver customized insights for identity intelligence, fraud prevention, privacy and data security.
Layered Security for Mobile Apps
The new generation of mobile applications requires layers of security to protect integrity, says Vince Arneja of Arxan Technologies.
Banking Mobile App Security: Key Issues
Banking institutions need to ramp up their ability to deal with security issues as they roll out more mobile banking applications, says Andrew McLennan of Metaforic.
Public Cloud Services: Security Issues
Public cloud services can reduce costs for large enterprises, but they pose security risks that must be addressed, says Tsahy Shapsa of CloudLock.
Automating Risk Profiling
Balancing the customer experience with risk mitigation is tricky, says Jon Karl of Iovation. But automating customer reputation profiles can help organizations take the guesswork out of fraud prevention, and improve the experience on both sides of the transaction.
APT: Protecting Against Fraud
Advanced persistent threats are evolving, and banks can help thwart them by using continuous monitoring for real-time detection, says J. Paul Haynes of eSentire.
Automating Governance
Automating governance, risk and compliance reduces vulnerabilities that can have an adverse impact on the bottom line, says Sergio Thompson-Flores, chief executive of Modulo, a provider of GRC offerings.
Security Beyond the Perimeter
Security leaders know their old perimeter-based security models are insufficient. But what new model is best? And how can it reduce reliance on passwords for authentication? Julian Lovelock of HID Global offers insight.
More Investment Needed for App Security
Hewlett-Packard's John Diamant points out most enterprises invest little in the area with the greatest vulnerabilities: application security.
Disrupting DDoS
Distributed-denial-of-service attacks are not new, but they are being taken more seriously as a threat to network security and data protection, especially in financial services, says Ashley Stephenson of Corero Network Security.
Overcoming Too Much Data
Most organizations have more data than they know what to do with, much less understand how they can use that data in a meaningful way, say NopSec's Lisa Xu and Steven Leonard. Having the ability to aggregate that data is key.
Network Access Control and BYOD
Combining a network access control system with a mobile device management system is a good way to address security for BYOD, says Scott Gordon of ForeScout.
Tips for Securing Mobile Apps
Companies developing their own mobile applications must take steps to ensure their security policies are followed no matter where or how the apps are used, says Kurt Stammberger of Mocana Corp.
Simulating Cyberattacks
Cyberattacks used as modes of distraction for fraud are organizations' biggest concern, say Pam O'Neal and Scott Register of IXIA.
Daniel Sees Path to New Infosec Law
Debate over cybersecurity bills last year, coupled with recent, highly publicized attacks, has raised the visibility of the threat, and that could push Congress to enact IT security legislation in 2013, White House Cybersecurity Coordinator Michael Daniel says.
Using Data for ID Management
Most organizations are challenged by having too much information in too many places. But Dieter Schuller of Radiant Logic says centralizing data can improve identity management.
CipherCloud Unveils New Offering
Paige Leidig, chief marketing officer of CipherCloud, says information protection requirements continue to be the primary hurdle for enterprise adoption, despite explosive growth in the cloud content and collaboration market and its evident advantages to productivity and cost efficiencies.