Forrester Research analyzes the past, present and future of security information vendors and products.

Security information management (SIM) technologies have experienced a pretty rocky ride since emerging earlier this decade, industry watchers say, and the ride isn’t over yet for those ready to adapt to customers’ changing needs.

According to Forrester Research, SIM technology drew in enterprise security managers looking to reduce the noise among multiple security devices distributed in large environments, but lost some ground when IDS and IPS technology gained intelligence. SIM products initially used data aggregation and event correlation features similar to those of network management software and applied them to event logs generated from security devices such as firewalls, proxy servers, IDS and IPS devices, and antivirus software. SIM products also normalized data — that is, they translated Cisco and Check Point Software alerts, for example, into a common format so the data could be correlated with one system. Like network management software, SIM tools generally consist of server software, agents installed either on servers or security devices, and a central management console.

Regulatory changes are coming for the payment-card industry, say leaders of the PCI Security Standards Council, which is responsible for developing and implementing security standards for cardholder data protection.

The council, which has about 500 participants, just completed the annual process of electing its board of advisors. Cisco and Citrix Systems were among the victorious candidates this week, winning a combined 14 elected positions on the 21-member advisory board, which will be providing feedback on upcoming initiatives.

Among these initiatives are possible new requirements around the use of virtualization and wireless technologies, as well as more definitive answers on how to “scope,” or set the limits of, a PCI assessment.

Still unclear is whether the council will back the concept of end-to-end encryption as a way for the industry to help fight payment-card fraud, such as the breach that struck Heartland Payment Systems earlier this year.

Penetration testing is not always well understood by those purchasing such services. It is my belief that organisations could often obtain better value for money by considering other security assessment techniques, writes Lee Newcombe, principal consultant at Capgemini.

I describe the whole spectrum of penetration testing, vulnerability assessment, configuration and process reviews as security assessment. I use the term penetration testing in a purist manner; a penetration test will attempt to circumvent the security features of the system under test and then examine how far the tester can extend their access into the target organisation. A penetration test is not necessarily a comprehensive assessment of the security of an organisation; one weakness is all the tester needs.

The results of Actimize’s Card Fraud and Mass Compromise peer-review survey validate a number of widely held assumptions about recent developments in card fraud, and also point to a number of less obvious trends in card fraud risk management. Download this report to learn more about:

  • Impact of mass compromise events on consumer confidence
  • Effect of the current economic situation on consumer card usage
  • Anticipated growth rate of ATM/debit fraud in 2009
  • Methods and technology banks are using to prevent ATM/debit fraud

Every CIO needs to know whether an enterprise can enter the cloud and remain both secure and compliant within regulatory restrictions. A panel of cloud computing providers at RSA Conference 2009 in San Francisco debated concerns about compliance, security and interoperability in the cloud, answering some of the following questions:

How secure is cloud computing?

“It’s key to consider your cloud provider’s security. Is it PII? Is it HIPAA? Is it regulatory data? Do these controls meet my regulatory policies?” said Eran Feigenbaum, director of enterprise application security at Google Inc. and former chief information security officer (CISO) at PricewaterhouseCoopers.

As retailers shut down and liquidate their point of sale systems, guess what else they’re selling?

Without question, 2008 was an eventful year for major financial institutions, with massive losses, questions of solvency and, ultimately, government bailouts now totaling over a trillion dollars. The corporate fire sales, downsizing and mergers now commonplace in the financial industry are a cause for not only serious concern about the health of our economy, but also concerns relating to the security of personal and financial data. With companies being sold and mergers taking place, and on such tight deadlines, mistakes regarding the confidentiality and privacy of the data are likely being made every day. Significant risk is increasing for personally identifiable information entrusted to these firms.

PCI DSS is imperfect, but Ben Rothke and Anton Chuvakin say the standard is in security’s best interest. Here they refute common complaints and criticisms of PCI DSS.

Ayn Rand’s 1,100-page treatise Atlas Shrugged deals with the concept of morality of rational self-interest. When dealing with information security professionals, there is likely no greater example of self-interest than the promotion of the PCI Data Security Standard (DSS).

PCI is a pragmatic standard which requires security-comatose organizations to wake up to their responsibilities. And while PCI is only required for companies dealing with credit and debit card holder data, its relevance is germane for any organization.
