Information risk management, and lessons-learned in the financial industry Last week's Economist had a good article entitled "Confessions of a Risk Manager", in which a risk manager from a global bank uses 20-20 hindsight to look at "what went wrong" in the lead-up to the credit crunch and the ensuing fallout. I won't pretend to understand all the ins and outs of financial derivatives, but there were some points raised that anyone in the IT security space can identify with...

On August 18 the PCI Security Standards Council formally announced (http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf) forthcoming changes to the Payment Card Industry's Data Security Standard (PCI DSS) as it moves from version 1.1 to version 1.2 in October 2008. The release represents the first major update since September 2006.

What's my take on the summary of changes? Most merchants will be pleased to see that these are relatively minor changes...

Although the NERC Cyber-Security Standards (http://www.nerc.com/files/CIP-002-1.pdf) are applicable only in the US, I think there's no doubt that cyber security is fast becoming a major concern of electric utility companies worldwide. In addition, other US critical infrastructure industry segments, such as water and chemical companies are also coming under increasing federal pressure to improve their own cyber-security efforts. Still, the NERC Cyber-Security standards have been criticized for being too ambiguous, providing little in the way of guidance, as well as for leaving loopholes for utility companies to beat the rules...

Click to Download/Listen (07:47)

In a recent RSA Web Seminar focused on the new FACTA Identify Red Flags provisions, industry analyst, Ken Herbert, with Frost & Sullivan, explained what financial institutions or creditors need to know about the upcoming November 1 FACTA deadline and provided some key recommendations for complying with the regulation. In this week's podcast, we'll share some of the questions and answers from this online event. To learn more, watch the entire webcast replay.

A recent survey confirmed that internal threats continue to grow and to represent a challenge to organizations' security postures. It revealed that, in scans of 100,000 PCs and servers in many industries: 12% of infected computers had a missing or disabled anti-virus program, 10.7% had unauthorized personal storage such as USB sticks or external hard drives, 9.1% had unauthorized peer-to-peer (P2P) applications installed, 8.5% had a missing 3rd party desktop agent, 2.6% had unprotected shared folders, 2.2% had unauthorized remote control software, and 2% had missing Microsoft service packs. These results continue to resonate with the conclusions of the CSI FBI survey that reported in 2007 that internal threats have now outpaced viruses in terms of risk to organizations...

In previous lives, both as a talking head and implementation guy, I'd get some pretty in-depth questions about subtle security issues -- usually as a result of something someone had read was a "best practice". Sometimes questions were about specific configuration settings for an OS or obscure firewall ports, other times it was a question about some arcane encryption algorithm or key length. Usually, I'd respond by asking, "Is this the biggest issue you have?" Common examples include...

Europe is a hotbed of cutting-edge fashion. But why am I telling you guys this? You work in the Information Security business -- the kind of business that draws out the fashionista in all of us... And I guess that's one of the issues with what, in relative terms, is still a pretty young industry: every "season" we eagerly anticipate the new "line" from the next greatest new discovery.

That said, I do think that we're definitely starting to see signs of maturity in the market -- of the emergence of "design classics"...

On August 5, 2008, federal law enforcement officials announced the indictment of 11 people charged with stealing and selling more than 41 million credit and debit card numbers from nine major US companies.

"This is the single largest and most complex identity theft case ever charged in this country," said US Attorney General Michael Mukasey.

According to officials, the defendants -- three from the United States, one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin -- tapped into wireless networks and installed programs that captured card numbers, passwords and account information. The stolen data was then hidden around the globe and sold for profit.

This event reflects a growing trend in cyber crime...