
Posts tagged - RSA Conference

Tuesday, March 1, 2011

RSA 2011: Fraud, Cryptography and Cloud

By Ben Rothke, Senior Security Consultant, BT Global Services

You can’t really expect to go to the RSA Conference and not hear about the latest in fraud and cryptography.  Each year, these areas become more sophisticated and frankly, they continue to fascinate us security professionals.  This year, a new element was presented in the mix – the cloud. 

I ran into Whit Diffie — appropriately at the Cryptography Research booth on the exhibit floor — and it was a fitting way to end Day 2 at the conference.  Diffie, one of the greatest cryptographers in history, has been at the RSA Conference since the first year.  Here we are, 20 years later, and we wanted to know his thoughts on the conference and cryptography and how the event has changed over the years.  Here is what he had to say:

But issues related to fraud, cloud security and cryptography really captured the attention of most everyone at the conference.

During the Security Bloggers Meet-Up, I ran into Idan Aharoni who is the head of fraud intelligence at RSA.  Idan talked about how even unsophisticated fraudsters are now able to get involved in very sophisticated schemes by utilizing an underground.  Here is what he said:

Ralph Poore, chief cryptologist for Cryptographic Assurance Services, talked about some of the research presented at the conference so far on encryption and cryptography.  He shares his thoughts on where he’d like to see more focus:

I also stopped Ron Woerner, a professor at Bellevue University, to ask about his thoughts on the conference thus far.  He agreed that everyone seems to have their head in the clouds, and he compared cloud security to the topic of PKI 10 years ago, when the conference floor was buzzing with the need for PKI (see Ron Woerner’s video interview included here).

All in all, the RSA Conference, now in its 20th year, has continued to be successful in addressing the issues that are most pressing with the community.  I am looking forward to seeing how this conference adapts and changes during the next 20 years!

Monday, March 29, 2010

Missing elements in PCI DSS

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

It is interesting to note that chip and PIN was missing from the study initially done by the PCI Council in 2009 on emerging technologies, and yet it was mentioned specifically by Bob Russo during a panel discussion at RSA.  Key Management Insights recently posted this to their blog:

Bob Russo, General Manager of PCI Security Standard Council, boiled it down to: “There needs to be a mind shift from just compliance to security [since] compliance is a byproduct of good security.”  And when it comes to PCI DSS, Russo added, “PCI DSS is the baseline.”  Russo hinted at some of the clarifications coming in the PCI DSS update in October 2010.  He identified three of the technologies which are likely to receive clarification as:

  • Chip & PIN technology
  • End-to-end encryption
  • Tokenization

The focus on new technology, though not a panacea, is an acknowledgement that payment data, as it is currently handled, is difficult to secure.  Retail sectors, which operate on tight margins, struggle to find the in-house expertise to put the right controls in place to protect the data they house.

Given that payment card data was stolen in 84 percent of the 285 million security breaches recorded in 2008, according to the most recent Verizon Business Data Breach Report, the payment card industry realizes that something needs to be done.  Security breaches are ever increasing, and if the industry does not take action, then it is likely that the federal government will impose additional regulations.

The focus on continuous control monitoring is key to understanding what your security posture is. While it is impossible to have impenetrable security, it is critical to be monitoring your network so when a breach does occur, the correct action can be taken.

Undoubtedly, the stakes of not complying with PCI DSS are rising.  Companies that don’t take PCI DSS seriously are exposing their customers and themselves to an unacceptable business risk, and their cost of doing business will surely rise to cover the net impact of breaches.  The real question is whether the costs will rise in a controlled fashion as companies put in place best practices, such as outsourcing, to enable their security to be in the hands of seasoned experts — or if businesses will allow costs to spiral as they pay for fines, compensation, and remedial activities in response to data breaches.