Ben Rothke spent a lot of time behind the camera at this year’s RSA documenting the perspectives of the security industry’s tastemakers, but we rather hoped that he’d get in front of the camera at some point and share his thoughts. 

Happily for us, the good folks over at InfosecIsland.com managed to catch Ben after his presentation on data destruction and asked him to sum up his thoughts on the topic.

As far as Ben’s concerned, data destruction really isn’t rocket science.  With a few simple tools, a willingness to implement best practices, and a healthy relationship with both the vendor and the National Association of Information Destruction, there’s no need to fear the data destruction process and inadvertently leave your company’s data behind for all the world to see.

To see Ben’s interview in full, click here.

Application security has been a hot topic of discussion on the SecureThinking blog lately, and it seems to be weighing heavily on the minds of other industry experts, as well. 

At the recent RSA 2011 conference, George Hulme reported on the growing consensus that “good enough” might not actually be good enough when it comes to application security, especially when acquisitions are involved.

The main problem, as Dan Holden, director of DVLabs at TippingPoint pointed out, is that there’s a lack of pressure on software developers and coders to protect their customers.  He points to the many recent security incidents involving legitimate web browsers visiting legitimate e-commerce sites, “only to be redirected someplace else and infected with malware.”   From his perspective, the connection between customer satisfaction and good development practices needs to be made explicit if this problem is to be fixed.

But it’s not only the development process where issues of application security are relevant.  Josh Corman, research director of enterprise level security at the 451 Group, made an excellent point.  “When it comes to our IT systems, the notion of having a defensible infrastructure almost never comes up in our acquisition negotiations,” Corman said to the audience during a panel on application security at the RSA Conference.  “And those expecting new technologies, such as cloud computing, to auto-magically solve the problem are going to be disappointed.”

To read George Hulme’s article in full, click here.

RSA was a great opportunity to meet and talk with some of the best minds in security today.  I had conversations with some experts about expectations for RSA and asked others about trends they’re seeing in security (“RSA 2011: Fraud, Cryptography and Cloud”).

On my last day at the conference, I thought I’d see what big security threats were still keeping folks up at night.

Ed Skoudis, InGuardians founder and fellow of the SANS Institute, said that the trends he’s seeing in threats today include social networking attack vectors, memory scraping and hardware hacking:

Bill Cheswick, often known as one of the fathers of the firewall, now technical staff lead member for Shannon Lab, shared his overview of what he’s been reading in papers about the possibility of exploiting patches, the ability to hide malware and other threats:

If you weren’t staying up late worrying before, you just might now.  Security threats continue to grow and evolve.

If you are interested in seeing all of the interviews I took recorded RSA 2011, visit our YouTube channel here.

The RSA 2011 conference is this week, and the conference is celebrating its 20^th anniversary with the theme of The Adventures of Alice & Bob.

For those not cryptographically attuned, Ron Rivest (the R in RSA) is using fictitious placeholder names to explain the RSA encryption method and the many steps involved in the complex system.  He created Alice & Bob to make the subject matter easier to grasp – replacing Person A and Person B.  For more on this, check out “Who are Alice and Bob?”

Here’s what you can expect if you’re attending RSA 2011: some of the hot topics at this year’s conference will be cloud computing, social networking, cybercrime, smart grid, and virtualization.

The main conference kicks off on Tuesday, February 15.  On the day before, Monday, there are a number of half-day and full-day “pre-conference” sessions.  Some interesting ones include the 2011 eFraud Network Forum, Innovation Sandbox and Cloud Security Alliance Summit.

If you’ve never been to RSA, check out the First-Time Delegate Orientation on Tuesday.  This will help you get your bearings on this huge show and offer the inside scoop from the RSA Conference team and hot tips from long-time delegates.  And of course, for those who want to meet the hardware and software vendors, their will be more than 350 information security companies at the conference expo.   To maximize your time, I suggest you take a quick walk through all of the aisles to see which vendors you want to spend time with.  Better yet, check out the entire vendor list here, and you can then hit the ground running.  And when you stop at a booth, go straight to the technical engineers and product managers.  The show floor will include some of the brightest minds in the business. 

The best part of RSA are the educational sessions, and there are hundreds of great sessions on a wide range of topics.

As for me, I will be at RSA and will be tweeting about the happenings there.  You can follow me on Twitter and attend my sessions, which include:

• Thursday, February 17 – 11:10 am – “Old Media Where Art Thou? Handling Media Destruction”
• Thursday, February 17 - 5:15 pm – “Tales of plagiarism, copyists and some really good books from the Security Reading Room”
• Friday, February 18  - 10:10 am – “What Happens in Vegas Goes on YouTube: Security and Corporate Social Networks”

 And BT Chief Security Technology Officer Bruce Schneier will be presenting:

• Wednesday, February 16 — 10:00 am – “The Dishonest Minority: Security as Society’s Enabler”
• Wednesday, February 16 — 2:20 pm – Panel – “Cyberwar, Cybersecurity, and the Challenges Ahead”

Well, it’s that time of year again with just a few days left until RSA 2011 voting for the annual SC Magazine awards closes down.  While many of the categories are decided behind closed doors, the winners of the Social Media Awards are decided by popular vote.

While all the bloggers and Tweeters who have made it through the nomination process are valuable contributors to the network security dialogue, we’re particularly proud to see that BT’s Chief Security Technology Officer Bruce Schneier is among the finalists for his blog, Schneier on Security.  Whether you’re looking for a perspective on the latest hacks or need some light relief on Friday with Bruce’s latest squid blog, Schneier on Security is a must-read for security folks.

If you think so too, why not take a couple of minutes to vote for Bruce as the best security blogger over at SC Magazine.  It’s an easy process – just follow this link to the SC Magazine home page and cast your vote in the categories on the right hand side.  Voting is open now and wraps up on Friday, February 11^th at 8 pm ET.

.

How could this happen?  VeriSign used to have more brand equity in Internet infrastructure security than anybody.  They built public certificate authorities and secured widespread adoption of their root certificates starting in 1995 – and along with Thawte, they were the first root CA to have certificates installed in Netscape Navigator.  They became inextricably linked with the Padlock Icon revolution of browsers.  VeriSign purchased Thawte Technologies from Mark Shuttleworth for $575 Million in stock in 1999 – more than $850 million in today’s money – and owned the two largest Certificate Authorities online.  They took a commanding role in the Managed Security Services space, buying Guardent in 2003.  Along the way, they built significant businesses in secure mail, payment processing and professional services.

VeriSign also acquired Network Solutions in 2000 and started building out an enhanced Naming & Directory Services group, which controls .com, .net, .cc, and .tv.  They used to operate .org as well but had to give it up in 2003.  VeriSign claims it operated comfortably in excess of 30 billion DNS inquiries every day, and the company operates the internet’s two root name servers. 

Yet in the past several months – culminating in the most recent announcement of Symantec’s acquisition of the “authentication services” business for $1.28B – VeriSign has pared itself down to have little to do with enabling security at all.  The company sold its MSS business in mid-2009, and messaging, reselling, and various other units have all moved on or disappeared.  VeriSign’s press release of May 19 even says, “Following the close of this transaction, VeriSign’s remaining business will consist of its Naming Services business, which contributed approximately $162 million or 61 percent of the company’s revenues in the quarter ended March 31, 2010.”

VeriSign was originally a spinoff from RSA, intended to commercialize the cryptography technologies required to create X.509 certificates and build a services business around them.  They did so, very successfully, and as a result invited a lot of competition.  Ultimately, many of these businesses saw tremendous increases in price pressure, and a tendency towards commoditization, and its profitability waned.  You can make up some of the difference if you can increase sales volume, but only to a point; eventually, your overhead and organization becomes the limiting factor, and you can’t afford to support the business any further. 

Yet security has only increased in prominence in the past 10 years.  Why does VeriSign believe they should no longer make a business of it?  It’s hard to say.  Despite VeriSign being a public company, mandatory financial reporting didn’t include a detailed breakdown of P&L by business unit, and historically those numbers have been deliberately opaque.  A simple example:  when SecureWorks acquired the VeriSign MSS business, the press release claimed that the combined revenues were “greater than $100M,” yet the industry scuttlebutt on each company’s individual run rates would have led us to expect a figure closer to $200 million at the time. 

The market has changed.  At its peak, VeriSign’s stock traded at more than $258 (in February 2000) and now hovers around $27.  Its market cap today is $5 billion, compared to an on-paper peak of almost $50 billion at the height of the dot-com boom. 

Profits don’t come easily, and opportunities to innovate require a lot more insight and discipline than they used to.  That’s the same trend any market will experience – it’s standard business school 101 stuff.  Yet rather than stay and fight, VeriSign has decided to abandon its roots and focus purely on a market in which it holds something close to a monopoly interest. 

There is no doubt that internet directory and naming services will continue to grow and be essential, but what happens when the other TLD registrars prepare for their next phase of growth?  VeriSign needs to bring its significant intellectual capital and resources to bear on increasing its scope of services and opportunity for its customers, rather than entrenching itself around the chosen core.

               BT MSSG      & 

          Sanjay Mehta, Senior Vice President, Breach Security

The nirvana of that moment in time when you are completely secure without a single vulnerability in sight is unfeasible and, even if it were possible, it would be fleeting.  Despite our fondest wishes for this moment, we accept the fact that our networks are vulnerable and are in a constant state of flux, causing the vulnerabilities to alter and the risks to change.  Organizations struggle with how to continue to develop their core business while managing their risk and doing it all with fewer people and resources than they had last year.  The only way this is possible is to work smarter – but how does that translate into practice?

We accept that our security is flawed, so it becomes critical that we place security devices wherever we have high or unacceptable risk.  It is essential that the security alerts from security products like WAFS, firewalls, IDS/IPS as well as host information and application logs are centralized.  The devices we select are critical and should be chosen in line with risk.  It is worth bearing in mind that web applications are one of our largest areas of risk and were one of the key areas of focus in PCI DSS 1.2 which was based on the forensics of card breaches.

Once the devices are selected, then the complexity of managing this new technology comes into place and again, outsourcing is a serious option for companies that are constrained by head count.  The footprints of what has happened on our network is in our log files, and it’s impossible to check the multitude of consoles for the vast array of product that we have, so it is critical we centralize our log files and have the capability to correlate and look for patterns of attacks.  Unfortunately, security breaches are not limited to 9 to 5 or business hours, so our security monitoring framework must be built to take this intelligence, look for patterns of attacks and be manned 24×7.

This week’s RSA Conference pinpointed the problem of treating compliance as a single point in time. 

Most companies breathe a sigh of relief once PCI compliance is “achieved” via an audit or code review.  IT professionals move on to the next priority, and often, compliance “maintenance” is forgotten.  In doing so, they fail to understand that audits and code reviews are outdated the moment they are completed.  Web applications continue to be developed and altered, and as a result, continued compliance can’t be ensured with the “one-time look” that occurs with audits and code reviews.  And it would certainly be cost-prohibitive to conduct an audit or review with each application change.

Fortunately, continuous PCI compliance can be achieved using a web application security solution that provides real-time, continuous security for all protected web applications. 

In today’s compliance landscape, it’s simply not enough to know that a problem exists.  Sophisticated web application security solutions help companies mitigate problems.  Organizations need to have a real-time solution – not just a single look in time – to be truly secure and PCI compliant.

Here is more information on how vulnerability scans and code reviews compare to web application firewalls:

Internet memes are harmless, right?  Fun little things that make you giggle, right?  According to Toby Weir-Jones these innocent memes have a much darker side.  Today, as part of Jennifer Leggio’s RSA week guest blogger series, Toby explores the security implications of a business’s decision to enter the social media space as well as suggesting some social media-security best practices for those who have taken the plunge.

To read Toby’s post click below:

A few years ago, in 2006 – ancient history in social media – various researchers proposed methodologies to study how quickly a meme can spread.  Some tried to characterize based on qualitative attributes of the meme itself, such as how funny it was, or how socially relevant, while others avoided those grey areas and focused instead on the quantitative attributes of network owners who posted links or tracked referral URLs.  In both cases, the general conclusions were fairly predictable:  given a good story, it can go viral and appear everywhere within hours . . .