The Week’s Links: November 24 - 28, 2008

Friday, November 28th, 2008

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories including SecureWorks news, press releases, and research.

Gartner: Insert Tab A into Slot B Security?

Digital Bond: Revised NERC CIP Standards out for 45 day comment period

Wired.com: Proof: Porn Pop-Up Teacher is Innocent, Despite Misdemeanor Plea

Washington Post: Pharmacy Extortionists Take on CIA, DoD, FBI, NSA

CSO Online: AUDIO: Despite Recession, Online Shoppers Threaten IT Security

The Week’s Links: November 17 - 21, 2008

Friday, November 21st, 2008

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories including SecureWorks news, press releases, and research.

Securosis.com: Building a Web Application Security Program: Part 1, Introduction

Tao Security: Intellectual Property: Develop or Steal

SANS: SANS Reading Room: EVTX and Windows Event Logging

Wired.com: Kidnapped Hacker Found in Turkey, Arrested

PCI Security Standards: PCI Security Standards Council Introduces Quality Assurance Program for Assessment Community (PDF)

The Week’s Links: November 10 - 14, 2008

Friday, November 14th, 2008

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories including SecureWorks news, press releases, and research.

The Washington Post: A Closer Look at McColo

Computer World: Laid-off sysadmin arrested for threatening company’s servers

SecurityFocus: Firm offers $1 million bounty for blackmailers

Dark Reading: Schools Suffer One-Third of Total U.S. Data Breaches

SC Magazine: Visa sets PCI compliance deadlines for rest of world

The Week’s Links: November 3 - 7, 2008

Friday, November 7th, 2008

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories including SecureWorks news, press releases, and research.

CNN: Obama, McCain campaigns’ computers hacked for policy data

SC Magazine: Hackers begin malware barrage soon after Obama elected

CSO Online: PCI’s Post-Audit Pain Points

Credit Union Information Security: Vendor Management: 10 Tips for Hiring a Managed Security Services Provider (Free Registration Required)

Wired.com: Extortion Plot Threatens to Divulge Millions of Patients’ Prescriptions

Search Security: Security spending driven by mergers, Web 2.0 and compliance


The Week’s Links: October 27 - 31, 2008

Monday, November 3rd, 2008

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories including SecureWorks news, press releases, and research.

Search Security: Security survey finds increase in security standards adoption

SC Magazine: Malicious spam sees eight-fold jump in six months

SC Magazine: Cybercrooks use Google name to spread Facebook worm

eWeek: Stealthy Trojan Swipes Bank Log-ins, Financial Data From Thousands

Information Week: New Malware Technique Bypasses Traditional Defenses

Red Flags deadline extended for FTC-supervised organizations

Monday, October 27th, 2008

On Wednesday, the Federal Trade Commission announced they were delaying enforcement of the ID Theft Red Flags Rule until May 1, 2009. This delay ONLY applies to organizations supervised by the FTC. It does NOT apply to institutions supervised by the member agencies of the FFIEC (FDIC, OTS, OCC, FRB and NCUA). As of this blog posting, there has been no public announcement from the FFIEC agencies regarding any extension of the November 1 compliance deadline for Red Flags.

According to the press release, the deadline is being moved further out because of uncertainty about who has to comply with the Red Flags Rule:

“During the course of these efforts, Commission staff learned that some industries and entities within the FTC’s jurisdiction were uncertain about their coverage under the Rule. These entities indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution. Many entities also noted that, because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the Rule’s requirements too late to be able to come into compliance by November 1, 2008. The Commission’s delay of enforcement will enable these entities sufficient time to establish and implement appropriate identity theft prevention programs, in compliance with the Rule.”

We’ll keep an eye on this and provide an update if we hear anything from the FFIEC agencies.

The Week’s Links: October 20 - 24, 2008

Friday, October 24th, 2008

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories including SecureWorks news, press releases, and research.

CNET: Adobe addresses Flash Player ‘clickjacking’ flaw

CNET: Report: As stock market drops malware rises

SC Magazine: FTC extends “Red Flags Rules” enforcement six months

Dark Reading: ‘Block the Vote’ Tactics Go Online This Election

Network World: P2P legislation forcing university IT to get tough on piracy

The Week’s Links: October 13 - October 20, 2008

Friday, October 17th, 2008

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories including SecureWorks news, press releases, and research.

SC Magazine: FBI sting busts 56 for buying, selling stolen credit card data

Search Security: Malicious program poses as Windows Security Center

Dark Reading: Inspector General Report: Two IRS Applications Leave Taxpayer Data at Risk

CNet: Fake Microsoft e-mail contains Trojan virus

Computer World: Woman is first to plead guilty in notorious spam case

Information Week: Merchants Lack Technical Skill To Spot Online Ad Fraud

SC Magazine: Academics predict growing cybercrime sophistication

PCI v1.2 Webcast Followup: Links to Card Brand Compliance Programs

Thursday, October 16th, 2008

To follow up on a question that was asked during our recent webcast “PCI DSS v1.2: What You Need to Know”, here are links to the various card brands’ compliance programs where you can find detailed information on their requirements for protecting cardholder data:

These, in addition to the PCI Security Standards Council’s website, are good resources for learning more about what it takes for your organization to be compliant.

The Value of certs

Tuesday, October 14th, 2008

There are hundreds of security certifications out there, but not all are equal when it comes to validating a person’s security expertise. Like security ROI, compliance v. security, etc., this is a topic that seems to raise its head every so often in the security community. Last week, Stephen Northcutt (President of SANS and founder of the GIAC certification) gave his take:

“First, what does a security certification prove? Security certifications prove that the candidate meets a minimum standard. How do you know what a certification is worth? By making sure you understand what the minimum standard is and what the quality of a certification is.

Let’s do the quality part first. Anybody and his brother can go out and write some questions and pretend to offer a certification. But, when they do that, there is no quality review, and that gives people like the original blogger an understandably bad taste in their mouth. So, the first step is to find out if the certification provider has undergone, or is undergoing, ISO 17024 certification for certifications. That doesn’t prove their content is perfect, but it goes a long way towards assuring their process is repeatable and solid.

Now, let’s address the “minimum standard” part of a security certification. Quality and respected Security Certification providers like (ISC)2, ISACA and GIAC, develop a Job Task Analysis for their certifications. Here is a nice discussion of a Job Task Analysis (JTA) that has nothing to do with Security. Each and every certification should have a JTA describing the knowledge, skills and abilities required for that particular job. The more detailed and fine-tuned the JTA, the easier it is to address the minimum standard assured by the certification. For instance, the CISSP is so broad you can really only say it proves you know the basic theory and terminology of security. The CompTIA Security+ is similar; it says you know enough theory and terminology of security to be entry level. The GIAC GSEC is pretty much in the same boat; it says you know essentially the same theory and terminology of security as the CISSP, but you also know some pragmatics (what tools to use and when, operating system basics, some hands-on experience). In all three cases the minimum standard is a broad understanding of security; none of these certs demonstrate deep knowledge, but all of them assure employers you have the foundation to understand security. This may sound trite at first, but all three also demonstrate that you can read, write, reason and memorize, which are, in fact, important skills.

In order to go beyond “memorizing mostly useless and dated facts”, the JTA has to get more specific. If I was an employer looking for a quality measurement tool for potential candidates, I would look for a security certification that has quality and is specific to the job I am trying to fill. For instance, SecureWorks, probably the best IDS/Log Monitoring Outsourcing contractor in the industry, requires Intrusion Detection certifications. Currently they require the GCIA, but I am sure that they would accept a resume from anyone with a quality certification in the same field.”

Stephen is right. If you’re evaluating job candidates, you have to understand what holding a certification really means for a person’s expertise and ability. Here at SecureWorks, we gained that understanding through first-hand experience with the multitude of available certs. This experience led us to require the GCIA for all SOC analysts, because it aligns very well with the baseline level of technical expertise and proficiency we need from our analysts to provide the best quality of service.

If you don’t have first-hand experience, I suggest taking Stephen’s advice: research the verifiable steps a certification provider has taken to ensure the quality of their certifications (e.g. ISO 17024) and how the specific certification applies to the job to be done (e.g. JTA).
