Security Wire Weekly show

Security Wire Weekly

Summary: The cybersecurity industry’s premier podcasts featuring the latest information security news, interviews and information.

Podcasts:

 Demystifying nation-state attacks and their impact | File Type: audio/mpeg | Duration: 0:30:51

Jim Lewis of CSIS and Stephen Cobb of ESET join the SearchSecurity team in a discussion about the impact that nation-state attacks have on the security industry and the way businesses secure their systems. Stuxnet, Flame and Duqu are being linked to state-sponsored cyber activities, but the real threat may come from cybercriminals who follow no rules of engagement and are difficult to control.

 P2P encryption for mobile is not an endorsement, says PCI Council | File Type: audio/mpeg | Duration: 0:10:45

The PCI Security Standards Council recently urged merchants to use certified point-to-point encryption hardware when swiping credit card payments with a mobile device. But Bob Russo, general manager of the PCI SSC, insists that the PCI Council is not endorsing the technology. In this interview, Russo discusses the state of the PCI special interest groups (SIGs) and addresses why no Mobile SIG exists.

 Costly business logic flaws require manual testing | File Type: audio/mpeg | Duration: 0:20:35

Business logic flaws are costly to detect but even more costly if they are exploited, says application security expert Dan Kuykendall, CTO of NTOBJECTives Inc. Manual testing can detect the issues before cybercriminals can take advantage of the flawed functionality.

 2012 Verizon DBIR lessons overshadowed by hype | File Type: audio/mpeg | Duration: 0:26:47

In this edition of Security Squad, the editors discuss the 2012 Verizon DBIR findings that have been hyped and misconstrued and why only 8% of organizations make a breach discovery with internal technologies. Also, a discussion on how the message delivered at a recent conference by several security luminaries fell flat.

 Mobile device security policy essential to BYOD security | File Type: audio/mpeg | Duration: 0:15:03

Do you think you need a mobile device management platform? Think again, said Darrin Reynolds, vice president of information security at Diversified Agency Services. A formal policy should come first. Reynolds explains that security essentials can be done with existing systems.

 Expert advocates for more effective penetration tests | File Type: audio/mpeg | Duration: 0:18:09

Dave Kennedy, CSO of Diebold Inc. and a noted penetration tester, talks about the need for enterprises to have more effective penetration tests and to stop buying the latest security technology. It doesn’t work, he told attendees at the 2012 InfoSec World Conference and Expo. Kennedy said businesses should base their pen testing requirements on the Penetration Testing Execution Standard (PTES) and hold pen testers responsible for meeting the standard.

 Is your firm reviewing your logs? SIEM’s second life | File Type: audio/mpeg | Duration: 0:15:56

Chris Petersen, founder and CTO of LogRhythm, talks about the SIEM market and the challenges for enterprises to get beyond compliance, and shares his thoughts on the future of SIEM with deeper analytics. The interview was conducted last month at RSA Conference 2012.

 Verizon DBIR 2012 overview, attack mitigation strategies | File Type: audio/mpeg | Duration: 0:17:37

Christopher Porter of Verizon explains some of the findings from the Verizon 2012 Data Breach Investigations Report. This year, hacktivists had a big impact on the numbers. Attacks are mainly less sophisticated and more automated in nature, Porter said.

 Big data or big security buzz word? | File Type: audio/mpeg | Duration: 0:35:06

Pete Lindstrom of Spire Security joins the editorial team in a discussion about the themes that emerged at RSA Conference 2012. Big data resonated at this year’s conference, but what does it mean? Also, the team talks about the specter of mobile security and whether application security gets overshadowed at the annual event.
