The next item to tackle is the overall security architecture – and this includes several things. But let me first state the disclaimer that of course it is imperative that the correct governance and policies are in place and that technology can’t replace those things. But, it is also clear that however sophisticated, no paper document or process design will block an attack in the meantime until...

With the Target data breach, many are wondering how criminals can profit from the use of the stolen credit cards. Here's how they do it.

“We live in a world where we’re ceding a lot of our power to other companies,” said Bruce Schneier ( @schneierblog ), security blogger and author of “Liars and Outliers” in our conversation at the 2013 RSA Conference in San Francisco. Schneier was referring to companies such as Google and Facebook that control our data as well as companies that control our devices, such as Apple. “These companies...

When most people think of penetration testing, they think of a simulated external attack where the tester tries to break into a network remotely. Companies focus most of the security spending and policies on keeping hackers out remotely, from firewalls and other security hardening appliances, software and tools. However, given the proliferation of mobile devices in the workplace and use of Wi-Fi...

Tips from six CSOs/CISOs from varied industries who have actually applied risk-based security management to their business.

Last week, I sat in on a briefing by a guy who calls himself “ Four ” who happens to be involved in intrusion detection for Facebook. He shared some interesting perspective at the Black Hat conference through a discussion of ”Intrusion Detection Along the Kill Chain.” The information Four presented is based on the work done by Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D of Lockheed...