Computer Security ALERT
Read sample Alert issue: "Virtualization: Security Enabler or Security Threat"
The CSI ALERT newsletter goes beyond the usual headlines, delving deeper into the news with interpretive analysis, giving you the insight you need to protect your organization without inhibiting productivity. Published 10 times per year, the Alert digs into pressing security issues--like identity management, cloud computing, virtualization, compliance, globalization and mobile devices--and helps security managers decide what's real, what's hype and what's right for their organization.
The Alert is FOR CSI MEMBERS ONLY. Not a member yet? You can click here to learn a bit more about all the benefits of membership. Or, if you'd like to sample some standard Alert fare, read "Virtualization: Security Enabler or Security Threat," for free. It's an oldie from 2008, but a goodie. (Oh, just go ahead and buy a membership already.) If you're already a member of CSI--thanks!--make sure you're logged in, and follow the links below to read our most recent issues of the Alert.
APRIL 2011 Alert
Is Data Loss Plummeting?
Our guess is that the primary finding of the latest Verizon Business 2011 Data Breach Investigations Report — namely that even with doubling the number of examined incident cases, the total number of compromised data records dropped by an order of magnitude — will be so unpalatable to some that the report will fall off the radar in a hurry.
Also in this issue:
OTA Releases Messaging Ecosystem Security Framework
RSA and the Client-Side Attack
Double Agency And The Authorized Use Of Confidential Information by Charles Cresson Wood
MARCH 2011 Alert
Exploring Client-Side Attacks
In a textbook proof that the discovery and demonstration of an application vulnerability has little if any impact on whether anything is done about it in the field, Marco Balduzzi, a researcher at the International Secure Systems Lab in Nice, France, recently took on the question of the extent of HTTP parameter pollution faults in the field.
Also in this issue:
What Gets Your Web Goat
Automatic Deletion Dates For Electronic Storage Of Personal Information by Charles Cresson Wood
FEBRUARY 2011 Alert
Worrying about the Web
When the 2011 (ISC)² Global Information Security Workforce Study was issued in mid-February, the electronically conducted survey of 10,413 information security professionals from companies and public sector organizations around the globe presented a number of key findings, such as: application vulnerabilities represent the number one threat to organizations, and mobile devices were the second highest security concern for the organization. To learn more, download this issue now.
Also in this issue:
Auditing Third-Party Handling of Internal Proprietary Information by Charles Cresson Wood
JANUARY 2011 Alert
Lessons from IT Masters
As many readers will already know, CSI is a charter member of the IT Policy Compliance group. The group recently published a 35-page report, of which this Alert issue covers a small excerpt. This research report covers findings from primary research on the masters of IT, and what these people and organizations are doing differently with IT to deliver the most value and least risk, compared with all other organizations.
Also in this issue:
Information Security Benchmarking Required Annually by Charles Cresson Wood
DECEMBER 2010 Alert
Scripts, Anyone?
As we were digging into Verizon’s 2010 Data Breach Investigations Report as part of preparing our own annual Computer Crime survey, it was hard not to be struck once again by the topline finding that 86 percent of victims had evidence of the breach in their logs. Given that 61 percent of the breaches were discovered by a third party, it’s hard not to conclude that organizations – and the companies that wind up as Verizon customers after a breach tend to be huge companies – aren’t doing much in the way of watching their logs.
Also in this issue:
Page 5: Straight-Up, No-Money Log Management
Page 8: My New ESXi Lab System by Barry Shteiman
Page 11: The Wikileaks Brouhaha & Compartmentalization by Charles Cresson Wood
NOVEMBER 2010 Alert
Key Presentations from This Fall’s CSI Events
This month we dedicate the Computer Security ALERT to a recap of sessions presented at the 2010 Annual Conference, including some of the sessions that were streamed live to attendees of our newly introduced online conference, CSI VX. These write-ups don’t do justice to the full content of the presentations, but on the other hand we feel we’ve been able to grab a fair measure of benefit from the conference material and we’d like to share it with you here.
Also in this issue:
Production Crypto-Process Deployments Require Key-Management Documentation by Charles Cresson Wood
SEPTEMBER 2010 Alert
PaaS Security – Is It Only Skin Deep?
Lori MacVittie, Technical Marketing Manager, F5
It is a widely acknowledged axiom of technology that if you can win the hearts and minds of developers, you will be successful. This makes the sometimes raised prediction that Platform as a Service (PaaS) will in the long term be “the” cloud of choice a much surer bet.
Also in this issue:
“What Color Is Your Information Risk?” Report Available
RIPE NCC and Duke University BGP Experiment by Erik Romijn
Annual Information Security Control Compliance Reports by Charles Cresson Wood
AUGUST 2010 Alert: A STANDARDIZED AND OPEN CLOUD
Last month we looked at cloud computing with particular emphasis on the primary public Web driver, Amazon. Obviously, there's plenty more cloud in the sky than that. This month, in three shorter takes, we'll look at other key elements of today's cloud landscape.
JULY 2010 Alert: The Amazon Cloud
We’ve looked at cloud security issues in the past, but it was arguably with an angle that we’ve seen much too much of: the “nobody’s got a good handle on this security in the cloud thing, plus how can you be compliant if you don’t know where your data physically resides?” sort of thing. Not that these aren’t legitimate, but surely it’s time to dig a little more into the details.
JUNE 2010 Alert: DevOps + Sec?
One network and data center trend we’ve been following with interest here at CSI is what could perhaps be called a movement. It’s called DevOps, a sort of contraction of development and operations, with one of its key motivations being to increase the cooperation between those who develop enterprise applications and those who have to keep them running reliably in production environments.
April 2010 Alert: E-Health Security in America
As though healthcare institutions' information security/privacy pros weren't challenged enough by the staggering complexity of healthcare computing environments, the job is beginning to require even more acrobatics because of rapid advancement in health information technology and stiffer federal regulations on privacy and security. In this issue of the Alert we think through a long list of new policies and processes healthcare institutions will need to put into place before rolling out Health Information Exchange and/or Patient Health Record platforms. We examine how adoption of e-health technology could actually make it easier to manage certain security risks. We investigate the security and privacy issues to consider as your organization tries to prove "meaningful use" of your new e-health systems and win a piece of those coveted economic stimulus funds. We take a look at some standardization efforts and the role of the open source community. And we take a peek into one patient's experience with one hospital's personal health record system, based on Microsoft's HealthVault platform.
March 2010 Alert: Next-Gen Security Metrics
Security metrics are too hard. They're too hard even when you've got ownership and oversight of every inch of your computing environment...so how much worse is it when your organization starts employing third-party IT services like cloud computing, Web services and smartphone services? This issue of the Alert proposes a policy for working security metrics into service agreements with third parties. In this issue we also discuss whether security metrics experts' caution is actually hurting the security industry--and how things might be better if we took inspiration from mathematicians and fashion designers. Plus we ask whether the Common Assurance Metric--a global, collaborative metrics effort with the backing of the Cloud Security Alliance, Microsoft, Google, ENISA and others--will get us closer to those ready-to-wear security metrics, or whether it will stop short too.
January 2010 Alert: Going International
Throughout January 2010 hardly a day went by without some mention being made of Google—the Operation Aurora attacks against the company, the possible discontinuation of Google China search engine result censorship, the possibility of Google abandoning the search engine business in China altogether, and the question of whether Google’s threats were motivated by business or by social responsibility. Internet privacy and security were thrust to the forefront of global debate. In this issue of the Alert we discuss what key lessons infosec professionals should learn from Google about managing privacy and security in an organization endeavoring to start business in a new nation. Also in this issue: Charles Cresson Wood suggests a way to resolve the incompatible legal requirements so often encountered by international organizations, and Ralph Hughes talks through some of the considerations all international enterprises should examine before adopting or rejecting open-source software.
November / December 2009 Alert: Visibility
“Are we secure?” It’s a simple question, but exceptionally difficult for most security managers to answer. Security professionals are asked plenty of other equally simple, equally challenging questions—are we compliant, have we been hacked, are we secure enough, etc. Why can so few of us respond to these questions with anything but tepid, tentative, tremulous half-answers? Why are these answers so difficult to come by…and why do we accept that it is so? This issue of the Alert provides guidance on what tools and techniques can make visibility easier to come by, and what careful questions can help you find the right answers.
October 2009 Alert: Windows 7
Microsoft's newest client operating system, Windows 7, was released Oct. 22, 2009 and it's already getting rave reviews for remedying all of users' major complaints about Windows Vista. Plus, when coupled with Windows Server 2008 R2, Windows 7 could be the OS for securely managing a mobile, widely distributed workforce.
September 2009 Alert: Claims-based Identity Management
Want to reduce your data security efforts? Have less data. Want to maintain your privacy? Don’t give out so much personal information. Want to make sure a user is who they say they are? Then don’t just ask the user; ask someone you trust to vouch for them. Want attackers to stop stealing your valuable data? Make your data less valuable to them. The logic is sound, but historically, as it relates to electronic data, the practice has been difficult, if not impossible. Making these logical actions both possible and relatively easy for everyone involved is the promise made by claims-based identity and access management—collectively, OpenID, information cards and SAML. Can it deliver?
August 2009 Alert: Social Networking Security
Let's face it: social networking isn't going anywhere, and as these services become more common, flatly blocking them will certainly succeed in creating disgruntled users but not necessarily succeed in adequately mitigating social networking security threats. In this issue learn how attackers are leveraging social networking for more sophisticated attacks; see examples of how user carelessness has landed individuals and businesses in hot water; get tips on how to combat these threats, and; learn a few ways to use social networking sites to actually improve your security program.