At Cyber-Ark we don’t typically like to brag about our achievements, but we have had such a great week that we can’t help but show off a bit. This year we have been shortlisted for not one, not two, not even three but FOUR SC Magazine Europe Awards! We are very excited and wanted to send our congratulations to all of the finalists that were also shortlisted in the Best IAM Solution, Best Remote Access, Best Security Management and Information Security Product of the Year Categories. While we’ve been celebrating we’ve also been paying close attention to some evolving stories in cyber legislation as well as an interesting twist on a phone hacking and wanted to put stories out there to get our readers’ opinions:

• Bloomberg Businessweek reported that the Cyber-Security bill has been delayed in reaching a vote on the Senate floor.  The Senate bill would authorize the Homeland Security Department to identify infrastructure that’s “considered critical to U.S. economic and national security” and develop standards that must be met to protect them. Understanding the security threat that cyber war poses on our nation and the number of sophisticated hackers out there, advisors are doing their best educate the Senate on the urgency behind this bill. Bruce McConnell, a counselor to Napolitano on cyber security matters stated, “What we were here today to do was make sure the Senate understands the severity and importance of the threats that we’re facing and the need for action.”

• Trying to hide your organization’s data breach? VeriSign proved this week that you can actually get away with it. After scouring 2,000 SEC filings Reuters reported this week that VeriSign was actually hit by hackers back in 2010 but did not report the breach until their SEC filing in October of 2011. How is this possible when the company states that “more than half (56%) of the world’s DNS hosts rely on the VeriSign .net and .com infrastructure”? Well, as long as credit card data isn’t involved organizations actually aren’t forced by the government to reveal a breach to the public.

• Finally, FOX News and other outlets reported that a phone call between the FBI and Scotland Yard was recorded and released online by the hackers in Anonymous. Luckily, the FBI said that there was no classified information on the call, but it was still accessed illegally. Anonymous tweeted that they were able to hack the phone call by compromising an investigator’s emails. If the call is authentic, it is quite jarring that the group was able to hack into the very call that discussed proceedings for past offenses.

We’d love to get your thoughts on these legislative issues as well as the phone hacking – do you think the Senate is taking the threat of cyber war seriously? Should VeriSign have been forced by law to reveal that they were breached? Is Anonymous a bigger threat than we anticipated?

Let us know in the comments!

It’s time for the first IT Security Rewind of 2012. While 2011 was certainly shaped by several spectacular security breaches, if the beginning of 2012 is any indication, then we are in for another wild ride.

NoSQL is No Small Problem: Dark Reading shines some “light” on a serious vulnerability to track in 2012—the security flaws of database technology NoSQL.  The article highlights that as with many traditional database technologies, the proactive management of privileged identities is a critical component to ensuring an effective security posture within these systems.

SCADA Issues Persist: There’s no lack of examples when it comes to highlighting the prevalence of vulnerabilities that exist in SCADA Systems.  As Sara Yin of Wired highlights through coverage of a recent presentation by Blake Cornell, an independent security researcher, default passwords have played a significant role in recent incidents, including the Siemens breach.  Again, it’s increasingly evident that using advanced privileged identity management technology can be part of an effective solution for managing these risky passwords that can be manipulated to gain wide-scale system access and control.

Consumerization of IT Risk: Consumerization of IT has carried over a hot topic for the security industry —is it 2012’s “cloud”-like buzz word? More importantly, what types of security risks does this trend pose? As reported in NetworkWorld, a survey of 520 CIOs found that 77% said they worry that “further consumerization of IT will lead to greatly increased business risks.” As enterprise technology continues to “go mobile”—this will be an important development to track, especially as individuals use mobile devices, such as phones and tablets, to share and exchange sensitive information.

So, 2012 begins. Let us know your predictions on the biggest security topics to watch for this year.

Returning from a holiday break is never easy, so if you were slightly neglectful to your industry news this week don’t fret – we’ve got it covered. It may have been a week of turkey hangovers for some of us, but the IT industry was busy reporting end-of-year recaps, forecasts for 2012 and of course, breaking news: Here is our summary of this week’s hottest stories.

Looking to achieve a life of “privilege” as an IT security pro? InformationWeek posted its annual “Best Paying IT Security Jobs In 2012” article and guess what? Security professionals can expect salaries to increase by an average of 4.5% in 2012—not bad in such a tumultuous economy. If you are a security professional in a midlevel/ senior role you are in a great position as demand is high. Supply, however, remains a different matter. Robert Half Technology said it expects to see “an abundance of positions and a shortage of skilled candidates.” As expected, the article also reported demand would soon increase for people who could manage “privileged identity management.”

Cyber crime linked to terrorism – In far more serious news, the FBI has revealed that four hackers were arrested in the Philippines last week in connection with an organized attack on the clients of U.S. telecommunications giant AT&T. Law enforcement officials believe the suspects were employed by the terrorist group Jemaah Islamiyah, which has been linked to numerous bombing attacks. According to Reuters, the FBI claims that AT&T’s customers were the targets of the hackers and were not the carriers themselves. An anonymous source reportedly added that the hackers breached the phone systems of AT&T customers and made calls to expensive international premium-rate services.

Water-pump hack pumped with errors – The SCADA hack that resulted in a water pump being destroyed has proven to be false – Wired reported this week that a contractor who was supposed to work on the system logged in according to permissions during a vacation trip to Russia, which was misconstrued as an outside hack.  In truth, the water pump simply burned out, as pumps are wont to do, and a government-funded intelligence center incorrectly linked the failure to an internet connection from a Russian IP address months earlier.

That about wraps it up for this week – we’d love to hear your thoughts on this week’s happenings – leave your comments here…

The Thanksgiving holiday is a great time to reflect on the things we are grateful for in IT security like data protection, fraud prevention, identity management and other preventative approaches. Here’s our look at the biggest stories of the week, where those approaches may have failed.  IT teams take note, don’t let these headlines ruin your turkey dinner:

From Russia, with No Love: According to reports from Wired and CNET, hackers from Russia were able to destroy a water pump at a utility in Illinois by hacking into their SCADA system.  This is a disturbing attack, as the hackers apparently breached the network of the company that made the SCADA system, stealing customer usernames and passwords. Worse—this appears to be very similar in scope and process to the recent RSA breach, and it also highlights to continued vulnerability of SCADA systems to these types of attacks (and the importance of controlling privileged access points and hardcoded passwords).

No Safe Space: Details are just beginning to form surrounding new of a Romanian hacker accused of hacking into NASA beginning on Dec. 12, 2010. Authorities claim that the hacker was able to obtain unauthorized access to protected data—an indication that abuse of privileges may have occurred. The hacker, who ended up destroying most of the data, was arrested and charged with multiple crimes.

No One Loves the IRS, Especially the GAO: In broader security news, the Government Accountability Office (GAO) has blasted the Internal Revenue Service (IRS) for failing to implement stronger security measures after numerous reports regarding organizational weakness in internal control over information security. The GAO takes particular exception to the IRS “deficiencies in its controls over access to the automated systems and software applications” and other weaknesses that “increase the risk of unauthorized individuals accessing, altering, or abusing proprietary IRS programs and electronic data and taxpayer information.” If the details are true, it’s quite evident that the IRS is not effectively and proactively managing privileged accounts and identities.

That’s our news for this week—let us know what we missed, and what you are, or aren’t thankful for in the realm of IT security!

This week we honored Christopher Columbus, someone who undoubtedly took a major risk and in the end, discovered something completely new. Thus it is appropriate that in this week’s IT Security Rewind we must report the passing of the visionary Dennis Ritchie, creator of the C programming language and co-developer of the Unix operating system. eWeek.com provided the following quote from Jeong Kim, president of Alcatel-Lucent Bell Labs, “Dennis was well loved by his colleagues at Alcatel-Lucent Bell Labs, and will be greatly missed. He was truly an inspiration to all of us, not just for his many accomplishments, but because of who he was as a friend, an inventor, and a humble and gracious man. We would like to express our deepest sympathies to the Ritchie family, and to all who have been touched in some way by Dennis.” To read more about Dennis’ accomplishments visit: http://www.eweek.com/c/a/Security/Dennis-Ritchie-Founder-of-Unix-C-Dies-at-70-215748/.

In other security news this week:

FTP may be dying but collaboration is not: eWeek’s Cameron Sturdevant (@csturdevant) took a look at the effect of the consumerization of IT on collaboration tools highlighting some major security vulnerabilities that have arose with the adoption of these free Saas tools.  With the proliferation of mobile devices Sturdevant emphasizes the importance of regulations in file sharing stating, “There are reasons to put boundaries on user collaboration, and licensed SaaS and on-premise tools are often best equipped to put these restrictions into practice. Blocking restricted data is among the chief reasons to curtail user file sharing. Helping well-meaning employees stay on the right side of the law when it comes to using regulated data is an important feature that is missing from nearly all the no-cost Internet services.” We completely agree and hope that Sturdevant will check out our secure file transfer solution to see how we successfully secure data in transit.

The real threat is still Inside: Despite constant media chatter around advanced persistent threats and external hackers, Dark Reading reported on a study that serves as a good reminder to organizations to look inside their organizations for threats within company walls. The study, conducted annually by Amplitude Research on behalf of VanDyke Software, found that a “of the many reasons cited for network intrusions, more than half could be attributed to internal issues: lack of adequate security policies (17 percent); employee negligence (12 percent); unauthorized access by current or future employees (11 percent); employee Web usage (6 percent); and lack of software updates (6 percent).”  Surprisingly, hacker/network attacks accounted for only 14 percent of intrusions; viruses, malware, and spyware were 10 percent.

PCI still a pain point for many: Okay we admit it, we love reports, especially when they support messages we’ve been sending for some time now. This report conducted by Verizon and covered by SC Magazine UK, found that “most businesses that accept credit or debit cards, or both, continue to struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI-DSS).” In fact, of those assessed by Verizon, only 21 percent were found to be fully compliant. These results were almost identical to last year’s which proves that, as an industry, we need to do more to educate organizations and help them to understand how to achieve compliance not just for auditing purposes, but for the protection of their customers’ sensitive information.