When a small phishing gang decides to upgrade its infrastructure, it is often done in a quick and dirty fashion. The transition is almost immediate, and often buggy and unprofessional. But what happens when a gang on the scale of the Rock Phish group decides to abandon its old methods and upgrade its botnet infrastructure? It is done slowly, smoothly but most importantly -- professionally. The RSA FraudAction Research Labs recently gathered information that indicates major changes in the tactics employed by the Rock Phish gang. We have reason to believe that the gang is replacing its phishing infrastructure, and upgrading it to an advanced Fast-Flux botnet. We also believe that this new infrastructure belongs to none other than the infamous Asprox Botnet, which has recently been spreading itself using surges of SQL injection attacks...

October is creeping up on us, and for most of us that means the beginning of the end of 2008, along with the nagging feeling that we should be doing some planning for 2009. This is the perfect opportunity to take stock of your security and compliance programs, and to develop a plan for improving things next year. If you've been following our various blogs here at RSA you probably realize by now that we espouse a security and compliance program based on three core pillars: it's information-centric, risk-driven and framework-based. Our compliance team has spoken with hundreds of customers from all over the world and in every industry segment this year, and we're finding that this approach is gaining acceptance at an ever-increasing rate. Organizations are realizing that they need to discover, manage and control their information assets in order to protect them...

This past weekend, I left Southeast Asia after a week-long trip to Bangkok, Singapore and Manila. The week was spent in back-to-back meetings with customers and our local sales teams, and the majority of our discussions centered on PCI DSS and compliance in general. One clear takeaway: Compliance is one of THE growing areas of concern for businesses in the region.

I found the degree to which customers in the region were concerned about compliance to be a bit of a surprise. I say 'surprise' because I often hear that compliance isn't as much of an issue outside of the U.S. From what we're seeing, though, the regulatory environment in non-U.S. geos, including Southeast Asia, is becoming more complicated...

So, several weeks ago I wrote a piece discussing the "long road to ISO 27001" adoption. A question posed to readers at the end of the piece: "How far off are we from the point at which ISO 27001 certifications in the U.S. are standard operating procedure for businesses -- the exception, rather than the rule?"

Well, the results are in! Our servers nearly crashed thanks to the influx of responses, but, fortunately, that wasn't the case. Here are the results...

I've just returned from my summer vacation, somewhat foolishly deciding to spend it under canvas in the south-west of the UK and expecting to get good weather. If my tent had leaked as badly in the last couple of weeks as data seems to have been leaking in the UK during the same period, I'd be in need of an aqualung by now! If it were an Olympic sport, Britain would have beaten China for pole position in the medals table!

It all started with the loss of a memory stick by a UK Government contractor which contained somewhere around 120,000 records, including the details of 10,000 of our nation's most serious criminals. We then heard about a compromise at global hotel chain Best Western...

Click to Download/Listen (06:46)

Paul Davilman from RSA’s Compliance and Solutions team sits down with Amanda Van Veen to talk about the North American Electric Reliability Corporation (NERC) Cyber Security Standards and how these standards will impact IT security in the utility industries. Please note that due to the U.S. Labor Day holiday, we'll be back in two weeks (on September 8) with a new show.

On August 18 the PCI Security Standards Council formally announced (http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf) forthcoming changes to the Payment Card Industry's Data Security Standard (PCI DSS) as it moves from version 1.1 to version 1.2 in October 2008. The release represents the first major update since September 2006.

What's my take on the summary of changes? Most merchants will be pleased to see that these are relatively minor changes...

Information risk management, and lessons-learned in the financial industry Last week's Economist had a good article entitled "Confessions of a Risk Manager", in which a risk manager from a global bank uses 20-20 hindsight to look at "what went wrong" in the lead-up to the credit crunch and the ensuing fallout. I won't pretend to understand all the ins and outs of financial derivatives, but there were some points raised that anyone in the IT security space can identify with...