Subject Index
You may view a list of articles available to Members by clicking on any topic. In order to view the actual articles you will
need to become a paid CSI Member.
Recent CSI members-only publications (PDF):
- October 2009 Alert: Windows 7
Poor Vista. Vista was a trail-blazer, harangued and maligned by a world that wasn't ready for it. It was blamed for the failings of application and device driver developers and for the limitations of aging hardware, and criticized for being too heavy-handed with the security warnings meant to protect reckless, security-unsavvy users from themselves. To top it all off, starting Oct. 22 Vista will have to share store shelves with its easier-going, better-behaved, better-loved little sister, Windows 7—Microsoft's new client operating system, which has been receiving a steady stream of positive reviews from reviewers who seem surprised to be writing them. Windows 7 addresses users' major complaints about Windows Vista. Plus, when coupled with Windows Server 2008 R2, Windows 7 could be the OS for securely managing a mobile, widely distributed workforce.
- September 2009 Alert: Claims-Based Identity Management
Want to reduce your data security efforts? Have less data. Want to maintain your privacy? Don't give out so much personal information. Want to make sure a user is who they say they are? Then don't just ask the user; ask someone you trust to vouch for them. Want attackers to stop stealing your valuable data? Make your data less valuable to them. The logic is sound, but historically, as it relates to electronic data, the practice has been difficult if not impossible. Making these logical actions both possible and relatively easy for everyone involved is the promise made by claims-based identity and access management—collectively, OpenID, information cards and SAML.
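The trust model the paragraph describes, as an added worked example (not code from CSI, nor from any OpenID, information-card or SAML implementation): a relying party does not ask the user, it asks an issuer it trusts to vouch for the user, and it trusts only the claims it actually needs. The issuer URL, audience and claim names are made up, and the HMAC key shared between issuer and relying party stands in for the RSA/XML signature a real SAML assertion or information card carries.

```python
"""Claims-based identity in miniature: a trusted issuer vouches for a user by
signing only the claims a relying party needs, and the relying party checks
issuer, signature, audience and expiry before trusting a single claim.
Added illustration, not CSI or OpenID/SAML code.  The HMAC key shared between
issuer and relying party stands in for the issuer's RSA/XML signature; the
issuer URL, audience and claim names are hypothetical."""
import base64
import hashlib
import hmac
import json

# Hypothetical trust store of the relying party: issuer -> verification key.
# A SAML or information-card relying party would hold the issuer's public
# certificate here rather than a shared secret.
TRUSTED_ISSUERS = {
    "https://idp.example.org": b"hypothetical-key-shared-with-idp",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, key: bytes, audience: str, claims: dict,
                now: int, ttl: int = 300) -> str:
    """Issuer side. Only the requested claims are signed; the user's password,
    date of birth or full profile never leave the issuer ("have less data")."""
    body = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl,
            "claims": claims}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, expected_audience: str, now: int) -> dict:
    """Relying-party side. Returns the claims, or raises ValueError naming the
    check that failed.  Order matters: the issuer must be trusted before its
    key is used, and the signature must hold before any field is believed."""
    try:
        payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    payload = _unb64(payload_b64)
    body = json.loads(payload)
    key = TRUSTED_ISSUERS.get(body.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    if body.get("aud") != expected_audience:
        raise ValueError("token issued for a different relying party")
    if now >= body.get("exp", 0):
        raise ValueError("token expired")
    return body["claims"]


def check(token: str, audience: str, now: int):
    """Wrap verification so callers get ('ok', claims) or ('rejected', why)."""
    try:
        return "ok", verify_token(token, audience, now)
    except ValueError as exc:
        return "rejected", str(exc)


def forge_claims(token: str, extra: dict) -> str:
    """Attacker side: rewrite the claims but keep the original signature, to
    show that the relying party catches the change."""
    payload_b64, sig_b64 = token.split(".")
    body = json.loads(_unb64(payload_b64))
    body["claims"].update(extra)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + sig_b64


if __name__ == "__main__":
    idp, rp, t0 = "https://idp.example.org", "https://app.example.com", 1_250_000_000
    tok = issue_token(idp, TRUSTED_ISSUERS[idp], rp, {"over_18": True}, t0)
    print(check(tok, rp, t0 + 60))                                  # accepted
    print(check(forge_claims(tok, {"admin": True}), rp, t0 + 60))   # bad signature
    print(check(tok, "https://other.example.com", t0 + 60))         # wrong audience
    print(check(tok, rp, t0 + 300))                                 # expired
```

The audience check is what stops a token minted for one site from being replayed at another, and the claim set carries an `over_18` boolean rather than a birth date: the relying party gets exactly what it needs to make its decision and nothing it would later have to protect.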
- August 2009 Alert: Social Networking
Let's face it: social networking isn't going anywhere, and as these services become more common, flatly blocking them will certainly create disgruntled users without necessarily mitigating social networking security threats. In this issue, learn how attackers are leveraging social networking for more sophisticated attacks; see examples of how user carelessness has landed individuals and businesses in hot water; get tips on how to combat these threats; and learn a few ways to use social networking sites to actually improve your security program.
This issue includes four step-by-step guides to securing your accounts on Twitter, Facebook, LinkedIn and MySpace. They're written in plain language, so distribute them to your end users.
This link will also send you to a recording of an informal CSI members-only Web/audio conference held Aug. 27. It was a lively, open conversation about a variety of best and worst practices regarding social networking security, and includes a few demos of Facebook, MySpace, LinkedIn and Twitter.
- July 2009 Alert: Incident Response
With threats diversifying and the legal landscape becoming more of a quagmire, the process of responding to security incidents is riddled with unfamiliar pitfalls. In this issue, learn which often-overlooked parties should have a place on your incident response team or teams. Learn why conducting e-discovery internally may be a bad idea. Learn how to navigate data breach notification law—which becomes particularly (even surprisingly) complicated when you do business in more than one country. Gain insight into collaborative multi-organization incident response. Get a case study of how to architect and implement a Security Information and Event Management (SIEM) center. And learn why you need a forensic readiness plan, and how to implement one.
- May/June 2009 Alert: Unified Compliance
Given the manifold challenges of achieving, proving and maintaining compliance with many regulations at once, one would think that any effort to unify, integrate, streamline and simplify the process would be pounced on with great enthusiasm. However, one of the largest such projects, the Unified Compliance Framework, has been slow to truly take off. The common reason given by reluctant security, privacy and compliance officers is that—while they applaud both the spirit and the implementation of the project—the price of the framework is simply too high. There are other unified compliance tools out there, and security/compliance officers at some organizations have established and run their own internal unified compliance programs—but they know best of all that it's much easier said than done. This issue of the Alert discusses both how to leverage existing unified compliance projects and how to develop your own internal unified compliance program.
- April 2009 Alert: Online Trust (and other broken things)
In the past few months, SSL has gone through the wringer in highly public fashion. The MD5 hash algorithm, which some SSL certificates still use, is being so thoroughly broken and beaten apart it's almost hard to watch (in December 2008 researchers used an MD5 collision to obtain a certificate that browsers accepted as a valid certificate authority). Closed padlocks and HTTPS:// don't inspire the safe feeling they used to. And in the background you can hear the casual cracking of CAPTCHA after CAPTCHA... Can we still trust online trust?
This issue of the Alert discusses online trust and other things that continue to fail us. Compliance checklists and risk models are rickety crutches. In dealing with the BBC show's purchase and subsequent use of a botnet, cybercrime law enforcement gets it wrong. Again. Security ROI, control systems, the Same Origin Policy, Social Security numbers and signature-based anti-virus all make the "dishonorable mentions" list.
- March 2009 Alert: Security in a Recession
In this economic downturn, many businesses are afraid to move, for fear that one step in the wrong direction could have disastrous effects. When everything is risky, how do you manage risk? Though the risks are different, good risk management stays the same—but is your current risk management process good enough?
Mergers, layoffs, and even suspicion of layoffs are making fearful and disgruntled insiders more likely to resort to data theft or destruction—such as planting a malware bomb designed to crash all of Fannie Mae's 4,000 servers. You've got to get the timing just right when revoking or modifying access privileges and retrieving computing devices. When the moment comes, will you be prepared to spring into action? Do you have an adequate change management policy in place? Are you sure you won't fall out of compliance with security and privacy regulations while in the midst of these massive changes?
- February 2009 Alert: Smartphones
Make no mistake, smartphones are a different animal than any other mobile devices you're used to managing. Smartphones introduce a staggering amount of complexity to your security program and users have different expectations about smartphone use. Do you need to purchase a fleet of devices for users, or is it possible to let staff drop their own money on the smartphone of their dreams and still protect your organization's data? Believe it or not, we think that buying a fleet of phones and dropping cash on third-party security tools should be low on the to-do list.
- January 2009 Alert: New Year Predictions
The security industry needs reform. Simply polishing up the status quo is not enough to adequately address the threat landscape and the business needs of today, much less tomorrow. Yet how can intelligent, effective, proactive change be achieved amid so much uncertainty?
A new American presidential administration—whose transition website was named Change.gov—promises to make cybersecurity a higher priority. The new administration is expected to institute new, stiffer, better-enforced federal security standards and regulations, and information security managers will be responsible for complying with them. The global economy is in crisis. Although the information security industry has proven quite hardy compared to the rest of the market, the job of security managers grows more challenging. Acquisitions, layoffs and pay freezes make employees disgruntled, thereby increasing the insider threat. Security managers must manage access rights during layoffs, prepare for the possibility of security service providers going out of business, and secure new "cost-saving" technologies.
The year 2009 will be defined by change. We've made our best predictions, and set some priorities. Here are our opinions on what to expect and what to demand.
- November/December 2008 Alert: Cloud Computing
If you embrace cloud computing, can you still prove regulatory compliance? As a user of cloud-based computing and storage resources, it's hard to be sure what server you're accessing, who else can access it, or what country it's located in, much less whether that server is secure. Additionally, the cloud-based server is owned by a third party—one that may not share its log files, audits, or forensic findings with you.
Luckily, while cloud services still may not be right for handling medical or payment card information, security vendors and cloud service providers are beginning to offer ways to effectively secure your cloud-based computing resources and satisfy some compliance requirements (of the Sarbanes-Oxley Act, for example). Early cloud adopters may have to pay a premium for better security—so before storing sensitive data or conducting sensitive activities in the cloud, organizations must investigate whether the business benefits outweigh the security costs.
- October 2008 Alert: Secure Web Browsing
Is "safe browsing" in Web 2.0 just a myth? Browser security is paramount, because the browser is in a position to both protect the client machine from drive-by malware downloads and mitigate attacks that are executed within the Web exclusively (never touching the client machine). Plug-ins, IFRAMES and JavaScript—the bread-and-butter of Web 2.0—are fast becoming criminal hackers' favorite attack vectors, but unfortunately, today's browsers' best defenses against those attacks also render most of Web 2.0 unusable.
So, in this issue, we make our wish list for the next generation of secure browsers. We discuss how the betas of Google Chrome and Internet Explorer 8 match up. We take a closer look at clickjacking (the latest darling of the security media) and see whether next-gen browsers have a good defense. We discuss the inexorable blurring of the line between operating systems and Web browsers, and think about what new policies we'll need to address emerging Web 2.0 applications.
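The defense the clickjacking question above is really asking about, as an added example (not CSI, Microsoft or Google code): X-Frame-Options, which shipped with Internet Explorer 8 as the first browser-side control over who may frame a page, and the later Content-Security-Policy `frame-ancestors` directive, included here as the generalization. The function decides, from a response's headers, whether a browser honoring these headers would let a given origin embed the page; the response headers in the demo are constructed, and the source-matching is a deliberately simplified subset of the CSP rules.

```python
"""Will a browser let this page be framed?  X-Frame-Options arrived with
Internet Explorer 8 as the first browser-side clickjacking defence; the
Content-Security-Policy frame-ancestors directive is its later, more
expressive successor and is handled here as the generalisation.  Added
example for this page, not CSI, Microsoft or Google code; the response
headers in the demo are constructed and the CSP matching is simplified."""
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(src: str, framer: str, page_origin: str) -> bool:
    """Simplified CSP source matching: 'self', '*', exact origins, bare
    hosts and *.wildcard hosts.  A scheme, when given, must match."""
    src = src.lower()
    if src == "'self'":
        return framer == page_origin
    if src == "*":
        return True
    f = urlsplit(framer)
    if "://" in src:
        s = urlsplit(src)
        if s.scheme != f.scheme:
            return False
        src_host = s.netloc
    else:
        src_host = src
    if src_host.startswith("*."):
        return f.netloc.endswith(src_host[1:])   # *.x.y does not match bare x.y
    return src_host == f.netloc


def frameable_by(headers: dict, page_url: str, framer_origin: str):
    """Return (allowed, reason) for a page served with `headers` being
    embedded by `framer_origin`.  Header names are matched case-insensitively.
    As in browsers, frame-ancestors takes precedence and X-Frame-Options is
    then ignored."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin = _origin(page_url)
    framer = framer_origin.lower()

    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if not sources or [s.lower() for s in sources] == ["'none'"]:
                return False, "CSP frame-ancestors 'none'"
            if any(_source_matches(s, framer, page_origin) for s in sources):
                return True, "allowed by CSP frame-ancestors"
            return False, "not listed in CSP frame-ancestors"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return framer == page_origin, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        parts = xfo.split(None, 1)
        allowed = _origin(parts[1]) if len(parts) == 2 else ""
        return framer == allowed, "X-Frame-Options: ALLOW-FROM (not honoured by every browser)"
    if xfo:
        return True, "unrecognised X-Frame-Options value; treated as absent (browsers differ)"
    # Nothing restricts framing: the page can be loaded invisibly over an
    # attacker's page and its buttons clicked on the victim's behalf.
    return True, "no framing restriction"


# Constructed responses for the demo.
PAGE = "https://bank.example/transfer"
NO_HEADERS = {}
SAMEORIGIN = {"X-Frame-Options": "SAMEORIGIN"}
CSP = {"Content-Security-Policy":
       "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
       "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    for hdrs in (NO_HEADERS, SAMEORIGIN, CSP):
        for framer in ("https://attacker.example", "https://bank.example",
                       "https://portal.partner.example"):
            print(hdrs, framer, frameable_by(hdrs, PAGE, framer))
```

The `CSP` case shows why the two headers are usually sent together: a browser that understands `frame-ancestors` uses it and ignores the `DENY`, while an older browser that knows only X-Frame-Options falls back to the stricter rule. A page that returns `(True, "no framing restriction")` for an attacker origin is the one the clickjacking discussion is about.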
- September 2008 Alert: Security of Green Computing
The September Alert focuses on the inherent security risks of going green. We show you how to go green without jeopardizing security, with two goals in mind: properly disposing of used equipment and minimizing energy consumption. Recycling your used electronic equipment is a secure, and greener, alternative to tossing it in the trash, and keeps a dumpster diver from recovering your used devices and the sensitive information stored on them. Reputable third-party recyclers overwrite the data and provide you with an audit report; for media that held sensitive data, verify the overwrite or have the media physically destroyed. An easy and secure way to begin to go green is to activate your power management settings. Power management software will help you save on energy bills and reduce your carbon emissions.
- August 2008 Alert: Trusted Computing
If fully embraced, trusted computing offers a host of benefits to your endpoint security efforts, and bolsters your anti-malware, data security and application security programs too. It's probably the best defense against rootkits you'll ever find and can detect whether or not an application has been tampered with before it even loads up. It strengthens whole-disk encryption. Unlike a standard NAC solution, trusted computing can deny unauthorized users access not only to the network but to the device itself.
So why are so few organizations using it? Despite its manifold attractions, trusted computing has been only very feebly embraced by the security community. It has its limitations and complications, and also suffers from an image problem due to its potential use in digital rights management. However, the biggest reason trusted computing hasn't taken off seems to be because very few people have the faintest notion what it means or how to use it.
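Since the two paragraphs above say that very few people know what trusted computing means or how it detects tampering before a component loads, here is the mechanism as an added worked example (not CSI text, and not TPM, BitLocker or tboot code). It reproduces the TPM 1.2 PCR extend rule, PCR := SHA-1(PCR || SHA-1(component)), in software, shows what a remote attestation verifier checks against the measurement log, and seals a disk key to the expected PCR value the way BitLocker seals its volume key. The boot images, disk key and "chip key" are constructed stand-ins.

```python
"""How trusted computing notices tampering before a component runs, and why
that strengthens whole-disk encryption.  Added worked example, not CSI text
and not TPM, BitLocker or tboot code: it reproduces the TPM 1.2 PCR extend
rule PCR := SHA-1(PCR || SHA-1(component)) in software, then seals a disk
key to the resulting PCR value.  Boot images, disk key and 'chip key' below
are constructed stand-ins."""
import hashlib
import hmac

PCR_INITIAL = b"\x00" * 20        # TPM 1.2 PCRs 0-16 are 20 zero bytes at reset


def measure(component: bytes) -> bytes:
    """The digest a boot stage records for the stage it is about to run."""
    return hashlib.sha1(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM_Extend. The register can only be folded forward, so no later
    software can erase or reorder an earlier measurement."""
    return hashlib.sha1(pcr + digest).digest()


def measured_boot(components):
    """Simulated boot: each stage measures the next into the PCR before
    handing over control.  Returns the final PCR and the measurement log."""
    pcr, log = PCR_INITIAL, []
    for name, image in components:
        digest = measure(image)
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log) -> bytes:
    """What a remote attestation verifier does: recompute the PCR from the
    log and compare it with the value the TPM signed (the Quote)."""
    pcr = PCR_INITIAL
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def seal(secret: bytes, chip_key: bytes, expected_pcr: bytes) -> dict:
    """Stand-in for TPM_Seal: bind a secret to a PCR value.  A real TPM
    encrypts under a key that never leaves the chip and refuses to unseal
    unless the PCRs match; chip_key models that key."""
    if len(secret) > 32:
        raise ValueError("this toy seals at most 32 bytes")
    keystream = hmac.new(chip_key, b"seal" + expected_pcr, hashlib.sha256).digest()
    return {"pcr": expected_pcr,
            "ct": bytes(a ^ b for a, b in zip(secret, keystream))}


def unseal(blob: dict, chip_key: bytes, current_pcr: bytes):
    """Returns the secret only if the platform is in the sealed-to state."""
    if not hmac.compare_digest(blob["pcr"], current_pcr):
        return None
    keystream = hmac.new(chip_key, b"seal" + current_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], keystream))


# Constructed boot chains; the second has a rootkit patched into the kernel.
GOOD_BOOT = [("bios", b"firmware 1.07"), ("bootloader", b"grub 0.97"),
             ("kernel", b"vmlinuz-2.6.27")]
TAMPERED_BOOT = GOOD_BOOT[:2] + [("kernel", b"vmlinuz-2.6.27 + rootkit")]
CHIP_KEY = b"hypothetical-storage-root-key"
DISK_KEY = b"disk-encryption-key-0123456789ab"   # 32 bytes


def provision_and_boot(boot_chain):
    """Seal the disk key to the known-good PCR, then try to release it after
    booting `boot_chain`.  Returns the released key, or None if the TPM
    refuses because the measured state differs."""
    good_pcr, _ = measured_boot(GOOD_BOOT)
    blob = seal(DISK_KEY, CHIP_KEY, good_pcr)
    pcr, _ = measured_boot(boot_chain)
    return unseal(blob, CHIP_KEY, pcr)


if __name__ == "__main__":
    print("clean boot  ->", provision_and_boot(GOOD_BOOT))
    print("rootkitted  ->", provision_and_boot(TAMPERED_BOOT))
```

The tampered kernel is never "detected" by inspecting it: its digest simply lands in the PCR before it runs, and everything keyed to the clean value, here the disk key, stays locked. That is the whole-disk-encryption benefit the paragraph refers to, and `replay_log` is the check a NAC-style attestation server would perform before letting the machine on the network.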
- July 2008 Alert: The Fate of the Secure OS
As of June 30 Microsoft ceased selling Windows XP (except on budget PCs sold mainly in developing countries). Though sales of XP's successor, Windows Vista, are better than most people think, even some of the most security-conscious IT professionals are flatly refusing to adopt Vista, which is certainly the most security-minded operating system ever created and quite arguably the most secure.
Yet when a small selection of CSI members were polled, only two respondents named Vista as the most secure operating system currently available. Not one single respondent planned to migrate their XP-running machines to Vista—not in six or even 12 months. Eighty-one percent of respondents planned to stay on XP "for as long as is humanly possible," and the remainder planned to wait until the next Windows operating system is released; the next Windows OS is currently code-named "Windows 7," and is tentatively scheduled for a January 2010 release (by which time XP will be over nine years old).
Why are even security professionals rejecting Vista? What must Microsoft change with Windows 7 to win over the reluctant XP devotees? Can a non-Windows OS capitalize on Vista's market failure and succeed XP as the enterprise-standard operating system? What does all this mean for desktop security?