New Phishing Kits Hit the Market: Trojan HTML Injections Now for Sale
The economic lifecycle of the underground fraud community functions very similarly
to the world of legitimate business. Online fraudsters have supply chains,
third-party outsourcers, vendors, and online forums where people with skills
and people with opportunities to commit fraud can find each other. The underground
fraud supply chain is becoming more technically and operationally sophisticated,
and we’ve coined this “Fraud-as-a-Service” or “FaaS”.
FaaS consists of services for advanced hosting, Trojan infection kits and cashout
services – all for sale within the fraudster underground.
Taking the Pain out of Secret Writing
Encryption is one security control that's showing up a lot more frequently
these days; in many cases the choice to implement encryption isn't optional.
PCI requires it, state PII protection laws are starting to demand it, and
many other government and industry regulations imply it as a requirement.
The other thing that's changing the way we look at encryption is that it's
becoming ubiquitous - many of the hardware and software products we buy that
touch information now have encryption built in. All of these factors are
combining to make encryption one of the fastest growing areas of security.
So what's the downside?
Five Steps Congress May Take on Information Security in 2009
Well, it’s that time of year again: lots of prognosticators making predictions for 2009
as they take a look at 2008 in the rearview mirror and try to figure out what’s
in front of us in the New Year. So, I’ll join the legions of IT experts
guessing what may be in store in the coming months as we raise our glasses
to 08 and toast 09 with anticipation, hope and, given the current economic climate,
with consternation as well. Since I am a creature of Washington and have the
opportunity to work with the U.S. Congress, I’ll focus on what steps
we might expect our national legislature to take in 2009 as it relates to information
security and privacy issues.
The New Year has just arrived and I'm reminded how, globally, we are all connected
in ways that would have been impossible 20 years ago: it's almost hackneyed
to say it again, but thanks to an amazing combination of infrastructure and
technology, we can live, work and play from Mumbai to London and from Tokyo
to New York City as one world in real-time. Of course, a lot of this is dependent
on some of the basic building blocks we use being sound, and in the last few
days one of these building blocks has come under attack: MD5 is on its last
legs as a tool in the cryptographic toolbox.
Securing Your Enterprise in an Insecure Economy
As companies everywhere seek to reduce capital and operational expenses in a
troubled economy, they ask themselves, "How can we spend as little as necessary
today to minimize additional costs throughout the next year?" IT and security
professionals relate to this as their goal is to never have to withdraw from
the Contingency Reserves (or similar) budget item. Contingency
Reserves is finance-speak for the allocation you must set aside to accommodate
potential financial ramifications resulting from IT security breaches. These
breaches occur when sensitive information leaks into the wrong hands, most
frequently as a result of inadvertent internal error.
Locard's Exchange Principle, Applied to eCrime
I love crime shows: Law & Order SVU, Inspector Morse, CSI:, the occasional episode of Monk, and others.
(OK – I’ll admit I like some of these for the drama as well!). I
also love a really good “Who Dunnit?” novel – usually with
a good twist or two, of which Jeffrey
Deaver is quite the modern master.
PCI DSS: How to Do More With Less
My colleague, Paul Stamp, recently shared his thoughts on the global economic downturn and the fact that it is making
many organizations concerned that their IT security budgets will be cut. Echoing
Paul’s observations, almost all the customers I’ve spoken with
have not seen their PCI budgets cut, but that is not to say they aren’t
concerned. Many have expressed a desire to stretch their dollars further,
asking the question, “When it comes to PCI and my other security and
compliance initiatives, how can I do more with less?”
Speaking of Security Podcast #133
Posted 12/17/2008 12:00:00 AM (running time 15:01)
This week's Speaking of Security podcast features part two of an interesting discussion with Uri Rivner, Head of New Technologies for RSA. Uri talks about what organizations can do to combat fraudsters. Through a layered security approach, organizations can stay one step ahead to mitigate the risk of fraudsters targeting their business.