The annual RSA Conference is perhaps the biggest gathering of information security professionals from around the world. The topics that were discussed this year ranged from cloud security, mobile security to behavior based solutions.

With 22,000 participants, this year’s conference had a huge turnout. RSA 2013 was the perfect venue to pick-up the latest information about varied security topics, gather thought-provoking insights, and network with other experts and colleagues.

During the conference, I attended several interesting talks, which I will discuss in detail my next blog post. For now, I will share with you my high-level takeaways from these discussions:

• There is an increased involvement and interest from the government, which was evident from the buzz generated by the recent White House executive order on cybersecurity. Both the government and security industry expressed the desire for tightening cybercrime laws. The government encouraged more participation from the private sector and work as one. The Department of Homeland Security (DHS) also announced its initiative to share real time classified threat information with security vendors.
• Cloud Security was well discussed and generated a lot of interest from users.  A good part of the first day was dedicated to the Cloud Security Alliance Summit. There were some interesting keynotes from Mark Weatherford of DHS,  former American Express CEO Jim Robinson, and Trend Micro Vice President of Cloud Security Dave Asprey. Some of the key issues of cloud security were highlighted and best practices were discussed.

Read the rest of this entry »

The annual Pwn2Own hacking contest is always a rather frightening demonstration of how available exploits are. Year in, year out, the latest browsers and Web plug-ins fall to researchers demonstrating cutting-edge ways to craft exploits and defeat the latest security precautions put in place by various software vendors.

Most vendors, however, have become quite good at patching vulnerabilities as they are discovered in contests like this. For example, both Chrome and Firefox have received updates that fixed the flaws uncovered at Pwn2Own. Flash and Internet Explorer will receive similar updates next month.

We’ve talked before about how to best secure Java and PDF readers. What about Flash?

Can you do without it?

If you’re really security-minded, yes, you can do without Flash. To a large degree, Flash’s usage is now limited to online video, games, annoying ads, and the navigation menus of websites. (Among other things, the rise in popularity of smartphones and tablets – which generally don’t have Flash – has played a role in that development.)

If these are things that aren’t important to you, you can safely remove Flash and not have your day-to-day browsing experience be affected. For many people, the stumbling block is likely to be online videos. It may be a good idea to check if your favored video site has HTML5 support. For example, Youtube has HTML5 support – but it’s as an opt-in beta.

Is it built into your browser?

Some browsers actually have Flash directly integrated into them, making updating them relatively painless. Internet Explorer 10 (on Windows 8) receives Flash updates as part of Windows Update. Flash is completely integrated into Chrome, so auto-updates for Chrome also ensure that Flash is kept up to date.

Using these browsers ensures that the version of Flash for that browser is kept up to date by the browser itself as part of its own auto-update. This minimizes your exposure to exploit kits, as many cybercriminals (due to the cost of cutting-edge exploits) will prefer to use long-patched security flaws, aware that many users don’t always run the latest version of software.

How do I keep my version of Flash up-to-date?

Today, Flash comes with its own auto-update installer. However, it won’t hurt to check manually every now and then whether the version you have is up to date.

To do that, you can visit Flash’s about page and check what version you have installed. If you need to download an updated version,  the about page helpfully provides links to the download for Flash Player.

Even if you use multiple browsers, you only need to do this twice: one to check on Internet Explorer, and another for non-IE browsers collectively.

Read the rest of this entry »