Wanna Hear A Bad Idea? Wireless USB Thumb Drives.
Posted By Randy George at 01:27 PM
Word on the street is that a company called Touch360, a self-described company of "explorers, innovators, creatives, and researchers with a yen for adventure," has apparently developed a wireless USB thumb drive. Data thieves everywhere, rejoice, because soon your victims will just walk to within range of your laptop and you'll be able to suck all the data off their thumb drive.
Tenable Changes Nessus Licensing
Posted By Mike Fratto at 02:19 PM
Tenable Network Security is changing the licensing model for Nessus. The new licenses go into effect July 31. They replace the free Registered Feed option, where users could update plug-ins after a seven-day period, with a free Home Feed that offers updates with no delay, and the current Direct Feed will be replaced with the Professional Feed.
Does Your Organization Use Aggressive E-Mail Keyword Filtering Technology?
Posted By Randy George at 07:57 PM
Jeff Vance of Network World put out a great piece a few months back on how a data leak prevention tool running at George Washington University Hospital averted what could have been a major security risk to Vice President Dick Cheney. But while this technology clearly has a tremendous security upside, will pervasive use of this technology lead us down a China-like censorship path?
Data Loss Prevention Systems Help Battle Against Insider Threats
Posted By Randy George at 02:57 PM
If you're responsible for the security of your network and its data, you might want to shift your focus away from looking at your network from the outside in, and look at it from the inside out.
From a threat perspective, insider attacks can be thought of like an al-Qaida element operating within your walls. You might not see the threat or an actual attack on a daily basis, but you know the threat exists and you must plan for it. Similarly, attacks from the outside can be thought of as a Hamas-like element that exists outside your corporate boundary. Hamas-like attacks are more predictable and identifiable in nature, and as a result are easier to plan for. While both threats are serious, it's the attack from within that always comes as a surprise.
USB Thumb Drives Are A Convenience, But Also A Major Threat
Posted By Randy George at 07:53 PM
If you're like me, then you have a drawer full of USB thumb drives that you've collected from vendors over the years. Whenever I'm in a rush, I pop one out, copy some data to it, and transport it to its destination. Then what do I do? I usually leave it around like I do pens, sticky notes, and CD-ROMs. And while I encourage you to steal my sticky notes, I care a lot about protecting my thumb drives from theft. If you're not taking seriously the threat that removable devices pose to your network, now's the time to pay attention.
PayPal Takes The Fight To The Enemy
Posted By Randy George at 10:04 AM
In an effort to fight back against a massive amount of phishing attacks against PayPal, the e-commerce company recently announced that it will soon force customers who want to use its service to upgrade to browsers that have the latest phishing protection, such as Internet Explorer 7, Firefox 2, and Opera 9. Additionally, PayPal also is working diligently with ISPs to filter fraudulent phishing e-mails by dropping messages that lack a valid digital signature. But can you believe that some are crying foul?
Nmap, A Free And Must-Have Tool For Security Pros, Just Saved Me
Posted By Randy George at 05:35 PM
As I go through my mailbox and sort through the 1,000 different security products that I'm seemingly pitched on every week, I couldn't help but smile as I reflected on the fact that some of my favorite, and most useful, tools are free.
While I didn't get as much time on the floor as I would have liked, I think one of the more interesting themes from the RSA show is Governance, Risk, and Compliance (GRC). Ultimately, all the security products available, all the best practices, all the sessions, directly impact GRC.
Virtualization Security: A Solution Looking For A Problem?
Posted By Mike Fratto at 01:55 PM
One of the themes coming from RSA and from vendors in the last few months is the notion that virtual servers, whether running on a hypervisor or not, are somehow more at risk than physical servers. I don't buy it entirely because servers and applications that are virtualized tend to be in tightly controlled data centers. If your data center is secure, so are your servers. Why treat virtualized servers special?
Your ISP Is Selling YOUR Web Surfing Data. Do You Care?
Posted By Randy George at 12:25 PM
Most of us are aware of how various sites and ad networks data mine the cookies on your computer to produce targeted ads on Web sites that you frequent, but not many are aware of how pervasively ISPs are starting to participate in the process of selling your Web-surfing habits to the ad networks.
Battle Of The Sexes: Internet Fraud Edition
Posted By Tom LaSusa at 02:59 PM
They say girls develop much faster than boys. At the very least they appear to be quicker on the uptake when it comes to avoiding getting duped on the Internet.
I must admit, I frequent the New York Times technology section. No, not for the engaging technical news, but for the good technology business-related info. Occasionally, I'll stumble across some interesting security-related topics, and today was one of those days.
Malware Brought Hannaford Down!
Posted By Randy George at 04:50 PM
It’s been widely reported today that the source of the recent massive credit card theft at the Hannaford and SweetBay grocery chains was a pervasively installed piece of malware.
The finding was revealed in a letter from Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Gov. Deval Patrick's Office of Consumer Affairs and Business Regulation.
New Credit Card Breach Will Test PCI
Posted By Andrew Conry-Murray at 11:07 AM
The latest exposure of more than 4 million credit and debit card numbers may strain the validity and stability of the credit card industry's controversial security rules.
Teens Still In The Hacking Biz -- On Both Sides
Posted By Tom LaSusa at 05:00 PM
Way on the other side of our little blue planet, folks in New Zealand are reeling from the recent arrest of 18-year-old Owen Thorn Walker, who masterminded a group of programmers that infected more than a million computers around the world.
E-Mail Security As A Service
Posted By Jordan Wiens at 09:29 PM
I missed the chance to comment on last week's Google/Postini announcement, but hot on its heels comes a somewhat related announcement from Webroot, and a chance for a two-for-one blog entry.
Happy Data Privacy Day!
Posted By Tom LaSusa at 02:20 PM
We're less than a week away from finding out whether Punxsutawney Phil predicts six more weeks of winter. While we wait for him to make his annual weather forecast, we've got time to squeeze in another holiday. You may not be as familiar with this one -- there's no parades, gift-giving or time off from work. Frankly, it's a shame we have to acknowledge it at all. But it's a testament of the kind of world we live in. Today is Data Privacy Day.
Keeping IT Awake All Night
Posted By Mike Fratto at 03:51 PM
The SANS Institute’s Top 10 Menaces of 2008, developed by a panel of security experts, predicts key threats in 2008. While some threats have been with us for some time, like Web-based attacks, spyware, bot nets, and insider problems, the difference is in the sophistication of the attacks.
Privacy Breach Lawsuit Against Sears Is Ridiculous
Posted By Andrew Conry-Murray at 04:51 PM
Usually I support lawsuits against big corporations that expose sensitive customer information. Most corporations only take privacy seriously when you whack them on the nose. But a $5 million suit recently filed against Sears for exposing customer purchases is more about cashing in than redressing harm.
All The Telcos Want For Christmas?
Posted By Lorna Garey at 11:28 AM
The flailing around in Congress over giving big telecom companies, including AT&T and Verizon, retroactive immunity for playing along with the NSA's wiretapping program is over for now, and the news isn't good for the telcos.
It's The Customer Confidence, Stupid!
Posted By Tom LaSusa at 01:38 PM
Sometimes I wonder about the value of surveys. Yes, some of them are very useful (we've been known to utilize a couple ourselves), but often I find myself scratching my head at the results of some random poll thinking, "Well, duh."
Social Security IDing: A Bloody Mess
Posted By Tom LaSusa at 01:42 PM
Last week a notebook -- containing information on 268,000 blood donors -- was stolen from a Minnesota blood drive. The data included names, addresses, blood types and, of course, Social Security numbers. The police suspect it was a random act, and not one committed with the express intent of getting the personal data. Still, it's just one more case of data privacy woes that could be avoided if companies stopped using Social Security numbers to identify customers.
The Rising Costs Of Data Breaches
Posted By Tom LaSusa at 05:12 PM
Have you ever wondered how much a single lost, stolen, or compromised customer record costs your company? According to a recent study, exactly $197. That's up 15 bucks from 2006 when an incident of data loss cost your org $182.
Data Loss: No Day At The Park
Posted By Tom LaSusa at 02:46 PM
Remember when you were a kid playing with your favorite toy on the playground, then dropping it to hit the monkey bars or slide? You came back later only to find some big doofus took your prized possession and wouldn't give it back. It was a tough lesson to learn, but a valuable one: If you don't want something stolen, keep a watchful eye on it.
Take A Cue From Uncle Sam
Posted By Jordan Wiens at 03:06 PM
The Federal Information Security Management Act of 2002, or FISMA, started the ball rolling in many ways for the government's own internal policies on how they handle private data. While it was ostensibly about improving the security status of government agency networks (and it's certainly highlighted deficiencies in that area), it also has a lot to say about the normal handling of private data.
Can't Lose What You Don't Have
Posted By Jordan Wiens at 03:05 PM
There's a lot of different types of data leaks that have made the press. Hackers compromising servers, laptops stolen, backup tapes lost. But some of those data losses share one thing in common -- the data was never supposed to have been there to lose in the first place.
In security, as in anything else, trends come and go. Some hang around for the long haul, some get superseded, and still others just get laughed at in hindsight. From identity management, endpoint compliance, de-perimeterization, and dozens of other buzz-word compliant trends that have ebbed and flowed over the years, we've learned a lot as an industry. Like the fact that any vendor can and will apply their product to whatever the current trend is. Or, probably more important, that behind most trends there's a kernel of useful knowledge and functionality to be gained.
Data Practices Gone Bad
Posted By Mike Fratto at 10:45 AM
Right on the heels of Congress investigating P2P file sharing that I discussed in P2P a National Threat: Your tax dollars at waste, comes this news from tech.blorge.com about how back-up tapes containing over 800,000 social security numbers of Ohio state employees were stolen from an intern's car.
NWC Interview: Arthur W. Coviello, Jr., CEO, RSA Security Inc.
Posted By Tom LaSusa at 03:16 PM
Listen as RSA Security's Chief Executive Officer Art Coviello talks with NWC contributor Robert Hertzberg about Internet crime, privacy protection, terrorism—and storage behemoth EMC's impending $2.1 billion acquisition of RSA.